berbew | 513be2fa1186d385753fb7132ff2b786bf7cc8651b7d8c12dc242e3857eee143

Resubmissions

21-09-2024 17:07

240921-vnbeqatelr 7

21-09-2024 11:57

240921-n4mz5a1bqd 666

Analysis

max time kernel
16s
max time network
679s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-09-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DoomRat.exe
Size

12.1MB
MD5

9b13e58ef5dcfa319ff36e8dc040c248
SHA1

d97589619b4ba09b458888db1e93d08ff9a4d2e4
SHA256

513be2fa1186d385753fb7132ff2b786bf7cc8651b7d8c12dc242e3857eee143
SHA512

3a60282fdba5c70e0825c81b705c3d13721241605165ae28bd4fa59bdbbe2d6e4c666ce5d1a4475fc764d355eca9a6af607180bc46c7a7b938cf514e6944c9a0
SSDEEP

393216:4GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:HYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.controlfire.com.mx
Port:
21
Username:
[email protected]
Password:
0a4XlE=4t8mz

Extracted

Family

metasploit

Version

windows/reverse_http

http://89.197.154.116:7810/dDmZLRctSF-O2Y_Y6DNv7gGR1g00Lo-DSbAP10Qhyakl6e3RBIKZx4eGRNsN-6iE5mPtUWD3pQadMjciytVqzPL

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

emotet

Botnet

Epoch3

190.192.39.136:80

5.189.168.53:8080

162.241.41.111:7080

190.85.46.52:7080

190.190.15.20:80

181.95.133.104:80

41.212.89.128:80

115.176.16.221:80

143.95.101.72:8080

75.127.14.170:8080

116.202.10.123:8080

74.208.173.91:8080

103.93.220.182:80

50.116.78.109:8080

67.121.104.51:20

180.26.62.115:443

139.59.12.63:8080

76.18.16.210:80

113.161.148.81:80

5.79.70.250:8080

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch2

38.18.235.242:80

5.196.108.189:8080

121.124.124.40:7080

104.236.246.93:8080

113.61.66.94:80

120.150.60.189:80

91.211.88.52:7080

47.144.21.12:443

108.46.29.236:80

139.162.108.71:8080

134.209.36.254:8080

139.59.60.244:8080

66.65.136.14:80

76.175.162.101:80

174.106.122.139:80

95.213.236.64:8080

174.45.13.118:80

50.35.17.13:80

209.141.54.221:8080

87.106.139.101:8080

rsa_pubkey.plain

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbfff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfjgaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbddfmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igmagnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lldfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpnnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	240921-n3cg1a1dqrfa5a855ec8b0ca50052f9c0a3498c7e4c9255c020ed0653e49ea9138127cb935N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-n239bs1dql7c4dad3e30175c39380d5fa3f0fda97dbe56eefb3e3ea63b5bdd4494551680b7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdqnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-ngxk2szbmgf9eb4436f984ba87018a3e166fcb0def3f983d328206dbcc7449469b49954bbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lidmhmnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeqbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmeoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmeoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inpccihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibpiogmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiaglp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggbook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgffic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiokfpph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbognp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehhpla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bggnof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jklphekp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnkldqkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kechmoil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpnnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghppm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-nlr65azdkca1e7aaa8d6ea3c7c57e4edb09dc1daa98545ab33a56622f6dcd3c8938929e334N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgiepjga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-nx8y1szhph083bcd3bea727a5041bb723002da15c05a8fcab4cc71bbb047876a17a70769e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiaqcnpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcqpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgbfhmll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emehdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdoihpbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmipblaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gknkpjfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gddbcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhpqaiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbfdfkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbfff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jecofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hncmmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	240921-n14hps1dmnd24a9eebeba63ebe00cc9e1e850d7c8214c706cf102ecbd4399738a552a5d8c7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inpccihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inpccihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeqbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epagkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epagkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	240921-nf4mzazbkaf082729a1a03dca517fcc891d47ef67b461c9b3edf7e2a7af20159530fa06bb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	240921-ndxrmsyhngff1a93f9bd381c3ca44e0ca52f316e9b1dec3fb4e8b9698127e01ecf4c090415N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiehpahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbgoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bggnof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpeafcfa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detect Blackmoon payload 18 IoCs

resource	yara_rule
behavioral1/memory/592-182-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/1864-176-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/2888-172-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/656-212-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/4240-334-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/4864-288-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5108-260-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5964-660-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5252-569-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/2404-432-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/3052-428-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5576-829-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5112-849-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5660-847-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5832-755-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/4256-998-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/files/0x000700000001ae29-1594.dat	family_blackmoon
behavioral1/memory/5208-702-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe"	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-9043\\jwkd.exe"	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	43356	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	19444	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	28112	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	38756	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	41992	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	45560	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	22864	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	17548	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	25872	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	47768	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6252	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	47352	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	15880	41824	Process not Found	4188
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	26092	41824	Process not Found	4188

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000700000001ae38-2491.dat	floxif

Emotet payload 4 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral1/memory/5216-622-0x0000000000590000-0x00000000005A0000-memory.dmp	emotet
behavioral1/memory/5216-618-0x0000000000570000-0x0000000000582000-memory.dmp	emotet
behavioral1/memory/5804-762-0x0000000000500000-0x0000000000510000-memory.dmp	emotet
behavioral1/memory/5804-758-0x00000000001E0000-0x00000000001F2000-memory.dmp	emotet

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	240921-nnad4azgkmSecuriteInfo.com.Win32.Evo-gen.12679.2695.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	240921-nnwmbszgmr4bf06d507147221db5e14e2d18ae20af0c8fec0bf1c951bf4ae3afc17ea14430.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	240921-nh1zvszcja450a6401e4769ef40d94fd052fa49317474e3733e9a3c6dbc0a33222ad41bd09.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/5020-770-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1780-803-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
47032	Process not Found
12764	Process not Found
47080	Process not Found
22472	Process not Found
22844	Process not Found
34428	Process not Found
47016	Process not Found
4036	Process not Found
45616	Process not Found

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
24040	Process not Found
9360	Process not Found
38144	Process not Found
47492	Process not Found
45976	Process not Found
4320	Process not Found
23020	Process not Found
11396	Process not Found
4048	Process not Found

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
21872	Process not Found

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001ae38-2491.dat	acprotect
behavioral1/files/0x000400000002b40a-45139.dat	acprotect

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	240921-nwb8nazgrcefb8551b84eecb2b636babeb11cd57f8_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
3684	240921-n2yc3s1dpn69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31.exe
2888	240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe
1864	44048.exe
592	i842042.exe
656	c482044.exe
4052	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
4988	240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe
4396	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
5108	628600.exe
1172	Inpccihl.exe
4364	Inpccihl.exe
3096	240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe
4864	64262.exe
4908	Iiehpahb.exe
4576	240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe
2552	240921-nyz3hazhrh637945b594925ffab100bc0fdfe4ceda9973beb9fc9a9bb1d58d5b3c9c5b15af.exe
4984	Iiehpahb.exe
1144	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
2980	Ibpiogmp.exe
5104	Iijaka32.exe
4332	Igmagnkg.exe
4820	Jkhngl32.exe
4132	240921-ntldjszgke20f2c1c9ca30f7c7ce29bab29f50d1283fce32ba23f3cceb924b8c5ce26612c0N.exe
4240	24488.exe
640	240921-n292wa1dqqa63b7b04b46cdff6a8357897b5c488b2b2efd625f08e4f3bce43b193c3df3db1N.exe
5076	Jbbfdfkn.exe
2304	Jeqbpb32.exe
1992	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
4856	Jgonlm32.exe
2536	Joffnk32.exe
396	Jeqbpb32.exe
3052	48860.exe
1568	Jbdbjf32.exe
3012	Jecofa32.exe
2900	Jiokfpph.exe
1828	240921-nyc8qszhqe9d59aecb17ec500ad724fe9727419f0a1d0d7c788ec3aee630e61853e5796860N.exe
4256	Jiokfpph.exe
756	Joiccj32.exe
3572	Jbgoof32.exe
2404	o626042.exe
4504	Jiaglp32.exe
5172	Jkodhk32.exe
5200	Jpkphjeb.exe
5216	240921-nn1ahszekgefb3b45b5eb5209239662ea2f35a65b1_JaffaCakes118.exe
5252	6420486.exe
5460	Kbekqdjh.exe
5476	Kbekqdjh.exe
5504	Jnnpdg32.exe
5536	Kfqgab32.exe
5416	240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
5572	Kechmoil.exe
5396	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
5596	240921-n239bs1dql7c4dad3e30175c39380d5fa3f0fda97dbe56eefb3e3ea63b5bdd4494551680b7N.exe
5616	240921-nk8sgszflmefb14be9f4467007fea276e6f0f3da14_JaffaCakes118.exe
5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
5708	Lhdqnj32.exe
5676	Kiaqcnpb.exe
5736	Llpmoiof.exe
5768	Lnnikdnj.exe
5856	240921-ndvmaazcnq3f2d104e4a0e27466e8ecbf9892b46a0bf3846abca87c588cc10bb2b285a0f79N.exe
5928	Lldfjh32.exe
5940	Lidmhmnp.exe
5964	60262.exe
6032	Lflgmqhd.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	240921-nnwmbszgmr4bf06d507147221db5e14e2d18ae20af0c8fec0bf1c951bf4ae3afc17ea14430.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	240921-nh1zvszcja450a6401e4769ef40d94fd052fa49317474e3733e9a3c6dbc0a33222ad41bd09.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	240921-nnad4azgkmSecuriteInfo.com.Win32.Evo-gen.12679.2695.exe

Loads dropped DLL 23 IoCs

pid	Process
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
4444	DoomRat.exe
3052	240921-nd1tasyhpf867c3507625df5294758346af12bfefd87a8bb8c48e9e9e68958652886742797.exe
7016	240921-nfwblazdmjefae79fb2dcc351cd269a6fc5d340cb0_JaffaCakes118.exe
5264	240921-n1rh5s1ape3a11224d108b18e62015b0b0cf82a56170433d416ea9ccbf45f904724801de5cN.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/592-182-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1864-176-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2888-172-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/656-212-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/4240-334-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/4864-288-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5108-260-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5640-668-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5020-665-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/5964-660-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000700000001ad30-659.dat	upx
behavioral1/memory/5252-569-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5640-490-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2404-432-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/3052-428-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1780-699-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/5576-829-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5112-849-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5660-847-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5832-755-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/4256-998-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000400000002b417-6859.dat	upx
behavioral1/files/0x000700000001ae38-2491.dat	upx
behavioral1/files/0x000700000001ae58-1720.dat	upx
behavioral1/files/0x000700000001ae39-1646.dat	upx
behavioral1/memory/5208-702-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000300000002fa29-17549.dat	upx
behavioral1/files/0x000300000002fcac-18742.dat	upx
behavioral1/files/0x000400000002fcd6-18745.dat	upx
behavioral1/files/0x0005000000030f69-28409.dat	upx
behavioral1/files/0x000400000002b40a-45139.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ffqdkxypyko = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cuvjyl.exe\""	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe"	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\xBArVzW = "C:\\Users\\Admin\\AppData\\Local\\xBArVzW\\JrYnjUO.exe"	240921-nk8sgszflmefb14be9f4467007fea276e6f0f3da14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaqq = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-9043\\jwkd.exe"	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuaroat = "C:\\Users\\Admin\\xuaroat.exe /p"	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-9043\Desktop.ini	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\J:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\M:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\Q:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\Z:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\O:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\P:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\T:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\A:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\E:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\K:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\L:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\N:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\G:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\I:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\W:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\Y:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\X:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\B:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\R:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\S:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\U:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
File opened (read-only)	\??\V:	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
747	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-9043\\jwkd.exe"	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001ac97-1091.dat	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aekedq32.dll	Joffnk32.exe
File created	C:\Windows\SysWOW64\Efmdqkmi.dll	Llpmoiof.exe
File opened for modification	C:\Windows\SysWOW64\Emehdh32.exe	Ejdocm32.exe
File created	C:\Windows\SysWOW64\Gknkpjfb.exe	Gilapgqb.exe
File created	C:\Windows\SysWOW64\Becnaq32.dll	Hjedffig.exe
File created	C:\Windows\SysWOW64\Nkgemlkg.dll	240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
File opened for modification	C:\Windows\SysWOW64\Jklbcn32.dll	Ibmeoq32.exe
File created	C:\Windows\SysWOW64\Fhlfehjp.dll	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
File opened for modification	C:\Windows\SysWOW64\Kechmoil.exe	Jiaglp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfcqpa32.exe	Cjjcfabm.exe
File opened for modification	C:\Windows\SysWOW64\Fmjaphek.exe	Emehdh32.exe
File created	C:\Windows\SysWOW64\Kaehljpj.exe	240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
File created	C:\Windows\SysWOW64\Jghmkm32.dll	Kfqgab32.exe
File opened for modification	C:\Windows\SysWOW64\Hacbhb32.exe	Hjedffig.exe
File opened for modification	C:\Windows\SysWOW64\Jnkldqkc.exe	240921-nf4mzazbkaf082729a1a03dca517fcc891d47ef67b461c9b3edf7e2a7af20159530fa06bb8N.exe
File created	C:\Windows\SysWOW64\Jhpqaiji.exe	240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
File created	C:\Windows\SysWOW64\Knbbep32.exe	240921-n14hps1dmnd24a9eebeba63ebe00cc9e1e850d7c8214c706cf102ecbd4399738a552a5d8c7N.exe
File created	C:\Windows\SysWOW64\Kkfcndce.exe	240921-nys9yszhrcc14ae0727c90d5a56b15a5e1d4a71af764cf4a21d98babbd4cb75643ac30d4afN.exe
File created	C:\Windows\SysWOW64\Kndojobi.exe	240921-n3f57a1drn62d87ff9a0f9331e8f1bb5235b41bb20722737b17e43708bbd7ea79ba91e7745N.exe
File created	C:\Windows\SysWOW64\Iaejbl32.dll	Jjopcb32.exe
File created	C:\Windows\SysWOW64\Jbdbjf32.exe	240921-n292wa1dqqa63b7b04b46cdff6a8357897b5c488b2b2efd625f08e4f3bce43b193c3df3db1N.exe
File opened for modification	C:\Windows\SysWOW64\Ghhhcomg.exe	Ffpicn32.exe
File created	C:\Windows\SysWOW64\Nkiebg32.dll	Fhdohp32.exe
File opened for modification	C:\Windows\SysWOW64\Ggbook32.exe	Gdoihpbk.exe
File opened for modification	C:\Windows\SysWOW64\Hdkidohn.exe	240921-npz15szepac2e813052657a29fce4e260b2ec9d336cbb23bcafa106a51880fb4f447efe371N.exe
File opened for modification	C:\Windows\SysWOW64\Lghcocol.exe	240921-nnbbdszdrb0fbe70d45fc231926f0111e704020083445d142b7215e881a06dbb182aa59397N.exe
File opened for modification	C:\Windows\SysWOW64\Jnnpdg32.exe	Jiokfpph.exe
File created	C:\Windows\SysWOW64\Mhibfmcl.dll	Oghppm32.exe
File created	C:\Windows\SysWOW64\Jeggngeb.dll	Dfjgaq32.exe
File created	C:\Windows\SysWOW64\Dpabql32.dll	240921-nlr65azdkca1e7aaa8d6ea3c7c57e4edb09dc1daa98545ab33a56622f6dcd3c8938929e334N.exe
File created	C:\Windows\SysWOW64\Haedpe32.dll	240921-ned1xszcqp0625f3a2523d24b22185bfa67853af9bc96e396bfe59bbcb9ade396a7a007fc0N.exe
File opened for modification	C:\Windows\SysWOW64\Jhpqaiji.exe	240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
File created	C:\Windows\SysWOW64\Kejocggj.dll	240921-nqt7aazfjcbd1e7a7df928551d9a76ba7ed1ed0e40d0326d53068e46826f9633b76e231af2N.exe
File created	C:\Windows\SysWOW64\Iiehpahb.exe	Inpccihl.exe
File created	C:\Windows\SysWOW64\Hjedffig.exe	Gknkpjfb.exe
File opened for modification	C:\Windows\SysWOW64\Hpfcdojl.exe	Haoimcgg.exe
File created	C:\Windows\SysWOW64\Milidebi.exe	Lgffic32.exe
File opened for modification	C:\Windows\SysWOW64\Mgdbei32.dll	Iijaka32.exe
File created	C:\Windows\SysWOW64\Hjhigidn.dll	Oidofh32.exe
File created	C:\Windows\SysWOW64\Mgdbei32.dll	Ibpiogmp.exe
File created	C:\Windows\SysWOW64\Kfqgab32.exe	Jkodhk32.exe
File created	C:\Windows\SysWOW64\Llpmoiof.exe	Jnnpdg32.exe
File created	C:\Windows\SysWOW64\Cdckomdh.dll	Lldfjh32.exe
File created	C:\Windows\SysWOW64\Oidofh32.exe	Nemcjk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhigidn.dll	Neffpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kaehljpj.exe	240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
File opened for modification	C:\Windows\SysWOW64\Mbenmk32.exe	Kgjgne32.exe
File opened for modification	C:\Windows\SysWOW64\Jpkphjeb.exe	Jiokfpph.exe
File created	C:\Windows\SysWOW64\Kiaqcnpb.exe	Kbekqdjh.exe
File created	C:\Windows\SysWOW64\Bmpdfl32.dll	Bfjnjcni.exe
File created	C:\Windows\SysWOW64\Inogde32.dll	Cjjcfabm.exe
File opened for modification	C:\Windows\SysWOW64\Dfjgaq32.exe	Dakacjdb.exe
File created	C:\Windows\SysWOW64\Llelopkl.dll	Emehdh32.exe
File created	C:\Windows\SysWOW64\Agbgbe32.dll	240921-nys9yszhrcc14ae0727c90d5a56b15a5e1d4a71af764cf4a21d98babbd4cb75643ac30d4afN.exe
File created	C:\Windows\SysWOW64\Pqnalj32.dll	Igmagnkg.exe
File created	C:\Windows\SysWOW64\Jbgoof32.exe	Jeqbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bggnof32.exe	Oekpkigo.exe
File created	C:\Windows\SysWOW64\Bfjnjcni.exe	Neffpj32.exe
File created	C:\Windows\SysWOW64\Fbackgod.dll	Cfcqpa32.exe
File created	C:\Windows\SysWOW64\Nggmhj32.dll	240921-ntek1a1amm7e7e1fdd9adb897953d9301a09c74b5f3921b0298e083e418e3f4d31d80fc942N.exe
File opened for modification	C:\Windows\SysWOW64\Fgbfhmll.exe	Fpeafcfa.exe
File created	C:\Windows\SysWOW64\Ndlapjeg.dll	240921-nf4mzazbkaf082729a1a03dca517fcc891d47ef67b461c9b3edf7e2a7af20159530fa06bb8N.exe
File created	C:\Windows\SysWOW64\Jhpqaiji.exe	240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe
File created	C:\Windows\SysWOW64\Nhqihllh.dll	Joiccj32.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
27196	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 5556	208	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe	197
PID 4116 set thread context of 6692	4116	msdcsc.exe	253

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\Windows\BJ.exe	240921-nncjfszdrdefb31465841e7e51bc2cd72c26601d2e_JaffaCakes118.exe
File opened for modification	\??\c:\Windows\BJ.exe	240921-nncjfszdrdefb31465841e7e51bc2cd72c26601d2e_JaffaCakes118.exe
File created	\??\c:\Windows\svchest425075242507520.exe	240921-nncjfszdrdefb31465841e7e51bc2cd72c26601d2e_JaffaCakes118.exe
File created	\??\c:\windows\fonts\ghibwzx\ofqhicn.exe	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
File opened for modification	\??\c:\windows\fonts\ghibwzx\ofqhicn.exe	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
30536	Process not Found
32264	Process not Found
31812	Process not Found
22068	Process not Found
14608	sc.exe
32172	Process not Found
23428	Process not Found
23040	Process not Found
22412	Process not Found
4424	sc.exe
32416	Process not Found
16536	Process not Found
23012	Process not Found
29252	Process not Found
20324	Process not Found
18924	Process not Found
32684	Process not Found
25976	Process not Found
28944	Process not Found
31220	Process not Found
33256	Process not Found
14852	sc.exe
10068	Process not Found
12608	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001af2a-2234.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3284	5416	WerFault.exe	122
7352	7016	WerFault.exe
1744	6384	WerFault.exe	248
6040	5604	WerFault.exe	158
22988	45788	Process not Found	5139

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggnof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nfwblazdmjefae79fb2dcc351cd269a6fc5d340cb0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nh1zvszcja450a6401e4769ef40d94fd052fa49317474e3733e9a3c6dbc0a33222ad41bd09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o626042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdqnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnnikdnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnncgmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nfh19szapfebafe534539465892444701b6fafaf8b299a70881fcc58d5bce34c2802284caeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inpccihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nvhzta1bjjefb7a8cb82a282ba4facfee291ba7482_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjopcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhbfff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekpkigo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nwb8nazgrcefb8551b84eecb2b636babeb11cd57f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nyc8qszhqe9d59aecb17ec500ad724fe9727419f0a1d0d7c788ec3aee630e61853e5796860N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niipjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghhhcomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-ndxrmsyhngff1a93f9bd381c3ca44e0ca52f316e9b1dec3fb4e8b9698127e01ecf4c090415N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nnad4azgkmSecuriteInfo.com.Win32.Evo-gen.12679.2695.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflgmqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nwrncazhkd4124-0-0x0000000000680000-0x0000000000B6A000-memory.dmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbdbjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nxyhaazhpd0dd187afe3956bdca41c4f3b648bafdf18b946afffa6960d2f804ce9b1cb3203N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuaroat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacbhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhpqaiji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nxv26azhnhefb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nnbbdszdrb0fbe70d45fc231926f0111e704020083445d142b7215e881a06dbb182aa59397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c482044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfjgaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpeafcfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nvex6azgndefb7a3e2cb8f232021f1c5e081073998_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nx8y1szhph083bcd3bea727a5041bb723002da15c05a8fcab4cc71bbb047876a17a70769e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nmx4rszfrpefb2ba0605a47144b8a9d748d5b13e4a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-n1cpzs1angefbb509e9ad5140075036576003a3352_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiokfpph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbekqdjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nmd1wszdmfefb250c2b2cf93668796210720cdb79d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmagnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijaka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lldfjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghppm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkhngl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidofh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jklphekp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knbbep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	628600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c628426.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nhlj6szbqdefaf9583f501557601f7acc59d1a7d32_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64262.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
23032	Process not Found
8084	cmd.exe
6000	cmd.exe
18052	Process not Found
21284	Process not Found
25672	Process not Found
1200	Process not Found
12488	Process not Found
12396	Process not Found

System Time Discovery 1 TTPs 14 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
10652	Process not Found
25188	Process not Found
26024	Process not Found
29752	Process not Found
8808	net.exe
29820	Process not Found
33964	Process not Found
35780	Process not Found
9108	Process not Found
21052	Process not Found
12460	Process not Found
32364	Process not Found
33848	Process not Found
1032	Process not Found

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
43796	Process not Found

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
21336	Process not Found
46600	Process not Found

Kills process with taskkill 5 IoCs

evasion

pid	Process
26632	Process not Found
6532	Process not Found
17880	Process not Found
2328	Process not Found
8188	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oekpkigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgonlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpkphjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbpnlg.dll"	Iiehpahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfcqpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240921-n14hps1dmnd24a9eebeba63ebe00cc9e1e850d7c8214c706cf102ecbd4399738a552a5d8c7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbddfmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhigidn.dll"	Neffpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll"	Dfjgaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhdohp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	240921-ned1xszcqp0625f3a2523d24b22185bfa67853af9bc96e396bfe59bbcb9ade396a7a007fc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdoihpbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inpccihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpnnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpcoo32.dll"	Gddbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajkgl32.dll"	240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll"	Cfcqpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240921-nyc8qszhqe9d59aecb17ec500ad724fe9727419f0a1d0d7c788ec3aee630e61853e5796860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiaglp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehhpla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacbhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kechmoil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nemcjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiilpik.dll"	Oekpkigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiehpahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhdqnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdfdmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	240921-n2qy1a1dnn89191081739ce1044189a69371d7a282f6f981fa239c831b6dfb3e242f6cedaaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhbfff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnkldqkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekedq32.dll"	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghmkm32.dll"	240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240921-ndxrmsyhngff1a93f9bd381c3ca44e0ca52f316e9b1dec3fb4e8b9698127e01ecf4c090415N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll"	Jeqbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkodhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnigobn.dll"	240921-nx8y1szhph083bcd3bea727a5041bb723002da15c05a8fcab4cc71bbb047876a17a70769e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iijaka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiokfpph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgemlkg.dll"	240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bionkjfo.dll"	240921-nhg7razeknb89257f5a20537b48da1926c82d09f21740cb2eb2fd63f1f717fc6f38be0e0d1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igmagnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihdpk32.dll"	Mbognp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomdjhoo.dll"	Mifcejnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbiiion.dll"	Dakacjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niipjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjjcfabm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	240921-n3hzsa1bmd5a15fb8a1bfc9d3ca1ecf7a0b02431b64c40b52a97e165c60a922401dd75a3bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niipjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gddbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfikmcdh.dll"	Jpkphjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	240921-n239bs1dql7c4dad3e30175c39380d5fa3f0fda97dbe56eefb3e3ea63b5bdd4494551680b7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nemcjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jklphekp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jecofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqeaphi.dll"	Ehhpla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcnggo32.dll"	Ffpicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklbcn32.dll"	240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	240921-n2qy1a1dnn89191081739ce1044189a69371d7a282f6f981fa239c831b6dfb3e242f6cedaaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgppmg32.dll"	Nhbfff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqiieebk.dll"	Kbekqdjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
47040	Process not Found
47340	Process not Found
47528	Process not Found
47508	Process not Found

Opens file in notepad (likely ransom note) 6 IoCs

ransomware

pid	Process
9532	Process not Found
34900	Process not Found
1300	Process not Found
17492	Process not Found
4100	Process not Found
42948	Process not Found

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1200	Process not Found
23032	Process not Found

Runs regedit.exe 1 IoCs

pid	Process
17128	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1000	Process not Found
43356	Process not Found
28112	Process not Found
1000	Process not Found
45560	Process not Found
22864	Process not Found
6252	Process not Found
38756	Process not Found
45452	Process not Found
17548	Process not Found
25872	Process not Found
47768	Process not Found
26092	Process not Found
43000	Process not Found
35668	Process not Found
19444	Process not Found
41992	Process not Found
47352	Process not Found
15880	Process not Found

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1144	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
1144	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
1144	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
1144	240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
5556	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
5556	240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
1992	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
1992	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
5848	WMVDECOD.exe
5848	WMVDECOD.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5552	240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe
5552	240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe
5252	240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
5172	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
5172	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
6868	240921-nzp9pa1aleefbab66abe4041350ddd3e6a046a8145_JaffaCakes118.exe
6868	240921-nzp9pa1aleefbab66abe4041350ddd3e6a046a8145_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeSecurityPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeSystemtimePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeBackupPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeRestorePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeShutdownPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeDebugPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeUndockPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeManageVolumePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeImpersonatePrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: 33	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: 34	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: 35	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: 36	5640	240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeSecurityPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeSystemtimePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeBackupPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeRestorePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeShutdownPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeDebugPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeUndockPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeManageVolumePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeImpersonatePrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: 33	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: 34	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: 35	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: 36	5536	240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
Token: SeDebugPrivilege	5476	240921-ny81ea1cnnefba2f0fef43c9d866b89e8757e898bd_JaffaCakes118.exe
Token: SeSecurityPrivilege	5692	240921-nrt8nszfnaefb5d5c89e8a85176549d52e7a330434_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4116	msdcsc.exe
Token: SeSecurityPrivilege	4116	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4116	msdcsc.exe
Token: SeLoadDriverPrivilege	4116	msdcsc.exe
Token: SeSystemProfilePrivilege	4116	msdcsc.exe
Token: SeSystemtimePrivilege	4116	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4116	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4116	msdcsc.exe
Token: SeCreatePagefilePrivilege	4116	msdcsc.exe
Token: SeBackupPrivilege	4116	msdcsc.exe
Token: SeRestorePrivilege	4116	msdcsc.exe
Token: SeShutdownPrivilege	4116	msdcsc.exe
Token: SeDebugPrivilege	4116	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4116	msdcsc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4052	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
5396	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
5136	240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
4052	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
1992	240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
5396	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
5372	backup.exe
5616	240921-nk8sgszflmefb14be9f4467007fea276e6f0f3da14_JaffaCakes118.exe
1972	backup.exe
5784	240921-ndjj1syhmdefacb5aeaf7ed6de6a15a5f77e95193a_JaffaCakes118.exe
5636	backup.exe
5148	backup.exe
5336	xuaroat.exe
2324	240921-n2w51s1dpmefbc6b4f3bcec711c548ffa80e637b33_JaffaCakes118.exe
220	240921-ng2j1azdrmefaf2fe4583864c205ad3e1dba764c62_JaffaCakes118.exe
2324	240921-n2w51s1dpmefbc6b4f3bcec711c548ffa80e637b33_JaffaCakes118.exe
5792	backup.exe
5552	240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe
5076	240921-nfveaszarba8a0f2a44111b027ffa16b8a02ca4bbb4d38e9e810e73ef6c39f6513ef7c0287.exe
5076	240921-nfveaszarba8a0f2a44111b027ffa16b8a02ca4bbb4d38e9e810e73ef6c39f6513ef7c0287.exe
6736	backup.exe
5172	240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
7084	240921-n1cpzs1angefbb509e9ad5140075036576003a3352_JaffaCakes118.exe
5540	240921-nwgs5szgrg7e012e1f90b19749abce0893f816422bc66ef5a3198cbcd0fd45b26a3fe6a7b8N.exe
5868	240921-nq81fazhnlf97356e0ce81539bb21cb00c61a7d44924780b07c6afc8c29ef35966ead1d840N.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
5020	240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
1780	240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe
4240	240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
5212	240921-nvjaks1bjk8dbe52e366d3e092fe264e9d4e7b048f38e28634c7a7241289d14cbf7fc0813fN.exe
6200	240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4444	1980	DoomRat.exe	74
PID 1980 wrote to memory of 4444	1980	DoomRat.exe	74
PID 4444 wrote to memory of 2248	4444	DoomRat.exe	75
PID 4444 wrote to memory of 2248	4444	DoomRat.exe	75
PID 4444 wrote to memory of 3684	4444	DoomRat.exe	76
PID 4444 wrote to memory of 3684	4444	DoomRat.exe	76
PID 4444 wrote to memory of 3684	4444	DoomRat.exe	76
PID 4444 wrote to memory of 2888	4444	DoomRat.exe	1605
PID 4444 wrote to memory of 2888	4444	DoomRat.exe	1605
PID 4444 wrote to memory of 2888	4444	DoomRat.exe	1605
PID 2888 wrote to memory of 1864	2888	240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe	78
PID 2888 wrote to memory of 1864	2888	240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe	78
PID 2888 wrote to memory of 1864	2888	240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe	78
PID 1864 wrote to memory of 592	1864	44048.exe	195
PID 1864 wrote to memory of 592	1864	44048.exe	195
PID 1864 wrote to memory of 592	1864	44048.exe	195
PID 592 wrote to memory of 656	592	i842042.exe	80
PID 592 wrote to memory of 656	592	i842042.exe	80
PID 592 wrote to memory of 656	592	i842042.exe	80
PID 4444 wrote to memory of 4052	4444	DoomRat.exe	81
PID 4444 wrote to memory of 4052	4444	DoomRat.exe	81
PID 4444 wrote to memory of 4052	4444	DoomRat.exe	81
PID 4444 wrote to memory of 4396	4444	DoomRat.exe	82
PID 4444 wrote to memory of 4396	4444	DoomRat.exe	82
PID 4444 wrote to memory of 4396	4444	DoomRat.exe	82
PID 4444 wrote to memory of 4988	4444	DoomRat.exe	83
PID 4444 wrote to memory of 4988	4444	DoomRat.exe	83
PID 4444 wrote to memory of 4988	4444	DoomRat.exe	83
PID 656 wrote to memory of 5108	656	c482044.exe	84
PID 656 wrote to memory of 5108	656	c482044.exe	84
PID 656 wrote to memory of 5108	656	c482044.exe	84
PID 4988 wrote to memory of 1172	4988	240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe	86
PID 4988 wrote to memory of 1172	4988	240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe	86
PID 4988 wrote to memory of 1172	4988	240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe	86
PID 4396 wrote to memory of 4364	4396	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN	1681
PID 4396 wrote to memory of 4364	4396	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN	1681
PID 4396 wrote to memory of 4364	4396	240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN	1681
PID 4444 wrote to memory of 3096	4444	DoomRat.exe	365
PID 4444 wrote to memory of 3096	4444	DoomRat.exe	365
PID 4444 wrote to memory of 3096	4444	DoomRat.exe	365
PID 5108 wrote to memory of 4864	5108	628600.exe	304
PID 5108 wrote to memory of 4864	5108	628600.exe	304
PID 5108 wrote to memory of 4864	5108	628600.exe	304
PID 4364 wrote to memory of 4908	4364	Inpccihl.exe	469
PID 4364 wrote to memory of 4908	4364	Inpccihl.exe	469
PID 4364 wrote to memory of 4908	4364	Inpccihl.exe	469
PID 4444 wrote to memory of 4576	4444	DoomRat.exe	1528
PID 4444 wrote to memory of 4576	4444	DoomRat.exe	1528
PID 4444 wrote to memory of 4576	4444	DoomRat.exe	1528
PID 4444 wrote to memory of 2552	4444	DoomRat.exe	93
PID 4444 wrote to memory of 2552	4444	DoomRat.exe	93
PID 4444 wrote to memory of 2552	4444	DoomRat.exe	93
PID 1172 wrote to memory of 4984	1172	Inpccihl.exe	221
PID 1172 wrote to memory of 4984	1172	Inpccihl.exe	221
PID 1172 wrote to memory of 4984	1172	Inpccihl.exe	221
PID 4444 wrote to memory of 1144	4444	DoomRat.exe	92
PID 4444 wrote to memory of 1144	4444	DoomRat.exe	92
PID 4444 wrote to memory of 1144	4444	DoomRat.exe	92
PID 3096 wrote to memory of 2980	3096	240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe	211
PID 3096 wrote to memory of 2980	3096	240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe	211
PID 3096 wrote to memory of 2980	3096	240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe	211
PID 4576 wrote to memory of 5104	4576	240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe	308
PID 4576 wrote to memory of 5104	4576	240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe	308
PID 4576 wrote to memory of 5104	4576	240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe	308

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

Views/modifies file attributes 1 TTPs 18 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
27704	Process not Found
38680	Process not Found
48176	Process not Found
33000	Process not Found
21872	Process not Found
35288	Process not Found
39888	Process not Found
35500	Process not Found
30332	Process not Found
45180	Process not Found
46188	Process not Found
20180	Process not Found
5140	Process not Found
41188	Process not Found
37988	Process not Found
40068	Process not Found
44376	Process not Found
49928	Process not Found

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
  "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
    "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2248
  - - C:\Users\Admin\Downloads\240921-n2yc3s1dpn69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31.exe
      C:\Users\Admin\Downloads\240921-n2yc3s1dpn69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31.exe
      4⤵
      Executes dropped EXE
      PID:3684
  - - C:\Users\Admin\Downloads\240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe
      C:\Users\Admin\Downloads\240921-nxwnpa1cjj26b8d22f9ec0038546e166e87c6c6592d87f6cbae9ac9add3cfbcfd7e8e3bc02N.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2888
    - - \??\c:\44048.exe
        
        c:\44048.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - \??\c:\i842042.exe
        
        c:\i842042.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        \??\c:\c482044.exe
        
        c:\c482044.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        \??\c:\628600.exe
        
        c:\628600.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        \??\c:\64262.exe
        
        c:\64262.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        \??\c:\24488.exe
        
        c:\24488.exe
        10⤵
        Executes dropped EXE
        
        PID:4240
        
        \??\c:\48860.exe
        
        c:\48860.exe
        11⤵
        Executes dropped EXE
        
        PID:3052
        
        \??\c:\o626042.exe
        
        c:\o626042.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        \??\c:\6420486.exe
        
        c:\6420486.exe
        13⤵
        Executes dropped EXE
        
        PID:5252
        
        \??\c:\60262.exe
        
        c:\60262.exe
        14⤵
        Executes dropped EXE
        
        PID:5964
        
        \??\c:\08060.exe
        
        c:\08060.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        \??\c:\04044.exe
        
        c:\04044.exe
        16⤵
        
        PID:5832
        
        \??\c:\24444.exe
        
        c:\24444.exe
        17⤵
        
        PID:5576
        
        \??\c:\66840.exe
        
        c:\66840.exe
        18⤵
        
        PID:5112
        
        \??\c:\w60004.exe
        
        c:\w60004.exe
        19⤵
        
        PID:5660
        
        \??\c:\44426.exe
        
        c:\44426.exe
        20⤵
        
        PID:1952
        
        \??\c:\806488.exe
        
        c:\806488.exe
        21⤵
        
        PID:4256
        
        \??\c:\c628426.exe
        
        c:\c628426.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        \??\c:\0888826.exe
        
        c:\0888826.exe
        23⤵
        
        PID:4408
        
        \??\c:\2044826.exe
        
        c:\2044826.exe
        24⤵
        
        PID:5020
        
        \??\c:\06208.exe
        
        c:\06208.exe
        25⤵
        
        PID:5892
        
        \??\c:\666242.exe
        
        c:\666242.exe
        26⤵
        
        PID:5524
        
        \??\c:\8042642.exe
        
        c:\8042642.exe
        27⤵
        
        PID:3404
        
        \??\c:\08426.exe
        
        c:\08426.exe
        28⤵
        
        PID:6440
        
        \??\c:\008820.exe
        
        c:\008820.exe
        29⤵
        
        PID:6620
        
        \??\c:\m0488.exe
        
        c:\m0488.exe
        30⤵
        
        PID:6212
        
        \??\c:\088220.exe
        
        c:\088220.exe
        31⤵
        
        PID:6788
        
        \??\c:\m2266.exe
        
        c:\m2266.exe
        32⤵
        
        PID:7872
        
        \??\c:\42624.exe
        
        c:\42624.exe
        33⤵
        
        PID:2524
        
        \??\c:\60604.exe
        
        c:\60604.exe
        34⤵
        
        PID:9920
        
        \??\c:\0440400.exe
        
        c:\0440400.exe
        35⤵
        
        PID:6628
        
        \??\c:\84062.exe
        
        c:\84062.exe
        36⤵
        
        PID:5668
        
        \??\c:\m2042.exe
        
        c:\m2042.exe
        37⤵
        
        PID:10800
        
        \??\c:\g8462.exe
        
        c:\g8462.exe
        38⤵
        
        PID:8744
        
        \??\c:\2868440.exe
        
        c:\2868440.exe
        39⤵
        
        PID:12796
        
        \??\c:\6444260.exe
        
        c:\6444260.exe
        40⤵
        
        PID:14948
  - - C:\Users\Admin\Downloads\240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
      C:\Users\Admin\Downloads\240921-ntabaazgjead296ae0bf3fe0284c1455b29f3e5d2a703752fdc48d482113253b3fb904423bN.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4052
    - - C:\backup.exe
        
        \backup.exe \
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5372
      - C:\PerfLogs\backup.exe
        
        C:\PerfLogs\backup.exe C:\PerfLogs\
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
      - C:\Program Files\backup.exe
        
        "C:\Program Files\backup.exe" C:\Program Files\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5636
        
        C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5148
        
        C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5792
        
        C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:6736
        
        C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        8⤵
        
        PID:7052
        
        C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        8⤵
        
        PID:7272
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        9⤵
        
        PID:344
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        9⤵
        
        PID:11640
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        10⤵
        
        PID:13408
        
        C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        8⤵
        
        PID:4044
        
        C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        7⤵
        
        PID:9176
        
        C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        8⤵
        
        PID:7276
      - C:\Program Files (x86)\backup.exe
        
        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
        6⤵
        
        PID:11528
        
        C:\Program Files (x86)\859f8029\backup.exe
        
        "C:\Program Files (x86)\859f8029\backup.exe" C:\Program Files (x86)\859f8029\
        7⤵
        
        PID:12872
  - - C:\Users\Admin\Downloads\240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
      C:\Users\Admin\Downloads\240921-npfbqszgqnBackdoor.Win32.Berbew.pz-44cef0e08e009eff1988ba926d5a0a44c1086ebbe2b371ae7b9eb12738f0a9cfN
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Jkhngl32.exe
        
        C:\Windows\system32\Jkhngl32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Jbbfdfkn.exe
        
        C:\Windows\system32\Jbbfdfkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Joffnk32.exe
        
        C:\Windows\system32\Joffnk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Jiokfpph.exe
        
        C:\Windows\system32\Jiokfpph.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Jnnpdg32.exe
        
        C:\Windows\system32\Jnnpdg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Llpmoiof.exe
        
        C:\Windows\system32\Llpmoiof.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Likcilhh.exe
        
        C:\Windows\system32\Likcilhh.exe
        13⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        14⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Oidofh32.exe
        
        C:\Windows\system32\Oidofh32.exe
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
  - - C:\Users\Admin\Downloads\240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe
      C:\Users\Admin\Downloads\240921-n1a66a1anf215aeff56e62dba92b343ca6870e0ed55785d0baa4db13e6f0af95410233921cN.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Inpccihl.exe
        
        C:\Windows\system32\Inpccihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Igmagnkg.exe
        
        C:\Windows\system32\Igmagnkg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Jgonlm32.exe
        
        C:\Windows\system32\Jgonlm32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Kbekqdjh.exe
        
        C:\Windows\system32\Kbekqdjh.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Kiaqcnpb.exe
        
        C:\Windows\system32\Kiaqcnpb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5676
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4600
        
        C:\Windows\SysWOW64\Mbognp32.exe
        
        C:\Windows\system32\Mbognp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Neffpj32.exe
        
        C:\Windows\system32\Neffpj32.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
  - - C:\Users\Admin\Downloads\240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe
      C:\Users\Admin\Downloads\240921-np65fszhjr65c3c1c1f0b5c33eaf74cbe190d6ba0fb9234f0c02bbec54e1e0a88b2eefd521N.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\SysWOW64\Ibpiogmp.exe
        
        C:\Windows\system32\Ibpiogmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
      - C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Jiokfpph.exe
        
        C:\Windows\system32\Jiokfpph.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Jpkphjeb.exe
        
        C:\Windows\system32\Jpkphjeb.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Kbekqdjh.exe
        
        C:\Windows\system32\Kbekqdjh.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Lhdqnj32.exe
        
        C:\Windows\system32\Lhdqnj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Lflgmqhd.exe
        
        C:\Windows\system32\Lflgmqhd.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
  - - C:\Users\Admin\Downloads\240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe
      C:\Users\Admin\Downloads\240921-n2fs2a1dnl1ed7c05df26c58eff483b094bcca4a7b6089a6c8fa54850c7d64687c75353d35N.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\Iijaka32.exe
        
        C:\Windows\system32\Iijaka32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
      - C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Jbgoof32.exe
        
        C:\Windows\system32\Jbgoof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kfqgab32.exe
        
        C:\Windows\system32\Kfqgab32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Niipjj32.exe
        
        C:\Windows\system32\Niipjj32.exe
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
  - - C:\Users\Admin\Downloads\240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-neanhazajcefad2af60ae5f2a731e9909ef2428f07_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1144
    - - C:\Windows\SysWOW64\nslookup.exe
        
        nslookup nomoreransom.coin dns1.soprodns.ru
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
  - - C:\Users\Admin\Downloads\240921-nyz3hazhrh637945b594925ffab100bc0fdfe4ceda9973beb9fc9a9bb1d58d5b3c9c5b15af.exe
      C:\Users\Admin\Downloads\240921-nyz3hazhrh637945b594925ffab100bc0fdfe4ceda9973beb9fc9a9bb1d58d5b3c9c5b15af.exe
      4⤵
      Executes dropped EXE
      PID:2552
  - - C:\Users\Admin\Downloads\240921-ntldjszgke20f2c1c9ca30f7c7ce29bab29f50d1283fce32ba23f3cceb924b8c5ce26612c0N.exe
      C:\Users\Admin\Downloads\240921-ntldjszgke20f2c1c9ca30f7c7ce29bab29f50d1283fce32ba23f3cceb924b8c5ce26612c0N.exe
      4⤵
      Executes dropped EXE
      PID:4132
  - - C:\Users\Admin\Downloads\240921-n292wa1dqqa63b7b04b46cdff6a8357897b5c488b2b2efd625f08e4f3bce43b193c3df3db1N.exe
      C:\Users\Admin\Downloads\240921-n292wa1dqqa63b7b04b46cdff6a8357897b5c488b2b2efd625f08e4f3bce43b193c3df3db1N.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:640
    - - C:\Windows\SysWOW64\Jbdbjf32.exe
        
        C:\Windows\system32\Jbdbjf32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Windows\SysWOW64\Joiccj32.exe
        
        C:\Windows\system32\Joiccj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Jiaglp32.exe
        
        C:\Windows\system32\Jiaglp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Kechmoil.exe
        
        C:\Windows\system32\Kechmoil.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Lidmhmnp.exe
        
        C:\Windows\system32\Lidmhmnp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5940
        
        C:\Windows\SysWOW64\Nemcjk32.exe
        
        C:\Windows\system32\Nemcjk32.exe
        10⤵
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Nhbfff32.exe
        
        C:\Windows\system32\Nhbfff32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Oekpkigo.exe
        
        C:\Windows\system32\Oekpkigo.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Ccnncgmc.exe
        
        C:\Windows\system32\Ccnncgmc.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Cmipblaq.exe
        
        C:\Windows\system32\Cmipblaq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Djdflp32.exe
        
        C:\Windows\system32\Djdflp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        17⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Epagkd32.exe
        
        C:\Windows\system32\Epagkd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Fpeafcfa.exe
        
        C:\Windows\system32\Fpeafcfa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1168
        
        C:\Windows\SysWOW64\Fhdohp32.exe
        
        C:\Windows\system32\Fhdohp32.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Ggbook32.exe
        
        C:\Windows\system32\Ggbook32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
  - - C:\Users\Admin\Downloads\240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nphrvszgqrefb42a1fceecd94454619302c0f3f62b_JaffaCakes118.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1992
    - - C:\Users\Admin\xuaroat.exe
        
        "C:\Users\Admin\xuaroat.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5336
  - - C:\Users\Admin\Downloads\240921-nyc8qszhqe9d59aecb17ec500ad724fe9727419f0a1d0d7c788ec3aee630e61853e5796860N.exe
      C:\Users\Admin\Downloads\240921-nyc8qszhqe9d59aecb17ec500ad724fe9727419f0a1d0d7c788ec3aee630e61853e5796860N.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1828
  - - C:\Users\Admin\Downloads\240921-nn1ahszekgefb3b45b5eb5209239662ea2f35a65b1_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nn1ahszekgefb3b45b5eb5209239662ea2f35a65b1_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      PID:5216
    - - C:\Windows\SysWOW64\Windows.Storage.Search\WMVDECOD.exe
        
        "C:\Windows\SysWOW64\Windows.Storage.Search\WMVDECOD.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5848
  - - C:\Users\Admin\Downloads\240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:5396
  - - C:\Users\Admin\Downloads\240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
      C:\Users\Admin\Downloads\240921-nt2erszgmcfa81770d34d44d77cc30aa205f3136146d1d190716337f87f6304a561b50aa2eN.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:5416
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 372
        5⤵
        Program crash
        
        PID:3284
  - - C:\Users\Admin\Downloads\240921-n239bs1dql7c4dad3e30175c39380d5fa3f0fda97dbe56eefb3e3ea63b5bdd4494551680b7N.exe
      C:\Users\Admin\Downloads\240921-n239bs1dql7c4dad3e30175c39380d5fa3f0fda97dbe56eefb3e3ea63b5bdd4494551680b7N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:5596
    - - C:\Windows\SysWOW64\Lldfjh32.exe
        
        C:\Windows\system32\Lldfjh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
      - C:\Windows\SysWOW64\Mifcejnj.exe
        
        C:\Windows\system32\Mifcejnj.exe
        6⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        7⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Oghppm32.exe
        
        C:\Windows\system32\Oghppm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Bfjnjcni.exe
        
        C:\Windows\system32\Bfjnjcni.exe
        9⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Cjjcfabm.exe
        
        C:\Windows\system32\Cjjcfabm.exe
        10⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Cfcqpa32.exe
        
        C:\Windows\system32\Cfcqpa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dakacjdb.exe
        
        C:\Windows\system32\Dakacjdb.exe
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Ejdocm32.exe
        
        C:\Windows\system32\Ejdocm32.exe
        14⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Fmjaphek.exe
        
        C:\Windows\system32\Fmjaphek.exe
        16⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Fhabbp32.exe
        
        C:\Windows\system32\Fhabbp32.exe
        17⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Fhflnpoi.exe
        
        C:\Windows\system32\Fhflnpoi.exe
        18⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        19⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Hjedffig.exe
        
        C:\Windows\system32\Hjedffig.exe
        21⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Ibmeoq32.exe
        
        C:\Windows\system32\Ibmeoq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Kaehljpj.exe
        
        C:\Windows\system32\Kaehljpj.exe
        24⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Mlbkap32.exe
        
        C:\Windows\system32\Mlbkap32.exe
        25⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        26⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Bfendmoc.exe
        
        C:\Windows\system32\Bfendmoc.exe
        27⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        28⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Hpofii32.exe
        
        C:\Windows\system32\Hpofii32.exe
        29⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        30⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        31⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        32⤵
        
        PID:4168
  - - C:\Users\Admin\Downloads\240921-nk8sgszflmefb14be9f4467007fea276e6f0f3da14_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nk8sgszflmefb14be9f4467007fea276e6f0f3da14_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:5616
  - - C:\Users\Admin\Downloads\240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads\240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe" +s +h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\Downloads\240921-ny2w4a1cnkefba1ff649c84cf56e808d2c51cc3b49_JaffaCakes118.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6000
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe"
        5⤵
        Modifies firewall policy service
        Disables RegEdit via registry modification
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        Modifies firewall policy service
        Disables RegEdit via registry modification
        
        PID:6692
  - - C:\Users\Admin\Downloads\240921-ndvmaazcnq3f2d104e4a0e27466e8ecbf9892b46a0bf3846abca87c588cc10bb2b285a0f79N.exe
      C:\Users\Admin\Downloads\240921-ndvmaazcnq3f2d104e4a0e27466e8ecbf9892b46a0bf3846abca87c588cc10bb2b285a0f79N.exe
      4⤵
      Executes dropped EXE
      PID:5856
    - - C:\Windows\SysWOW64\Niipjj32.exe
        
        C:\Windows\system32\Niipjj32.exe
        5⤵
        Modifies registry class
        
        PID:4864
      - C:\Windows\SysWOW64\Ngdfdmdi.exe
        
        C:\Windows\system32\Ngdfdmdi.exe
        6⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Oghppm32.exe
        
        C:\Windows\system32\Oghppm32.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2404
  - - C:\Users\Admin\Downloads\240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
      4⤵
      Suspicious use of UnmapMainImage
      PID:5020
    - - C:\Users\Admin\Downloads\240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240921-nw17sazhlcefb8e4e558e5e113c2ed54c8047472fd_JaffaCakes118.exe
        5⤵
        Suspicious use of UnmapMainImage
        
        PID:4240
  - - C:\Users\Admin\Downloads\240921-nera9azaldefadaf64fa6e3b52062afa8fbe0d394c_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nera9azaldefadaf64fa6e3b52062afa8fbe0d394c_JaffaCakes118.exe
      4⤵
      PID:5604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 532
        5⤵
        Program crash
        
        PID:6040
  - - C:\Users\Admin\Downloads\240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe
      4⤵
      Suspicious use of UnmapMainImage
      PID:1780
    - - C:\Users\Admin\Downloads\240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240921-nn8a5azgppefb3f9b2c364d479d904ff6aebd95551_JaffaCakes118.exe
        5⤵
        Suspicious use of UnmapMainImage
        
        PID:6200
  - - C:\Users\Admin\Downloads\240921-npjn6azemeefb42b5107bf9f41d6dfec2ccb84a7c4_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-npjn6azemeefb42b5107bf9f41d6dfec2ccb84a7c4_JaffaCakes118.exe
      4⤵
      PID:5804
    - - C:\Windows\SysWOW64\msvcrt\msisip.exe
        
        "C:\Windows\SysWOW64\msvcrt\msisip.exe"
        5⤵
        
        PID:9036
  - - C:\Users\Admin\Downloads\240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      PID:208
    - - C:\Users\Admin\Downloads\240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
        
        C:\Users\Admin\Downloads\240921-ndpe9szcnjefacc79caff9d7d71c438040c56d4f8b_JaffaCakes118.exe
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops desktop.ini file(s)
        Modifies WinLogon
        Suspicious behavior: EnumeratesProcesses
        
        PID:5556
  - - C:\Users\Admin\Downloads\240921-ndjj1syhmdefacb5aeaf7ed6de6a15a5f77e95193a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ndjj1syhmdefacb5aeaf7ed6de6a15a5f77e95193a_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\240921-nwxjlazhkgstart.bat
      4⤵
      PID:5324
  - - C:\Users\Admin\Downloads\240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nmzmlazgjjefb2dee0e3b00565069dd431d8736d96_JaffaCakes118.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5536
  - - C:\Users\Admin\Downloads\240921-nd1tasyhpf867c3507625df5294758346af12bfefd87a8bb8c48e9e9e68958652886742797.exe
      C:\Users\Admin\Downloads\240921-nd1tasyhpf867c3507625df5294758346af12bfefd87a8bb8c48e9e9e68958652886742797.exe
      4⤵
      Loads dropped DLL
      PID:3052
  - - C:\Users\Admin\Downloads\240921-ntek1a1amm7e7e1fdd9adb897953d9301a09c74b5f3921b0298e083e418e3f4d31d80fc942N.exe
      C:\Users\Admin\Downloads\240921-ntek1a1amm7e7e1fdd9adb897953d9301a09c74b5f3921b0298e083e418e3f4d31d80fc942N.exe
      4⤵
      Drops file in System32 directory
      PID:4600
    - - C:\Windows\SysWOW64\Ehhpla32.exe
        
        C:\Windows\system32\Ehhpla32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3548
      - C:\Windows\SysWOW64\Ffpicn32.exe
        
        C:\Windows\system32\Ffpicn32.exe
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Hncmmd32.exe
        
        C:\Windows\system32\Hncmmd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
  - - C:\Users\Admin\Downloads\240921-nrt8nszfnaefb5d5c89e8a85176549d52e7a330434_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nrt8nszfnaefb5d5c89e8a85176549d52e7a330434_JaffaCakes118.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5692
  - - C:\Users\Admin\Downloads\240921-ny81ea1cnnefba2f0fef43c9d866b89e8757e898bd_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ny81ea1cnnefba2f0fef43c9d866b89e8757e898bd_JaffaCakes118.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5476
  - - C:\Users\Admin\Downloads\240921-nvjaks1bjk8dbe52e366d3e092fe264e9d4e7b048f38e28634c7a7241289d14cbf7fc0813fN.exe
      C:\Users\Admin\Downloads\240921-nvjaks1bjk8dbe52e366d3e092fe264e9d4e7b048f38e28634c7a7241289d14cbf7fc0813fN.exe
      4⤵
      Suspicious use of UnmapMainImage
      PID:5212
    - - C:\Users\Admin\Downloads\240921-nvjaks1bjk8dbe52e366d3e092fe264e9d4e7b048f38e28634c7a7241289d14cbf7fc0813fN.exe
        
        C:\Users\Admin\Downloads\240921-nvjaks1bjk8dbe52e366d3e092fe264e9d4e7b048f38e28634c7a7241289d14cbf7fc0813fN.exe
        5⤵
        
        PID:7224
  - - C:\Users\Admin\Downloads\240921-npz15szepac2e813052657a29fce4e260b2ec9d336cbb23bcafa106a51880fb4f447efe371N.exe
      C:\Users\Admin\Downloads\240921-npz15szepac2e813052657a29fce4e260b2ec9d336cbb23bcafa106a51880fb4f447efe371N.exe
      4⤵
      Drops file in System32 directory
      PID:5712
    - - C:\Windows\SysWOW64\Hdkidohn.exe
        
        C:\Windows\system32\Hdkidohn.exe
        5⤵
        
        PID:6236
  - - C:\Users\Admin\Downloads\240921-nd6pjsyhreefad0fd0df318555fe12c9766f91b129_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nd6pjsyhreefad0fd0df318555fe12c9766f91b129_JaffaCakes118.exe
      4⤵
      PID:5736
  - - C:\Users\Admin\Downloads\240921-n2w51s1dpmefbc6b4f3bcec711c548ffa80e637b33_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n2w51s1dpmefbc6b4f3bcec711c548ffa80e637b33_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Users\Admin\Downloads\240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5136
  - - C:\Users\Admin\Downloads\240921-nncjfszdrdefb31465841e7e51bc2cd72c26601d2e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nncjfszdrdefb31465841e7e51bc2cd72c26601d2e_JaffaCakes118.exe
      4⤵
      Drops file in Windows directory
      PID:5640
    - - \??\c:\Windows\svchest425075242507520.exe
        
        c:\Windows\svchest425075242507520.exe
        5⤵
        
        PID:7692
  - - C:\Users\Admin\Downloads\240921-ng2j1azdrmefaf2fe4583864c205ad3e1dba764c62_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ng2j1azdrmefaf2fe4583864c205ad3e1dba764c62_JaffaCakes118.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:220
  - - C:\Users\Admin\Downloads\240921-nfzc9azbjdf6fb98b21dce931bfddab829c2fee4aea35034f95b3962be5b7c60c36f150138N.exe
      C:\Users\Admin\Downloads\240921-nfzc9azbjdf6fb98b21dce931bfddab829c2fee4aea35034f95b3962be5b7c60c36f150138N.exe
      4⤵
      PID:3096
    - - C:\Windows\SysWOW64\Hkpheidp.exe
        
        C:\Windows\system32\Hkpheidp.exe
        5⤵
        
        PID:5216
      - C:\Windows\SysWOW64\Hgiepjga.exe
        
        C:\Windows\system32\Hgiepjga.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
  - - C:\Users\Admin\Downloads\240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe
      C:\Users\Admin\Downloads\240921-npbcsazgqj4a93984ce38bc47e15d2ac6d66e2ed8ced20ea763b8e20e629136bf2b9fff12eN.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5552
  - - C:\Users\Admin\Downloads\240921-nlr65azdkca1e7aaa8d6ea3c7c57e4edb09dc1daa98545ab33a56622f6dcd3c8938929e334N.exe
      C:\Users\Admin\Downloads\240921-nlr65azdkca1e7aaa8d6ea3c7c57e4edb09dc1daa98545ab33a56622f6dcd3c8938929e334N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:5808
    - - C:\Windows\SysWOW64\Hpmpnp32.exe
        
        C:\Windows\system32\Hpmpnp32.exe
        5⤵
        
        PID:5656
      - C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        6⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 360
        7⤵
        Program crash
        
        PID:1744
  - - C:\Users\Admin\Downloads\240921-nfveaszarba8a0f2a44111b027ffa16b8a02ca4bbb4d38e9e810e73ef6c39f6513ef7c0287.exe
      C:\Users\Admin\Downloads\240921-nfveaszarba8a0f2a44111b027ffa16b8a02ca4bbb4d38e9e810e73ef6c39f6513ef7c0287.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5076
  - - C:\Users\Admin\Downloads\240921-ned1xszcqp0625f3a2523d24b22185bfa67853af9bc96e396bfe59bbcb9ade396a7a007fc0N.exe
      C:\Users\Admin\Downloads\240921-ned1xszcqp0625f3a2523d24b22185bfa67853af9bc96e396bfe59bbcb9ade396a7a007fc0N.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:6428
  - - C:\Users\Admin\Downloads\240921-nys9yszhrcc14ae0727c90d5a56b15a5e1d4a71af764cf4a21d98babbd4cb75643ac30d4afN.exe
      C:\Users\Admin\Downloads\240921-nys9yszhrcc14ae0727c90d5a56b15a5e1d4a71af764cf4a21d98babbd4cb75643ac30d4afN.exe
      4⤵
      Drops file in System32 directory
      PID:6792
    - - C:\Windows\SysWOW64\Kkfcndce.exe
        
        C:\Windows\system32\Kkfcndce.exe
        5⤵
        
        PID:6616
      - C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        6⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        7⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        8⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        9⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        10⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        11⤵
        
        PID:15140
  - - C:\Users\Admin\Downloads\240921-nvhzta1bjjefb7a8cb82a282ba4facfee291ba7482_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nvhzta1bjjefb7a8cb82a282ba4facfee291ba7482_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6800
    - - C:\Users\Admin\Downloads\240921-nvhzta1bjjefb7a8cb82a282ba4facfee291ba7482_JaffaCakes118.exe
        
        "C:\Users\Admin\Downloads\240921-nvhzta1bjjefb7a8cb82a282ba4facfee291ba7482_JaffaCakes118.exe"
        5⤵
        
        PID:5724
  - - C:\Users\Admin\Downloads\240921-nrl73azflgefb5ac936f69115a770735e8deb98b31_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nrl73azflgefb5ac936f69115a770735e8deb98b31_JaffaCakes118.exe
      4⤵
      PID:6808
  - - C:\Users\Admin\Downloads\240921-nhlj6szbqdefaf9583f501557601f7acc59d1a7d32_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nhlj6szbqdefaf9583f501557601f7acc59d1a7d32_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6816
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:8040
    - - C:\Windows\SysWOW64\LaunchWinApp.exe
        
        C:\Windows\system32\LaunchWinApp.exe
        5⤵
        
        PID:3812
  - - C:\Users\Admin\Downloads\240921-nf4mzazbkaf082729a1a03dca517fcc891d47ef67b461c9b3edf7e2a7af20159530fa06bb8N.exe
      C:\Users\Admin\Downloads\240921-nf4mzazbkaf082729a1a03dca517fcc891d47ef67b461c9b3edf7e2a7af20159530fa06bb8N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      PID:6828
    - - C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3960
      - C:\Windows\SysWOW64\Kageaj32.exe
        
        C:\Windows\system32\Kageaj32.exe
        6⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        7⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Pocfpf32.exe
        
        C:\Windows\system32\Pocfpf32.exe
        8⤵
        
        PID:8704
  - - C:\Users\Admin\Downloads\240921-ngxk2szbmgf9eb4436f984ba87018a3e166fcb0def3f983d328206dbcc7449469b49954bbaN.exe
      C:\Users\Admin\Downloads\240921-ngxk2szbmgf9eb4436f984ba87018a3e166fcb0def3f983d328206dbcc7449469b49954bbaN.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6844
    - - C:\Windows\SysWOW64\Jklphekp.exe
        
        C:\Windows\system32\Jklphekp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6400
      - C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        6⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        7⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Oampjeml.exe
        
        C:\Windows\system32\Oampjeml.exe
        8⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        9⤵
        
        PID:9356
  - - C:\Users\Admin\Downloads\240921-ndz7rsyhpdab11bc4d914653846cd26f24d97e4dcc3a4901e1cb65d63bae55cfff4980182b.exe
      C:\Users\Admin\Downloads\240921-ndz7rsyhpdab11bc4d914653846cd26f24d97e4dcc3a4901e1cb65d63bae55cfff4980182b.exe
      4⤵
      PID:6856
  - - C:\Users\Admin\Downloads\240921-nzp9pa1aleefbab66abe4041350ddd3e6a046a8145_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nzp9pa1aleefbab66abe4041350ddd3e6a046a8145_JaffaCakes118.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6868
  - - C:\Users\Admin\Downloads\240921-n3hzsa1bmd5a15fb8a1bfc9d3ca1ecf7a0b02431b64c40b52a97e165c60a922401dd75a3bbN.exe
      C:\Users\Admin\Downloads\240921-n3hzsa1bmd5a15fb8a1bfc9d3ca1ecf7a0b02431b64c40b52a97e165c60a922401dd75a3bbN.exe
      4⤵
      Modifies registry class
      PID:6900
    - - C:\Windows\SysWOW64\Jjopcb32.exe
        
        C:\Windows\system32\Jjopcb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6776
      - C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        7⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        8⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        9⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        10⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        11⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        12⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        13⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        14⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        15⤵
        
        PID:15224
  - - C:\Users\Admin\Downloads\240921-nnwmbszgmr4bf06d507147221db5e14e2d18ae20af0c8fec0bf1c951bf4ae3afc17ea14430.exe
      C:\Users\Admin\Downloads\240921-nnwmbszgmr4bf06d507147221db5e14e2d18ae20af0c8fec0bf1c951bf4ae3afc17ea14430.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Identifies Wine through registry keys
      PID:6908
  - - C:\Users\Admin\Downloads\240921-nsvktszfqhefb675dc9737c417c0e811f912b675e3_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nsvktszfqhefb675dc9737c417c0e811f912b675e3_JaffaCakes118.exe
      4⤵
      PID:6920
    - - C:\Users\Admin\Downloads\240921-nsvktszfqhefb675dc9737c417c0e811f912b675e3_JaffaCakes118mgr.exe
        
        C:\Users\Admin\Downloads\240921-nsvktszfqhefb675dc9737c417c0e811f912b675e3_JaffaCakes118mgr.exe
        5⤵
        
        PID:7740
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:12528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:12860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:16080
  - - C:\Users\Admin\Downloads\240921-nmq1fszfrkefb28bd4a27200427578bfde7985924c_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nmq1fszfrkefb28bd4a27200427578bfde7985924c_JaffaCakes118.exe
      4⤵
      PID:6932
  - - C:\Users\Admin\Downloads\240921-nd3mwsyhqeefacfb2bafc5808d64995eced9dc78f3_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nd3mwsyhqeefacfb2bafc5808d64995eced9dc78f3_JaffaCakes118.exe
      4⤵
      PID:6940
  - - C:\Users\Admin\Downloads\240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
      C:\Users\Admin\Downloads\240921-n2bjba1dmrebbf7f5c4e2f6f4be7b9f288d79d286a19c987cef84d65eadcf38577276db17aN.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:6956
    - - C:\Windows\SysWOW64\Jhpqaiji.exe
        
        C:\Windows\system32\Jhpqaiji.exe
        5⤵
        
        PID:6420
      - C:\Windows\SysWOW64\Lgcjdd32.exe
        
        C:\Windows\system32\Lgcjdd32.exe
        6⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        7⤵
        
        PID:8980
  - - C:\Users\Admin\Downloads\240921-nnad4azgkkSecuriteInfo.com.Win32.PWSX-gen.29050.19153.exe
      C:\Users\Admin\Downloads\240921-nnad4azgkkSecuriteInfo.com.Win32.PWSX-gen.29050.19153.exe
      4⤵
      PID:6976
  - - C:\Users\Admin\Downloads\240921-nnbbdszdrb0fbe70d45fc231926f0111e704020083445d142b7215e881a06dbb182aa59397N.exe
      C:\Users\Admin\Downloads\240921-nnbbdszdrb0fbe70d45fc231926f0111e704020083445d142b7215e881a06dbb182aa59397N.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:6992
    - - C:\Windows\SysWOW64\Lghcocol.exe
        
        C:\Windows\system32\Lghcocol.exe
        5⤵
        
        PID:7528
      - C:\Windows\SysWOW64\Oidhlb32.exe
        
        C:\Windows\system32\Oidhlb32.exe
        6⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Papfgbmg.exe
        
        C:\Windows\system32\Papfgbmg.exe
        7⤵
        
        PID:9328
  - - C:\Users\Admin\Downloads\240921-n2pqya1bjfefbc4ba879e0fee96eb2e2030815db07_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n2pqya1bjfefbc4ba879e0fee96eb2e2030815db07_JaffaCakes118.exe
      4⤵
      PID:7000
    - - C:\Users\Admin\Downloads\240921-n2pqya1bjfefbc4ba879e0fee96eb2e2030815db07_JaffaCakes118mgr.exe
        
        C:\Users\Admin\Downloads\240921-n2pqya1bjfefbc4ba879e0fee96eb2e2030815db07_JaffaCakes118mgr.exe
        5⤵
        
        PID:6880
  - - C:\Users\Admin\Downloads\240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe
      C:\Users\Admin\Downloads\240921-nfmz8azdkr6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      Modifies registry class
      PID:7008
    - - C:\Windows\SysWOW64\Jhpqaiji.exe
        
        C:\Windows\system32\Jhpqaiji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
  - - C:\Users\Admin\Downloads\240921-nfwblazdmjefae79fb2dcc351cd269a6fc5d340cb0_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nfwblazdmjefae79fb2dcc351cd269a6fc5d340cb0_JaffaCakes118.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:7016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 536
        5⤵
        Program crash
        
        PID:7352
  - - C:\Users\Admin\Downloads\240921-nwb8nazgrcefb8551b84eecb2b636babeb11cd57f8_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nwb8nazgrcefb8551b84eecb2b636babeb11cd57f8_JaffaCakes118.exe
      4⤵
      Checks BIOS information in registry
      System Location Discovery: System Language Discovery
      PID:7036
  - - C:\Users\Admin\Downloads\240921-ngnm5szdpq753cc13de78e0223d8d29ebad9f6ada889e8b71b4c9734b63d1a1a0d8180c9c6N.exe
      C:\Users\Admin\Downloads\240921-ngnm5szdpq753cc13de78e0223d8d29ebad9f6ada889e8b71b4c9734b63d1a1a0d8180c9c6N.exe
      4⤵
      PID:7044
  - - C:\Users\Admin\Downloads\240921-ny734s1akaefba2d720d220d38f74811d3dcdbd622_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ny734s1akaefba2d720d220d38f74811d3dcdbd622_JaffaCakes118.exe
      4⤵
      PID:7056
  - - C:\Users\Admin\Downloads\240921-n1cpzs1angefbb509e9ad5140075036576003a3352_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n1cpzs1angefbb509e9ad5140075036576003a3352_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:7084
  - - C:\Users\Admin\Downloads\240921-nwct7azgrde36bbe4fe30a92025f98b1eb83b7f895cb9e87fcb0d18f4e41daed725b9514cfN.exe
      C:\Users\Admin\Downloads\240921-nwct7azgrde36bbe4fe30a92025f98b1eb83b7f895cb9e87fcb0d18f4e41daed725b9514cfN.exe
      4⤵
      PID:7092
  - - C:\Users\Admin\Downloads\240921-nq5b9azhmp32bb7bc3eb45e14a8a2ea42848b1d94b2a0a0b437e8f39270d8c627cf55d2d43N.exe
      C:\Users\Admin\Downloads\240921-nq5b9azhmp32bb7bc3eb45e14a8a2ea42848b1d94b2a0a0b437e8f39270d8c627cf55d2d43N.exe
      4⤵
      PID:7100
  - - C:\Users\Admin\Downloads\240921-nmx4rszfrpefb2ba0605a47144b8a9d748d5b13e4a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nmx4rszfrpefb2ba0605a47144b8a9d748d5b13e4a_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7108
  - - C:\Users\Admin\Downloads\240921-nqt7aazfjcbd1e7a7df928551d9a76ba7ed1ed0e40d0326d53068e46826f9633b76e231af2N.exe
      C:\Users\Admin\Downloads\240921-nqt7aazfjcbd1e7a7df928551d9a76ba7ed1ed0e40d0326d53068e46826f9633b76e231af2N.exe
      4⤵
      Drops file in System32 directory
      PID:7120
    - - C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        5⤵
        
        PID:7580
      - C:\Windows\SysWOW64\Mnphmkji.exe
        
        C:\Windows\system32\Mnphmkji.exe
        6⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        7⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Bbgeno32.exe
        
        C:\Windows\system32\Bbgeno32.exe
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Ebejfk32.exe
        
        C:\Windows\system32\Ebejfk32.exe
        9⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        10⤵
        
        PID:12240
  - - C:\Users\Admin\Downloads\240921-nt6z9a1aqq2408-0-0x0000000000E80000-0x000000000131D000-memory.dmp
      C:\Users\Admin\Downloads\240921-nt6z9a1aqq2408-0-0x0000000000E80000-0x000000000131D000-memory.dmp
      4⤵
      PID:7128
  - - C:\Users\Admin\Downloads\240921-nf1lbazdmnefae937f3d4658cb4964903612b8f500_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nf1lbazdmnefae937f3d4658cb4964903612b8f500_JaffaCakes118.exe
      4⤵
      PID:7136
    - - C:\Users\Admin\Downloads\240921-nf1lbazdmnefae937f3d4658cb4964903612b8f500_JaffaCakes118.exe
        
        5⤵
        
        PID:9840
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:8668
  - - C:\Users\Admin\Downloads\240921-nqy58szhmk2568-3-0x0000000000E80000-0x000000000131D000-memory.dmp
      C:\Users\Admin\Downloads\240921-nqy58szhmk2568-3-0x0000000000E80000-0x000000000131D000-memory.dmp
      4⤵
      PID:7144
  - - C:\Users\Admin\Downloads\240921-nhmr8szbqg11ac5542c5a5154e478d33cecd01be6dc1cd045d033f5fbde889edf747b84698N.exe
      C:\Users\Admin\Downloads\240921-nhmr8szbqg11ac5542c5a5154e478d33cecd01be6dc1cd045d033f5fbde889edf747b84698N.exe
      4⤵
      PID:7152
    - - C:\Windows\SysWOW64\Kkmioc32.exe
        
        C:\Windows\system32\Kkmioc32.exe
        5⤵
        
        PID:6376
      - C:\Windows\SysWOW64\Mejpje32.exe
        
        C:\Windows\system32\Mejpje32.exe
        6⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Okgaijaj.exe
        
        C:\Windows\system32\Okgaijaj.exe
        7⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Piijno32.exe
        
        C:\Windows\system32\Piijno32.exe
        8⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        9⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        10⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        11⤵
        
        PID:12220
  - - C:\Users\Admin\Downloads\240921-n2qy1a1dnn89191081739ce1044189a69371d7a282f6f981fa239c831b6dfb3e242f6cedaaN.exe
      C:\Users\Admin\Downloads\240921-n2qy1a1dnn89191081739ce1044189a69371d7a282f6f981fa239c831b6dfb3e242f6cedaaN.exe
      4⤵
      Modifies registry class
      PID:4508
    - - C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        5⤵
        
        PID:7240
      - C:\Windows\SysWOW64\Mldhfpib.exe
        
        C:\Windows\system32\Mldhfpib.exe
        6⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        7⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        8⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        9⤵
        
        PID:10932
  - - C:\Users\Admin\Downloads\240921-n1rh5s1ape3a11224d108b18e62015b0b0cf82a56170433d416ea9ccbf45f904724801de5cN.exe
      C:\Users\Admin\Downloads\240921-n1rh5s1ape3a11224d108b18e62015b0b0cf82a56170433d416ea9ccbf45f904724801de5cN.exe
      4⤵
      Loads dropped DLL
      PID:5264
    - - C:\Windows\System\FqPkDdx.exe
        
        C:\Windows\System\FqPkDdx.exe
        5⤵
        
        PID:6464
    - - C:\Windows\System\AzPMKVj.exe
        
        C:\Windows\System\AzPMKVj.exe
        5⤵
        
        PID:6192
    - - C:\Windows\System\XFGOEoy.exe
        
        C:\Windows\System\XFGOEoy.exe
        5⤵
        
        PID:3872
    - - C:\Windows\System\PFgeTbT.exe
        
        C:\Windows\System\PFgeTbT.exe
        5⤵
        
        PID:6076
    - - C:\Windows\System\vHFdadz.exe
        
        C:\Windows\System\vHFdadz.exe
        5⤵
        
        PID:6416
    - - C:\Windows\System\zbepbun.exe
        
        C:\Windows\System\zbepbun.exe
        5⤵
        
        PID:6444
    - - C:\Windows\System\PspobBj.exe
        
        C:\Windows\System\PspobBj.exe
        5⤵
        
        PID:3024
    - - C:\Windows\System\mSATXBy.exe
        
        C:\Windows\System\mSATXBy.exe
        5⤵
        
        PID:6716
    - - C:\Windows\System\dyuZfgU.exe
        
        C:\Windows\System\dyuZfgU.exe
        5⤵
        
        PID:6556
    - - C:\Windows\System\oXahiMA.exe
        
        C:\Windows\System\oXahiMA.exe
        5⤵
        
        PID:7132
    - - C:\Windows\System\oxrulfp.exe
        
        C:\Windows\System\oxrulfp.exe
        5⤵
        
        PID:6432
    - - C:\Windows\System\YAhjBwV.exe
        
        C:\Windows\System\YAhjBwV.exe
        5⤵
        
        PID:4860
    - - C:\Windows\System\iiAKrbN.exe
        
        C:\Windows\System\iiAKrbN.exe
        5⤵
        
        PID:2300
    - - C:\Windows\System\LniBREz.exe
        
        C:\Windows\System\LniBREz.exe
        5⤵
        
        PID:5212
    - - C:\Windows\System\UGzMvsr.exe
        
        C:\Windows\System\UGzMvsr.exe
        5⤵
        
        PID:788
    - - C:\Windows\System\nZZYPlC.exe
        
        C:\Windows\System\nZZYPlC.exe
        5⤵
        
        PID:4852
    - - C:\Windows\System\AMHhZaH.exe
        
        C:\Windows\System\AMHhZaH.exe
        5⤵
        
        PID:4592
    - - C:\Windows\System\HdLoOUg.exe
        
        C:\Windows\System\HdLoOUg.exe
        5⤵
        
        PID:5240
    - - C:\Windows\System\JuNeqLM.exe
        
        C:\Windows\System\JuNeqLM.exe
        5⤵
        
        PID:7848
    - - C:\Windows\System\ccInyaz.exe
        
        C:\Windows\System\ccInyaz.exe
        5⤵
        
        PID:6712
    - - C:\Windows\System\EpSbaWR.exe
        
        C:\Windows\System\EpSbaWR.exe
        5⤵
        
        PID:5660
    - - C:\Windows\System\sYcsWOz.exe
        
        C:\Windows\System\sYcsWOz.exe
        5⤵
        
        PID:6504
    - - C:\Windows\System\gODrISG.exe
        
        C:\Windows\System\gODrISG.exe
        5⤵
        
        PID:4580
    - - C:\Windows\System\BBDwhLB.exe
        
        C:\Windows\System\BBDwhLB.exe
        5⤵
        
        PID:6164
    - - C:\Windows\System\mnMQmNA.exe
        
        C:\Windows\System\mnMQmNA.exe
        5⤵
        
        PID:7912
    - - C:\Windows\System\ICPmGYa.exe
        
        C:\Windows\System\ICPmGYa.exe
        5⤵
        
        PID:2292
    - - C:\Windows\System\ccVCKRs.exe
        
        C:\Windows\System\ccVCKRs.exe
        5⤵
        
        PID:8204
    - - C:\Windows\System\fKLVfQE.exe
        
        C:\Windows\System\fKLVfQE.exe
        5⤵
        
        PID:8228
    - - C:\Windows\System\MqbQRPq.exe
        
        C:\Windows\System\MqbQRPq.exe
        5⤵
        
        PID:8268
    - - C:\Windows\System\NpLPvbY.exe
        
        C:\Windows\System\NpLPvbY.exe
        5⤵
        
        PID:8292
    - - C:\Windows\System\HlszhzN.exe
        
        C:\Windows\System\HlszhzN.exe
        5⤵
        
        PID:8336
    - - C:\Windows\System\EpHDcih.exe
        
        C:\Windows\System\EpHDcih.exe
        5⤵
        
        PID:8360
    - - C:\Windows\System\YGvfXjn.exe
        
        C:\Windows\System\YGvfXjn.exe
        5⤵
        
        PID:8384
    - - C:\Windows\System\zYLHKUK.exe
        
        C:\Windows\System\zYLHKUK.exe
        5⤵
        
        PID:8428
    - - C:\Windows\System\isThXKU.exe
        
        C:\Windows\System\isThXKU.exe
        5⤵
        
        PID:8448
    - - C:\Windows\System\pyQvcVO.exe
        
        C:\Windows\System\pyQvcVO.exe
        5⤵
        
        PID:8480
    - - C:\Windows\System\AilUWZP.exe
        
        C:\Windows\System\AilUWZP.exe
        5⤵
        
        PID:8508
    - - C:\Windows\System\VsnNTfz.exe
        
        C:\Windows\System\VsnNTfz.exe
        5⤵
        
        PID:8544
    - - C:\Windows\System\hMOkPMe.exe
        
        C:\Windows\System\hMOkPMe.exe
        5⤵
        
        PID:8572
    - - C:\Windows\System\jTjMnEQ.exe
        
        C:\Windows\System\jTjMnEQ.exe
        5⤵
        
        PID:8592
    - - C:\Windows\System\SfBXiPC.exe
        
        C:\Windows\System\SfBXiPC.exe
        5⤵
        
        PID:8632
    - - C:\Windows\System\tleMFDH.exe
        
        C:\Windows\System\tleMFDH.exe
        5⤵
        
        PID:8652
    - - C:\Windows\System\geJUYZc.exe
        
        C:\Windows\System\geJUYZc.exe
        5⤵
        
        PID:8672
    - - C:\Windows\System\UsWeEIq.exe
        
        C:\Windows\System\UsWeEIq.exe
        5⤵
        
        PID:8688
    - - C:\Windows\System\VhimoRS.exe
        
        C:\Windows\System\VhimoRS.exe
        5⤵
        
        PID:8708
    - - C:\Windows\System\EaQcpuc.exe
        
        C:\Windows\System\EaQcpuc.exe
        5⤵
        
        PID:8732
    - - C:\Windows\System\quYdrDt.exe
        
        C:\Windows\System\quYdrDt.exe
        5⤵
        
        PID:8764
    - - C:\Windows\System\fcrhcVC.exe
        
        C:\Windows\System\fcrhcVC.exe
        5⤵
        
        PID:8784
    - - C:\Windows\System\wYzJAmB.exe
        
        C:\Windows\System\wYzJAmB.exe
        5⤵
        
        PID:8828
    - - C:\Windows\System\kZGhLWd.exe
        
        C:\Windows\System\kZGhLWd.exe
        5⤵
        
        PID:8844
    - - C:\Windows\System\CFygTBV.exe
        
        C:\Windows\System\CFygTBV.exe
        5⤵
        
        PID:8860
    - - C:\Windows\System\gSKiVYq.exe
        
        C:\Windows\System\gSKiVYq.exe
        5⤵
        
        PID:8876
    - - C:\Windows\System\sGuQiHw.exe
        
        C:\Windows\System\sGuQiHw.exe
        5⤵
        
        PID:8892
    - - C:\Windows\System\jGvNMim.exe
        
        C:\Windows\System\jGvNMim.exe
        5⤵
        
        PID:8912
    - - C:\Windows\System\eLmxkRn.exe
        
        C:\Windows\System\eLmxkRn.exe
        5⤵
        
        PID:8932
    - - C:\Windows\System\QAlnzZF.exe
        
        C:\Windows\System\QAlnzZF.exe
        5⤵
        
        PID:8968
    - - C:\Windows\System\xLshIey.exe
        
        C:\Windows\System\xLshIey.exe
        5⤵
        
        PID:9000
    - - C:\Windows\System\QRzKMPa.exe
        
        C:\Windows\System\QRzKMPa.exe
        5⤵
        
        PID:7252
    - - C:\Windows\System\jyPEUUF.exe
        
        C:\Windows\System\jyPEUUF.exe
        5⤵
        
        PID:5680
    - - C:\Windows\System\xMOTXyM.exe
        
        C:\Windows\System\xMOTXyM.exe
        5⤵
        
        PID:7300
    - - C:\Windows\System\wcUvMrJ.exe
        
        C:\Windows\System\wcUvMrJ.exe
        5⤵
        
        PID:6240
    - - C:\Windows\System\WFosfYy.exe
        
        C:\Windows\System\WFosfYy.exe
        5⤵
        
        PID:7380
    - - C:\Windows\System\PhGNPwW.exe
        
        C:\Windows\System\PhGNPwW.exe
        5⤵
        
        PID:7784
    - - C:\Windows\System\XTqCpcx.exe
        
        C:\Windows\System\XTqCpcx.exe
        5⤵
        
        PID:7932
    - - C:\Windows\System\TiCYtko.exe
        
        C:\Windows\System\TiCYtko.exe
        5⤵
        
        PID:7976
    - - C:\Windows\System\aYLnWGK.exe
        
        C:\Windows\System\aYLnWGK.exe
        5⤵
        
        PID:7536
    - - C:\Windows\System\ICjxyWC.exe
        
        C:\Windows\System\ICjxyWC.exe
        5⤵
        
        PID:4992
    - - C:\Windows\System\vkkaVaE.exe
        
        C:\Windows\System\vkkaVaE.exe
        5⤵
        
        PID:4908
    - - C:\Windows\System\UWXbixy.exe
        
        C:\Windows\System\UWXbixy.exe
        5⤵
        
        PID:7568
    - - C:\Windows\System\WLvgoLp.exe
        
        C:\Windows\System\WLvgoLp.exe
        5⤵
        
        PID:6004
    - - C:\Windows\System\GgcWWRJ.exe
        
        C:\Windows\System\GgcWWRJ.exe
        5⤵
        
        PID:8108
    - - C:\Windows\System\bgbYOrd.exe
        
        C:\Windows\System\bgbYOrd.exe
        5⤵
        
        PID:8128
    - - C:\Windows\System\nGEBOeN.exe
        
        C:\Windows\System\nGEBOeN.exe
        5⤵
        
        PID:5492
    - - C:\Windows\System\TPbNXUC.exe
        
        C:\Windows\System\TPbNXUC.exe
        5⤵
        
        PID:7604
    - - C:\Windows\System\skWJrMm.exe
        
        C:\Windows\System\skWJrMm.exe
        5⤵
        
        PID:9256
    - - C:\Windows\System\jMZGSaF.exe
        
        C:\Windows\System\jMZGSaF.exe
        5⤵
        
        PID:9316
    - - C:\Windows\System\hvYIVoI.exe
        
        C:\Windows\System\hvYIVoI.exe
        5⤵
        
        PID:9376
    - - C:\Windows\System\ufpCasl.exe
        
        C:\Windows\System\ufpCasl.exe
        5⤵
        
        PID:9400
    - - C:\Windows\System\WpOjuyl.exe
        
        C:\Windows\System\WpOjuyl.exe
        5⤵
        
        PID:9416
    - - C:\Windows\System\skxrbzE.exe
        
        C:\Windows\System\skxrbzE.exe
        5⤵
        
        PID:9444
    - - C:\Windows\System\yhpNVoQ.exe
        
        C:\Windows\System\yhpNVoQ.exe
        5⤵
        
        PID:9600
    - - C:\Windows\System\PpsJffw.exe
        
        C:\Windows\System\PpsJffw.exe
        5⤵
        
        PID:9672
    - - C:\Windows\System\yRkNkxc.exe
        
        C:\Windows\System\yRkNkxc.exe
        5⤵
        
        PID:9688
    - - C:\Windows\System\HzihznS.exe
        
        C:\Windows\System\HzihznS.exe
        5⤵
        
        PID:9708
    - - C:\Windows\System\pbMjkzh.exe
        
        C:\Windows\System\pbMjkzh.exe
        5⤵
        
        PID:9724
    - - C:\Windows\System\TNqaAPy.exe
        
        C:\Windows\System\TNqaAPy.exe
        5⤵
        
        PID:9740
    - - C:\Windows\System\FlSFxnS.exe
        
        C:\Windows\System\FlSFxnS.exe
        5⤵
        
        PID:9020
    - - C:\Windows\System\zTDamQl.exe
        
        C:\Windows\System\zTDamQl.exe
        5⤵
        
        PID:4532
    - - C:\Windows\System\rmrowYO.exe
        
        C:\Windows\System\rmrowYO.exe
        5⤵
        
        PID:7188
    - - C:\Windows\System\iHuquHF.exe
        
        C:\Windows\System\iHuquHF.exe
        5⤵
        
        PID:6660
    - - C:\Windows\System\HsWQrBA.exe
        
        C:\Windows\System\HsWQrBA.exe
        5⤵
        
        PID:6892
    - - C:\Windows\System\kfUEFrZ.exe
        
        C:\Windows\System\kfUEFrZ.exe
        5⤵
        
        PID:8284
    - - C:\Windows\System\HHTYFSe.exe
        
        C:\Windows\System\HHTYFSe.exe
        5⤵
        
        PID:2080
    - - C:\Windows\System\tHQJbDg.exe
        
        C:\Windows\System\tHQJbDg.exe
        5⤵
        
        PID:8404
    - - C:\Windows\System\CVzRZpr.exe
        
        C:\Windows\System\CVzRZpr.exe
        5⤵
        
        PID:8440
    - - C:\Windows\System\ybjQaSD.exe
        
        C:\Windows\System\ybjQaSD.exe
        5⤵
        
        PID:8516
    - - C:\Windows\System\xyEIaHq.exe
        
        C:\Windows\System\xyEIaHq.exe
        5⤵
        
        PID:8540
    - - C:\Windows\System\mqvcbox.exe
        
        C:\Windows\System\mqvcbox.exe
        5⤵
        
        PID:10076
    - - C:\Windows\System\MSrmarQ.exe
        
        C:\Windows\System\MSrmarQ.exe
        5⤵
        
        PID:8628
    - - C:\Windows\System\duGcOuq.exe
        
        C:\Windows\System\duGcOuq.exe
        5⤵
        
        PID:8684
    - - C:\Windows\System\fMkWiFE.exe
        
        C:\Windows\System\fMkWiFE.exe
        5⤵
        
        PID:8704
    - - C:\Windows\System\zxPRhGQ.exe
        
        C:\Windows\System\zxPRhGQ.exe
        5⤵
        
        PID:9352
    - - C:\Windows\System\izEVosq.exe
        
        C:\Windows\System\izEVosq.exe
        5⤵
        
        PID:8752
    - - C:\Windows\System\lGJHApA.exe
        
        C:\Windows\System\lGJHApA.exe
        5⤵
        
        PID:8776
    - - C:\Windows\System\aKLGIEo.exe
        
        C:\Windows\System\aKLGIEo.exe
        5⤵
        
        PID:8840
    - - C:\Windows\System\vVZcCAL.exe
        
        C:\Windows\System\vVZcCAL.exe
        5⤵
        
        PID:8812
    - - C:\Windows\System\rNCTFGP.exe
        
        C:\Windows\System\rNCTFGP.exe
        5⤵
        
        PID:8900
    - - C:\Windows\System\BeSQjJq.exe
        
        C:\Windows\System\BeSQjJq.exe
        5⤵
        
        PID:8868
    - - C:\Windows\System\NfxCEpW.exe
        
        C:\Windows\System\NfxCEpW.exe
        5⤵
        
        PID:8928
    - - C:\Windows\System\ZETIVpf.exe
        
        C:\Windows\System\ZETIVpf.exe
        5⤵
        
        PID:8960
    - - C:\Windows\System\MdSlyay.exe
        
        C:\Windows\System\MdSlyay.exe
        5⤵
        
        PID:9008
    - - C:\Windows\System\DHEkUEG.exe
        
        C:\Windows\System\DHEkUEG.exe
        5⤵
        
        PID:8976
    - - C:\Windows\System\emRCUiE.exe
        
        C:\Windows\System\emRCUiE.exe
        5⤵
        
        PID:9104
    - - C:\Windows\System\tHKcfgx.exe
        
        C:\Windows\System\tHKcfgx.exe
        5⤵
        
        PID:3316
    - - C:\Windows\System\cRsxjOB.exe
        
        C:\Windows\System\cRsxjOB.exe
        5⤵
        
        PID:884
    - - C:\Windows\System\vRzgTqd.exe
        
        C:\Windows\System\vRzgTqd.exe
        5⤵
        
        PID:6364
    - - C:\Windows\System\UTVPzJm.exe
        
        C:\Windows\System\UTVPzJm.exe
        5⤵
        
        PID:5592
    - - C:\Windows\System\iPXkvlI.exe
        
        C:\Windows\System\iPXkvlI.exe
        5⤵
        
        PID:9168
    - - C:\Windows\System\dgypgpV.exe
        
        C:\Windows\System\dgypgpV.exe
        5⤵
        
        PID:9144
    - - C:\Windows\System\fIFLuMd.exe
        
        C:\Windows\System\fIFLuMd.exe
        5⤵
        
        PID:9128
    - - C:\Windows\System\MMDoggN.exe
        
        C:\Windows\System\MMDoggN.exe
        5⤵
        
        PID:10232
    - - C:\Windows\System\JSjdkbY.exe
        
        C:\Windows\System\JSjdkbY.exe
        5⤵
        
        PID:2384
    - - C:\Windows\System\AiluwMb.exe
        
        C:\Windows\System\AiluwMb.exe
        5⤵
        
        PID:7512
    - - C:\Windows\System\UMTRJAH.exe
        
        C:\Windows\System\UMTRJAH.exe
        5⤵
        
        PID:5976
    - - C:\Windows\System\huQQmBe.exe
        
        C:\Windows\System\huQQmBe.exe
        5⤵
        
        PID:9408
    - - C:\Windows\System\ApZRSsj.exe
        
        C:\Windows\System\ApZRSsj.exe
        5⤵
        
        PID:5664
    - - C:\Windows\System\qZksHLc.exe
        
        C:\Windows\System\qZksHLc.exe
        5⤵
        
        PID:8716
    - - C:\Windows\System\IJDiqkB.exe
        
        C:\Windows\System\IJDiqkB.exe
        5⤵
        
        PID:6704
    - - C:\Windows\System\cLZqMFC.exe
        
        C:\Windows\System\cLZqMFC.exe
        5⤵
        
        PID:7524
    - - C:\Windows\System\mHiSpQp.exe
        
        C:\Windows\System\mHiSpQp.exe
        5⤵
        
        PID:8372
    - - C:\Windows\System\flaDAtf.exe
        
        C:\Windows\System\flaDAtf.exe
        5⤵
        
        PID:7616
    - - C:\Windows\System\bYEosgE.exe
        
        C:\Windows\System\bYEosgE.exe
        5⤵
        
        PID:8532
    - - C:\Windows\System\mkAxGWi.exe
        
        C:\Windows\System\mkAxGWi.exe
        5⤵
        
        PID:9224
    - - C:\Windows\System\gcmxmDK.exe
        
        C:\Windows\System\gcmxmDK.exe
        5⤵
        
        PID:9264
    - - C:\Windows\System\dpTZqMu.exe
        
        C:\Windows\System\dpTZqMu.exe
        5⤵
        
        PID:9288
    - - C:\Windows\System\tNZFpCo.exe
        
        C:\Windows\System\tNZFpCo.exe
        5⤵
        
        PID:8020
    - - C:\Windows\System\OrmTTfE.exe
        
        C:\Windows\System\OrmTTfE.exe
        5⤵
        
        PID:9452
    - - C:\Windows\System\xmDFIho.exe
        
        C:\Windows\System\xmDFIho.exe
        5⤵
        
        PID:9612
    - - C:\Windows\System\SrEAshI.exe
        
        C:\Windows\System\SrEAshI.exe
        5⤵
        
        PID:9636
    - - C:\Windows\System\CcmoIjz.exe
        
        C:\Windows\System\CcmoIjz.exe
        5⤵
        
        PID:9652
    - - C:\Windows\System\BTehHCL.exe
        
        C:\Windows\System\BTehHCL.exe
        5⤵
        
        PID:10252
    - - C:\Windows\System\MPByRzC.exe
        
        C:\Windows\System\MPByRzC.exe
        5⤵
        
        PID:10364
    - - C:\Windows\System\bgWgezU.exe
        
        C:\Windows\System\bgWgezU.exe
        5⤵
        
        PID:10412
    - - C:\Windows\System\nmUWPHW.exe
        
        C:\Windows\System\nmUWPHW.exe
        5⤵
        
        PID:10464
    - - C:\Windows\System\cMpDWpP.exe
        
        C:\Windows\System\cMpDWpP.exe
        5⤵
        
        PID:10532
    - - C:\Windows\System\sVzXAwA.exe
        
        C:\Windows\System\sVzXAwA.exe
        5⤵
        
        PID:10556
    - - C:\Windows\System\IyGQyZE.exe
        
        C:\Windows\System\IyGQyZE.exe
        5⤵
        
        PID:10740
    - - C:\Windows\System\dCAMWfV.exe
        
        C:\Windows\System\dCAMWfV.exe
        5⤵
        
        PID:10772
    - - C:\Windows\System\wAcmQBI.exe
        
        C:\Windows\System\wAcmQBI.exe
        5⤵
        
        PID:10812
    - - C:\Windows\System\akArMLj.exe
        
        C:\Windows\System\akArMLj.exe
        5⤵
        
        PID:10840
    - - C:\Windows\System\FsGtUHg.exe
        
        C:\Windows\System\FsGtUHg.exe
        5⤵
        
        PID:10884
    - - C:\Windows\System\rwuNfth.exe
        
        C:\Windows\System\rwuNfth.exe
        5⤵
        
        PID:10912
    - - C:\Windows\System\rdKCkSf.exe
        
        C:\Windows\System\rdKCkSf.exe
        5⤵
        
        PID:10988
    - - C:\Windows\System\KbLVZDC.exe
        
        C:\Windows\System\KbLVZDC.exe
        5⤵
        
        PID:11076
    - - C:\Windows\System\XkFuTNL.exe
        
        C:\Windows\System\XkFuTNL.exe
        5⤵
        
        PID:11092
    - - C:\Windows\System\kySKyBx.exe
        
        C:\Windows\System\kySKyBx.exe
        5⤵
        
        PID:11108
    - - C:\Windows\System\tvKXVbL.exe
        
        C:\Windows\System\tvKXVbL.exe
        5⤵
        
        PID:11124
    - - C:\Windows\System\OSZVIbe.exe
        
        C:\Windows\System\OSZVIbe.exe
        5⤵
        
        PID:11144
    - - C:\Windows\System\FxjCelA.exe
        
        C:\Windows\System\FxjCelA.exe
        5⤵
        
        PID:11160
    - - C:\Windows\System\BUusaHq.exe
        
        C:\Windows\System\BUusaHq.exe
        5⤵
        
        PID:11176
    - - C:\Windows\System\uMiXPer.exe
        
        C:\Windows\System\uMiXPer.exe
        5⤵
        
        PID:11192
    - - C:\Windows\System\HrZGcZY.exe
        
        C:\Windows\System\HrZGcZY.exe
        5⤵
        
        PID:11208
    - - C:\Windows\System\TXdCuNh.exe
        
        C:\Windows\System\TXdCuNh.exe
        5⤵
        
        PID:11224
    - - C:\Windows\System\NzBzyRp.exe
        
        C:\Windows\System\NzBzyRp.exe
        5⤵
        
        PID:11240
    - - C:\Windows\System\sFCsubO.exe
        
        C:\Windows\System\sFCsubO.exe
        5⤵
        
        PID:11256
    - - C:\Windows\System\RnbzIUc.exe
        
        C:\Windows\System\RnbzIUc.exe
        5⤵
        
        PID:9872
    - - C:\Windows\System\eGEvcbE.exe
        
        C:\Windows\System\eGEvcbE.exe
        5⤵
        
        PID:9888
    - - C:\Windows\System\DdPCMPH.exe
        
        C:\Windows\System\DdPCMPH.exe
        5⤵
        
        PID:9916
    - - C:\Windows\System\CSiXgFZ.exe
        
        C:\Windows\System\CSiXgFZ.exe
        5⤵
        
        PID:9940
    - - C:\Windows\System\szOgzVr.exe
        
        C:\Windows\System\szOgzVr.exe
        5⤵
        
        PID:5944
    - - C:\Windows\System\YfRiyIf.exe
        
        C:\Windows\System\YfRiyIf.exe
        5⤵
        
        PID:8720
    - - C:\Windows\System\VBbQIGS.exe
        
        C:\Windows\System\VBbQIGS.exe
        5⤵
        
        PID:4112
    - - C:\Windows\System\GRPZkFt.exe
        
        C:\Windows\System\GRPZkFt.exe
        5⤵
        
        PID:9432
    - - C:\Windows\System\VXcTTwx.exe
        
        C:\Windows\System\VXcTTwx.exe
        5⤵
        
        PID:9576
    - - C:\Windows\System\dWAjfMx.exe
        
        C:\Windows\System\dWAjfMx.exe
        5⤵
        
        PID:5940
    - - C:\Windows\System\dZgrYIT.exe
        
        C:\Windows\System\dZgrYIT.exe
        5⤵
        
        PID:7872
    - - C:\Windows\System\AgLsSdL.exe
        
        C:\Windows\System\AgLsSdL.exe
        5⤵
        
        PID:9628
    - - C:\Windows\System\XcJUlLV.exe
        
        C:\Windows\System\XcJUlLV.exe
        5⤵
        
        PID:8700
    - - C:\Windows\System\jcRCXMJ.exe
        
        C:\Windows\System\jcRCXMJ.exe
        5⤵
        
        PID:7792
    - - C:\Windows\System\yNnpzUK.exe
        
        C:\Windows\System\yNnpzUK.exe
        5⤵
        
        PID:4648
    - - C:\Windows\System\hsDKcQs.exe
        
        C:\Windows\System\hsDKcQs.exe
        5⤵
        
        PID:10480
    - - C:\Windows\System\JqLqXnA.exe
        
        C:\Windows\System\JqLqXnA.exe
        5⤵
        
        PID:10648
    - - C:\Windows\System\vWXsFNM.exe
        
        C:\Windows\System\vWXsFNM.exe
        5⤵
        
        PID:12708
    - - C:\Windows\System\fWrkpkS.exe
        
        C:\Windows\System\fWrkpkS.exe
        5⤵
        
        PID:12740
    - - C:\Windows\System\aajiTFs.exe
        
        C:\Windows\System\aajiTFs.exe
        5⤵
        
        PID:12828
    - - C:\Windows\System\TNawTMb.exe
        
        C:\Windows\System\TNawTMb.exe
        5⤵
        
        PID:12896
    - - C:\Windows\System\XBSQjxB.exe
        
        C:\Windows\System\XBSQjxB.exe
        5⤵
        
        PID:12992
    - - C:\Windows\System\iBGKoJg.exe
        
        C:\Windows\System\iBGKoJg.exe
        5⤵
        
        PID:13016
    - - C:\Windows\System\jsyijIz.exe
        
        C:\Windows\System\jsyijIz.exe
        5⤵
        
        PID:13044
    - - C:\Windows\System\mGLsyEn.exe
        
        C:\Windows\System\mGLsyEn.exe
        5⤵
        
        PID:13060
    - - C:\Windows\System\Maqelur.exe
        
        C:\Windows\System\Maqelur.exe
        5⤵
        
        PID:13076
    - - C:\Windows\System\iJHazey.exe
        
        C:\Windows\System\iJHazey.exe
        5⤵
        
        PID:13092
    - - C:\Windows\System\JFyraaf.exe
        
        C:\Windows\System\JFyraaf.exe
        5⤵
        
        PID:13108
    - - C:\Windows\System\AyTisDk.exe
        
        C:\Windows\System\AyTisDk.exe
        5⤵
        
        PID:13124
    - - C:\Windows\System\McMrxRo.exe
        
        C:\Windows\System\McMrxRo.exe
        5⤵
        
        PID:13144
    - - C:\Windows\System\OadpFde.exe
        
        C:\Windows\System\OadpFde.exe
        5⤵
        
        PID:13160
    - - C:\Windows\System\qNzLyom.exe
        
        C:\Windows\System\qNzLyom.exe
        5⤵
        
        PID:13176
    - - C:\Windows\System\aCUwyTZ.exe
        
        C:\Windows\System\aCUwyTZ.exe
        5⤵
        
        PID:13192
    - - C:\Windows\System\jzfzEbJ.exe
        
        C:\Windows\System\jzfzEbJ.exe
        5⤵
        
        PID:13212
    - - C:\Windows\System\FBmmvXM.exe
        
        C:\Windows\System\FBmmvXM.exe
        5⤵
        
        PID:13232
    - - C:\Windows\System\EeJbSzC.exe
        
        C:\Windows\System\EeJbSzC.exe
        5⤵
        
        PID:13264
    - - C:\Windows\System\Utiukwb.exe
        
        C:\Windows\System\Utiukwb.exe
        5⤵
        
        PID:13284
    - - C:\Windows\System\uhUMwIe.exe
        
        C:\Windows\System\uhUMwIe.exe
        5⤵
        
        PID:13300
    - - C:\Windows\System\sVvrkzo.exe
        
        C:\Windows\System\sVvrkzo.exe
        5⤵
        
        PID:11552
    - - C:\Windows\System\XCXHViY.exe
        
        C:\Windows\System\XCXHViY.exe
        5⤵
        
        PID:6644
    - - C:\Windows\System\idWXOFh.exe
        
        C:\Windows\System\idWXOFh.exe
        5⤵
        
        PID:10020
    - - C:\Windows\System\xpHfXDP.exe
        
        C:\Windows\System\xpHfXDP.exe
        5⤵
        
        PID:11684
    - - C:\Windows\System\ILVevcJ.exe
        
        C:\Windows\System\ILVevcJ.exe
        5⤵
        
        PID:8144
    - - C:\Windows\System\GDdXclw.exe
        
        C:\Windows\System\GDdXclw.exe
        5⤵
        
        PID:11824
    - - C:\Windows\System\TDxUpNd.exe
        
        C:\Windows\System\TDxUpNd.exe
        5⤵
        
        PID:11928
    - - C:\Windows\System\wzOLbic.exe
        
        C:\Windows\System\wzOLbic.exe
        5⤵
        
        PID:11944
    - - C:\Windows\System\EDkSyZV.exe
        
        C:\Windows\System\EDkSyZV.exe
        5⤵
        
        PID:12176
    - - C:\Windows\System\AwTJVxR.exe
        
        C:\Windows\System\AwTJVxR.exe
        5⤵
        
        PID:12200
    - - C:\Windows\System\VPfdFvP.exe
        
        C:\Windows\System\VPfdFvP.exe
        5⤵
        
        PID:12236
    - - C:\Windows\System\VRzbkWd.exe
        
        C:\Windows\System\VRzbkWd.exe
        5⤵
        
        PID:2100
    - - C:\Windows\System\woEwnQz.exe
        
        C:\Windows\System\woEwnQz.exe
        5⤵
        
        PID:3268
    - - C:\Windows\System\rWOLdDj.exe
        
        C:\Windows\System\rWOLdDj.exe
        5⤵
        
        PID:13320
    - - C:\Windows\System\UyDoNhj.exe
        
        C:\Windows\System\UyDoNhj.exe
        5⤵
        
        PID:13344
    - - C:\Windows\System\ZHXQKUI.exe
        
        C:\Windows\System\ZHXQKUI.exe
        5⤵
        
        PID:13360
    - - C:\Windows\System\gNFGIar.exe
        
        C:\Windows\System\gNFGIar.exe
        5⤵
        
        PID:13376
    - - C:\Windows\System\UewzVlx.exe
        
        C:\Windows\System\UewzVlx.exe
        5⤵
        
        PID:13396
    - - C:\Windows\System\yOnwbKH.exe
        
        C:\Windows\System\yOnwbKH.exe
        5⤵
        
        PID:13436
    - - C:\Windows\System\vLkYhBP.exe
        
        C:\Windows\System\vLkYhBP.exe
        5⤵
        
        PID:13452
    - - C:\Windows\System\iwrgHhx.exe
        
        C:\Windows\System\iwrgHhx.exe
        5⤵
        
        PID:13472
    - - C:\Windows\System\njwFNwL.exe
        
        C:\Windows\System\njwFNwL.exe
        5⤵
        
        PID:13488
    - - C:\Windows\System\tQhjcDs.exe
        
        C:\Windows\System\tQhjcDs.exe
        5⤵
        
        PID:13512
    - - C:\Windows\System\xoGIxHH.exe
        
        C:\Windows\System\xoGIxHH.exe
        5⤵
        
        PID:13536
    - - C:\Windows\System\oZEBIwq.exe
        
        C:\Windows\System\oZEBIwq.exe
        5⤵
        
        PID:13556
    - - C:\Windows\System\DyLPVxR.exe
        
        C:\Windows\System\DyLPVxR.exe
        5⤵
        
        PID:13580
    - - C:\Windows\System\KxNcpNS.exe
        
        C:\Windows\System\KxNcpNS.exe
        5⤵
        
        PID:13600
    - - C:\Windows\System\eLQAEIR.exe
        
        C:\Windows\System\eLQAEIR.exe
        5⤵
        
        PID:13628
    - - C:\Windows\System\gnfpkSM.exe
        
        C:\Windows\System\gnfpkSM.exe
        5⤵
        
        PID:13648
    - - C:\Windows\System\iXRmOxY.exe
        
        C:\Windows\System\iXRmOxY.exe
        5⤵
        
        PID:13672
    - - C:\Windows\System\lhKBDcN.exe
        
        C:\Windows\System\lhKBDcN.exe
        5⤵
        
        PID:13688
    - - C:\Windows\System\mJjdOgg.exe
        
        C:\Windows\System\mJjdOgg.exe
        5⤵
        
        PID:13704
    - - C:\Windows\System\BFtXjSM.exe
        
        C:\Windows\System\BFtXjSM.exe
        5⤵
        
        PID:13720
    - - C:\Windows\System\kibBXXy.exe
        
        C:\Windows\System\kibBXXy.exe
        5⤵
        
        PID:13760
    - - C:\Windows\System\ZstfyRK.exe
        
        C:\Windows\System\ZstfyRK.exe
        5⤵
        
        PID:13784
    - - C:\Windows\System\unjTpaT.exe
        
        C:\Windows\System\unjTpaT.exe
        5⤵
        
        PID:13804
    - - C:\Windows\System\NevyPqY.exe
        
        C:\Windows\System\NevyPqY.exe
        5⤵
        
        PID:13820
    - - C:\Windows\System\SMdddjf.exe
        
        C:\Windows\System\SMdddjf.exe
        5⤵
        
        PID:13840
    - - C:\Windows\System\LoOMUfi.exe
        
        C:\Windows\System\LoOMUfi.exe
        5⤵
        
        PID:13860
    - - C:\Windows\System\QuxfWTe.exe
        
        C:\Windows\System\QuxfWTe.exe
        5⤵
        
        PID:13884
    - - C:\Windows\System\wPJYMce.exe
        
        C:\Windows\System\wPJYMce.exe
        5⤵
        
        PID:13904
    - - C:\Windows\System\IXYekUf.exe
        
        C:\Windows\System\IXYekUf.exe
        5⤵
        
        PID:13924
    - - C:\Windows\System\jDNuyzQ.exe
        
        C:\Windows\System\jDNuyzQ.exe
        5⤵
        
        PID:13940
    - - C:\Windows\System\ZBoZlHz.exe
        
        C:\Windows\System\ZBoZlHz.exe
        5⤵
        
        PID:13964
    - - C:\Windows\System\xscybpP.exe
        
        C:\Windows\System\xscybpP.exe
        5⤵
        
        PID:13988
    - - C:\Windows\System\bWjNLuc.exe
        
        C:\Windows\System\bWjNLuc.exe
        5⤵
        
        PID:14004
    - - C:\Windows\System\kITsiqy.exe
        
        C:\Windows\System\kITsiqy.exe
        5⤵
        
        PID:14020
    - - C:\Windows\System\gUJDPsA.exe
        
        C:\Windows\System\gUJDPsA.exe
        5⤵
        
        PID:14036
    - - C:\Windows\System\ojExByc.exe
        
        C:\Windows\System\ojExByc.exe
        5⤵
        
        PID:14052
    - - C:\Windows\System\PQvjdNQ.exe
        
        C:\Windows\System\PQvjdNQ.exe
        5⤵
        
        PID:14092
    - - C:\Windows\System\MltFPuZ.exe
        
        C:\Windows\System\MltFPuZ.exe
        5⤵
        
        PID:14112
    - - C:\Windows\System\Sdxhpji.exe
        
        C:\Windows\System\Sdxhpji.exe
        5⤵
        
        PID:14144
    - - C:\Windows\System\iRpOnEP.exe
        
        C:\Windows\System\iRpOnEP.exe
        5⤵
        
        PID:8000
    - - C:\Windows\System\ZpKhxJn.exe
        
        C:\Windows\System\ZpKhxJn.exe
        5⤵
        
        PID:8224
    - - C:\Windows\System\jMnuKjB.exe
        
        C:\Windows\System\jMnuKjB.exe
        5⤵
        
        PID:10636
    - - C:\Windows\System\yqQGaXC.exe
        
        C:\Windows\System\yqQGaXC.exe
        5⤵
        
        PID:10800
    - - C:\Windows\System\BsLzDlH.exe
        
        C:\Windows\System\BsLzDlH.exe
        5⤵
        
        PID:12156
    - - C:\Windows\System\wZNKljP.exe
        
        C:\Windows\System\wZNKljP.exe
        5⤵
        
        PID:11592
    - - C:\Windows\System\jdoOwRT.exe
        
        C:\Windows\System\jdoOwRT.exe
        5⤵
        
        PID:13636
    - - C:\Windows\System\lzDOwkb.exe
        
        C:\Windows\System\lzDOwkb.exe
        5⤵
        
        PID:13664
    - - C:\Windows\System\GRSjBIF.exe
        
        C:\Windows\System\GRSjBIF.exe
        5⤵
        
        PID:13736
    - - C:\Windows\System\VapFvaX.exe
        
        C:\Windows\System\VapFvaX.exe
        5⤵
        
        PID:13780
    - - C:\Windows\System\FmbugHH.exe
        
        C:\Windows\System\FmbugHH.exe
        5⤵
        
        PID:13812
    - - C:\Windows\System\jPAPsQF.exe
        
        C:\Windows\System\jPAPsQF.exe
        5⤵
        
        PID:13836
    - - C:\Windows\System\Nslwtif.exe
        
        C:\Windows\System\Nslwtif.exe
        5⤵
        
        PID:13876
    - - C:\Windows\System\GMTUieE.exe
        
        C:\Windows\System\GMTUieE.exe
        5⤵
        
        PID:5276
    - - C:\Windows\System\ccbnQmj.exe
        
        C:\Windows\System\ccbnQmj.exe
        5⤵
        
        PID:14176
    - - C:\Windows\System\CnAoGqM.exe
        
        C:\Windows\System\CnAoGqM.exe
        5⤵
        
        PID:9384
    - - C:\Windows\System\TUBpiqx.exe
        
        C:\Windows\System\TUBpiqx.exe
        5⤵
        
        PID:14304
    - - C:\Windows\System\nwidtNs.exe
        
        C:\Windows\System\nwidtNs.exe
        5⤵
        
        PID:14340
    - - C:\Windows\System\QNVSRoG.exe
        
        C:\Windows\System\QNVSRoG.exe
        5⤵
        
        PID:14356
    - - C:\Windows\System\yjZmgzq.exe
        
        C:\Windows\System\yjZmgzq.exe
        5⤵
        
        PID:14372
    - - C:\Windows\System\WZYaIDJ.exe
        
        C:\Windows\System\WZYaIDJ.exe
        5⤵
        
        PID:14388
    - - C:\Windows\System\meJZlBK.exe
        
        C:\Windows\System\meJZlBK.exe
        5⤵
        
        PID:14408
    - - C:\Windows\System\LYregxW.exe
        
        C:\Windows\System\LYregxW.exe
        5⤵
        
        PID:14436
    - - C:\Windows\System\VuJLqEl.exe
        
        C:\Windows\System\VuJLqEl.exe
        5⤵
        
        PID:14452
    - - C:\Windows\System\PbsILgE.exe
        
        C:\Windows\System\PbsILgE.exe
        5⤵
        
        PID:14468
    - - C:\Windows\System\XwPJAfh.exe
        
        C:\Windows\System\XwPJAfh.exe
        5⤵
        
        PID:14484
    - - C:\Windows\System\fsSYwDx.exe
        
        C:\Windows\System\fsSYwDx.exe
        5⤵
        
        PID:14500
    - - C:\Windows\System\YxYfJbh.exe
        
        C:\Windows\System\YxYfJbh.exe
        5⤵
        
        PID:14516
    - - C:\Windows\System\siYssKk.exe
        
        C:\Windows\System\siYssKk.exe
        5⤵
        
        PID:14532
    - - C:\Windows\System\lMkjsoK.exe
        
        C:\Windows\System\lMkjsoK.exe
        5⤵
        
        PID:14548
    - - C:\Windows\System\BvpsPkr.exe
        
        C:\Windows\System\BvpsPkr.exe
        5⤵
        
        PID:14564
    - - C:\Windows\System\FutVBsh.exe
        
        C:\Windows\System\FutVBsh.exe
        5⤵
        
        PID:14580
    - - C:\Windows\System\twqdnow.exe
        
        C:\Windows\System\twqdnow.exe
        5⤵
        
        PID:14596
    - - C:\Windows\System\bXHYNxK.exe
        
        C:\Windows\System\bXHYNxK.exe
        5⤵
        
        PID:14616
    - - C:\Windows\System\lLclRmB.exe
        
        C:\Windows\System\lLclRmB.exe
        5⤵
        
        PID:14632
    - - C:\Windows\System\UnuBIwi.exe
        
        C:\Windows\System\UnuBIwi.exe
        5⤵
        
        PID:14672
    - - C:\Windows\System\fIdYPWb.exe
        
        C:\Windows\System\fIdYPWb.exe
        5⤵
        
        PID:14688
    - - C:\Windows\System\bmKJsdw.exe
        
        C:\Windows\System\bmKJsdw.exe
        5⤵
        
        PID:14704
    - - C:\Windows\System\EByubRU.exe
        
        C:\Windows\System\EByubRU.exe
        5⤵
        
        PID:14720
    - - C:\Windows\System\iVoizZE.exe
        
        C:\Windows\System\iVoizZE.exe
        5⤵
        
        PID:14740
    - - C:\Windows\System\KcGAESp.exe
        
        C:\Windows\System\KcGAESp.exe
        5⤵
        
        PID:14760
    - - C:\Windows\System\GddLdEK.exe
        
        C:\Windows\System\GddLdEK.exe
        5⤵
        
        PID:14784
    - - C:\Windows\System\tKYRrkS.exe
        
        C:\Windows\System\tKYRrkS.exe
        5⤵
        
        PID:14800
    - - C:\Windows\System\SOTlasZ.exe
        
        C:\Windows\System\SOTlasZ.exe
        5⤵
        
        PID:14816
    - - C:\Windows\System\VuHXDFp.exe
        
        C:\Windows\System\VuHXDFp.exe
        5⤵
        
        PID:14832
    - - C:\Windows\System\gpexynn.exe
        
        C:\Windows\System\gpexynn.exe
        5⤵
        
        PID:14864
    - - C:\Windows\System\cRSCTOB.exe
        
        C:\Windows\System\cRSCTOB.exe
        5⤵
        
        PID:14888
    - - C:\Windows\System\HRKpFPr.exe
        
        C:\Windows\System\HRKpFPr.exe
        5⤵
        
        PID:14932
    - - C:\Windows\System\WCYCWwy.exe
        
        C:\Windows\System\WCYCWwy.exe
        5⤵
        
        PID:14972
    - - C:\Windows\System\PSwkzYb.exe
        
        C:\Windows\System\PSwkzYb.exe
        5⤵
        
        PID:15004
    - - C:\Windows\System\QPygGkE.exe
        
        C:\Windows\System\QPygGkE.exe
        5⤵
        
        PID:15052
    - - C:\Windows\System\SoEhhrM.exe
        
        C:\Windows\System\SoEhhrM.exe
        5⤵
        
        PID:15096
    - - C:\Windows\System\lBXdekN.exe
        
        C:\Windows\System\lBXdekN.exe
        5⤵
        
        PID:15116
    - - C:\Windows\System\FSvpAJa.exe
        
        C:\Windows\System\FSvpAJa.exe
        5⤵
        
        PID:15164
    - - C:\Windows\System\BsyfCPV.exe
        
        C:\Windows\System\BsyfCPV.exe
        5⤵
        
        PID:15232
    - - C:\Windows\System\GlqpBdk.exe
        
        C:\Windows\System\GlqpBdk.exe
        5⤵
        
        PID:15280
    - - C:\Windows\System\BtnfwES.exe
        
        C:\Windows\System\BtnfwES.exe
        5⤵
        
        PID:15304
    - - C:\Windows\System\xKkbUps.exe
        
        C:\Windows\System\xKkbUps.exe
        5⤵
        
        PID:15332
    - - C:\Windows\System\xivHJty.exe
        
        C:\Windows\System\xivHJty.exe
        5⤵
        
        PID:15348
    - - C:\Windows\System\KpDNGQT.exe
        
        C:\Windows\System\KpDNGQT.exe
        5⤵
        
        PID:8756
    - - C:\Windows\System\ZGcucWO.exe
        
        C:\Windows\System\ZGcucWO.exe
        5⤵
        
        PID:6536
    - - C:\Windows\System\tkLhein.exe
        
        C:\Windows\System\tkLhein.exe
        5⤵
        
        PID:3988
    - - C:\Windows\System\ZUHkvTa.exe
        
        C:\Windows\System\ZUHkvTa.exe
        5⤵
        
        PID:12520
    - - C:\Windows\System\gwBbijL.exe
        
        C:\Windows\System\gwBbijL.exe
        5⤵
        
        PID:7668
    - - C:\Windows\System\IgCjfoN.exe
        
        C:\Windows\System\IgCjfoN.exe
        5⤵
        
        PID:9900
    - - C:\Windows\System\NdPCpcN.exe
        
        C:\Windows\System\NdPCpcN.exe
        5⤵
        
        PID:10720
    - - C:\Windows\System\gpOeMlZ.exe
        
        C:\Windows\System\gpOeMlZ.exe
        5⤵
        
        PID:10704
    - - C:\Windows\System\Gbvtftl.exe
        
        C:\Windows\System\Gbvtftl.exe
        5⤵
        
        PID:10856
    - - C:\Windows\System\kQtfvhe.exe
        
        C:\Windows\System\kQtfvhe.exe
        5⤵
        
        PID:10944
    - - C:\Windows\System\jUSwDXF.exe
        
        C:\Windows\System\jUSwDXF.exe
        5⤵
        
        PID:10976
    - - C:\Windows\System\oWwJbbE.exe
        
        C:\Windows\System\oWwJbbE.exe
        5⤵
        
        PID:4332
    - - C:\Windows\System\ejogBRs.exe
        
        C:\Windows\System\ejogBRs.exe
        5⤵
        
        PID:11596
    - - C:\Windows\System\BnMpjHe.exe
        
        C:\Windows\System\BnMpjHe.exe
        5⤵
        
        PID:10216
    - - C:\Windows\System\nnFhdZK.exe
        
        C:\Windows\System\nnFhdZK.exe
        5⤵
        
        PID:12592
    - - C:\Windows\System\rruXsHn.exe
        
        C:\Windows\System\rruXsHn.exe
        5⤵
        
        PID:11136
    - - C:\Windows\System\tbJzQBh.exe
        
        C:\Windows\System\tbJzQBh.exe
        5⤵
        
        PID:11204
    - - C:\Windows\System\jbgIIFp.exe
        
        C:\Windows\System\jbgIIFp.exe
        5⤵
        
        PID:9868
    - - C:\Windows\System\fSZuLIW.exe
        
        C:\Windows\System\fSZuLIW.exe
        5⤵
        
        PID:10236
    - - C:\Windows\System\psZhnWT.exe
        
        C:\Windows\System\psZhnWT.exe
        5⤵
        
        PID:8252
    - - C:\Windows\System\mWFHnYQ.exe
        
        C:\Windows\System\mWFHnYQ.exe
        5⤵
        
        PID:2320
    - - C:\Windows\System\GUgFZRd.exe
        
        C:\Windows\System\GUgFZRd.exe
        5⤵
        
        PID:8124
    - - C:\Windows\System\ElYZXTj.exe
        
        C:\Windows\System\ElYZXTj.exe
        5⤵
        
        PID:9584
    - - C:\Windows\System\CGNopsw.exe
        
        C:\Windows\System\CGNopsw.exe
        5⤵
        
        PID:9324
    - - C:\Windows\System\NyDGsOc.exe
        
        C:\Windows\System\NyDGsOc.exe
        5⤵
        
        PID:8804
    - - C:\Windows\System\HocQHYn.exe
        
        C:\Windows\System\HocQHYn.exe
        5⤵
        
        PID:8612
    - - C:\Windows\System\ddxMsjE.exe
        
        C:\Windows\System\ddxMsjE.exe
        5⤵
        
        PID:13432
    - - C:\Windows\System\xKrdRyn.exe
        
        C:\Windows\System\xKrdRyn.exe
        5⤵
        
        PID:13552
    - - C:\Windows\System\kFbaqST.exe
        
        C:\Windows\System\kFbaqST.exe
        5⤵
        
        PID:13892
    - - C:\Windows\System\DFjbGJf.exe
        
        C:\Windows\System\DFjbGJf.exe
        5⤵
        
        PID:11748
    - - C:\Windows\System\ivgCAii.exe
        
        C:\Windows\System\ivgCAii.exe
        5⤵
        
        PID:11440
    - - C:\Windows\System\Adjnqbv.exe
        
        C:\Windows\System\Adjnqbv.exe
        5⤵
        
        PID:14132
    - - C:\Windows\System\WyHJMvr.exe
        
        C:\Windows\System\WyHJMvr.exe
        5⤵
        
        PID:11332
    - - C:\Windows\System\rIogplc.exe
        
        C:\Windows\System\rIogplc.exe
        5⤵
        
        PID:9768
    - - C:\Windows\System\fJLnrYB.exe
        
        C:\Windows\System\fJLnrYB.exe
        5⤵
        
        PID:11736
    - - C:\Windows\System\kBgWRdF.exe
        
        C:\Windows\System\kBgWRdF.exe
        5⤵
        
        PID:12880
    - - C:\Windows\System\OnjQHCl.exe
        
        C:\Windows\System\OnjQHCl.exe
        5⤵
        
        PID:14108
    - - C:\Windows\System\aetNbsh.exe
        
        C:\Windows\System\aetNbsh.exe
        5⤵
        
        PID:13712
    - - C:\Windows\System\XALCCeg.exe
        
        C:\Windows\System\XALCCeg.exe
        5⤵
        
        PID:11892
    - - C:\Windows\System\vqmrAim.exe
        
        C:\Windows\System\vqmrAim.exe
        5⤵
        
        PID:11364
    - - C:\Windows\System\MyMyPJh.exe
        
        C:\Windows\System\MyMyPJh.exe
        5⤵
        
        PID:14424
    - - C:\Windows\System\doVyEjN.exe
        
        C:\Windows\System\doVyEjN.exe
        5⤵
        
        PID:12444
    - - C:\Windows\System\BpwsXOY.exe
        
        C:\Windows\System\BpwsXOY.exe
        5⤵
        
        PID:12848
    - - C:\Windows\System\cOtGwkz.exe
        
        C:\Windows\System\cOtGwkz.exe
        5⤵
        
        PID:10672
    - - C:\Windows\System\hAGfnCG.exe
        
        C:\Windows\System\hAGfnCG.exe
        5⤵
        
        PID:368
    - - C:\Windows\System\GALcEXK.exe
        
        C:\Windows\System\GALcEXK.exe
        5⤵
        
        PID:15172
    - - C:\Windows\System\lpxmKiu.exe
        
        C:\Windows\System\lpxmKiu.exe
        5⤵
        
        PID:13000
    - - C:\Windows\System\uPRCPNN.exe
        
        C:\Windows\System\uPRCPNN.exe
        5⤵
        
        PID:13024
    - - C:\Windows\System\wmuBWaT.exe
        
        C:\Windows\System\wmuBWaT.exe
        5⤵
        
        PID:13040
    - - C:\Windows\System\oQCKxfY.exe
        
        C:\Windows\System\oQCKxfY.exe
        5⤵
        
        PID:13084
    - - C:\Windows\System\SQEtdHV.exe
        
        C:\Windows\System\SQEtdHV.exe
        5⤵
        
        PID:13104
    - - C:\Windows\System\vnwndmT.exe
        
        C:\Windows\System\vnwndmT.exe
        5⤵
        
        PID:13136
    - - C:\Windows\System\bNSqvue.exe
        
        C:\Windows\System\bNSqvue.exe
        5⤵
        
        PID:13172
    - - C:\Windows\System\BdkaBEZ.exe
        
        C:\Windows\System\BdkaBEZ.exe
        5⤵
        
        PID:11896
    - - C:\Windows\System\EsImRAN.exe
        
        C:\Windows\System\EsImRAN.exe
        5⤵
        
        PID:11752
    - - C:\Windows\System\bhJLkjC.exe
        
        C:\Windows\System\bhJLkjC.exe
        5⤵
        
        PID:11716
    - - C:\Windows\System\aMxWzJi.exe
        
        C:\Windows\System\aMxWzJi.exe
        5⤵
        
        PID:7752
    - - C:\Windows\System\HhaEjKj.exe
        
        C:\Windows\System\HhaEjKj.exe
        5⤵
        
        PID:11556
    - - C:\Windows\System\fHEFfbi.exe
        
        C:\Windows\System\fHEFfbi.exe
        5⤵
        
        PID:11508
    - - C:\Windows\System\bSVLfKS.exe
        
        C:\Windows\System\bSVLfKS.exe
        5⤵
        
        PID:13276
    - - C:\Windows\System\zqIKACU.exe
        
        C:\Windows\System\zqIKACU.exe
        5⤵
        
        PID:13248
    - - C:\Windows\System\CQtMqzE.exe
        
        C:\Windows\System\CQtMqzE.exe
        5⤵
        
        PID:13220
    - - C:\Windows\System\yoKOskK.exe
        
        C:\Windows\System\yoKOskK.exe
        5⤵
        
        PID:13388
    - - C:\Windows\System\FXmHIVb.exe
        
        C:\Windows\System\FXmHIVb.exe
        5⤵
        
        PID:13328
    - - C:\Windows\System\aKIcgcL.exe
        
        C:\Windows\System\aKIcgcL.exe
        5⤵
        
        PID:6152
    - - C:\Windows\System\GHIVAAH.exe
        
        C:\Windows\System\GHIVAAH.exe
        5⤵
        
        PID:12196
    - - C:\Windows\System\EfJXjky.exe
        
        C:\Windows\System\EfJXjky.exe
        5⤵
        
        PID:9632
    - - C:\Windows\System\albqYgy.exe
        
        C:\Windows\System\albqYgy.exe
        5⤵
        
        PID:15184
    - - C:\Windows\System\hNJDZrb.exe
        
        C:\Windows\System\hNJDZrb.exe
        5⤵
        
        PID:13504
    - - C:\Windows\System\fyWcCFI.exe
        
        C:\Windows\System\fyWcCFI.exe
        5⤵
        
        PID:15312
    - - C:\Windows\System\JeZlzeu.exe
        
        C:\Windows\System\JeZlzeu.exe
        5⤵
        
        PID:10108
    - - C:\Windows\System\udzmWUD.exe
        
        C:\Windows\System\udzmWUD.exe
        5⤵
        
        PID:7260
    - - C:\Windows\System\fERgfJo.exe
        
        C:\Windows\System\fERgfJo.exe
        5⤵
        
        PID:12252
    - - C:\Windows\System\uZEqRTc.exe
        
        C:\Windows\System\uZEqRTc.exe
        5⤵
        
        PID:5632
    - - C:\Windows\System\HDRrKpr.exe
        
        C:\Windows\System\HDRrKpr.exe
        5⤵
        
        PID:13980
    - - C:\Windows\System\FTsGUUX.exe
        
        C:\Windows\System\FTsGUUX.exe
        5⤵
        
        PID:14048
    - - C:\Windows\System\vFVkYEP.exe
        
        C:\Windows\System\vFVkYEP.exe
        5⤵
        
        PID:14088
    - - C:\Windows\System\SdUSQvg.exe
        
        C:\Windows\System\SdUSQvg.exe
        5⤵
        
        PID:14152
    - - C:\Windows\System\TghfYKU.exe
        
        C:\Windows\System\TghfYKU.exe
        5⤵
        
        PID:14196
    - - C:\Windows\System\HakPvRU.exe
        
        C:\Windows\System\HakPvRU.exe
        5⤵
        
        PID:14312
    - - C:\Windows\System\CONSgfV.exe
        
        C:\Windows\System\CONSgfV.exe
        5⤵
        
        PID:9304
    - - C:\Windows\System\sgLhNCG.exe
        
        C:\Windows\System\sgLhNCG.exe
        5⤵
        
        PID:10440
    - - C:\Windows\System\uimEAnY.exe
        
        C:\Windows\System\uimEAnY.exe
        5⤵
        
        PID:15136
    - - C:\Windows\System\aNsFhCv.exe
        
        C:\Windows\System\aNsFhCv.exe
        5⤵
        
        PID:12164
    - - C:\Windows\System\qCwFhNC.exe
        
        C:\Windows\System\qCwFhNC.exe
        5⤵
        
        PID:14384
    - - C:\Windows\System\MOFkfNe.exe
        
        C:\Windows\System\MOFkfNe.exe
        5⤵
        
        PID:1648
    - - C:\Windows\System\hEOTGph.exe
        
        C:\Windows\System\hEOTGph.exe
        5⤵
        
        PID:12080
    - - C:\Windows\System\eCPuFVb.exe
        
        C:\Windows\System\eCPuFVb.exe
        5⤵
        
        PID:14476
    - - C:\Windows\System\KYIlgiO.exe
        
        C:\Windows\System\KYIlgiO.exe
        5⤵
        
        PID:14524
    - - C:\Windows\System\wwZAMtc.exe
        
        C:\Windows\System\wwZAMtc.exe
        5⤵
        
        PID:12452
    - - C:\Windows\System\qywQUBq.exe
        
        C:\Windows\System\qywQUBq.exe
        5⤵
        
        PID:14624
    - - C:\Windows\System\npAyvTv.exe
        
        C:\Windows\System\npAyvTv.exe
        5⤵
        
        PID:14700
    - - C:\Windows\System\LRNmXCo.exe
        
        C:\Windows\System\LRNmXCo.exe
        5⤵
        
        PID:12784
    - - C:\Windows\System\tiUiWjq.exe
        
        C:\Windows\System\tiUiWjq.exe
        5⤵
        
        PID:10448
    - - C:\Windows\System\dbWFGMp.exe
        
        C:\Windows\System\dbWFGMp.exe
        5⤵
        
        PID:10588
    - - C:\Windows\System\yWbrNAS.exe
        
        C:\Windows\System\yWbrNAS.exe
        5⤵
        
        PID:15156
    - - C:\Windows\System\MmBsKIl.exe
        
        C:\Windows\System\MmBsKIl.exe
        5⤵
        
        PID:15368
    - - C:\Windows\System\CHgyosr.exe
        
        C:\Windows\System\CHgyosr.exe
        5⤵
        
        PID:15388
    - - C:\Windows\System\IRkHtRg.exe
        
        C:\Windows\System\IRkHtRg.exe
        5⤵
        
        PID:15404
    - - C:\Windows\System\vkQfBJC.exe
        
        C:\Windows\System\vkQfBJC.exe
        5⤵
        
        PID:15428
    - - C:\Windows\System\vcilDDs.exe
        
        C:\Windows\System\vcilDDs.exe
        5⤵
        
        PID:15452
    - - C:\Windows\System\YUCKmaG.exe
        
        C:\Windows\System\YUCKmaG.exe
        5⤵
        
        PID:15472
    - - C:\Windows\System\yKrmVFg.exe
        
        C:\Windows\System\yKrmVFg.exe
        5⤵
        
        PID:15496
    - - C:\Windows\System\CHDFMrE.exe
        
        C:\Windows\System\CHDFMrE.exe
        5⤵
        
        PID:15520
    - - C:\Windows\System\qIxYZvw.exe
        
        C:\Windows\System\qIxYZvw.exe
        5⤵
        
        PID:15544
    - - C:\Windows\System\fqaRCPP.exe
        
        C:\Windows\System\fqaRCPP.exe
        5⤵
        
        PID:15560
    - - C:\Windows\System\pvReNod.exe
        
        C:\Windows\System\pvReNod.exe
        5⤵
        
        PID:15584
    - - C:\Windows\System\FhgVpOa.exe
        
        C:\Windows\System\FhgVpOa.exe
        5⤵
        
        PID:15616
    - - C:\Windows\System\MpHmZFz.exe
        
        C:\Windows\System\MpHmZFz.exe
        5⤵
        
        PID:15636
    - - C:\Windows\System\QzTLHup.exe
        
        C:\Windows\System\QzTLHup.exe
        5⤵
        
        PID:15660
    - - C:\Windows\System\HRWUkHq.exe
        
        C:\Windows\System\HRWUkHq.exe
        5⤵
        
        PID:15704
    - - C:\Windows\System\FatLKXs.exe
        
        C:\Windows\System\FatLKXs.exe
        5⤵
        
        PID:15724
    - - C:\Windows\System\PFUkRUy.exe
        
        C:\Windows\System\PFUkRUy.exe
        5⤵
        
        PID:15744
    - - C:\Windows\System\WzGywgS.exe
        
        C:\Windows\System\WzGywgS.exe
        5⤵
        
        PID:15768
    - - C:\Windows\System\OzAFfMf.exe
        
        C:\Windows\System\OzAFfMf.exe
        5⤵
        
        PID:15784
    - - C:\Windows\System\ePXamtP.exe
        
        C:\Windows\System\ePXamtP.exe
        5⤵
        
        PID:15800
    - - C:\Windows\System\zlrIGhw.exe
        
        C:\Windows\System\zlrIGhw.exe
        5⤵
        
        PID:15820
    - - C:\Windows\System\FfnFbRs.exe
        
        C:\Windows\System\FfnFbRs.exe
        5⤵
        
        PID:15836
    - - C:\Windows\System\AvMRKnq.exe
        
        C:\Windows\System\AvMRKnq.exe
        5⤵
        
        PID:15852
    - - C:\Windows\System\EDaTZKh.exe
        
        C:\Windows\System\EDaTZKh.exe
        5⤵
        
        PID:15868
    - - C:\Windows\System\UoYnJPV.exe
        
        C:\Windows\System\UoYnJPV.exe
        5⤵
        
        PID:15884
    - - C:\Windows\System\IGZpksX.exe
        
        C:\Windows\System\IGZpksX.exe
        5⤵
        
        PID:15900
    - - C:\Windows\System\fkotGmb.exe
        
        C:\Windows\System\fkotGmb.exe
        5⤵
        
        PID:15920
    - - C:\Windows\System\kCsuyYR.exe
        
        C:\Windows\System\kCsuyYR.exe
        5⤵
        
        PID:15936
    - - C:\Windows\System\gVvVcGa.exe
        
        C:\Windows\System\gVvVcGa.exe
        5⤵
        
        PID:15952
    - - C:\Windows\System\tjKCvEU.exe
        
        C:\Windows\System\tjKCvEU.exe
        5⤵
        
        PID:15968
    - - C:\Windows\System\qKcAcWb.exe
        
        C:\Windows\System\qKcAcWb.exe
        5⤵
        
        PID:15992
    - - C:\Windows\System\ifXPmzI.exe
        
        C:\Windows\System\ifXPmzI.exe
        5⤵
        
        PID:16008
    - - C:\Windows\System\oWrzumQ.exe
        
        C:\Windows\System\oWrzumQ.exe
        5⤵
        
        PID:16028
    - - C:\Windows\System\jYZyiSn.exe
        
        C:\Windows\System\jYZyiSn.exe
        5⤵
        
        PID:16044
    - - C:\Windows\System\VdalrQt.exe
        
        C:\Windows\System\VdalrQt.exe
        5⤵
        
        PID:16072
    - - C:\Windows\System\XrjySoQ.exe
        
        C:\Windows\System\XrjySoQ.exe
        5⤵
        
        PID:16088
    - - C:\Windows\System\efShWOh.exe
        
        C:\Windows\System\efShWOh.exe
        5⤵
        
        PID:16104
    - - C:\Windows\System\YDkwSXH.exe
        
        C:\Windows\System\YDkwSXH.exe
        5⤵
        
        PID:16120
    - - C:\Windows\System\gBoWbjJ.exe
        
        C:\Windows\System\gBoWbjJ.exe
        5⤵
        
        PID:16136
    - - C:\Windows\System\aIDSrzR.exe
        
        C:\Windows\System\aIDSrzR.exe
        5⤵
        
        PID:16156
    - - C:\Windows\System\yvVUHyM.exe
        
        C:\Windows\System\yvVUHyM.exe
        5⤵
        
        PID:16172
    - - C:\Windows\System\IrgbMBh.exe
        
        C:\Windows\System\IrgbMBh.exe
        5⤵
        
        PID:16188
    - - C:\Windows\System\WYTysbu.exe
        
        C:\Windows\System\WYTysbu.exe
        5⤵
        
        PID:16212
    - - C:\Windows\System\xiCqPEw.exe
        
        C:\Windows\System\xiCqPEw.exe
        5⤵
        
        PID:16228
    - - C:\Windows\System\fwsiZnh.exe
        
        C:\Windows\System\fwsiZnh.exe
        5⤵
        
        PID:16244
    - - C:\Windows\System\MtwwFUT.exe
        
        C:\Windows\System\MtwwFUT.exe
        5⤵
        
        PID:16260
    - - C:\Windows\System\Mjnbxjk.exe
        
        C:\Windows\System\Mjnbxjk.exe
        5⤵
        
        PID:16280
    - - C:\Windows\System\ItJkGYl.exe
        
        C:\Windows\System\ItJkGYl.exe
        5⤵
        
        PID:16296
    - - C:\Windows\System\sVcGXCC.exe
        
        C:\Windows\System\sVcGXCC.exe
        5⤵
        
        PID:16336
    - - C:\Windows\System\gSPRnfh.exe
        
        C:\Windows\System\gSPRnfh.exe
        5⤵
        
        PID:16360
    - - C:\Windows\System\GWuGUbn.exe
        
        C:\Windows\System\GWuGUbn.exe
        5⤵
        
        PID:16376
    - - C:\Windows\System\mzvbgss.exe
        
        C:\Windows\System\mzvbgss.exe
        5⤵
        
        PID:9424
    - - C:\Windows\System\SPbEpCT.exe
        
        C:\Windows\System\SPbEpCT.exe
        5⤵
        
        PID:10756
    - - C:\Windows\System\vEhQtjX.exe
        
        C:\Windows\System\vEhQtjX.exe
        5⤵
        
        PID:5392
    - - C:\Windows\System\hYMsoex.exe
        
        C:\Windows\System\hYMsoex.exe
        5⤵
        
        PID:11612
    - - C:\Windows\System\IxvwEvi.exe
        
        C:\Windows\System\IxvwEvi.exe
        5⤵
        
        PID:6468
    - - C:\Windows\System\gRntojV.exe
        
        C:\Windows\System\gRntojV.exe
        5⤵
        
        PID:13624
    - - C:\Windows\System\FxHmbUT.exe
        
        C:\Windows\System\FxHmbUT.exe
        5⤵
        
        PID:13768
    - - C:\Windows\System\dClIrtZ.exe
        
        C:\Windows\System\dClIrtZ.exe
        5⤵
        
        PID:11404
    - - C:\Windows\System\ABtNvTN.exe
        
        C:\Windows\System\ABtNvTN.exe
        5⤵
        
        PID:9248
    - - C:\Windows\System\emFESuU.exe
        
        C:\Windows\System\emFESuU.exe
        5⤵
        
        PID:13868
    - - C:\Windows\System\xPMesCG.exe
        
        C:\Windows\System\xPMesCG.exe
        5⤵
        
        PID:12768
    - - C:\Windows\System\LpkOGmz.exe
        
        C:\Windows\System\LpkOGmz.exe
        5⤵
        
        PID:14128
    - - C:\Windows\System\aOSfCGS.exe
        
        C:\Windows\System\aOSfCGS.exe
        5⤵
        
        PID:9072
    - - C:\Windows\System\ZJFbcfA.exe
        
        C:\Windows\System\ZJFbcfA.exe
        5⤵
        
        PID:1568
    - - C:\Windows\System\cfNiZdP.exe
        
        C:\Windows\System\cfNiZdP.exe
        5⤵
        
        PID:9456
    - - C:\Windows\System\dVYPjrg.exe
        
        C:\Windows\System\dVYPjrg.exe
        5⤵
        
        PID:10632
    - - C:\Windows\System\dJsifUx.exe
        
        C:\Windows\System\dJsifUx.exe
        5⤵
        
        PID:12220
    - - C:\Windows\System\IiFclre.exe
        
        C:\Windows\System\IiFclre.exe
        5⤵
        
        PID:14364
    - - C:\Windows\System\bMprBlz.exe
        
        C:\Windows\System\bMprBlz.exe
        5⤵
        
        PID:15132
    - - C:\Windows\System\OZAsuQq.exe
        
        C:\Windows\System\OZAsuQq.exe
        5⤵
        
        PID:6820
    - - C:\Windows\System\TMuDjJS.exe
        
        C:\Windows\System\TMuDjJS.exe
        5⤵
        
        PID:13588
    - - C:\Windows\System\SpNdqal.exe
        
        C:\Windows\System\SpNdqal.exe
        5⤵
        
        PID:14124
    - - C:\Windows\System\JAgniyv.exe
        
        C:\Windows\System\JAgniyv.exe
        5⤵
        
        PID:12372
    - - C:\Windows\System\SIMNPru.exe
        
        C:\Windows\System\SIMNPru.exe
        5⤵
        
        PID:13068
    - - C:\Windows\System\lQDGVwr.exe
        
        C:\Windows\System\lQDGVwr.exe
        5⤵
        
        PID:14544
    - - C:\Windows\System\OyaTUHq.exe
        
        C:\Windows\System\OyaTUHq.exe
        5⤵
        
        PID:14556
    - - C:\Windows\System\jxundpU.exe
        
        C:\Windows\System\jxundpU.exe
        5⤵
        
        PID:12528
    - - C:\Windows\System\irkrkbn.exe
        
        C:\Windows\System\irkrkbn.exe
        5⤵
        
        PID:14796
    - - C:\Windows\System\FcjElug.exe
        
        C:\Windows\System\FcjElug.exe
        5⤵
        
        PID:14896
    - - C:\Windows\System\gjAosMF.exe
        
        C:\Windows\System\gjAosMF.exe
        5⤵
        
        PID:12796
    - - C:\Windows\System\FkyRdEr.exe
        
        C:\Windows\System\FkyRdEr.exe
        5⤵
        
        PID:640
    - - C:\Windows\System\nYfhZnO.exe
        
        C:\Windows\System\nYfhZnO.exe
        5⤵
        
        PID:13996
    - - C:\Windows\System\UEaQbze.exe
        
        C:\Windows\System\UEaQbze.exe
        5⤵
        
        PID:10164
    - - C:\Windows\System\zvMJzfo.exe
        
        C:\Windows\System\zvMJzfo.exe
        5⤵
        
        PID:14216
    - - C:\Windows\System\Tdwtlnf.exe
        
        C:\Windows\System\Tdwtlnf.exe
        5⤵
        
        PID:14960
    - - C:\Windows\System\wYFToBF.exe
        
        C:\Windows\System\wYFToBF.exe
        5⤵
        
        PID:15516
    - - C:\Windows\System\uPecqTx.exe
        
        C:\Windows\System\uPecqTx.exe
        5⤵
        
        PID:4744
    - - C:\Windows\System\TnntzLk.exe
        
        C:\Windows\System\TnntzLk.exe
        5⤵
        
        PID:15808
    - - C:\Windows\System\sXOMEBh.exe
        
        C:\Windows\System\sXOMEBh.exe
        5⤵
        
        PID:6636
    - - C:\Windows\System\RgPBZLp.exe
        
        C:\Windows\System\RgPBZLp.exe
        5⤵
        
        PID:15848
    - - C:\Windows\System\Vikufev.exe
        
        C:\Windows\System\Vikufev.exe
        5⤵
        
        PID:11156
    - - C:\Windows\System\klrbOxn.exe
        
        C:\Windows\System\klrbOxn.exe
        5⤵
        
        PID:15944
    - - C:\Windows\System\hJtXXaI.exe
        
        C:\Windows\System\hJtXXaI.exe
        5⤵
        
        PID:7692
    - - C:\Windows\System\qWzUDTK.exe
        
        C:\Windows\System\qWzUDTK.exe
        5⤵
        
        PID:9964
    - - C:\Windows\System\FmLjHRm.exe
        
        C:\Windows\System\FmLjHRm.exe
        5⤵
        
        PID:10868
    - - C:\Windows\System\XRhhEtV.exe
        
        C:\Windows\System\XRhhEtV.exe
        5⤵
        
        PID:16128
    - - C:\Windows\System\LfGixgJ.exe
        
        C:\Windows\System\LfGixgJ.exe
        5⤵
        
        PID:15316
    - - C:\Windows\System\ImVLnRp.exe
        
        C:\Windows\System\ImVLnRp.exe
        5⤵
        
        PID:8416
    - - C:\Windows\System\zSvDqjV.exe
        
        C:\Windows\System\zSvDqjV.exe
        5⤵
        
        PID:14652
    - - C:\Windows\System\mSLBYkG.exe
        
        C:\Windows\System\mSLBYkG.exe
        5⤵
        
        PID:14732
    - - C:\Windows\System\ObBlgyH.exe
        
        C:\Windows\System\ObBlgyH.exe
        5⤵
        
        PID:15012
    - - C:\Windows\System\TdPVFTr.exe
        
        C:\Windows\System\TdPVFTr.exe
        5⤵
        
        PID:10724
    - - C:\Windows\System\wXNKgUw.exe
        
        C:\Windows\System\wXNKgUw.exe
        5⤵
        
        PID:16236
    - - C:\Windows\System\zCQQOMp.exe
        
        C:\Windows\System\zCQQOMp.exe
        5⤵
        
        PID:12888
    - - C:\Windows\System\tGomxZw.exe
        
        C:\Windows\System\tGomxZw.exe
        5⤵
        
        PID:15112
    - - C:\Windows\System\aVAdxDd.exe
        
        C:\Windows\System\aVAdxDd.exe
        5⤵
        
        PID:12904
    - - C:\Windows\System\haQYLTN.exe
        
        C:\Windows\System\haQYLTN.exe
        5⤵
        
        PID:13428
    - - C:\Windows\System\AXGyPpC.exe
        
        C:\Windows\System\AXGyPpC.exe
        5⤵
        
        PID:13484
    - - C:\Windows\System\sxuRxqS.exe
        
        C:\Windows\System\sxuRxqS.exe
        5⤵
        
        PID:9784
    - - C:\Windows\System\UEJeELz.exe
        
        C:\Windows\System\UEJeELz.exe
        5⤵
        
        PID:7740
    - - C:\Windows\System\HTxJljQ.exe
        
        C:\Windows\System\HTxJljQ.exe
        5⤵
        
        PID:13700
    - - C:\Windows\System\TOuGyOP.exe
        
        C:\Windows\System\TOuGyOP.exe
        5⤵
        
        PID:10936
    - - C:\Windows\System\slbLXbL.exe
        
        C:\Windows\System\slbLXbL.exe
        5⤵
        
        PID:10848
    - - C:\Windows\System\wZoBoke.exe
        
        C:\Windows\System\wZoBoke.exe
        5⤵
        
        PID:12256
    - - C:\Windows\System\OmeTkyV.exe
        
        C:\Windows\System\OmeTkyV.exe
        5⤵
        
        PID:16388
    - - C:\Windows\System\iJuWTyj.exe
        
        C:\Windows\System\iJuWTyj.exe
        5⤵
        
        PID:16404
    - - C:\Windows\System\QdnQHdZ.exe
        
        C:\Windows\System\QdnQHdZ.exe
        5⤵
        
        PID:16420
    - - C:\Windows\System\lZQeqeX.exe
        
        C:\Windows\System\lZQeqeX.exe
        5⤵
        
        PID:16436
    - - C:\Windows\System\nzaerum.exe
        
        C:\Windows\System\nzaerum.exe
        5⤵
        
        PID:16452
    - - C:\Windows\System\YxcccOR.exe
        
        C:\Windows\System\YxcccOR.exe
        5⤵
        
        PID:16476
    - - C:\Windows\System\xsxvnDV.exe
        
        C:\Windows\System\xsxvnDV.exe
        5⤵
        
        PID:16492
    - - C:\Windows\System\JhSYRCV.exe
        
        C:\Windows\System\JhSYRCV.exe
        5⤵
        
        PID:16508
    - - C:\Windows\System\lqbzlxy.exe
        
        C:\Windows\System\lqbzlxy.exe
        5⤵
        
        PID:16524
    - - C:\Windows\System\UwpVzRi.exe
        
        C:\Windows\System\UwpVzRi.exe
        5⤵
        
        PID:16544
    - - C:\Windows\System\ibqmHzW.exe
        
        C:\Windows\System\ibqmHzW.exe
        5⤵
        
        PID:16568
    - - C:\Windows\System\RTcdHqo.exe
        
        C:\Windows\System\RTcdHqo.exe
        5⤵
        
        PID:16588
    - - C:\Windows\System\TYPHspK.exe
        
        C:\Windows\System\TYPHspK.exe
        5⤵
        
        PID:16608
    - - C:\Windows\System\nQZmyWU.exe
        
        C:\Windows\System\nQZmyWU.exe
        5⤵
        
        PID:16640
    - - C:\Windows\System\WoLVHaD.exe
        
        C:\Windows\System\WoLVHaD.exe
        5⤵
        
        PID:16656
    - - C:\Windows\System\lPTzlSB.exe
        
        C:\Windows\System\lPTzlSB.exe
        5⤵
        
        PID:16680
    - - C:\Windows\System\fOtHWrv.exe
        
        C:\Windows\System\fOtHWrv.exe
        5⤵
        
        PID:16696
    - - C:\Windows\System\ASNFQnu.exe
        
        C:\Windows\System\ASNFQnu.exe
        5⤵
        
        PID:16712
    - - C:\Windows\System\EQzggMN.exe
        
        C:\Windows\System\EQzggMN.exe
        5⤵
        
        PID:16728
    - - C:\Windows\System\kNBIsZQ.exe
        
        C:\Windows\System\kNBIsZQ.exe
        5⤵
        
        PID:16776
    - - C:\Windows\System\BgoWhRB.exe
        
        C:\Windows\System\BgoWhRB.exe
        5⤵
        
        PID:16796
    - - C:\Windows\System\AlvzkfS.exe
        
        C:\Windows\System\AlvzkfS.exe
        5⤵
        
        PID:16832
  - - C:\Users\Admin\Downloads\240921-nmy13azfrrefb2bddae67f6f5c7aa91f5b9c289683_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nmy13azfrrefb2bddae67f6f5c7aa91f5b9c289683_JaffaCakes118.exe
      4⤵
      PID:5920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe start schedule /y
        5⤵
        
        PID:7208
    - - C:\Windows\SysWOW64\At.exe
        
        At.exe 12:00:50 PM C:\Windows\Help\HelpCat.exe
        5⤵
        
        PID:10488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 11:59:53 AM C:\Windows\Sysinf.bat
        5⤵
        
        PID:10500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 12:02:53 PM C:\Windows\Sysinf.bat
        5⤵
        
        PID:10508
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop wscsvc /y
        5⤵
        
        PID:10516
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop sharedaccess /y
        5⤵
        
        PID:9196
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop wuauserv /y
        5⤵
        
        PID:11776
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop srservice /y
        5⤵
        
        PID:8988
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop 360timeprot /y
        5⤵
        System Time Discovery
        
        PID:8808
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\system32\sc.exe config srservice start= disabled
        5⤵
        Launches sc.exe
        
        PID:12608
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\system32\sc.exe config SharedAccess start= disabled
        5⤵
        Launches sc.exe
        
        PID:4424
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\system32\sc.exe config wscsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:14852
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\system32\sc.exe config srservice start= disabled
        5⤵
        Launches sc.exe
        
        PID:14608
  - - C:\Users\Admin\Downloads\240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
      C:\Users\Admin\Downloads\240921-nxjdcs1brj33c58b6e3890cbdca9ae92e968500b49c019a19624b2f15be1c7d5262edf3a34N.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5172
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ghibwzx\ofqhicn.exe
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8084
  - - C:\Users\Admin\Downloads\240921-nq81fazhnlf97356e0ce81539bb21cb00c61a7d44924780b07c6afc8c29ef35966ead1d840N.exe
      C:\Users\Admin\Downloads\240921-nq81fazhnlf97356e0ce81539bb21cb00c61a7d44924780b07c6afc8c29ef35966ead1d840N.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5868
  - - C:\Users\Admin\Downloads\240921-n14hps1dmnd24a9eebeba63ebe00cc9e1e850d7c8214c706cf102ecbd4399738a552a5d8c7N.exe
      C:\Users\Admin\Downloads\240921-n14hps1dmnd24a9eebeba63ebe00cc9e1e850d7c8214c706cf102ecbd4399738a552a5d8c7N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      Modifies registry class
      PID:596
    - - C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
      - C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        6⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        7⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        8⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        9⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        10⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        11⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        12⤵
        
        PID:7032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\240921-m2qgssydjhGoogle Chrome - tmp.cmd""
      4⤵
      PID:5132
  - - C:\Users\Admin\Downloads\240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ntn5fa1anqefb708d0bd92f3ebb602a8cd36fc9ab7_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5252
  - - C:\Users\Admin\Downloads\240921-nwrncazhkd4124-0-0x0000000000680000-0x0000000000B6A000-memory.dmp
      C:\Users\Admin\Downloads\240921-nwrncazhkd4124-0-0x0000000000680000-0x0000000000B6A000-memory.dmp
      4⤵
      System Location Discovery: System Language Discovery
      PID:6164
  - - C:\Users\Admin\Downloads\240921-nezbvszamdefadf1dcf96b4b47b000f88bc934e6b0_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nezbvszamdefadf1dcf96b4b47b000f88bc934e6b0_JaffaCakes118.exe
      4⤵
      PID:6172
  - - C:\Users\Admin\Downloads\240921-nnjmrszejcbea949251af8a7f49264f8aa342d39dfd54572f37203bcfd8918379d50bcc8d8N.exe
      C:\Users\Admin\Downloads\240921-nnjmrszejcbea949251af8a7f49264f8aa342d39dfd54572f37203bcfd8918379d50bcc8d8N.exe
      4⤵
      PID:4452
  - - C:\Users\Admin\Downloads\240921-nsrh6szfqdefb6672c69c067938a5e936d8bc7d29b_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nsrh6szfqdefb6672c69c067938a5e936d8bc7d29b_JaffaCakes118.exe
      4⤵
      PID:312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:8188
  - - C:\Users\Admin\Downloads\240921-nxyhaazhpd0dd187afe3956bdca41c4f3b648bafdf18b946afffa6960d2f804ce9b1cb3203N.exe
      C:\Users\Admin\Downloads\240921-nxyhaazhpd0dd187afe3956bdca41c4f3b648bafdf18b946afffa6960d2f804ce9b1cb3203N.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6220
    - - C:\Windows\SysWOW64\Kkfcndce.exe
        
        C:\Windows\system32\Kkfcndce.exe
        5⤵
        
        PID:6600
      - C:\Windows\SysWOW64\Pllgnl32.exe
        
        C:\Windows\system32\Pllgnl32.exe
        6⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Ajbmdn32.exe
        
        C:\Windows\system32\Ajbmdn32.exe
        7⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        8⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        9⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        10⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        11⤵
        
        PID:11048
  - - C:\Users\Admin\Downloads\240921-n14hps1dmmefbbed921e0fe143398290e59378905e_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-n14hps1dmmefbbed921e0fe143398290e59378905e_JaffaCakes118.exe
      4⤵
      PID:6228
  - - C:\Users\Admin\Downloads\240921-ng1mpszbnbefaf29ea681545652fcb9bacb36f980a_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ng1mpszbnbefaf29ea681545652fcb9bacb36f980a_JaffaCakes118.exe
      4⤵
      PID:5408
  - - C:\Users\Admin\Downloads\240921-nxsa9s1brnefb95b4a39a92796aca899dc6d9276f1_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nxsa9s1brnefb95b4a39a92796aca899dc6d9276f1_JaffaCakes118.exe
      4⤵
      PID:6284
  - - C:\Users\Admin\Downloads\240921-nhg7razeknb89257f5a20537b48da1926c82d09f21740cb2eb2fd63f1f717fc6f38be0e0d1N.exe
      C:\Users\Admin\Downloads\240921-nhg7razeknb89257f5a20537b48da1926c82d09f21740cb2eb2fd63f1f717fc6f38be0e0d1N.exe
      4⤵
      Modifies registry class
      PID:5748
    - - C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        5⤵
        
        PID:7948
      - C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        6⤵
        
        PID:4676
  - - C:\Users\Admin\Downloads\240921-nnad4azdraSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
      C:\Users\Admin\Downloads\240921-nnad4azdraSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
      4⤵
      PID:2976
  - - C:\Users\Admin\Downloads\240921-nh1zvszcja450a6401e4769ef40d94fd052fa49317474e3733e9a3c6dbc0a33222ad41bd09.exe
      C:\Users\Admin\Downloads\240921-nh1zvszcja450a6401e4769ef40d94fd052fa49317474e3733e9a3c6dbc0a33222ad41bd09.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4864
  - - C:\Users\Admin\Downloads\240921-nmd1wszdmfefb250c2b2cf93668796210720cdb79d_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nmd1wszdmfefb250c2b2cf93668796210720cdb79d_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:6708
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:14228
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        
        PID:12692
  - - C:\Users\Admin\Downloads\240921-nl53zszfpmfa0671d0e21d690a7980e755204baf461cb52ed75057887b4413eeca79ff5cfbN.exe
      C:\Users\Admin\Downloads\240921-nl53zszfpmfa0671d0e21d690a7980e755204baf461cb52ed75057887b4413eeca79ff5cfbN.exe
      4⤵
      PID:208
    - - C:\Windows\SysWOW64\Mhafeb32.exe
        
        C:\Windows\system32\Mhafeb32.exe
        5⤵
        
        PID:7984
      - C:\Windows\SysWOW64\Ajbmdn32.exe
        
        C:\Windows\system32\Ajbmdn32.exe
        6⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        7⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Cfnqklgh.exe
        
        C:\Windows\system32\Cfnqklgh.exe
        8⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        9⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\Flqdlnde.exe
        
        C:\Windows\system32\Flqdlnde.exe
        10⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        11⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        12⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        13⤵
        
        PID:16760
  - - C:\Users\Admin\Downloads\240921-n3f57a1drn62d87ff9a0f9331e8f1bb5235b41bb20722737b17e43708bbd7ea79ba91e7745N.exe
      C:\Users\Admin\Downloads\240921-n3f57a1drn62d87ff9a0f9331e8f1bb5235b41bb20722737b17e43708bbd7ea79ba91e7745N.exe
      4⤵
      Drops file in System32 directory
      PID:5892
    - - C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        5⤵
        
        PID:6764
      - C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        6⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        7⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        9⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        10⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        11⤵
        
        PID:15016
  - - C:\Users\Admin\Downloads\240921-nrbrbszhnn50101E938A3D3BA094C877785E695BE7.exe
      C:\Users\Admin\Downloads\240921-nrbrbszhnn50101E938A3D3BA094C877785E695BE7.exe
      4⤵
      PID:5104
  - - C:\Users\Admin\Downloads\240921-nzxzja1amcefbadcbbc9fdee2b03ff3cd4888d41bd_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nzxzja1amcefbadcbbc9fdee2b03ff3cd4888d41bd_JaffaCakes118.exe
      4⤵
      PID:3100
  - - C:\Users\Admin\Downloads\240921-ndxrmsyhngff1a93f9bd381c3ca44e0ca52f316e9b1dec3fb4e8b9698127e01ecf4c090415N.exe
      C:\Users\Admin\Downloads\240921-ndxrmsyhngff1a93f9bd381c3ca44e0ca52f316e9b1dec3fb4e8b9698127e01ecf4c090415N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5860
    - - C:\Windows\SysWOW64\Kgmcce32.exe
        
        C:\Windows\system32\Kgmcce32.exe
        5⤵
        
        PID:6456
      - C:\Windows\SysWOW64\Pkadoiip.exe
        
        C:\Windows\system32\Pkadoiip.exe
        6⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Ajbmdn32.exe
        
        C:\Windows\system32\Ajbmdn32.exe
        7⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        8⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\Hdhedh32.exe
        
        C:\Windows\system32\Hdhedh32.exe
        9⤵
        
        PID:9428
  - - C:\Users\Admin\Downloads\240921-nwgs5szgrg7e012e1f90b19749abce0893f816422bc66ef5a3198cbcd0fd45b26a3fe6a7b8N.exe
      C:\Users\Admin\Downloads\240921-nwgs5szgrg7e012e1f90b19749abce0893f816422bc66ef5a3198cbcd0fd45b26a3fe6a7b8N.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5540
  - - C:\Users\Admin\Downloads\240921-n3cg1a1dqrfa5a855ec8b0ca50052f9c0a3498c7e4c9255c020ed0653e49ea9138127cb935N.exe
      C:\Users\Admin\Downloads\240921-n3cg1a1dqrfa5a855ec8b0ca50052f9c0a3498c7e4c9255c020ed0653e49ea9138127cb935N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:1376
    - - C:\Windows\SysWOW64\Kgjgne32.exe
        
        C:\Windows\system32\Kgjgne32.exe
        5⤵
        Drops file in System32 directory
        
        PID:6652
      - C:\Windows\SysWOW64\Mbenmk32.exe
        
        C:\Windows\system32\Mbenmk32.exe
        6⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Nhpbfpka.exe
        
        C:\Windows\system32\Nhpbfpka.exe
        7⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        8⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Fllkqn32.exe
        
        C:\Windows\system32\Fllkqn32.exe
        9⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        10⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\Hginecde.exe
        
        C:\Windows\system32\Hginecde.exe
        11⤵
        
        PID:2268
  - - C:\Users\Admin\Downloads\240921-nx8y1szhph083bcd3bea727a5041bb723002da15c05a8fcab4cc71bbb047876a17a70769e3N.exe
      C:\Users\Admin\Downloads\240921-nx8y1szhph083bcd3bea727a5041bb723002da15c05a8fcab4cc71bbb047876a17a70769e3N.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1748
    - - C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7392
      - C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        6⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        7⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Bljlfh32.exe
        
        C:\Windows\system32\Bljlfh32.exe
        8⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        9⤵
        
        PID:11612
  - - C:\Users\Admin\Downloads\240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
      C:\Users\Admin\Downloads\240921-n1evca1djrbff78b13939ca5c72f63d045378d0c114bd41f91cd8e164a1ea9b6d37e22491aN.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in System32 directory
      Modifies registry class
      PID:1648
  - - C:\Users\Admin\Downloads\240921-nfh19szapfebafe534539465892444701b6fafaf8b299a70881fcc58d5bce34c2802284caeN.exe
      C:\Users\Admin\Downloads\240921-nfh19szapfebafe534539465892444701b6fafaf8b299a70881fcc58d5bce34c2802284caeN.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5064
  - - C:\Users\Admin\Downloads\240921-nd2qlazcpqe5ab52082999c81335610db501a04ef3a0f85fbccbd606d89e414ff2c5e52973.exe
      C:\Users\Admin\Downloads\240921-nd2qlazcpqe5ab52082999c81335610db501a04ef3a0f85fbccbd606d89e414ff2c5e52973.exe
      4⤵
      PID:4656
  - - C:\Users\Admin\Downloads\240921-nxv26azhnhefb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nxv26azhnhefb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5344
    - - C:\Users\Admin\Downloads\240921-nxv26azhnhefb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
        
        "C:\Users\Admin\Downloads\240921-nxv26azhnhefb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"
        5⤵
        
        PID:15760
  - - C:\Users\Admin\Downloads\240921-nvex6azgndefb7a3e2cb8f232021f1c5e081073998_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nvex6azgndefb7a3e2cb8f232021f1c5e081073998_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4996
    - - C:\Users\Admin\Downloads\240921-nvex6azgndefb7a3e2cb8f232021f1c5e081073998_JaffaCakes118.exe
        
        --d91e1aae
        5⤵
        
        PID:11580
  - - C:\Users\Admin\Downloads\240921-nnad4azgkmSecuriteInfo.com.Win32.Evo-gen.12679.2695.exe
      C:\Users\Admin\Downloads\240921-nnad4azgkmSecuriteInfo.com.Win32.Evo-gen.12679.2695.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:7312
  - - C:\Users\Admin\Downloads\240921-nqy58szhmladca99f9ab203e37ea78ddc49c45afaa1f7b7ce794d07927a49730c75ace7849N.exe
      C:\Users\Admin\Downloads\240921-nqy58szhmladca99f9ab203e37ea78ddc49c45afaa1f7b7ce794d07927a49730c75ace7849N.exe
      4⤵
      PID:3096
    - - C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        5⤵
        
        PID:8552
      - C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        6⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        7⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Dlkbjqgm.exe
        
        C:\Windows\system32\Dlkbjqgm.exe
        8⤵
        
        PID:11588
  - - C:\Users\Admin\Downloads\240921-ndsspazcnnefacdbc8cb16c154663af2d13636df41_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-ndsspazcnnefacdbc8cb16c154663af2d13636df41_JaffaCakes118.exe
      4⤵
      PID:5384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe start schedule /y
        5⤵
        
        PID:10228
    - - C:\Windows\SysWOW64\At.exe
        
        At.exe 12:00:56 PM C:\Windows\Help\HelpCat.exe
        5⤵
        
        PID:10644
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 12:00:00 PM C:\Windows\Sysinf.bat
        5⤵
        
        PID:10700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 12:03:00 PM C:\Windows\Sysinf.bat
        5⤵
        
        PID:504
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop wscsvc /y
        5⤵
        
        PID:3744
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop sharedaccess /y
        5⤵
        
        PID:15268
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop wuauserv /y
        5⤵
        
        PID:12804
  - - C:\Users\Admin\Downloads\240921-nq66vazhmqefb53e87c859fe12d548e042ce914a4c_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nq66vazhmqefb53e87c859fe12d548e042ce914a4c_JaffaCakes118.exe
      4⤵
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\tjKWX23
        
        "tjKWX23"
        5⤵
        
        PID:8344
  - - C:\Users\Admin\Downloads\240921-nssfgazfqeefb668574ff5c77f1e98b8fd43e58272_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nssfgazfqeefb668574ff5c77f1e98b8fd43e58272_JaffaCakes118.exe
      4⤵
      PID:5768
  - - C:\Users\Admin\Downloads\240921-nex4sszamc3159eef2c35d42b32655900c8a66be79a999682050b1f583b610684ce1ac9054N.exe
      C:\Users\Admin\Downloads\240921-nex4sszamc3159eef2c35d42b32655900c8a66be79a999682050b1f583b610684ce1ac9054N.exe
      4⤵
      PID:5952
    - - C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        5⤵
        
        PID:8244
      - C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        6⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        7⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\Hmnmgnoh.exe
        
        C:\Windows\system32\Hmnmgnoh.exe
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        9⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        10⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        11⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        12⤵
        
        PID:15076
  - - C:\Users\Admin\Downloads\240921-ngqshazdqk6fa592f5823a4d75ae04c9891c221fed1558d0193e277b0bcad904f2ae672f69N.exe
      C:\Users\Admin\Downloads\240921-ngqshazdqk6fa592f5823a4d75ae04c9891c221fed1558d0193e277b0bcad904f2ae672f69N.exe
      4⤵
      PID:5608
    - - \??\c:\q02604.exe
        
        c:\q02604.exe
        5⤵
        
        PID:8744
      - \??\c:\006048.exe
        
        c:\006048.exe
        6⤵
        
        PID:9428
        
        \??\c:\8220040.exe
        
        c:\8220040.exe
        7⤵
        
        PID:7892
        
        \??\c:\862608.exe
        
        c:\862608.exe
        8⤵
        
        PID:11372
        
        \??\c:\m6826.exe
        
        c:\m6826.exe
        9⤵
        
        PID:12272
        
        \??\c:\82848.exe
        
        c:\82848.exe
        10⤵
        
        PID:9768
        
        \??\c:\2626626.exe
        
        c:\2626626.exe
        11⤵
        
        PID:12780
        
        \??\c:\0048222.exe
        
        c:\0048222.exe
        12⤵
        
        PID:14900
  - - C:\Users\Admin\Downloads\240921-nzne4a1cqj02efc0358cf6ac9f88ab3da170e5291c9d3f4bf552d8cc15165dc7ba036adcb1N.exe
      C:\Users\Admin\Downloads\240921-nzne4a1cqj02efc0358cf6ac9f88ab3da170e5291c9d3f4bf552d8cc15165dc7ba036adcb1N.exe
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        5⤵
        
        PID:9620
      - C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        6⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Dlkbjqgm.exe
        
        C:\Windows\system32\Dlkbjqgm.exe
        7⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        8⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        9⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        10⤵
        
        PID:15200
  - - C:\Users\Admin\Downloads\240921-nek48szcrkefad85e4b28b462bd2b4c89be6bd02f9_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nek48szcrkefad85e4b28b462bd2b4c89be6bd02f9_JaffaCakes118.exe
      4⤵
      PID:4856
  - - C:\Users\Admin\Downloads\240921-nm6qxazgjpefb2fcbae7458b0e6f888d8521b24a32_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nm6qxazgjpefb2fcbae7458b0e6f888d8521b24a32_JaffaCakes118.exe
      4⤵
      PID:5404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
        5⤵
        
        PID:7780
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe start schedule /y
        5⤵
        
        PID:12368
    - - C:\Windows\SysWOW64\At.exe
        
        At.exe 12:01:00 PM C:\Windows\Help\HelpCat.exe
        5⤵
        
        PID:15984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 12:00:04 PM C:\Windows\Sysinf.bat
        5⤵
        
        PID:14984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c at 12:03:04 PM C:\Windows\Sysinf.bat
        5⤵
        
        PID:14840
    - - C:\Windows\SysWOW64\net.exe
        
        net.exe stop wscsvc /y
        5⤵
        
        PID:14808
  - - C:\Users\Admin\Downloads\240921-nsh7ss1akj2028-72-0x00000000001F0000-0x00000000006DA000-memory.dmp
      C:\Users\Admin\Downloads\240921-nsh7ss1akj2028-72-0x00000000001F0000-0x00000000006DA000-memory.dmp
      4⤵
      PID:6500
  - - C:\Users\Admin\Downloads\240921-nmcstszdmdf944f66d8c02705b533ece132593907a0d5d5d4dd4edff643773706330dc393dN.exe
      C:\Users\Admin\Downloads\240921-nmcstszdmdf944f66d8c02705b533ece132593907a0d5d5d4dd4edff643773706330dc393dN.exe
      4⤵
      PID:9096
  - - C:\Users\Admin\Downloads\240921-nn1w2szgnnfd936d4bbd46a01b018b220736664eef5194925856e960c0175d826f1aba4a02N.exe
      C:\Users\Admin\Downloads\240921-nn1w2szgnnfd936d4bbd46a01b018b220736664eef5194925856e960c0175d826f1aba4a02N.exe
      4⤵
      PID:9424
    - - C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        5⤵
        
        PID:5140
  - - C:\Users\Admin\Downloads\240921-nmlqqszfrj00b2d5547663e9d33d1b8f5f940f514f3fd8fc9cb96b9461fb49481f4c9f0d24N.exe
      C:\Users\Admin\Downloads\240921-nmlqqszfrj00b2d5547663e9d33d1b8f5f940f514f3fd8fc9cb96b9461fb49481f4c9f0d24N.exe
      4⤵
      PID:10356
    - - C:\Users\Admin\Downloads\240921-nmlqqszfrj00b2d5547663e9d33d1b8f5f940f514f3fd8fc9cb96b9461fb49481f4c9f0d24N.exe
        
        "C:\Users\Admin\Downloads\240921-nmlqqszfrj00b2d5547663e9d33d1b8f5f940f514f3fd8fc9cb96b9461fb49481f4c9f0d24N.exe"
        5⤵
        
        PID:12092
      - C:\Windows\Googlekm.exe
        
        "C:\Windows\Googlekm.exe"
        6⤵
        
        PID:11676
        
        C:\Windows\Googlekm.exe
        
        "C:\Windows\Googlekm.exe"
        7⤵
        
        PID:9044
  - - C:\Users\Admin\Downloads\240921-nx8y1s1ckk94291kl7a0fl-vjj4.exe
      C:\Users\Admin\Downloads\240921-nx8y1s1ckk94291kl7a0fl-vjj4.exe
      4⤵
      PID:11008
    - - C:\Users\Admin\Downloads\240921-nx8y1s1ckk94291kl7a0fl-vjj4.exe
        
        C:\Users\Admin\Downloads\240921-nx8y1s1ckk94291kl7a0fl-vjj4.exe
        5⤵
        
        PID:9880
  - - C:\Users\Admin\Downloads\240921-nx7qys1ckjefb9b2989b2936c738be2efa60fe22d9_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-nx7qys1ckjefb9b2989b2936c738be2efa60fe22d9_JaffaCakes118.exe
      4⤵
      PID:13612
  - - C:\Users\Admin\Downloads\240921-np964szeqbefb4aeaa80c41ac7ada713ac5b09e9cd_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240921-np964szeqbefb4aeaa80c41ac7ada713ac5b09e9cd_JaffaCakes118.exe
      4⤵
      PID:15688
  - - C:\Users\Admin\Downloads\240921-nwkvsszhjd806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
      C:\Users\Admin\Downloads\240921-nwkvsszhjd806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
      4⤵
      PID:10880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\0004882.exe

Filesize
359KB

MD5
d5e308dea3f0c3240b254e3ea3b9688e

SHA1
6c2e8231bd6310c8d62d852f285a19fdc8c42425

SHA256
c95665136832d5b012d593280328b56de0e4cab77061f0b4de04bf67f07b748f

SHA512
e374983efe7c0dabe67081d15ab30977c36f6dbca19b9fac7f3c6e3bbe3679e7839dcfb46225e5fba40f0793701ab37a057bbfcf73d75a94576cdd5686b02369

Download Submit
C:\000826.exe.tmp

Filesize
92KB

MD5
1f19ea7a3bc8a56978c703475d1fae58

SHA1
94c69c3c5a77b72a7a8b35abd598572b6a12a3be

SHA256
592f2e72130b90ffd4f01db1acc9995fa3c0c6aa26d603b092e5de1bc88b72af

SHA512
786ec76cbdad2fdfd69eb3a9b749039f64b659cedbc941d1186399fe136b81e3f06a66938786acec77bb66c7f4049f372e18cb5da6e34383a54f9a3e96895f0d

Download Submit
C:\04044.exe.tmp

Filesize
2.6MB

MD5
0afd22e8c20c7916035f692f0eb6424c

SHA1
b865233030c6f23a4d4cc756ea1d65a08bf90aa7

SHA256
bf0006942099320128c9b68b9e8abd45e2c51c3ac454482227ab9da97ee4d94d

SHA512
f8bc1253fd6272aa5efa23f15a50b267b936bfc0e96115779df5837e31a96162b248016cd55320e6974edeaa01968d36d98974344085c5968ac70843a34c2bd7

Download Submit
C:\0440400.exe.tmp

Filesize
2.6MB

MD5
9aa77fe9690408bf5ecf629cd46dca05

SHA1
8addcabdb10a6b8aa987f800c488657278c193bd

SHA256
f7c5c65bb4c95693019c268c40cf627b1680ca7c1179f6428fb6b64be75d7bac

SHA512
ee5d43d09b3e423f8bb198b241a54527eed712d4405e21ce0ee055a021f6a2abedaec19ef1a348b931252a6b46c30cae764dc85e0e50bde6a0fa0424512b8281

Download Submit
C:\60008.exe

Filesize
94KB

MD5
26bd4a42d552481855ca8656153a8173

SHA1
715a71e8287401e2ac1ae40e295af72e53a52d23

SHA256
9fe2703d87c79d22124b2d233dce94b3b96088aebb7328d5ae9c32e5f4d38963

SHA512
25b99aa6aaa3778158d38596466571b2f2b67b866b152ec36677b5c29af4e1aea92eb26950ef969877db70e4639464622a11f5cba853cfde5f399ddb901c28ff

Download Submit
C:\6662666.exe

Filesize
174KB

MD5
6f6dd11e2dd1bfcd590dc162016da6c5

SHA1
72e6a5d731923ab04fd8dab68e813211cbce54d2

SHA256
c1db2ef0b79c9923199f1cbaa998a52bfd812e6a09bc6ca4e0a63a587c5bff09

SHA512
ac3c6bdf7711b6f0f6d5cc00abd535ca7a9ade57c0068c9242bf8f7c7e7463fe46e1de7c2fceb66fd8a75539a85b8ab05262747d0df3e8e0ae583efe199c4046

Download Submit
C:\6688266.exe

Filesize
119KB

MD5
d6a79cf54b7a952df1d0cfbf2bf210e6

SHA1
dd571a1cb65079cee6b35bea3372e7f33d99017e

SHA256
a5a60f631e5182e6076e818c46d16f89a3f59ae7d6b72a042de020fc0c060b0b

SHA512
bcf86f0946861b291b10ae18790396630f1e5d6040b5229c87df391e2808a68710b2912162db40b2694bcf23e445fdb41f4ae6b23b4de5be912556ed854392e5

Download Submit
C:\86204.exe

Filesize
119KB

MD5
fb75fb63a351cd2f3194e65715483061

SHA1
1a8da17c24ed74b4a05409904267d779a31b84d5

SHA256
cf3772f6e710b8af1b348f78e6e89494500cdd2160c06e6e561d92e340766e00

SHA512
6508507c49cd4638ba1b8792d52f01d844ee3f1f2058429861801b8152fc32d6466290a1aa4721f3efbf01e0e81a3213ac90e0d4fe685c082b989fe068c5a90f

Download Submit
C:\KaVBAH\boddevsys.exe

Filesize
2.6MB

MD5
c60138360cbc7e59a844dac65bdbae79

SHA1
3764885fb473cfbcfa1fc5f389812f756eb91a03

SHA256
16ee31a11ef862fce4ab57bf3c5b1a52282817232c1d5fc4ad36c6e7e7f09c86

SHA512
394886ec5a36e1610238e4be9016fb0cb22e9e97a10129f07c46645b8221ced06aa359451f4e00152d01a1ec1c005b9dbb4b57e85c79dce5d84c8156c24397eb

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp

Filesize
76KB

MD5
f33e2ec189c38cf1a8492ee1e95e13bc

SHA1
5f441b7bdf2ed624f2c4bf28629be4f71476d1aa

SHA256
56e15864ed9f10df8593bc894b947be10fc42275f8c69a8a882905fc169fdde5

SHA512
47b2f6c3409583a3ee645a5ee20794d3fa1e774943e6c8962d9f40b275e3d91d591a717f00a38661974a84c4f35d31246e8e28a2ea340c86d64d6962ce35bf29

Download Submit
C:\ProgramData\wmimgmt.exe

Filesize
118KB

MD5
ef9bf810caa06bce1a8cb54153820112

SHA1
c4940f5e881696d92794adf6d935feb2b0a01a16

SHA256
f3d7daf043472a6d676a803de648b3c472c0416ca3773d0d07376567fb291dcd

SHA512
4190b91b00ab3c6d6bfac250f21ff68b56a67ef1d839626c2a2bdbed737346bad9122f4df740d01312d43a6cbce81a11ed5f237d540c1390d36fabe483086e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe

Filesize
921KB

MD5
efba1ff649c84cf56e808d2c51cc3b49

SHA1
f23bab8448683f45cc1d9f3b85420c21ca30c13c

SHA256
275500636216e3d0f50d0285a73dedb300c01979ca1358f45bf9c12ec12de02f

SHA512
e683fe29d4a763108eaf32cd80466261d80f2623ad9003603314fe39863b1600f0de5019919b9826ac5f93bd1e50535259150bde14d72412b25fef85ee9894b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Filesize
1.8MB

MD5
85bc29056ca1ba37cca7b0a0d9985bef

SHA1
0da55acb297200527b4a7804704399a4cf534176

SHA256
210be4f1e3cb164f0a8df18019756bc277224021b60e5d27b5c952e960a16d10

SHA512
4806952a9127a9b12fafa5e106e2a5552cb68f7691d88ff29aec48bae55e48620a5ac4b49d84276e2efa34b6561b807e7768f9b428944cb25405c7d11f880e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\79b2429bb8.exe

Filesize
2.7MB

MD5
e070119159a31b350ca20caedb7a0ff5

SHA1
984d5a97a9f594b8beccdfed2d6ec2e9369d364c

SHA256
dffa12f91b77f45044817b223e6d573a1d5aaf9c668ae8bf1d543ea222040f75

SHA512
6ceb6c69e435d7b8bb234798daa91c4fb3fcb71dc9cc6dc76ed395bf682cc5ca9af83cb666183a346593c4464468999837454ef4b8ddfb052115ec0784553308

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049041\do.ps1

Filesize
1KB

MD5
5ece3d10a728fa68406d1faba6cebe01

SHA1
806a9d0a12a7f184b046e233702b26235db9dc60

SHA256
f5f6fe589d44294495e0d811b82c206d1bdf823750a20c75d21e0b3183c3322f

SHA512
927ba3cbd08f140351f1a246795466a429825f8469d2e9f2a0729a31efb443e9fbef618a0113b3dbc1ffc02f7555e80d363998b459e0f9f209b70512120caa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1064.tmp

Filesize
481B

MD5
ce2acb7e34e9f1bde9e436be89ca2043

SHA1
8fb3a45a90157a18a5a08f4b7af2d19e58438c90

SHA256
8c80dd375a05ec2730a39992fa71f612e62a0bb6ec6ad95524390a8fd5b22ae7

SHA512
ecb455a70f763f9787269ed391ae0d24c137001f447d1556e3ba392cfb853a30ee4228c4d667f23337832fe326cbcd2fba18d20389fc9c5456f78592efda8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1065.tmp

Filesize
42KB

MD5
5b08542f0606284f7f2679a03bd6a89b

SHA1
61e5cad4f260d389ed42189613ee5c09253c6b1e

SHA256
234897b809153f94a74b613de6213069d6fb737d7863f231f09eda48bbc12623

SHA512
0499a117634e6b860a6e903ddb7067182849b8662c6413d6ddd058deaefc2aced8a1cef0f6903d5af6ff920c280ba10ff6864beffa0dc1d4d29529e2d367b686

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4cf4cecfbc3cd2800b255add23cc227c

SHA1
9b4e3d76ed5b09bad89b3298c8f5a467bb0edac3

SHA256
8394b628000a3d28932474c40a04e60d68b4c31dd3e64a564b2b4237846b02b0

SHA512
e41c1d67ffeac62a4da99a143ed9cc278059059aa63956faf98198334081a5167a6b5d65af4363bfb4d21a894d01a96691a37da9f5c6db63e69ea98ca36b59af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2c08c7ccfced343d1cb8abfd4b46dc7c

SHA1
e2a7142cc55e49d5a75a814838941755b643df83

SHA256
4d871ca87798c856949900d3c75b1f667018549534bb931b1b23b8dd9ef1f500

SHA512
6811a7d2a2d67ce44a425b792a1053aed3644867ad7fad8dd830ec767c6847444f49b65c7371669135a400a0477f484f6df88dd6551c57f524bd1b96a4bfc32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
687e09884c95606463327a97bf1247b2

SHA1
75407eb83d341c296fd3619a5386095b6d0861bf

SHA256
1196e974e9ed06a9cc320c41999f9b83716a369ec9d17fb435d4725b523a1f64

SHA512
1588b4a675b3801deb9c599fbbc79fe136111f0d84478dc64810890e5f889cf57889e2b185bce349e84b8cbd980adb1849d18bdcb108be83bb9a9e9bdff05cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
01375309452f213eccf49fab3a9d7a4c

SHA1
067d566cd05e904726e71df70a2dc8642d8b1ee2

SHA256
160fd6daac7847d82c3e23799da4e92d09cb7816a857f5f030755b33fecb0414

SHA512
ddbbef941b9556352b1c5437b00c6d7fede7a4144494b4eda0342b2326987ebf1f0a03c5aeddba499bd261204171ed2abc0a30c6eba4dc077d803b57f3746f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7f11156d1969a7545b6fb53972fcfc1a

SHA1
987f72e69864083204ac84a4be37a79e16e5729e

SHA256
7eb76ecfdbd4a1add70e8350999a625ecde482c2bff57f5bf5f7a78e1df7b28d

SHA512
f256dec9ba464888a036c9687a979e0a025f3db88f1e2e5db78b593356c8af1108ba07328d0fa0a80cdd64a4d4dbffc25066f5991ef88167de1176e9b58e2bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
875b2e281ccc287214769692b48d8bf1

SHA1
23e115fa1ed5946b9dd3e9fb4dd905ec59ae3cfa

SHA256
be684577791bf6fee45b6e67139e1737d93d6a2cbff46b2d798988cab5638465

SHA512
3b385c50f4be41cc4620e61408f726023995e57b9ad504ff436db6e8318da2e4a75b152a520d217bcb19421736295ed45ff3eb2cdc8cd2c44b874be56ed999d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a7a531de8d6679ffb55174d8c1c05e7a

SHA1
af93eb157b407990c34d09519f18042dcbc992da

SHA256
2ca517f4a8da1fd7f2aacc263e13c9e81ae5fcd9db23f09672494b016b01aa66

SHA512
a0236d2129862490cd8d1b4207a76a1598c3faba34b79f91d93fecbda104b5a80912b54679f9a35547c059f3bfa3d93dbf8c1c2d1bd3e54990376db2a0478117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fab13ea641f6211bb844c2fc6dbe8eb4

SHA1
a4dd9410d0da97a90197ff2307e0990883309b71

SHA256
554c96ab5436a7ae942f95d235bad9981e181c51faa2016d6db65b8fe8d053dd

SHA512
f3490df1168350df72cd4a995848ca8ad2ff75c580589ed15668ef01b682d7858ba954c8e88b69a35e3ff8549f8b5496fcc9a5aecef2e4113b4257c4f444a819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1fead23e1532ba37aa704de922308ac8

SHA1
d4c87d20ec5236dfa7d04e821081c73a9ab4ca80

SHA256
8f7441e631a70c0cb21ee1414c37eb44a34b8d7f588e3f0eb9cbad125a5cf4fa

SHA512
d3f3a3e06bdd2d206b12a342b0f28fec466136abaf1b0a9f1cefa45339296b64db48997efffd07ca898a7f2a694a758014f24ab035484a70540ca0ea79bd1070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
72851ec8275f7df6161e86a8b70cb795

SHA1
bdb79ffc0a29c0ec2a4cf727a3cfbf60ba1cd70f

SHA256
726ec9448860fe1375af5a3579496575f39c23d5209db95ce9cc8e330859a128

SHA512
1e1a8f7ec3becfb69d41af7be46ad9980a5b1bef9d832209555e8c6f5679b410a3bf89139266361b5c14570b7d759417931d345545741d8ba33ea7b7c2794eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42d2b92e24151fc711a6d933d5401299

SHA1
ce89851968c42e5001977bdf26b1a39efe853d06

SHA256
8d3594c3c8da1f2b10a2c32366734a1149ad7a4eec6e2cd025bd2d3bf3e22d10

SHA512
590bf63f69753ef331b8611686a5a389c91e7de5b28210126e6e7906bf6d01d11825d546a8d47537c55f0baa0d9f52fc1d6e24ace1b21bbc5f5bee92dfbeba7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aacce3b2d1d7c0039d3e1bb04699a425

SHA1
2182967e1021ab904ca5a274acd7e3fedc70b728

SHA256
d1027ed0c7b7b855dfa4602394edbfc7c5b9f5ee8c9adb9fa35f4a54667c8d73

SHA512
93c2e00a95143626628de372b2081df075da806530220dbb69a9d369320fe2824cb639e003723cabaae70ea2414adb8f299772dc7ad2e563c4e1e37eb71b20fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
00014f1b85d2edf149e237d76b1d63e1

SHA1
ebb57b9e116888d6b715a0d9b06f1699db24fe52

SHA256
fa26d62b7f1567ced90ff3d264de94b30b74a16a0fc5603d6dd5373e191a5849

SHA512
c4cd61d73c9ee26656996961edacb02fbf845e643e5fce33d9458e369f0c581a98fe5771e6fdd6076aeb59f89d6f2618312c026f2597d05945e12ad740b10781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a6aa7b1084518769228785ad554cbc19

SHA1
4a8a26c296c7fb3ba553675d38cf20edffe4f3d1

SHA256
57f2e1a88c5cd1bbaac829897000f233da15d69fc1bc4d4a2a432782501a0089

SHA512
f5553983f94d78116b83d1d1eebdb97d4f015333bd1ad099b85b1368f8b323023b47ccfabfec7de90144829f8f5cde8b6ac739f81a949af73a4b59b72455ab9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9b54b44e5403d57cac12a6059efc00cb

SHA1
fec93fece7d56c5315dca31ef7ad1be0ea8290f9

SHA256
937b99aa188c9fb275fccf359ecb4b96eeba769deacb7c0cb6c893f175f8fa67

SHA512
538f7b63b1ac28abdd453b8dbbafdeec37ec9b6b1cd6df664ed3810de55ec3c9a7640fa7c1edde180bd409be1f064f93c4d2156463a06df8feb42a1a654d8e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
77a6146465f65674d09aa801cb565bc4

SHA1
5245717b2ab7f53ed52fcfd021e356f32fddcfaf

SHA256
b59bbc1ff70c1a5a94afe77a73e6382a685a9cc43726e1fc4ea1158322bef93c

SHA512
2c7c1d654c664d5f1168e0bff26f2a7ae7c87a948a1ea9b43c61e8784ce2c1b90ba00828c39c1db1114d0fc714b1be552589643150c23635bdd7a585b2a49d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
150425b65019434146cf9dc078526217

SHA1
f766b308d8f983632ec932070398dc86e6d12670

SHA256
03e44364e5e73f033712de1bae43c21e861a0d31e6948efdebf97d8e30d91b8e

SHA512
9dc4ff69d830066e5d17a89150dbcd59e9ef27c8eb37b78439e7902dcd4a6f73fe43e79c5492c8adeaf551d47ac74efd2c0ff0fcf2c50d759b8cf271c8fdb68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b480f53d551336ba4a5ff3f18e9f1f2

SHA1
63ee8fcf04820543c41950b20c29cd843fde78c8

SHA256
9802a76514993649897bb390ac23dab841ac77a556b42725aaa24c3267ebd8cb

SHA512
1980801ba8b654cba05cf79c70e222e54a342ab020edc30acc4b4379f71f8f7552cf13e1040bd9ec67a34e155e8ea8479c8c5c54454d1d57bb94ba0152c9f49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b4367d698f6f7be42085a3a85dd0d6d

SHA1
b88046f611ab07498ecd8762d33d38ab87c212c3

SHA256
7040f5dac17dbdfbbb8a9276937f666c62cd0a92588daf5dc4a8b24da758b59b

SHA512
ceb2276c86a2d165de0157f1f56cdbc5bc5d3c9a1f288d0b59f312589f3efd8bda735b16ab0d27f6fc541b2cdd65fc8b1e2352e5f4bdb47817688e3da3447bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2251bb34508d2e9ca0c94cfefb6e8d3f

SHA1
8e7ff588b223d059191cfd3449e66e00922d252a

SHA256
d55ee8f32d43cb6dc40e8980744d04870bc9c3872e9bbf692711b89f6f05fcc6

SHA512
09b1c464781afdcbbf4ee414bbf75aba615cbf2d5ebb77e75043c4caf91ebecebef630426056bc84508bb5910fadd8a86767900d36e8a281482361f987262501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
85cb7ec8b28c212bc183241449d8cb77

SHA1
5e923595159d2eed82796bd4749f380d0da20e66

SHA256
bb52232ea5d1f55a6f5f469944d7163d3681aaa1ac2de7f08cca15c625626db8

SHA512
28fb7682463abc37e63202e1bd104094a7b297b00c079a3e2fd2394edc4866c89dd5b3ce1949cdc6b7dd47dd77346bfd85211062f436f3c0de8d150eeb7f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
678c13a9708c61bb22d2f6357bed04e9

SHA1
6860fea71a86c5d3cb2e1ae4ae4012e8ee783230

SHA256
7948d4982dcea9dc804708d3d0afa415085c8d5708eb42a47de692a68f4b2515

SHA512
3da9f9e0679fef827ff66e0846687cadc8ce40be60586f0d178138676f17ccc2dc45e70a5687e313a3a44d71c5ef2e77b24602984e17de08d6fdaab32ea584bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
385f74c6601a3ba76852c281061e0868

SHA1
8959b0d79ba519033ca19595d5ebf116a8b83d46

SHA256
516d06d2349dd9f57700e22a6e9c277cdf8b9a95ee20e28257b0f66e702b3a26

SHA512
706aace4afd5e71621d6012bc2eead814db51e6163dcf09baee6e17c28c1a8d412b2ea75ebe845f92c7eb2335606cfc62202f55b4f457d0fefba21da81d29c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f49d28a25f5e58645af69c876e1238a

SHA1
df4a99fcfdfe939a4a5feb1f7c846565ad24b3e7

SHA256
53056433d7e666e48447dda362a58fae9b9193dff1a3238285277ce24044fb37

SHA512
7fe57e2d566219aca64ffb492c07df5fdd66bf0875e6d3fd0c94674fa8186d2cd414ad654040cd916ff0873bbe903564e994e4c5f2866704a3ed05988be683e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ef24ebaf0c62a2215d809bac14ba099

SHA1
7ff72b94ff8a5889cb2596d26dd6fba15ced10b1

SHA256
061cf2de104cab6f2cb56a4fc5653b8f4dc4bd1e4a533d028f951ccb8db9846f

SHA512
4f6cbe64d448c28c43f56513fcfc933a6ace2ca14d51a6d5a54184ba8913884f34086196a199dab3602e077f63148ac834e483be91eb3e4f0cc451e4c09987cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
991f84d41d7acff6471e536caa8d97db

SHA1
1906f8aeb5a717ca0f84154724045839330b0ea9

SHA256
514b5ad70eac59d19d9f9e83c16b5c0d667c414ddc1721b5c6d5de02506b1a35

SHA512
bf08949cb4016436617d51807d5e29841907a3daa322eaaa79e33a0f11b670176b47cfdefd95730dd89e9c2fb22e6be1237db33289f180459a8638f0d4a45773

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f5717b00a211321f48de45d384406ae

SHA1
79a7f9101c079d0faa824dc629380507f19606d6

SHA256
b02862bdc729fe26f967a0bfdb8c6f2dfc4ab629cf8e3d7ebedacaaa32eef53b

SHA512
68d9aba46b0e19b2cf6526c5c17cb4c037af4719da47de1ab60f26b2ff98440e30cd59f2215bc2e3e469a6c20c065665df0b6faa6bc1a134e9073bfa01aaac55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5ffe0bedbfa1773f6506f456c3ceac2a

SHA1
60e493cc440d6a70ce60ca40f3775c3fe1d7660f

SHA256
7d1ae7f5156e30a087be88b7988e609e27062c130fb4cc3ebbf761abce1e1ce5

SHA512
066e777415e6a57bb6dd18baa65798ac8f5bc5b28713dcdf28738166ee6156fd0b233742bf29d47e00cc05514cd31b4ae4ce4be5b72c45ae29f36fb7c98f8d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bb9e24c37fcc63f43454639881b29cdc

SHA1
60470c899f7de1b692ab115872e3a6e0d4587772

SHA256
ec079ac3502d5c99cc27ddebdf36ae9f7bc5f12c86c2cbfeb33a8b68b20107e2

SHA512
6bb21461e8eb61eda184718289093edf2d4314bd2f646d0fe3c81cbaf254b485fe75df8c79cb215566f1f383cb13d3596cc06b4fd35b94bdc6d273fd151e6799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3b3db13b65087dc5425f09fbf35a70c8

SHA1
b38ea5fc955b155c3e2c6d9f021e42de292e905b

SHA256
3790c9373b5fc975b888efa0aacb016194940811405064334e87f6cc4fcf9434

SHA512
84b296dfe302dc491453e4bc4adeb4f59ac3613890ce062a0b7812eaef42a008bf2f78d8c260c0c65ec1c518680d5210625d6a22b3f14269facba59135d6feda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02f3ace9c010e6b08b424b3901d56173

SHA1
157c10d5b025ed39e0a38801a38eb2fd71cb5015

SHA256
52e53419e061af577b8db2785a6c53f8ea16bb5d788574be3b74cdbad2e42708

SHA512
9c6726d614296d6fc07590accda1c4ab94bb66816bf39ef66783c36d99dd991373c5a42ec7a791d74a0c9535625f9528c8ed090011a63c7d2c4a182663a712e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70e2a62386913b9e0839d8530e75a65a

SHA1
182b1e3f06fd3cdb435eebfa224712403e5af111

SHA256
b31ad120792211d335d2a87441ee6463d6cae8b9afa312eeac62f5df3229eab3

SHA512
21de329b1a3ff76fcbce06e62b95d5cd1507007da7c7deb017bf5abe6241e133d13b16582bf120575c3f7c788343f5085e2a772fb7f64987bff0c5e723cc32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b24588f90d5b6228f0da6b84a4cae762

SHA1
2fa950e5f6ae1b19ba85a8ce0f370b8657ffa565

SHA256
576167b84065771a235ccdfa921520636357bcf3848863348738c5dc318a29a0

SHA512
379505ec00491afeccdc1ddd2d2bea3f5f8f04888c3183076c888779b6316eb6e95700501fe3735c31c984761028c11bb4530377d63bb63219eecc983394644c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
83733a04767faa8202018554e78d5297

SHA1
3a2be5f481f1c8d38ffa3c949bc7404573e2c408

SHA256
0d0eed8f0fd6e3ed8c5dddafc37494fc641ca918d9d68842ac47031e0a7fc203

SHA512
6d60159daafd3d88135c4f7643efe4674a24092ecdd868a24bbf581bf593a3125ad29c57f95d23e41bedccd2164fa3b6e21f919cd333ea83b5abe9e77686f869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cd5039606098fae6d62ef5548d61b3bd

SHA1
55d09a251ea33caea11e8cad4a721ed577034bb5

SHA256
cf26112b7e43f7752fba969bbd133277e9d1e593e0dc523192779edea8e77277

SHA512
1ac98db9972aab89b917f8146364973444f622d4e04e1671123f10e0e5beab46f095242c2fced42c39c518c440570e67a09615df27e561ff93dc5b920834817e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
98aff5ebeaef74e3aaad9c631dc034ab

SHA1
7eaa2bbbd8ec037fe1d73ddcf6897570aab7e71f

SHA256
9ef488d9035ee379a3f41e7ac3b08b89be3cd9773ac920680e51f38497b313fd

SHA512
6bb3a154389088da5172e67da02facc438b80a6da25f69a13c695878d4591d1f5c20f500c8daccabcd3a5c9d4b01baedc9421edee61b4e76b1abfad139909066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
803f38d07a487654c409580bc8a10a06

SHA1
0d420de8e9b6fe770407f3b42a1bcf276dc7ee4e

SHA256
8c5b245f2c42bd180202460df5c79c9562e21f890ec529ff0e0cd8b92f70aaea

SHA512
710a065f7706a69bf857430a8b2355cfd7bb87be8931f855cdf8fe5542372a165e1133fa171a4db61ffabace13aaac6a5c9a0131a5486cec2a1ee0b3270cac63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd8d1ed9f10752e08d7d7471c2e85e30

SHA1
5c1071786d6e33e97e97fc299a534da7e6cc219a

SHA256
433a7e58e14a5168c8c9c5de4215df2ab616719af638588fa15dd5f11560308e

SHA512
5f5f34120d2aad2d84e6d37c03c8906b520375863473ed107b86cc55caa59a0b1baba8b86c962de61171fab6e91ec752bffac290cf7d38b6ef4a52a4b3122c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
24a0590922e1150a097fa4103dec4321

SHA1
68e9509551575ee5d4aa256a9a8ac011bf3fbe45

SHA256
1241ebdeb34a8fb99b8d37df783ee76c7757eac972b509fb2c0359c78a6e8aee

SHA512
e990dcc817363f6839f681c60667d2ec1ab1e5fee77a178179d81690eea93cb12239bd70de90b6df31029e96e96832fc53904000dad0f4b2de8311ea31c4df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
53d70c64b388e8a921b98db4e99c774f

SHA1
86d2d20390b9309cba7fd383ddbcf5ca7cff73d2

SHA256
aee986565c5868c5c039e5d3278dcf04fb2f49830f27a1f65c594144f1dbbaa1

SHA512
b23bd3b7b96f50a9544f89a9c7f7e01b0970b8d333ff1a55509bc2b9ca89a1dfe176b1eaa43beb6beae1fd1737aa30097b35ea31e60d502dc10e7aca63ece411

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8dfc8509ffdfeab69277d39497767cb9

SHA1
64dbf209448366251f220e0445604aeeddd0b6c6

SHA256
a6806b0c6de05baf7db6605e55709c4db21bbfd1b6b54888ca35fcc7f4df522f

SHA512
b07ca8c4bb87f3c2b0b7601c3e060423eafdb7c55f59300da7b73630c0a524ad22339aaaab48a27cab7dd3d6351069c427b43e2ae2a91b3dfea3b12ddc3c1449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
387bdbfa4897fc4cb405b60248b1af6c

SHA1
2ff2d8f01e34c7941d1317e28c5a9cf3883fbbbe

SHA256
b2b0f39ba864aa19553fa4f8e0ffe859223542090847bacf33b802d47d0e4162

SHA512
70075dd00e0bb40319d0828d4ada1eb4cf41d4f94a4310b3d8e6d2b6866d04fafd32e0f25ac1337690c2894f42201629264bae771cbe30ba3c74ca36b2b696cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
504a02ee606689a7557d5b131dbf7239

SHA1
64e25066d90c5b2bf06a6abe9c9171307abfa299

SHA256
2faeb0f8a23080b046a4cf4c6bd4c7ed85c0594c7a308d9a9abe0e654617c806

SHA512
79146abbfb73ad19cca24f5c7c5228aab4a6a58eb88564e97248045a398ca9590864838b2857d9752f1d608c51f8fbf827e7752ada733a1cd308bd8af379ba60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1336721096447e19c00dfc6c54e9fced

SHA1
55a3924e1b1a0931b871a2b8c48f8ab13833d6c9

SHA256
c9628ba91e74774231583716f43df42fec4cb6672d6a8b1b9dd8244787ceb59d

SHA512
24ae82b1bdd9df797eee0de484ed13e8e518a1cd73455b9880e48f6c3132ed4d98462f5af85767a4ec79b7aa001a0db7be82006adecc923159df82f14e0b68ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a6bacfcafcce880fe691be8cce41c1c9

SHA1
03ce5306c8cf43f35858f3e5ce3e49428c392fba

SHA256
bdba0221d45d4c7a12196e9bdbac0e90ae4f2c6234f7574448e2a36468307504

SHA512
56cc644255730972a92734249fedf2a04643dbdf56b48257f2ce52d8ee6bb7bf7514e71be79a380cf53067655256e5d49b465407ff96d9196196ad9a14a1cbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5e8da77b91fa964decf8460667a8a3a7

SHA1
619f16d1e07e480018df12e6f13915b3009ccf44

SHA256
ce2f20e6fbf825653d3aa14bd04964b27b6c8dccb11e12cc6ea67899c03e4cc2

SHA512
aa6adb46f74c10959f607bd957034b38f8e6694626065b733df2842d749adbf4f624a7d5f16ed82d3b836a08ab5ea5f788d86d546ac72d4833da772076c65b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70c6f14d72dc46c55bfe55ebe767082e

SHA1
69ee7ffacf18b1506f4d7873dfe7772cf21dd41c

SHA256
6f916a73fbc777561efb9b359c1d5d66c9e478c3af802d5c685ec034c430c6fc

SHA512
795282334fa8c1cdce4111fc826942db9eda2ca60047143537379a4c2e264ecc50e2ccda8d953fa583315035d65a6c0f5a21c11410ff720a90f2146c8bb09aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4c67fbab09239ee01319a050211c211f

SHA1
39d7ef3f7725a5ac5074f34ce84e63d020f5f780

SHA256
a1c15c0a9598b63142b8011db340fbc63048c18c0da6ea5d014359d82324bc11

SHA512
145edc980b5ce74b3a223f96411e352e5209f051029d66ddf46953e66cb30aae7e91beb536fe47bc27ed25f59628e1eac8e65a6c663c76a1d513f7727afe718d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
26704aff65b268ca9d2b4aa67fc75963

SHA1
8ec98cc5f6231264fce473fc66e314d1ef0bf458

SHA256
3173d1b1c435068d478522300ca1ca34a0db996e83ff786dcb3b1e215e7fc718

SHA512
73296bcff8fcd1e4f4006f7026e7b19d94bc2b9b0bff2f444e75a2d1c7d6bdc970cc5df2516ddc30291a8aadb3dd80313206e2d48a4ae28f380ff737c7b66dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b16dbb9174053211ba958b63fa0b81a1

SHA1
672c071b92d760a434bf9e3fb8eb06a7ec944d30

SHA256
2f36cfd7af51cdd6e414ba9eeb5caddf80ce460ff2ae776ee37bf28eea28f16b

SHA512
61e3349198b7997e9b124924dcc6815bd3008d68f3c322ae177cbe4e46d2ba50e6ee32bff8466e7fbeea3b3fdd0f3828e306bfd3bb605c29a465952aa14b289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3671c707958ab13672372ab2bf06342b

SHA1
24db14d817e6a610f9dbdc515e3ad517dc0ffbfe

SHA256
6ae7372c391d2272b1f65108cbf6fa3fe890c0598c84b1d3f9e11f6d81f85a13

SHA512
1f806812badb0fe79b79c925e0b049c992191f9eff5a23282ad00a534c52a82bff84d333560f57381fa50d95194e79fffc6c3221d23d32c6f9bcf19ba51ba40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
50e84f34082ed56ca025e02a99f12fc4

SHA1
2fe5728ee9ae5013c6be43276e8fba36e424ec70

SHA256
07d8e8e7bab64d50dd6880307033ffdb66b501e0f51fcab78ecd9554e71816c7

SHA512
3cea2339d3afabf353707d2bac8ccd99bae2d6ee159901639dca16b58b795d175ae82441dd10424714ba3559b8fbc90b86614561eb640e543354e41a732f98a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
712bfe135c1b915cbb107c6c282bffa3

SHA1
47c1a4b29dec10d1f16c4a7cfdd474c7ba6214be

SHA256
00e6559a7b83e8a86554545fbe5db700eaca47f92d1769a66e6d090fc275c716

SHA512
a34a82cc2e9b6347ba7de6befd3ef6fe57c0fb2fe98494632e6d0f0e299af782a613ce2c9e216eafaf22b26ffd457b2ae42eb0ad7cb908152eeb93446e728cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
089cc8a88be01adc50f516051cfc7f98

SHA1
22b476120a2d91fc055b8782bbdc3750020fca15

SHA256
751b7002c96271d4d68534e9101ad5cdbfc21fcd1adc5ddcfab5cbe31f644545

SHA512
cda73077af5b7c0e473af92ace5ebb1b2019bbceb0daaab44485a4d6945a591555ec9286cfeedff330460038790af83e74473474bde7d794b4fdc43fe83cbf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d152ff720c60e3bff2a8ee570db3b25e

SHA1
c818be57098d36a8645d6fcd7835d276267b5dc9

SHA256
a8adb68df966d96f64ee915bb5334112138406bdf94ec7a2bd410a04361bd554

SHA512
53015c8b3278a04e57bfca0d1ab3880a2d0ff956e02f76eba8f2c7928ee5710ce12933d4e8a3a25e83aa8727dbd25b1c15c113ad98acb1824ce1830295045b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
510e8d9638cd60ec4a8983d8d7300ce4

SHA1
d33e8df4ec0f2831a11f40f8548364dc0c4ad958

SHA256
f0da2a0934262db6ee850b7e4d02cf142a178d900ea9639461ebf2badbc884bb

SHA512
7a5f2bb5288deacfc35c4c88c9b0e94607b30c7e81880368c6a0a213e0a25dc0b886b8fd3acce1d9772b17a8d8cfebae8d14b31392a14c0642ae8da77c99ae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9859d41dbaa1655ecc0d95b2567480b0

SHA1
fd62d958ea645817584bc839ae41da57328f71c6

SHA256
5d5a24f7610f233e59451d2c373a3f31aa0270443b919ad9acb326e7f842b4be

SHA512
8342b84aafdf1d98b604302306e8f04c321caee01ccfd2b914b1c76d09853b1a731b5ac80e85016b16b78526b0ea49e0daaba59a1bc7c032f527b6effab45011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f0ecf2e76d5e7b29585540a8fb921e10

SHA1
849f438a0d1faa00b911ec43a24cf4e602d5f9a1

SHA256
c7a55dec06ad3d4f11a688708599ab943fe3dba5a1aa9539d4cc75dadedeaf74

SHA512
3de0443789c9dc7cb771caa6929c6e207d69374f74df97e8bb4f2b72fad8bc5a8321324e8fdbdc69a7f1d41f43bb1d09acd396700764af06be6e92f89638de08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4711c02297a855603966b3b05d157146

SHA1
925e9266a27647ba7cfe3c99a80b423f52fc6c28

SHA256
96eccfc9a6f73a465e5e1fa2cd44e895a141a702ca0dd32ae199565974ec2b14

SHA512
3066ba502782519c771ffa414b77754acb13c6c32538b3ced3f6f3d24321542a73364a3ed22045bd29f3d977fb302b4013d6d0932fe342b02dcad3da4b4f314e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b43a04fc94cfac88f06d3fe2c8d2eb4e

SHA1
757fd8bd04bb847f65c4dfae12ba5974d50a95c0

SHA256
71215031716e7504751f4d7c160e7e40d16754c874edaae47b1f435d861945e9

SHA512
842394e779fb6ec94f32cba05185faa973e88d596079c29e906500735354c2daf1ccb21c7de050ecb4ee769401ec4370019986af6db549d6b17ffdb2aa252275

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3119d40ce423d91026623ca1eeb90a93

SHA1
6d34ef77339ef02f0f5271df852c0af9a354c896

SHA256
2767506d568914787447ecaeefe52e651d2dd137ada6d04c5da1b03f7b13f90f

SHA512
bc323be3e55ae63af0d98790e1d30843a6e8bd5f499d26288b571ac08a12e1aa53a9a1dd42e728c56ce7cdb14b06555a2e11af5fe74b38f15a7e58a762a67308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3a68a2723a8281558c89a0fd0ceff5c3

SHA1
71cf048d12ffa29b3ee56833a12a958199ad4d59

SHA256
2b58906b614cfb2164586ee9f212783eb89b8afa1ab85ca74b2f4ae909405388

SHA512
caf732ed0c6776d79fa59c1ca2fe7f144bb1955996d6f50115b958aa3b078f40764f0314417396aa68fd3409697e12a16b7359fa99989d41b8125faa49b2cf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
61067c4035c170bc0fa1b80962ae29cb

SHA1
9c2c6cd2ffdbcc28bbb4ed6a9108ac511febaa99

SHA256
09336068fb7b48c4d6da30d3da0cd2a7bcbe86f1183e693ba1326f0db484c0f8

SHA512
6fc571e449a77ede4311853e5cfb965a0c84f5eaf7bb864de6e83613549dcc0e7c43d1e6df5734a4f986011100b4e922b70be7a6c92759d1ba6a065cf52cab2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ddf53ad6e537b2ba6c5e99655e9df51e

SHA1
ef437fb54fb17d224fed68c5926437fb362422a3

SHA256
f044d09710f64a5c1aff5f198d2cd9d1d884b2efd3202bcb7c076ef5388e33f9

SHA512
0bbcf0750c8d68a163f98c7f979fa08b63ebcc749a55fd9741454fd00790ecf2aab73731a556e74a699b61bd5c8de6a6b69698f72f774e15f7915938f7c7ca8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b4baae0c1d353e6871982820ca27c279

SHA1
6deb949f7348a62acdb7d7ee9c0077ed76dc99b8

SHA256
7a335a4f79346d11a368405d9bfa8764edb985809dc7da9e4b38ea13b06b4378

SHA512
49c6e224dce16a274af22ce4e1c2552a4f1ec085e4d810fd21b1f33b63604887a598a524e2fc429d473e39007f3a191652aaf6e862307606061801e56d513ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6bb54d9dfa8031186cd8da2d2158488f

SHA1
81eb81fb357c938cd8bc2b686c464839697896ef

SHA256
51fbf32584938996c1496e6686f758cc5d27ab31e6ce1553e88aa4170062096d

SHA512
7d08a33ff490d6a44066d12b638a26e5d8fec5484098cf8629fbcdd027409e31c2f344163f451de5a577e44f5d66734c51de23f79d39ac26bdea6308bb0ca597

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
174f16e21f9f7d45f6e741293b9620eb

SHA1
ed7b9b5439669310ba28c5abeec581a1baf5426b

SHA256
3941b6d17aba23d1227b0f21b4e2c621dfef40a3cdb62c5db8f48e29254964cc

SHA512
c0c1b1e77ba6c55924248dea081651b9f3134bd16c942877c0697503c185df5385f52a36a4aa7fe1457a8afa2ed40309627d4528b1cf2d0fc53a555adbb280a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
63f4755bda8c5a0d3a45cbd7c07281be

SHA1
5b881a251a642b6bb3f7350092174beb9de51a44

SHA256
34c4800f7de95fdb21bbbb751ac1d351cfc7fed4018ab28c24464f39a6cf958e

SHA512
bb80ccd55c372fa95854b1c6687ef7e15f89489dd16901f73ae7b224da4bc3aadf4130660131a233335ee03772e3cdb909e2346726c8dce236c875e825bc6a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
30ba608a40d3f3cf2c21a9fc1afa3dd3

SHA1
bcc42475ce7eb149b54ab7f8e34144aa57c7f6b4

SHA256
63562f34076d877d4a423ce861ce4aa76ff24fafea052a104a5137649880738a

SHA512
3ed1de654504c2cf37c77b335ceb562b255a41793a1b8c0996e445d5fb2089a40b3dd70aa64378bfbfad0605d386b7029aa0c75dad192abb58e0eaa08453315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1e8a2976fb050a4279f1d70776c7f6e1

SHA1
eff8ec418778771966a60b698e65cf58f176bad4

SHA256
bbfc564e3063c8b2cdc760221ac90b7fed5a3c40c566501a24771df2ff2299e7

SHA512
b041dfa8c88b2042f4185f683122d644af05cd75243082b065d375476530900b0bf845cc70a37917bc78572a7a9a0056fdb78aeb2953d8de7c825a03c1118fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
298a34b8a52e75e55e470313cace1089

SHA1
ae35e1a2bcf3a4d1daa7bbeedb508db215cfe8cd

SHA256
74877a1a821edbe5849c86bbf93b807ab23101b7eb025d8cadad818983cb9638

SHA512
fa7c4cd3d1691074895a796ae78181ee2f4cca7730cd01417679aa279a1b1b102e1ec989f4b3414c816f9ce36c004ef7ba645c7b3c4c2952ec47a4dcbe97e0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
44c9c4ac6acccbff69c8168ecd7fb66c

SHA1
4137a17e5c52b83ce0c63247c344e0b4861389e9

SHA256
8b20aaf8faa902af5c71de788f6f41e0d423613454d045de9d8afcac89b4b3f4

SHA512
b138c22a66dcfd08f50e6eb018f2e2d3af82b9c56f7f26948ce8ea248047a242f5bf87dd039fe477029298b106e0427d0867b2400eac3ea6a88d2c711524dd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f5c7b73e29b2755fa82b99edfa3633ef

SHA1
fe3b9451f7c3147dfa8946ad37aa9f78cff9ccd7

SHA256
0d45dbaed2154efc4b32691c42ed5f6b5fede492122b3699db1cd4d7f4644a0d

SHA512
e1f29b975078dd3c9fc2d98380d9d60d6aae25e71491634a8cdb5b0c18888e2e8604d79982071ba26b0e93c6ca89e2545e40fe4ac5c12f1bcbe923f63f082845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b2f7a86402b09c937d0803dbf4fbd325

SHA1
1730f7e779c468c984c719673adc2503ccb8bcc9

SHA256
185d5cdf30fa6c59a16ea001c107dc1d76f8993a6b233879a5765d01fb2c536c

SHA512
76d7081efe6fa809b0cfa3108472741e672d44ba2bf0b063b114b003359ced1bcad64858552a1f448fc6c3f2128e8d7f9fe8f08d2a42b1b10fc256746bd52fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9c9b5ea8c886f86d088a6166d99b2a7f

SHA1
2cfd0924f10b526ce008e07c5d60bb919aa0482e

SHA256
1289e4eb54cfdb47e46fd59a9f0819fec31a64db682594b43f7f179414ea1d46

SHA512
0525ac949a31d423248adb0cf572629eeae7b87930133e20856a5ea7149613c9b82c68a77ddb6d72048338df5200e9668b5cfcffc6679185127d7ff3a174b4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02c6a54bf4104e2f1c55a1d376bb44e3

SHA1
24ee98b173733a5a49a99ac44e4ce2c1f4230a6e

SHA256
c54e59f8513eeb13dd0930c0c22057df579d2d998cc38208e7e016e50b4a2637

SHA512
865d3f99bc0fcc86ac091bf829ca5929a3ca61a1719981d53d519776db06d93b4439b2e3696da07cd3c8b20c540ab368969323d3b571dc24261a72899e3d0ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
77aa557d11a12becefbc792f54082ecc

SHA1
c8c2ef6aaed175f92941ece46678ba8c3981cab2

SHA256
9d8ea4f17109816adf1c45505345db2ea8494ce4e4517539601a8a6539af3d9e

SHA512
340aebf49c70433787a418ebce0ed919f646def3b8a94343574fd41fe72de115dd728949ed17bc74fcd06732a9d14acaf931bc973ca09e3db738fb5679e2220b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8bd94d442d54699b21442945642dca9a

SHA1
5d0da78b1fb273363594953db36e4c73a2fda3d9

SHA256
3feef410ae08dbf93770daf4c8bd1f1e2315fd2d755f6b01790ba5d7385a4315

SHA512
ce16d0a31164d1a76fc7f851e6ee34daa712148adc4781587c50b5e5cfdd51fb79d11999f53be3726db49300865794add0c2aca325d0cde9b03a701dd07861ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d89761dbba38dac8599dfa130d650a0b

SHA1
eb13079a54206f5070002ebccb18e81e305a3b57

SHA256
0c9f65d9dc8ba17be33222451b30f31cdc2b18f804e240a4ea1ec93ee7d39847

SHA512
56afd8ca9e976910cb2c007032749f2b1b111e35e7d533d1524c2c8a288f7fed2daeae6a6fefccb62d44acbddc0d9611ab98d0ed5bf4ddabc1724edcc3b61fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
51ea6886b3f35038f01b954cd0eb6ca1

SHA1
eace97b279aa0047df40f94b5f23fc5ca22163d8

SHA256
2de1391ea1b54c2c9772993b44b01e8d26e07c0691a232af53951b2d55977e1c

SHA512
2ee9219a03b53ff58d619dd8e481ef64cd5167b4aa167b4958a11886c1e34e5017cfadc7ad3baf1b2f0a17ab000d06db5886dbe91a488df2a3d0d3dac20eb494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f9ae1a3cbbdf6dc74a99e16c9032684

SHA1
a1a428e8465b736522a73a5e395c4ad16d28dd44

SHA256
5b1161e80451a194b72a36d2c263ea1c95c7e2fd4440cad40aa1fb77aff2929d

SHA512
493bcba07b179226124c22d48564bb42392b90fd2446335635d8546d2e3de00c772c7e0b1b0c9c301c6e646391645bb9a2b26292e59f082c780b9685d582bd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2f1a92a7108520426688fa0c4dd175d2

SHA1
d50236e86399cdc877c677e1c89e14d5def23b56

SHA256
698ac643a9ecc2caeebd556105783293415d0d565cbe501b28b14c49dc0d8da0

SHA512
5ac7800a464aa63e4a0b0611e932749ac3d6288aff8a75e508a82a15a153edf746af9c9baeba7d05182b29885b41213f1a03c50f6bab88cacf90f1aa3af094c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
67313cf0af16c6f3a22885159e03f8a4

SHA1
474568ed563c172a7361d7329b656b7af4c5b844

SHA256
411aa0a720dbfce49aeb2e804660bc9e9a994c6ef35dc0e039e62beb9a6fc7a3

SHA512
e9a5dee033d691dc788ee7bdb931230e134f8d51a7c0980eb82a19f16eeff391e726bad7886e9d570078f452b7482b1c13a5e3c15011373e360b1229affadaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4881e0453b42b5c8f422b04a1f890336

SHA1
cd904f6e66035387db24ef7f1f417d9a01dc054e

SHA256
e6f439ac21883462d578b5b8d7185feede2531c118bb5d55b4b30ce7a321e9b8

SHA512
b80ccf484d0402c22957154c8240b51fe833966e4bb1904b93d7a3016802499316b54e5f82d39ee60844b374bfac8a9916904083c14a2bbfc7e1caee5b0a6d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e6ddaa4d9642f2f1e0eddccbd6cf6dc

SHA1
bb72dc7c19f443ecf906eed2f211e2c9fef0a25f

SHA256
1d666e4069eaab9b49eebbbb4935abc34d84371b9d87265159d4bb87c7246d8b

SHA512
0b4de9d6c025bbdab0319c4894f28751a728dc2331d86ac7dde77d95b6794b9833583ec3c4b8b6cc1c89a53e37b6d8ad5f9a3926df7866e7a35f4e23eae3eddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a5445590430691a04d47074353839620

SHA1
db3390457f2fffca84798adb30305c3a44442262

SHA256
b5abb355c47f88d2b0e31d4d015d52c880ce4f8a373d29921038f246164444e4

SHA512
c6a476dc82fb955d637ce8a679df542b4d79f13296560dbf032a4d5fc86938b3cece974fd9e26415a81d122e63b776e74b352b9a84a36126cb851ebf9cb51b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42e0b2a85c55796a531edd33ebe0b29a

SHA1
e166572ab3f566d362932a69ca06371b11f2a94e

SHA256
4821fdca94790f808b33c942a2007026a0fe18e0ff01f813b5d394c6e55af112

SHA512
d0974d75083f3c42ad35864be809dbba62a4bee76ca5a2088b896a675053d7538a15fe3e1bcb7b66c259caab05b941e192a5d7719f33f0af04e4134cadb311a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
08311c816b26e9302e0937a12fdce937

SHA1
4c6c671cdc674105118b26b03efd745c4b74f734

SHA256
584fb9ae61fd94efff32fe1140a716063b04eaa3065107cabcb8c78e4f6e6c42

SHA512
534e8b40ee8ce63c2c11a89197b8630e7eb93010e304b134a758c17a6d1e675562300faa66e714c028759d6c38a933221142fe6531412324a44c580175fa1e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8d8aef04b423ad03ec10a4166fe42ab5

SHA1
8151e1c2cf7113183c18acae13ae7e45f91af210

SHA256
3961120d74c3c45e3a34458072278ce8dc588295cc84342ca9c5d0b11ecb4feb

SHA512
d6a2dae0674917220397b03fd2df92db9b91237cc5a1e05ccb2dadb046de73961762e17a2d55439cbaccc4f27d05394b86ff55f44da11fc2f983eea6bf805eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5045784a5773d743d8dc5f2bdc5762ca

SHA1
47289bc221a253f8271f1e290d680a777b171aa5

SHA256
91a89975c695140d8947b35fc3e8276eac5fe981e195f90dc27217b939791320

SHA512
3260c11d5aeac13d2da9994792058b37ec73354d0e8b96aa3d4c245b4f25ab745fdb1ad580e359794531ae07c0b97a320b143725da1f516f531aa65643b8f9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2e9f7361dc3f30d65a1c55489018bf8d

SHA1
e5fc63de13388d8ba7dc33e35cc4adba384eb3c5

SHA256
09c8ab61dcf636f23efeeaafdf22e12959ec1ac38c1e850f14eeba9a14c84aac

SHA512
fd22bbbd75d7faa36650f6b0a528509132e17e72c1818a03ae708fe7f6c4d46a22dfecf3048c2195a1007c4acd68db64b34da708a7e6820bf43f9654705138ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da44d72028bbfe2175a8f95837290b81

SHA1
5c409b555f9b76efd2c8041ff081e6a37eb9a753

SHA256
60b08073c7033f9463e515762e0db3b781320e1c30af08ff678db2c6b5a006c9

SHA512
2fe5310bc0b47eb5cbdb4cbfcf9f3d6a0b958f1b7df3d194a9a1dcac9fa7992660b9ae79a4981fb2a436826ca49b28ad9bf5d5ab9d0601ba1fe9fdeeee762fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7990b92809149d00cd42c1f813e2e56a

SHA1
1b24cc57172962ef8a7cd638f5d7792f928089c1

SHA256
507d5cdcb3dc462486c1100ea5ce4aeb8db0f85c4897c5f7784d21335704d155

SHA512
a98eefd4374d7d79dce3ba76bf3791fe0f92cedaa33e379a192f2c71bf2ab41c028c0a6e3d24646739839ed4f68db7aaf5176315b00d95ae90ef0e78b97ded5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
edc9dfaa7cbbb4a3c5459e0db2188326

SHA1
a5358796066232b93854381c9dc597964dcda2d1

SHA256
54299fcf939f4006a5d3d67a008093a10bbb3b1fb600a392fa5f814b1d310285

SHA512
7ce614341067718383ee92f50eee2705b6573cec62f2a3a326094757b5ee36cd35334022a94901503e520777d7a2ff91a35da882e4fc92c81b8ce6fecb691a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62ba1f095eddfeba3c472a4ce0c7d738

SHA1
0c4f77015dcb6c7fb58fdf1ff8fe4a623d77ab0a

SHA256
0a72aece5ebb3a7f801f3f61dcb12cb125f87962ad60191057fc0f4c3785cfb2

SHA512
7c66e7e3186c19e4b68cfb94a9f4fc2691823c8987a028a4ec9d7fa05426348829511b577632d31cd2974b78d6cad9020944bc77d5e40a57a8409fbd61ae2ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
222257230d58fd8b5fc63b2aea06c6d5

SHA1
1002a22a41357046693ba0393928bf6ae7f4c717

SHA256
6adbd78d015491111401f32b57f6627b243b316f93c91cb1ff80c8945043b045

SHA512
d49d8d96308c93d63258ff397b81e9c6edc99d79b5247f365171f09ecb892b5bbd538f53c79467c4344250be806c5f39ada327ee99d3f01ed6929f4e3a1c3e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e40cd67170eb3272dfdeb981e0048985

SHA1
02475b9413c5e247c51a88864895497f6e0c4c30

SHA256
f8e25dc71a3886b1b5d157495b15e2031b30d053cb8f90cca80f88ec856582dd

SHA512
b987d5e2fdc4416268ae71f65cd16be36d8a49555ecbfafcd01be6bc2cd305215e86eadc1d1086baf033a55cfdd80124631f5f8ec3ef90565ac594aa99b7ee55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cc4fdfcce7f99794f68740258371cf2a

SHA1
86a3047915fdfe5d9cb189104ec4405fb23adf9f

SHA256
b0f3c8ac6365b1c9384d7e404c6a1e637694c8d8bde1605945b03a8b1a921ac4

SHA512
d60cc5ecd3304ff064da46213d789961ef33b51ee9ea8a1b89d67a4d21070c787ccf8d1cc9e86e70ac1e95d3cb64974801c6ce1a43d857f7db4084bedb2d3e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68c71ddf649bffa8ef9ebd09516af482

SHA1
5436aeda07a1674a33e78cad184459b585ff47c2

SHA256
6093e1aee780ff5e42f02d2ea892a3f7829488109c7cd8dad91b69cd2ddda25a

SHA512
76fea5889029e832c2ca3e5334da050c7d21d646dc9f7252b8299eff9a92e1f42df1f7135b78f95b227b2962562ede24f1b4c0517a06fbf9ec47bf25839f8c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e528b1d2270b3cd96878fd9abaee9938

SHA1
af0a384f9ec65b063925b50e9bd6386f89a7d79a

SHA256
3079a1719365f08adb915d280988574bdc382edd183f3ea0fb118526d91b8657

SHA512
485e2b1d5b5461a0a830e1c6f149affa4516d475bfcbadc36af5eb2623416e6986f8b98ea50050550205a8c11114741e1bba0bfe3cdcd2c38eb3701db6122d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f86e5df4c4227a534673b529991a1476

SHA1
7029aac5c374da00459d6c637c7b4c4dcd43cd43

SHA256
254d5c8b27d0dd598b0c6e4764d96fb20c222adfcd2dc67b7d46ad14ff499836

SHA512
5288b11291146ff8c89e88baf58c0fa6fad484c7acf7821e116a5b64559a34825d169bf20da20cbd8ab875c02ab438524caa9b71294b650c2ce0a433f8f3995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9ad68973851c49bca93ecde2b2efbeb6

SHA1
8d78989d3cf9370175287e5133b281cba041730f

SHA256
a51f22c72383ee54a95f6d9cf554478f7df699ec32c55ad4c4a942d2474d11db

SHA512
3a883913fbf4bbbdc522aee01517b1f72efded9d7217ada53f26aaec683c89c729ad4eb601dd4a7eded46a19419ec007dbee344f5096e405c89c92e3a56acc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\F537.tmp

Filesize
24KB

MD5
624945fdfc97a50947f0a253876d8300

SHA1
7108c00bfa3f35d3bdd5b329608a15522c7dfe7f

SHA256
f3e69b65007a65624adc0684fc0f3d75048121f9d30d96dca31960a0e0edb7bb

SHA512
882572e651cd585f307a6ae0bcdf24e55c41be61f45def564bbdfb01f17e66da461c895e1df263bdf1707d229ad7ad57dab10084088cbf0d4ccbaa91989db45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F547.tmp

Filesize
1KB

MD5
a25af9d1b42599a44fd591eb121f3d46

SHA1
2be5107527000c124202987dedf613505b3eb0a6

SHA256
ad2cbd320233769cfd61f0faaf5d7b5e18278e2e2a7739d23c756282bef2a82a

SHA512
e0651c6abef0b5786fe0c23c45c73a9b7bcca7b03a0b8dc48e315032c4d6de39c78a9e6c06975b59154cdcf068548e638e7f0d58237240f042a847e888206a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F682.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows110\ChromeUpdate.cmd

Filesize
201B

MD5
2e8c25072149311a512c29ed03c54163

SHA1
359e87a9f2d37809075ce7de2098113db019a142

SHA256
a6ff408ff7b6f521bb3689c6c5f58cc7c6ae2a25757b4edc648e71392cf0ad9c

SHA512
a78392e48125533116deec39d2da84213ad7290a40018cedaf7a8412bdf636f8df9c32e8978a1dd1f885d68627c11cd705209cdcc26b3e4acd3cf4f0fe2029bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows110\Google Chrome.vbs

Filesize
265B

MD5
1656f38dfc211a51999188ab7ae85722

SHA1
ed79a5e92a4fb8450517c9b5f3c135ea6ce635e0

SHA256
00b391bdc75a8ca8e7b4dfd0c1fa609bfac059ba24351225b9cb98c32b43ad1c

SHA512
22304c131e0f5055482ca9452e7af46f7fbc9b34658852e2e6ffd3a40f185711d3efc73b3109e952b8b32ff6d6c3489f4459a6b517b7390965ca4d4cb08767a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows110\msedge.cmd

Filesize
3KB

MD5
928536a312c8cd52577010a7ea4d3a9c

SHA1
1ff84ec9f0226e8f545895ae7ea27c7a9e92ff58

SHA256
734fbd5637f3bc17f2b375373da4881c081ac67e261167a38a359d338c14b80f

SHA512
dbdb83f88c7f74674290c1ac80f2df0344074a38eaab5cdb11610430b6c1e24d4bc6281d1f866dd8edcdf64b61880087035c849fd88266b3feb306b90258cd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows110\msedgeUpdater.cmd

Filesize
65B

MD5
bfdf25beb2bf5734acad5248a05828b6

SHA1
e8fd6f69914e6b56b6e2cb878f359d334cb8714e

SHA256
d0724d8fdf29a27df393ed2ad781c7ea8d1d6f86dcfcfa30ebfd8eef64582857

SHA512
4d99c159cd5a5ef3dc78dbcf1eead7c9919da7ebe238e57c409a25f8cdcd10379e465671d35932479726067318faa4a1b76f53334e6d56832febfdd128231f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows110\usrinit.cmd

Filesize
145B

MD5
c7d78fe81a6b2ef35b6ab2e9f62a9cd3

SHA1
efdacfeb15835e3a7509db74ef4eab2bf8b377cd

SHA256
3c190ba323db34b01c8c854090986e1d396dcc08d17f339e476329fd8c63601f

SHA512
517411a187da0bbb9ceed1ae2c52d6f693e9f904ad6418e668eacd23b3cdc3eb287c677ac04882facb9600ce3528da1e42c2b8ea48082d0deb376606b828da4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_bz2.pyd

Filesize
83KB

MD5
dd26ed92888de9c57660a7ad631bb916

SHA1
77d479d44d9e04f0a1355569332233459b69a154

SHA256
324268786921ec940cbd4b5e2f71dafd08e578a12e373a715658527e5b211697

SHA512
d693367565005c1b87823e781dc5925146512182c8d8a3a2201e712c88df1c0e66e65ecaec9af22037f0a8f8b3fb3f511ea47cfd5774651d71673fab612d2897

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_cffi_backend.cp312-win_amd64.pyd

Filesize
175KB

MD5
d8caf1c098db12b2eba8edae51f31c10

SHA1
e533ac6c614d95c09082ae951b3b685daca29a8f

SHA256
364208a97336f577d99bbaaed6d2cf8a4a24d6693b323de4665f75a964ca041d

SHA512
77e36f4fb44374b7c58a9005a1d7dfeb3214eabb90786e8a7c6593b5b1c7a305d6aa446be7a06ae0ff38f2bedea68cacb39053b7b7ec297bff3571b3922fd938

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_ctypes.pyd

Filesize
122KB

MD5
c8afa1ebb28828e1115c110313d2a810

SHA1
1d0d28799a5dbe313b6f4ddfdb7986d2902fa97a

SHA256
8978972cf341ccd0edf8435d63909a739df7ef29ec7dd57ed5cab64b342891f0

SHA512
4d9f41bd23b62600d1eb097d1578ba656b5e13fd2f31ef74202aa511111969bb8cfc2a8e903de73bd6e63fadaa59b078714885b8c5b8ecc5c4128ff9d06c1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_decimal.pyd

Filesize
251KB

MD5
cea3b419c7ca87140a157629c6dbd299

SHA1
7dbff775235b1937b150ae70302b3208833dc9be

SHA256
95b9850e6fb335b235589dd1348e007507c6b28e332c9abb111f2a0035c358e5

SHA512
6e3a6781c0f05bb5182073cca1e69b6df55f05ff7cdcea394bacf50f88605e2241b7387f1d8ba9f40a96832d04f55edb80003f0cf1e537a26f99408ee9312f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_hashlib.pyd

Filesize
64KB

MD5
d19cb5ca144ae1fd29b6395b0225cf40

SHA1
5b9ec6e656261ce179dfcfd5c6a3cfe07c2dfeb4

SHA256
f95ec2562a3c70fb1a6e44d72f4223ce3c7a0f0038159d09dce629f59591d5aa

SHA512
9ac3a8a4dbdb09be3760e7ccb11269f82a47b24c03d10d289bcdded9a43e57d3cd656f8d060d66b810382ecac3a62f101f83ea626b58cd0b5a3cca25b67b1519

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_lzma.pyd

Filesize
156KB

MD5
8cfbafe65d6e38dde8e2e8006b66bb3e

SHA1
cb63addd102e47c777d55753c00c29c547e2243c

SHA256
6d548db0ab73291f82cf0f4ca9ec0c81460185319c8965e829faeacae19444ff

SHA512
fa021615d5c080aadcd5b84fd221900054eb763a7af8638f70cf6cd49bd92773074f1ac6884f3ce1d8a15d59439f554381377faee4842ed5beb13ff3e1b510f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_queue.pyd

Filesize
31KB

MD5
7d91dd8e5f1dbc3058ea399f5f31c1e6

SHA1
b983653b9f2df66e721ece95f086c2f933d303fc

SHA256
76bba42b1392dc57a867aef385b990fa302a4f1dcf453705ac119c9c98a36e8d

SHA512
b8e7369da79255a4bb2ed91ba0c313b4578ee45c94e6bc74582fc14f8b2984ed8fcda0434a5bd3b72ea704e6e8fd8cbf1901f325e774475e4f28961483d6c7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_socket.pyd

Filesize
81KB

MD5
e43aed7d6a8bcd9ddfc59c2d1a2c4b02

SHA1
36f367f68fb9868412246725b604b27b5019d747

SHA256
2c2a6a6ba360e38f0c2b5a53b4626f833a3111844d95615ebf35be0e76b1ef7a

SHA512
d92e26eb88db891de389a464f850a8da0a39af8a4d86d9894768cb97182b8351817ce14fe1eb8301b18b80d1d5d8876a48ba66eb7b874c7c3d7b009fcdbc8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
a58f3fbbbbb1ecb4260d626b07be2cda

SHA1
aed4398a71905952064fc5da1191f57846bbd2d6

SHA256
89dd6fbea61edb8f1c934b7e5e822b4ce9bea939ff585c83c197e06a1fd8311a

SHA512
7fd371818932384b014d219bb318fb86c1787f3a58a3f08e904b7bbe3486f7ad6bc3776b335c178658c87efd663b913a14fb16d1e52198801659e132fa830d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
adf9263b966cea234762c0782aba6e78

SHA1
e97047edecf92a0b654f7a25efd5484f13ded88f

SHA256
10cd6bf518350f93ab4643f701efdac851cdd7a26a0d8bcabfbb2bd273e1f529

SHA512
56c09d786f4ba401d4827da4148d96b140f28f647a03ac6ab94f64de9be4c75ecb8b583efad28aa0c51356978caa96f0cb9d56cc4883ff42c1ee7f736e481c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
28840d7d1ea0a873fb8f91c3e93d6108

SHA1
0856b3ceb5e300510b9791b031fffceaa78ee929

SHA256
d3fad206a52d9b1dd954c37a45e63e691ebc7bfe8af27a87553203fb445224ce

SHA512
93596ec710bd738fcbddf4db0f102f537355bbbaea347d2314d62064d5110cf1deb3ecb6d1e0922f019351acfe2d1c694684d0e62e22c004d5a20a6cae5c7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
586d46d392348ad2ee25404b9d005a4e

SHA1
4bece51a5daacf3c7dcff0edf34bcb813512027f

SHA256
2859fe2fe069e5f4300dd0106733750b1c8c67ee5d8788c4556b7d21c6da651d

SHA512
daad865dbb4ca7542d5bd50186ffa633a709bfe1cf79d0d98e738760634da49afef1c418357d9482dbe33fe995847e05f653b6e3bba00aa42badce47dd072115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
221f63ee94e3ffb567d2342df588bebc

SHA1
4831d769ebe1f44bf4c1245ee319f1452d45f3cd

SHA256
fd7c5503aa81dea1de9baee318e6a53663f7a4634f42e116e83c6a0f36d11143

SHA512
3d36175eaa6dc035f2b26b5638e332408579aa461d663f1cf5a3e9df20e11a7cca982b80c9dcf35ba9a8bc4203ac2f64f5dc043b60a6f16720f4d4ce052096c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6ee268f365dc48d407c337d1c7924b0c

SHA1
3eb808e972ae127c5cfcd787c473526a0caee699

SHA256
eb50cc53863c5a1c0b2fe805d9ecefef3f2dbd0e749a6cc142f89406f4ffdb10

SHA512
914da19994d7c9b1b02adb118d0b9cb2fdd5433ee448b15e21445ecfc30941045246b7c389a2d9c59fb6487bb00426579b054c946e52982516d09b095279c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
852904535068e569e2b157f3bca0c08f

SHA1
c79b4d109178f4ab8c19ab549286eee4edf6eddb

SHA256
202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225

SHA512
3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
cdfc83e189bda0ac9eab447671754e87

SHA1
cf597ee626366738d0ea1a1d8be245f26abbea72

SHA256
f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007

SHA512
659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
c79ccd7c5b752b1289980b0be29804c4

SHA1
2054a8f9ebf739adfcfc23534759ae52901c189f

SHA256
8e910589f3f9a27ed6ce1d4f2d579b4ef99cfa80c0bf6f59b48ba6556e1578a0

SHA512
92de7aec7f91f6f4f7cc3dd575b11ea0f4fe516682ba2d05d605380a785597bc953b575cf0ff722980f0849a65d8c4a14c7717eeed8631a7aac0cb626d050e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
aa20afdb5cbf1041d355a4234c2c1d45

SHA1
811f508bd33e89bbd13e37623b6e2e9e88fdcd7c

SHA256
ef6657aac4aa97a57e034fd5baf4490706128ffafce7c285dc8736b1f7ee4d09

SHA512
06740552875ff2df234ec76f45cce3c66b7d5280a3d1b90874799780ff534437e5dffacf9e40bfddc301507d833235e25eab8119ac80d2587a43a80d4f0068b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
f8203547595aa86bfe2cf85e579de087

SHA1
ca31fc30201196931595ac90f87c53e736f64acf

SHA256
e2d698823ba78b85d221744f38d3f9e8acccd0eedbb62c13e7d0dff4a04bd2b1

SHA512
d0818ee6b1a775793305828ba59c6c0f721d3fe2fcaca5bbfe047f25a500243ab4486c368302636e1c3934becc88c8178606a29871fe019d68b932ad1be3ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
0ccdef1404dbe551cd48604ff4252055

SHA1
38a8d492356dc2b1f1376bdeacab82d266a9d658

SHA256
4863006b0c2aa2a39dff2050b64fbbe448b3e28a239e9e58a9a6d32f5f5a3549

SHA512
0846489a418d2480e65f7bef4a564fe68fe554f4a603a6f372ddd03eed7ee6299649b61172a7a9ca9a9500a924c2642493cce1040fcd6601d5862c248c902e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
f1d0595773886d101e684e772118d1ef

SHA1
290276053a75cbeb794441965284b18311ab355d

SHA256
040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a

SHA512
db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
3abf2eb0c597131b05ee5b8550a13079

SHA1
5197da49b5e975675d1b954febb3738d6141f0c8

SHA256
ff611cc2cb492c84748fa148eda80dec0cb23fc3b71828475ecea29597c26cd8

SHA512
656213a8785fe937c38c58f0f01f693dc10dff1192b232f00fb18aa32c05c76a95566a9148462ea39b39f1740a7fee1c9ac9a90c6810f38512b3103d18c89b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
83a0b483d37ed23c6e67896d91cea3f0

SHA1
6b5045ed8717c5b9f50e6a23643357c8c024abdb

SHA256
d7511eb9191a63eb293af941667aa2318fa6da79f06119b280e0b11e6b6b1d25

SHA512
dab0203fc26c0249b7a8882d41365d82690d908db359c3a6880f41a1c4eebde51ae084bd123864c32d8574cb0a22cfbc94bcd8e33b51f37f49575e2b9de93807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8b0fe1a0ea86820020d2662873425bc4

SHA1
3c2292c34a2b53b29f62cc57838e087e98498012

SHA256
070d8827798ee2aa4c2dc70d7faef8ef680eca4c46ecc2dad3ce16380cab1f82

SHA512
0c29c8fae6c5a8de2f0047cbe66e0b2ae7c30cbeced6df1ea2e472ba123bf9e542d9e6cd8eb06b4f0cbe2e343b7929cf25bce1e79937076bf1d0480d91d2c9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
eaa2228507c1fbde1698256c01cd97b7

SHA1
c98936c79b769cf03e2163624b195c152324c88a

SHA256
4297033ef8061c797127f0382df24f69264dca5c14d4f5b6cd2bcca33e26c1f5

SHA512
8319949a1e1acca312dbe99dfd9eedd1b5e4a13946a6ff829d6792d72f0a3a618ce10140954c035a5390a5a6e3b8ae2f23513629007cd3b7a88d5fb6fd81d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e26a5e364a76bf00feaab920c535adbb

SHA1
411eaf1ca1d8f1aebcd816d93933561c927f2754

SHA256
b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15

SHA512
333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
82e58246846b6daf6ad4e4b208d322d4

SHA1
80f3b8460ab80d9abe54886417a6bc53fd9289fa

SHA256
f6eb755c146d0a0ebf59d24fb9e1e87dc0220b31b33c6acbc8bebaf31493c785

SHA512
e1a032846c6110758fbc8eb84dbd3d228e83b3200bf5820c67d9740f6f8c7e926e4c89b92e8d34721d84fd597ab64455fd3029138e35f22329af23f599afdadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
650c005113599fb8b0b2e0d357756ac7

SHA1
56791db00766dc400df477dcb4bd59c6fa509de6

SHA256
5f16a1131c8f00ebbe3c4b108bd772071a2d9b4ca01b669b8aeb3ffb43dabcda

SHA512
4bc54ad70b75f550e623311dc48ea0fd8ff71207f64127379fcd48027ee2458d27a2aaa454637b4f09d713cc9e1f2cc09bb6cd55b0c6b7ed25e52cb46827fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
f6afbc523b86f27b93074bc04668d3f2

SHA1
6311708ab0f04cb82accc6c06ae6735a2c691c1d

SHA256
71c0c7c163d1a3d35e74f8d7299eb38ef7268af1fa276e9a3966761212c570f0

SHA512
9ab0c2d025525fe047e27769c3b2be7526ad0d0cbe76eb1e3a84dc2cff60ab3c4a218388892f600f7b3b003909ae133b0e7da19c9ba96b624fa8f5123c3a97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
445571331c2fc8a153952a6980c1950a

SHA1
bea310d6243f2b25f2de8d8d69abaeb117cf2b82

SHA256
1dda55027f7d215442e11c88a82c95f312673b7e7454569e5c969c1c24047915

SHA512
853797dd50d0ad6018e7e7d11aefbca61653baa8c60b22fdd34133fce6bf6f02ed0c747457c2783e699e8e7097f14429286904267c13521ee9cb255d3ea79806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
5da5938e0d3a9024f42d55e1fd4c0cd7

SHA1
7e83fec64b4c4a96cfcae26ced9a48d4447f12b7

SHA256
0ea1cf78c0be94554ff7cd17a9c863c951c1e1eaa54191d7f2b0e043697c8d00

SHA512
9a302c664bfddf509c0489af24a238b15612802c7d6dccbbfb57b39691b80af79ed35cab31e84424a34e0de32179054277ca09a0457b90c72af195f8328c82dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
c1919eacf044d5c47cc2c83d3d9c9cd9

SHA1
0a80158c5999ea9f1c4ca11988456634d7491fcc

SHA256
9b82643497092524e0aed6cfbaf7467849cde82292313bbd745c61ed2fd32ea8

SHA512
ad2ccabbdc769cbeb3c0b4d8d647647c8f43d3c3f3c85ab638ce00665379f9a0f5bfc24fe25184003d180143c29da0c36c6d2c7ffeae68a81c27b90f69336cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
566232dabd645dcd37961d7ec8fde687

SHA1
88a7a8c777709ae4b6d47bed6678d0192eb3bc3f

SHA256
1290d332718c47961052ebc97a3a71db2c746a55c035a32b72e5ff00eb422f96

SHA512
e5d549c461859445006a4083763ce855adbb72cf9a0bcb8958daa99e20b1ca8a82dec12e1062787e2ae8aee94224b0c92171a4d99ed348b94eab921ede205220

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
0793ca01735f1d6a40dd6767e06dbb67

SHA1
6abea799a4a6e94d5a68fab51e79734751e940c5

SHA256
cdf7915f619a728fb64c257bfaa8257ee2353bf3c0b88214d5624931a1ac247b

SHA512
33f703cea3b6cef3fcbd973812635129ef204c2b1590ffe027dbd55ba35cbd481cf769de16634bd02acbdbd59e6af52cad0964d4d36327606c1948f38048703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
eeafb70f56cc0052435c2268021588e9

SHA1
89c89278c2ac4846ac7b8bd4177965e6f8f3a750

SHA256
b529fed3875c6f4eecf2d9c012bc0e27cb2d124c2dd1da155f8337b4cb002030

SHA512
ce211b79f4d0dc942dbe1544d7e26e8e6f2c116dce6bc678aede9cb2104771758c0bd670e1eca2d5a9a6728346d093f44459e9791317b215c6ff73e47d1203f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
17680cd553168e9126ca9d7437caecc7

SHA1
8acafcb5f01d3b01a7c48a3b91bdeeb8bf1cf841

SHA256
6438c683e376583f6368c582ce3caab274cf3f7d7320e7f6cda427ba338847ca

SHA512
146ae3230c213ffab4b2c7805374ccb5f53155266ba9213d8f22e073deef0bd733b9488c2091c3db037c1d1dfaa4bbfb90e2afd041a447603c25690681239ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
e9d4a1374a200a6e195e3c5ab42e6bbd

SHA1
c0c79309a6ab14592b91087bec0cc519979e5ebf

SHA256
612df2aaf3435c2be575581d1b2deddcef33f1b53179acff3e4ac24a0fcd3d50

SHA512
1de9d70036eb5211184b3b40f671608cf75b539f6fd36b812facdd9722927eb8e5c4c579db6a360003d06cc139f2ddbda8d19de17cb3a36fcfb53e462a9d7b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
10a42548fcf16732d354a6ed24f53ec5

SHA1
b6b28307c0cc79e0abef15ed25758947c1ccab85

SHA256
ca3e5b21f83d87a958ba7934c5e4d8e7939b2e9013fe2deaeba1f9088b4277bb

SHA512
ecebb5973ecf8f34115985ae24061c29a9d943592389a4e8f215df7408c770a1f7c6c8927d30403d5c43814a4b64ac622ec018be02532f88dbbca6d6208266ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
5d3da2f634470ab215345829c1518456

SHA1
fec712a88415e68925f63257d3a20ab496c2aac0

SHA256
d2ed53111a652fde26c08504803f76301fce2fba04f33a7f250b5b2569e4f240

SHA512
16079ce0bcc9816297f23c95573bd52da08b29b90da4855b4315b3fa98947b1b35ffd30760064144f3f5647c27e0c1bd3aba623d17364fff45c9b2fa598a2ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
c74e10b82c8e652efdec8e4d6ad6deaa

SHA1
bad903bb9f9ecfda83f0db58d4b281ea458a06bd

SHA256
d42b2d466a81e8e64d8132fad0f4df61d33875449ead8d4f76732b04f74bbce6

SHA512
5cc4b0d7e862fd32e8374501d1b8798e369b19dc483cdb568915b48a956e4f0a79b1d2c59322394128a330fea7c939161a7af1787b4dc5f250e74f8df8805f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
e07a207d5d3cc852aa6d60325b68ed03

SHA1
64ba9a5c2ca4b6af03e369a7c2a2b3c79cac6c51

SHA256
b8fdf7893ff152a08fbc4d3f962905da3161b0b9fe71393ab68c56199277e322

SHA512
0dbafab60618ec0c815ae91994490c55878c904af625ba6931fe0ea80eb229c98e367623e472e3b4c0e27e0af6feeb4d2cdacd4c426e1a99a1291b41cc52f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
98bf2202e52b98a742f24724bb534166

SHA1
60a24df76b24aa6946bb16ead9575c7828d264b0

SHA256
fe005d1a7908e36d4fd6cb2711de251462c9bebf99e4060687df11bd0bbedc8a

SHA512
d346eaf8a966720e47099293d91f2856c816acb7e5f952e6700e007ba176147218798648a4a3e1b928e7a46622ef3603aa4d909113fb02d5551c40ed0e243441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
6edcd747d5beb5d5b0550b9e8c84e3a3

SHA1
8b8baf8f112ac0a64ee79091b02a412d19497e69

SHA256
d5b5c4ee347678e60af236c5e6fd6b47ad5786e080d14fdb11af0aa5740e7760

SHA512
1bc72f7b6b13374dab05f8914dc96f194bfa86cad4549a3fca1dd79485cfdbe1d45053f197e2bdd280b8787edcbd96c4c74dffdf044c99520148d153bb0a438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
374349666a3b260411281ab95c5405a2

SHA1
42a9a8f5d1933ec140bd89aa6c42c894285f14d1

SHA256
2a6f53be6e8b8fabbf8fcc2ac1224f70628f4ab35e0b36612a6728df7685d56a

SHA512
5c4a79503f83eb8e12a38605c1ab2cf6332f7ef845dc7ac5c34dc71cb86e903dc002c91a7142a56433fff97ff21ec926c9cc0be92a31ecffe2a7c5e042d6fc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
06f29e2e2ebc8e3d8d0110a48aa7b289

SHA1
b9047a9aa94d25f331e85aa343729a7f3ff23773

SHA256
6c24d050afc07bc5d2ba5eb07840345569b52e97442bcc7c4413fccedc11e6c4

SHA512
9de0b3f3ab2c0ed61920d99e3a931bbc08015d848907bf4cd5cb2c81017de4d23f2f8977a3a7895b92208ae7e5753ab8c4b00c00e375da005b432b5534ea7838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
a1002f4a501f4a8de33d63f561a9fbc6

SHA1
e1217b42c831ce595609cfde857cd1b6727c966d

SHA256
fe94985959fe310cafa1eb3e32f28001ef03afefd32497d0c099eb9393bf6f4b

SHA512
123a5ebca5d8a1292f238bab3bd8cc12ab3157672a904361a72f5f7177f4ce0dd4708fdfda34f2ed0b4973ad7d92bc69b85651687a4604def4bf7bdca5d49b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
9f15a5d2f28cca5f4c2b51451fa2db7c

SHA1
cef982e7cb6b31787c462d21578c3c750d1f3edb

SHA256
33af8b4a4f1f9a76d5d59fdf634bb469ca9a830133a293a5eef1236b27e37e63

SHA512
7668d42fd8cce5daa7e0c8c276edd3bda0d4ee1c5450fa8d46cf7600f40b2f56e024f98157a86e9843d0b7d33cb281ebdca3a25275e08981f5d9cbaad1cfe371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\base_library.zip

Filesize
1.3MB

MD5
763d1a751c5d47212fbf0caea63f46f5

SHA1
845eaa1046a47b5cf376b3dbefcf7497af25f180

SHA256
378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7

SHA512
bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\python3.DLL

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\select.pyd

Filesize
30KB

MD5
79ce1ae3a23dff6ed5fc66e6416600cd

SHA1
6204374d99144b0a26fd1d61940ff4f0d17c2212

SHA256
678e09ad44be42fa9bc9c7a18c25dbe995a59b6c36a13eecc09c0f02a647b6f0

SHA512
a4e48696788798a7d061c0ef620d40187850741c2bec357db0e37a2dd94d3a50f9f55ba75dc4d95e50946cbab78b84ba1fc42d51fd498640a231321566613daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\ucrtbase.dll

Filesize
1.1MB

MD5
a9f5b06fae677c9eb5be8b37d5fb1cb9

SHA1
5c37b880a1479445dd583f85c58a8790584f595d

SHA256
4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52

SHA512
5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\unicodedata.pyd

Filesize
1.1MB

MD5
b848e259fabaf32b4b3c980a0a12488d

SHA1
da2e864e18521c86c7d8968db74bb2b28e4c23e2

SHA256
c65073b65f107e471c9be3c699fb11f774e9a07581f41229582f7b2154b6fc3c

SHA512
4c6953504d1401fe0c74435bceebc5ec7bf8991fd42b659867a3529cee5cc64da54f1ab404e88160e747887a7409098f1a85a546bc40f12f0dde0025408f9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xk4jolqf.ap0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEGJA.txt

Filesize
152B

MD5
49bb161b07149b1bda99901c71d98b1f

SHA1
e5e3b389c09d551bd8f3a4cf71ee30e566fdf6e2

SHA256
734c4f48449a118dbdfbbe4971ecf112b26b2b45d1889678c01dea98eb5767d8

SHA512
da09a2af9b7f9528916ab719ed97ee8b61179bba92016eaed64b3e7d6bf08646801aeeb0eb332bdde175eb64b48106f7cf2fe2bf01ea6128753e4ce1d48707be

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2539\s2539.exe

Filesize
350KB

MD5
d438749bcfe5bcdf1d59cbbb82341315

SHA1
2f4176c631e0190f35eb2963a4f8ad692fdcd6b7

SHA256
0aa566ada2feeb1714acd636da309edc6c3a9b0b8873d97942b55e053e55dd42

SHA512
f6ea2cf132c6564d685a6386705f2ff9b3912697f70d3e97e1754084c6c589141f3f72d6d82eeb6cc677a331325ab486389b1e3a202b7b21149499e8c020c67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm2F47.tmp\NSISEncrypt.dll

Filesize
129KB

MD5
5731aacc9ff9f6e448db1c63e611eea3

SHA1
96d097faa2c90f20b3a269a2fcf04b4b15ec7b2c

SHA256
34bf696f400fafe6b88bcf4cf5521b2e54353f34009c38840dafb036db08c84d

SHA512
797f5637259e3fb0662bd512476787f544b81ff841e76332e23260cf04f2c23f5b70503085d304813815cf8475d8a536b43f0ce6cca8e60e4c5983b21ebdd84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm2F47.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm2F47.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC3DB.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC3DB.tmp\NSISEncrypt.dll

Filesize
129KB

MD5
2b2339e9140eb06f1c42943dae46dcae

SHA1
4cfcabbe11356969ae787b89627d2e1946dccc0f

SHA256
41cb7b05620e4fca86042b52d90e1861ede37b11b74a31ef4f3f02d6c658ce60

SHA512
244dfd67f2892e0ea15e79617096689be8971300e05e64c958acf0c1c0306f1875228959dfa18b4bbaeb5c23efe38742ceae06742600fc99270b9687b44877cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC3DB.tmp\WmiInspector.dll

Filesize
93KB

MD5
cd390387039d7d2928e297b3d23edbc8

SHA1
9d6fb8ca71214be21a0a57ed5abdffde71870549

SHA256
6a91606c5b6de503e35d30112368ed5fdf30eaeabe0f0ecef8b50b08c4ca1870

SHA512
f96711484dd1730c6b1108ec0356aeb3b8f0a3aabe8b13c09ce8c1454dc7b0d64859ac0b8eadedecf8a1a21d43e29576c779625b6571202f7469bf74e1c86483

Download Submit
C:\Users\Admin\AppData\Local\cftmon.exe

Filesize
7.7MB

MD5
1f16d8933b32fa7a3f15fc94319fff8e

SHA1
fbeba54adb498355afeb5a7e8cc2f96b122e006b

SHA256
e8eafa279b626cc234e36ebe87651812118ebb173e1d751aa0b8892553a2ada2

SHA512
fc4fd7fff18b6457747fc041cb0beaeb8e002583a9a1baae10a76646e1c7a29d6c9372f5b628137ecc7ee15c531c33f39d0328e6bd15317b40ed3fb57c5a33ac

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\IbwIIBmUDWimTZ.exe

Filesize
1.4MB

MD5
7c89b48a2752a771eb6457fe2fea1d8e

SHA1
afb602ef798b23f400fd3d474cb570aa781797c4

SHA256
3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce

SHA512
9338a3817216563677573599d5dd3cacb4be084a2e46c77516d56a207ce7d8d06a376ea4be1a7863ffeb823ae803b891ef947cfb81d4813a52ce152038e97d48

Download Submit
C:\Users\Admin\AppData\Roaming\TESAYt.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Users\Admin\AppData\Roaming\Window Updates\winupdt2.txt

Filesize
1.8MB

MD5
828613282891c217109ad7bf6ac1011b

SHA1
9ae3374df8b9160ab43370cb229bb23afecd4ffe

SHA256
5dc3bbc8572573b04e3e69a89440f3b983445b3887a17c3d1d5e651af9e9a2d4

SHA512
bbbd3def57ced4dfca8ebe0a0e39e450e2fd630b27b775587372a334830277b5c9f28c54093be63d0eb8d8d08460f256b35eece43aa585fe74c886840840e248

Download Submit
C:\Users\Admin\AppData\Roaming\data.dat

Filesize
34B

MD5
cc5055e203c83ab3e582a14f47ebd00b

SHA1
695509236c6e1f3b9c04b3e2e68ec839c735aa78

SHA256
379d72a2b0279013cc7a5a7066aaa79a0677bb3a4bb0e9bea2d4acf350211bf3

SHA512
0391cd21030d71f6c1023b697db06a6c5d6f04ccf20d7b7e46c1bd43a89660fb83ea7aada454af744c2b81fe07b3e18c0c40f9b82dd7ae57d040736eaff9c1f8

Download Submit
C:\Users\Admin\AppData\Roaming\refghjgiuy.exe

Filesize
583KB

MD5
efba2f0fef43c9d866b89e8757e898bd

SHA1
e10321ce870752b5a630c56461dc630a6b69a246

SHA256
2ca4f8006b5eddcbf87895299660f90ff6bad708c5b4b5be93d4d430288216f1

SHA512
dd36c21438e6c32e4104e30bf44e0462dab0fe598cb8e21576eca193758e3d04465f7f96d9d557f19a42306a2f1b49252899ea6aa42e7252df330054ed80e5d7

Download Submit
C:\Users\Admin\Desktop\system32_.exe

Filesize
648KB

MD5
efbab66abe4041350ddd3e6a046a8145

SHA1
7948e8171cc408c36b550015f334567597c97db5

SHA256
9384a0a28b90ecf51b482d7adb36f3f6a38c0809887601cccb158ea58fb557df

SHA512
dc69ce5466329b1018ce768e6a6ddb2bda2c4e0e4b72008a8e0c4e64d1744282566026893b1b19e93eefcdbd2c01ceb35f484a5e2f40985d3ee5013ad1752259

Download Submit
C:\Users\Admin\Downloads\240921-n12zwa1aqdefbbe0f30b75897e3cbc96f24f397cb7_JaffaCakes118.exe

Filesize
512KB

MD5
efbbe0f30b75897e3cbc96f24f397cb7

SHA1
6dace5981071aaee5e22ab4187bc39aa98ea3ece

SHA256
5803af5a87d6d1ba4abc63970e92f70226f7185938d6606b69bd987493a2e0a2

SHA512
676605febbdfa77d0532e397b0e81a9b84582fc5da9dfcc0506d1ca5c3af0363f23b626581099aaa29eba7b88cc3d9c68a70b466e6d9baa3b0c7bb4a81c5f4ae

Download Submit
C:\Users\Admin\Downloads\240921-n1evca1djqefbb5f07c3fd85ca72c32e6925ea64e3_JaffaCakes118.exe

Filesize
148KB

MD5
c5013b46e0877a4c570caea90ecde669

SHA1
b05e539809c0b2a3bdfb255965129917c62d39c8

SHA256
8f1b1aaa5a9ce4e31097c207dfdd6d090ac9fe93d6474cd96aa328ff5a9c0623

SHA512
92dbc38a5df0bbf817322126783e72c94b0217da807c2d906b096028dc93e9a1d3435b0eb418a0c5010771254cb98d1a59e95072e897ccb90e8561de2919ea9f

Download Submit
C:\Users\Admin\Downloads\240921-n26pfs1blbefd466f61d8a6c7985c55f7aa26e9ebe07f0ec112979191fd9e22b923ac4a4b0N.exe

Filesize
38KB

MD5
5ffe0beee53596923f5767610a13d400

SHA1
e455383102f6474b0aec21df2273c61c420dfb9c

SHA256
efd466f61d8a6c7985c55f7aa26e9ebe07f0ec112979191fd9e22b923ac4a4b0

SHA512
a9d4ab27a86d7c6c3a99ee0c0907884c7ed4bcc175469601aada879d08e3e0637f846054d68eef4a4e9aa4119844c437f36dcf65b24e7d91ae727504d0d1b25c

Download Submit
C:\Users\Admin\Downloads\240921-n2yc3s1dpn69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31.exe

Filesize
148KB

MD5
750b024cd1e46a36a8f40aa1f60327b0

SHA1
007a5a7cbe4c6e616549ce28dd3f7bd047860f89

SHA256
ac4438c492d1ae1fef9449d3224a161ced2076ed3183b86b0bb976f6293321f7

SHA512
944a4e95a33dffbb91f5625bbfa4d1afcf3d4ffb535cc5bfece2293fb8deeafe77b6fc9f0ca0530430b1532b14387b4ea8676c9cbd93cf88c01ca6823a9185c1

Download Submit
C:\Users\Admin\Downloads\240921-nlynxazdkf5cay-43sx209jsf21.exe

Filesize
7.8MB

MD5
df1d332701dba8a7312877093b0786c1

SHA1
f6461519a41c70f8f7a93f1b42e5c3aa72ab6e32

SHA256
0af3c3c3ddc5761a8a02a38b827eedcb6669096da5222e4c93e39ea79b1df392

SHA512
140832ec54b8c240b92a1d004530b46e48312d4a38311dc90ed504b96942c1708e660a69e665b8917fb5a2c2d73072e2b1329bd5bcb507bc4f88a7830fc0ec4b

Download Submit
C:\Users\Admin\Downloads\240921-nwct7azgrde36bbe4fe30a92025f98b1eb83b7f895cb9e87fcb0d18f4e41daed725b9514cfN.dat

Filesize
1001B

MD5
f9575614387b2862d4e678197b9a7226

SHA1
fc892009f6cd21dab879a2d8856fcb4e835f1534

SHA256
d50d12d8bc3d004db64660548b9562d0eafa8ef37892d8ffb5c042c5ab9ed98f

SHA512
7ce759088c4f939de6ac4b8b526d96fd928c98f08d8c23254d9ed9e3f2ef2b39a2b46b89d0b32efebc19485c09b543ad0a7e7529fa6e75ef5a98d7b05be14b10

Download Submit
C:\Users\Admin\Downloads\240921-nwct7azgrde36bbe4fe30a92025f98b1eb83b7f895cb9e87fcb0d18f4e41daed725b9514cfN.zip

Filesize
22KB

MD5
7040be1d35edf38f1a91cdad57b115e8

SHA1
036da0d3a791e2cbeb1a31e111d8a0bef100c881

SHA256
1c9cdb88861b264d986d87f19ae178e4c3026aaafcd095040a9abd44909271a5

SHA512
36ff272817201ba1e01c2661c5a5dedfa638a0e83977a6ee5ac50ec229d08ce77ff4cf8aa17e70c108552c19967715294474d73e0506587743c5998cc51ec3e9

Download Submit
C:\Users\Admin\Downloads\240921-nyz3hazhrh637945b594925ffab100bc0fdfe4ceda9973beb9fc9a9bb1d58d5b3c9c5b15af.exe

Filesize
148KB

MD5
cc23a7d1189295806e056b96737cf965

SHA1
a2b5d5a881eff8778aaa785c8e39d66a2b1a0452

SHA256
5b1a059b10e9e5b734a43f8a719e0661dea1aa2b828b0698f31e3c8dca2324b2

SHA512
e59d87dce074e96972f95a123cd192e9c908fc1cf6f4cb902d3ccca885843ba4fe2335d23bcf928cdcde4c065b8b5ac004fadef5ae9e8e9bb5b503e192ebfab1

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
21KB

MD5
9a223691e1fa619163625b1d8c822cde

SHA1
80432049e9e502ba9ea3a0d2ea9989dae521b975

SHA256
c609d7312ec60af71c1e63e271704d6cbad77e750aa00350fd4c7a7507eff520

SHA512
12849885a490928a5dcbe64a8932f97506aeb955ea15f3b5c6e2bcce45aa469002214a39383ae043b1952539c11fc6452256fadd663be15563a1b78e7a83ca85

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Users\Admin\peogo.exe

Filesize
100KB

MD5
97cb7893d3c901a9188503f1ebb61137

SHA1
b02fb910ef02f3d906dc86ce0745ea91460e1269

SHA256
4a2a637ba3644d234de4fae860293be0cfbbadcf9cdcb89fd5228dd9c8e7e84c

SHA512
908135a4c082a77b7946a5d201af69896ce6a2dd23fa0baa2f097b402f1a62c2b2aa53bd515351eee2629defdb038f29dc54c4f13498dcde7e543fb0c7207a23

Download Submit
C:\Users\Admin\xuaroat.exe

Filesize
156KB

MD5
3db72fb03f0d6f5457cd63a59dd1b9b3

SHA1
cce60fbe61ee406da69bc0ecd2eb777bfaad4d5a

SHA256
509d961280b1784ed29ff74ab088279b268ee1298bcdea3527d40621330337a3

SHA512
d461da022eca37f9afd9bc6d7a59c12e7ba30c7a88ddfa552a04614f71cf9c8db4aca197acd9136b6148bcd58fd9458f9d43146d57c8ee9fb4094aba5c4b3771

Download Submit
C:\Users\update.exe

Filesize
199KB

MD5
87a2606bc3efbad8cedfa1c55f466664

SHA1
75b59a602b50b39b4c0b93d043f9626b29696bf5

SHA256
0bc7e39202160ce866a4bb9ea400f14ca802c320d3055c82d2c1b323823f89dc

SHA512
a77adb5b046cd459f9b19566d6745ed475954476869d5ad234e29273cebc7f72f90463e8e285fea2981f7c3a79f1f6518a9637c903db8a9726a93478b5eb5ff8

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
d5d9761edca88102e66034f29378f5af

SHA1
f3465081e3bae78d5815564bf184c197f2f13e97

SHA256
2bda7c73c1e0ea3b7a09652ee6a936d928c3ae91583f3f64fd0c86a0f3dddb8a

SHA512
3b845a8f35cdc85716133519cf8a1e65fea0077a525f0e446c778ed91d981b1a0798c0dc4116a17a85efa3088dce60a73063ae25ac3688e0fa9e32653e3ad0d5

Download Submit
C:\Windows\Branding\Basebrd\hvYIVoI.exe

Filesize
1.9MB

MD5
50101e938a3d3ba094c877785e695be7

SHA1
f863b8096fa72b6339ead663531d95d7aeea9f6a

SHA256
45a5b12df03add99df47e23daa08a65ffa4bd69911ea5046f066a28391320584

SHA512
b0e8f625e988baab6a3ed46f8979c8b943715f780adfa555b83b494f81fc9416689e4f67e94673dd3894b4f967ca3d2acd2bbc121c754d3086f5d06748396a9c

Download Submit
C:\Windows\Fonts\ghibwzx\ofqhicn.exe

Filesize
3.2MB

MD5
6fe784ed88814def758d65bc221369e4

SHA1
1eba54e0900a6e57a59a99b1eb3c82b318062054

SHA256
346b97cb05e56b904d16f66b44b4347a9c294a662ed15c9c28112ca0625c624d

SHA512
d0d4c715936a5628f43883343d68fb7430076aae4684256095e6e14ec61ec369c71387adfa83c34970400cb96ab8208da69c298343bf3fff31fb5f9220ff3d59

Download Submit
C:\Windows\Googlekm.exe

Filesize
4.0MB

MD5
b22d229d14983b54c67e4d740efdb9dc

SHA1
ed77d35859cfe68524bbea6f6e8c7106cac1b0da

SHA256
0e723ef513fe92b9a71513d71626135cf039ae409a34089d8237790340072b17

SHA512
89248a38835d907f308a9d26dba8e4aaa9e289fb3dbac12d54d4f79bc5a3a2be30a22a25760c6ff9537214767d832ede279077728e3abc7e255406e095aa9b47

Download Submit
C:\Windows\Installer\e5cd374.msi

Filesize
66KB

MD5
c431de60026398b9bd87490959e5cd05

SHA1
0b5899c85edb8dd1ed8a47c7fa8a51828ac29139

SHA256
230816873614b9a1c1bf9f8217886b5ca4b6f51809030a1a4eceeb35b18e1315

SHA512
3a9802b4c5fc4d83f36aba80080914346b893f946216eec9088c1183fa9ee049fa156d72edb59fa9592418fb9e8d7f53e2b19c8fbbc6ab2dc2c90bf78ae6f30a

Download Submit
C:\Windows\SysWOW64\Afgacokc.exe

Filesize
64KB

MD5
45d5fdc7ea1db00c7e2134f7e7483d3e

SHA1
b0851afb08dd461a9d2cf003b96049d1df137970

SHA256
49b9082bd7b7718f5266f49c880685d7186f5c39cfd3e7db71d6164de8f8cc65

SHA512
30ee8b90d88dade5a2cfc362144f3d9bdff3ce504d225e2192bf31ae7caadaf1f6982ccb5c2b878b6286b2dab9c3c92980356515f53136197616ac110136d0e0

Download Submit
C:\Windows\SysWOW64\Ajbmdn32.exe

Filesize
320KB

MD5
6c0c1304cd8ab805ae9ce15ad3a08127

SHA1
51558dca1353cbbbec825e26a1c33016cbb92e0f

SHA256
938c69080bd7a2031b12d84b92f5773b2163653cba9fe25a496a5a1e5a0e1068

SHA512
577445e80018a999ebb1efd90829f29389e129ac72c55fa5a8f0701094b9292dd0697a0238c561cc892d0497067c3a9858ea67db36a23801656d066b456f2692

Download Submit
C:\Windows\SysWOW64\Apedgj32.dll

Filesize
6KB

MD5
8af2ae573f04fc9278d65bf48ed205f7

SHA1
94b31319ee7efb0c8c11427b23756e6c1c709972

SHA256
bb2ae1ca02ecc76027cd89631b9f24a7b5c8dedd81671c9bb4455247ba998880

SHA512
79165dab47e58d5c868d4c685b079fdc4a486fe8c2b8a43f5ef3ede34177a0b8f77ff17a90a0145b5baafc6a65ac2d9da0848579c27a936174f7f58f346c2a27

Download Submit
C:\Windows\SysWOW64\Iglhob32.exe

Filesize
52KB

MD5
2ca0631d147c1910088999a24da64251

SHA1
35bf5bca9ed752d859dd7f9e926b38b4b2e78674

SHA256
49efcfb90bc149d7c99ad7a29ad01d20ec4dfe70eb1c10e262934ebac05d9fa6

SHA512
b40affc3e8c01b551cecf7dec9ad1b79762475e63084ced31535bc6aa4558205b4df7c1c6438be2ce6e181de243a345134dbd638a5c22a0c6257645bcec50c58

Download Submit
C:\Windows\SysWOW64\Inpccihl.exe

Filesize
67KB

MD5
4677126e22cca9848d3bedfd20b91fcb

SHA1
cfb651dd84e0cafe23e24cd56d03285283ec6801

SHA256
012e2724408773900b2b88c488368a56166f0447e819095850c28f1414f88a12

SHA512
cde90ca18125f671b7711c8170cea9d3c88e894633732d19b0b11c6e47c83b3c7f4e607769e96ff35ce5804edb75549969c52c1024e6a5b3df70ab93aed81835

Download Submit
C:\Windows\SysWOW64\Inqbclob.exe

Filesize
94KB

MD5
93a3260f2d8ab11a9500a55710689f1d

SHA1
b7c578c489f7951661a0c2a7abce1581cb424fd1

SHA256
3e42b7e6e4e4327a4be2230341d72258e94a9c4d884f98572b0fb42c8ba7b1b4

SHA512
ec8942306a0c6b8024ea209bc84c9b8646ed326254ff5087562a50ff66120ff5dee54a4c56f93112ade656876bbbd27da975b154202c1641fd0d46dab17d4d77

Download Submit
C:\Windows\SysWOW64\Jhpqaiji.exe

Filesize
379KB

MD5
26b44def42dc281999f3bcb5970236d0

SHA1
fc44a2c490ac168fbbd69a2dd85db98290a0220a

SHA256
6d48fa64b002b0241a4efed06c7ca7afefb361b5967c60090d50c497f305fdd4

SHA512
3dae513ff48ed68b8992e2790b418fa0413aae75b42d557e447c86e4bd4c520461f4c61874f1dee74f46eac70cec2f75c93d4bc1db55051225839dc654f6df68

Download Submit
C:\Windows\SysWOW64\Kaehljpj.exe

Filesize
256KB

MD5
940a2125366817bf7882c56cae90e700

SHA1
92bac40ce620c643d36864fdcad1a71c5f62160a

SHA256
abcf904154e7389e71c9b0a97fbe57ccb72cb10618b93aade37fb35afd9f0688

SHA512
88d4a7db397969aecded39996299f3bd200fbb72590c144276fb6d3f4cc9159d1a09adb6aa71eee896adc65c32fb6337617455dd2a1dd43d1f7cf990ad27e590

Download Submit
C:\Windows\SysWOW64\Lcjcnoej.exe

Filesize
94KB

MD5
255ed8e10ce86bf6e376a681b99cd3b1

SHA1
09fb391d4c9b21a9a4d5f09310da1a45d2eecb54

SHA256
421f214da27140bff7261be752701f25df294141702f9b5c62a9f6ab37ca5aa1

SHA512
e3d1b30dfad4be19d769fdc30c2d3a5fdf2166c8d02f34b7ef17165bb1c4b357b9e5cb852d3db4f6162f8c7eaf00e192bd0510c1ff23a21056b5915156c4ea1a

Download Submit
C:\Windows\SysWOW64\Ldgccb32.exe

Filesize
384KB

MD5
c7546a9f9eb0f8c58d461728316e8eb4

SHA1
fcf71aeb0c5932f5a07881926e234f151736fd9c

SHA256
2957943dd46db4d82f0eb34593c309acd6359745444415f18910353897a6fe06

SHA512
32de06781e86ead14b595c82a36f0388e8b7497f3429dd0980f309f45f02b6cfe81fe9ee611c4bfa5e3e76a9381954466af329a10e319fe12860933052afca58

Download Submit
C:\Windows\SysWOW64\Mcnggo32.dll

Filesize
7KB

MD5
1e5a7e32323b7c25e04b12e90093a427

SHA1
9aeeb0001c90f9e744f01066e87373c5014fe277

SHA256
585de8734f0d23b8e062b8b266013723575f5fd3db6c7cf21ea0f593b0498be0

SHA512
f58ec8ad2feada3bdce41072fb587e1470c96c7e0afcbaa8396a061fb203789a42fc0ee72fc83f75c3f0cc88df4a196517d8cf365906aa0407d799b353cdeeac

Download Submit
C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
C:\Windows\SysWOW64\Pghaghfn.exe

Filesize
276KB

MD5
4a10104f36934b1a45cea314c7c7cf92

SHA1
1162865833fd26af1d3350b72723346c0cc14e46

SHA256
6acdf951b015178402abb9a26cc19b4e3b8968c5f8382c652260dfcee2032b54

SHA512
4ba721b1a1bb0fbc5dae830eee2d32899a23274b0a11a8c6560bd34d4ec375006c5270eb8d72ca7cd2da43a0b9c7d347adb7a18c8914d958b27d3a667c7fa0a8

Download Submit
C:\Windows\SysWOW64\fvbiptfykd.exe

Filesize
255KB

MD5
c3a7d155b1fe0c6dabff1136beb31231

SHA1
c94f7d89fa148e3dab25d45d77a0ca1ec772d91a

SHA256
4afb0a472c78a191e65154d061cd395e9728dd337afcd98942ed5c73d5f5fab2

SHA512
39b2f13d4af8f8873877c43b1b2c5e2685588657e677dcbfe1df18080e4e901231e10de4b637c4869ec89ab6e6c424cd40c7aa5f50a6711f6bdf1c05954002b3

Download Submit
C:\Windows\SysWOW64\xdccPrograms\0048222.exe

Filesize
2.5MB

MD5
57dbf585672b1cfaa8e22faaab2eee1e

SHA1
c31c1f941abb279c1e72e30b047818837875f49b

SHA256
00b44c757fbd8f51095bd65c162eff7435a9e46e32bdd6413dd80c8452ad8aef

SHA512
a0021c892f8fc715a7ecb61f8f718017e0dff78b4b544f93fb5f66d9624aff13a787fa7f09a3d1ec9bd995f2b00f9805009df73197d331c9076504cb8da6d02a

Download Submit
C:\Windows\Sysinf.bat

Filesize
460B

MD5
7db3d565d6ddbe65a8b0e093910e7dcd

SHA1
d4804e6180c6e74ba79d3343f2f2ccb15e502f12

SHA256
a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f

SHA512
0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b

Download Submit
C:\Windows\System\FqPkDdx.exe

Filesize
1.3MB

MD5
09f4f882c669da085a70c204eed3226e

SHA1
d3e1f746ea785561a92da3c3c6bfc6b36a6d73ba

SHA256
00b9eff0d02445143724d04c53a07a24025a149a5ca3e8827f706b14aa68b38d

SHA512
d4eaa944c9bf604b03bce7746e5102b07f6d1d9b2a6e5213f1961782d61a3de2b216378074059ec51444736c60ad65a441f0e51e8dc4c387ccb53d99be3a345a

Download Submit
C:\Windows\regedt32.sys

Filesize
2KB

MD5
e7d7ec66bd61fac3843c98650b0c68f6

SHA1
a15ae06e1be51038863650746368a71024539bac

SHA256
6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8

SHA512
ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6

Download Submit
C:\Windows\svchest425075242507520.exe

Filesize
376KB

MD5
efb31465841e7e51bc2cd72c26601d2e

SHA1
5fa0e3fc40e8b1afd9acc12ae4b3ab17a963e3f1

SHA256
2c38fcdab9b636c4f046b29c3deb36560c3f5720c8967379efd24289d6f0fbf9

SHA512
f9c48056d767e3458db81d1461bde9fe9cea82eeaa55e1b4081e12cae59a95374efc6b2ec3b1fd51225728fb80517c08b0db01f3c050de1e8df4eba380df4907

Download Submit
C:\backup.exe

Filesize
122KB

MD5
000617c1651c3c7b7f0d6667874bded6

SHA1
1b50feefbe65ca00813912e4874504ecd6359601

SHA256
cea5bc4bd6842c8ddee5d2fd770de2549e3443c5f941bf771fe2ab847cce0e9e

SHA512
ca9a2795dc29e220e98e6e1470688e1a969d6024bb6db6366e67dc6946a46ca50b29997366eab3129163a19bea598f982341cd7af3786d7a971995644b946460

Download Submit
C:\i842042.exe

Filesize
65KB

MD5
5f223dff632f493e1707d443c40c8285

SHA1
19cb09d55c17fba3a63ac086529e9bea2a4a166f

SHA256
099f1e0f06ca22e7776fe70d5c59a34401ab59c782bc1ba4111dc8604da4d49d

SHA512
79521f77e9e14e73b3b5a8ffe6534ce300dac9d300e6072dc72de7b98adfa12a51301dcfd61fb3698b895d41b6afd89b1be075263a254d84d7600c9e6a61718e

Download Submit
C:\ntldr~6

Filesize
3KB

MD5
ebf9215d323e04cbe0e23aeb189f9ad9

SHA1
7ff07bc876d46cbf9bd7edb9f32660cae0719145

SHA256
ecf162dd8cc4d625f306ad8a060b689817ec9bfc368887e75d237d9485e0709a

SHA512
981640e3e8b44bfb5e16005a51eced258ba7bc6d6b45ea8aaac4aa1300aaf294516975cc0962e41c8618c1f37307984e8850f1ba1ad8251b246bfdec717d2d46

Download Submit
C:\ntldr~6

Filesize
3KB

MD5
2f0ad40e896a36ce8372c3f1b9969166

SHA1
46968d96f2ebcbd74caba8a2b7821414f54b90c8

SHA256
beccfc15ee83e9f00c10da4ad6a4ee15b6b88ab637275f19642554c720a47baa

SHA512
fdee583e0fe51ea58cb8517b0394cc024e870a4808c50e0683424838b6fbe1762209e158a4bb191ed8b58860fb585c5fc43b075f99eeb8dea7f1adeee4a6692e

Download Submit
C:\ntldr~6

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\ntldr~6

Filesize
2.3MB

MD5
5ad134e767876f5a7fd2e7e0ccf86ff7

SHA1
df1fdb6fda54c04eefb0ff8815d7beaed8614516

SHA256
ddbc5e0aad50d1fadab48685e3e2cff0c009ae30d6504493ceb94c8565ef2eb5

SHA512
3f04789d7d20829a4275eeee980475bdfd14c2c2f18a7be2015bb259207bc25281c86229a5349ba0990c15df4bbc1cac59a57906c33c7a9028a469d95cbbadc4

Download Submit
C:\ntldr~6

Filesize
3KB

MD5
a6dc927bfe4e8a69b07166f3a3259bfd

SHA1
2c495f343649bc9ca61b3e7fe38545e5aaf64302

SHA256
3bec7df73dcf0ea6f99e782a4640e7452a652011d91d3498d4660984d021e427

SHA512
479b144291c33083c11bd5729bfabebc34559400b9acc4eb37b4b59a0e5226c0e98946a6dd958b4928ae204efb5a780953c82ca2e50899ccb4bad0ff6b46a589

Download Submit
F:\Autorun.inf

Filesize
237B

MD5
94bcd02c5afd5918b4446345e7a5ded9

SHA1
79839238e84be225132e1382fae6333dfc4906a1

SHA256
5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1

SHA512
149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500

Download Submit
memory/396-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-182-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/600-636-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-212-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/756-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-613-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-699-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1780-803-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1828-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-434-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1864-176-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2304-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2304-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2404-739-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-673-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-168-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-170-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2888-171-0x0000000000427000-0x0000000000428000-memory.dmp

Filesize
4KB

Download
memory/2888-172-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2980-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3096-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3572-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3572-788-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-159-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4052-315-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4052-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4132-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-334-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4240-614-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-998-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4364-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4396-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-572-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4856-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-612-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-288-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4988-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-770-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5020-665-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5076-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-260-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5112-849-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5132-573-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5160-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5160-625-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5172-736-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5172-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5192-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5200-737-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5200-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5208-702-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5216-622-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/5216-618-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/5252-569-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5308-611-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5384-615-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5416-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5476-465-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5504-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5536-717-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5536-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5536-634-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5556-919-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5556-920-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5568-667-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5572-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5576-829-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5596-635-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5596-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5616-576-0x000000001C130000-0x000000001C1D6000-memory.dmp

Filesize
664KB

Download
memory/5616-700-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download
memory/5616-568-0x000000001BBB0000-0x000000001C07E000-memory.dmp

Filesize
4.8MB

Download
memory/5616-695-0x000000001C3F0000-0x000000001C48C000-memory.dmp

Filesize
624KB

Download
memory/5640-668-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5640-490-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5660-847-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5676-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5708-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5708-694-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5736-507-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5756-666-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5768-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5768-697-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5804-758-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/5804-762-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5832-755-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5924-718-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5924-669-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5928-675-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5928-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5940-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5964-738-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5964-660-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6016-670-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6016-729-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6032-648-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6032-513-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6064-512-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6136-674-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download