4883de39f6d11e0c6612f92f57c6762e6109011b2a2b9323d6d37e0cfd2b621f

Analysis

max time kernel
151s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 16:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
Size

336KB
MD5

8a636e70c6528bbba4a60fb23d5de1d7
SHA1

141f009be87471abbc04364961a17042efdf72f8
SHA256

4883de39f6d11e0c6612f92f57c6762e6109011b2a2b9323d6d37e0cfd2b621f
SHA512

6641e17cfe909c213a6c3d5921e3846dd3ee52e78e7b0ef7babd601d3b591cfbb31df576a5c301795ef3b02034b6d776552945df7b5c3a19f8be9f384debb0a5
SSDEEP

6144:lFNxO7lJJiQnTl1OwTJ8gVf5FYkEj4wNFD7Q3dBukv0HF89GpqGp3pZoKL:lg7l7Tlv8Gf5FYkq/Q3vuk+e9Gz3pZos

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	PNU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	MSBHBXJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	AAAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	QSWHVA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	QYHEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	GOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	HYXV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	MQHGVWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	OREC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	YKXUVN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	TVAKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	YKSVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	CHTBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VERX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	DABGKT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VJE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	AQJTDI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	GIY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NNPXQE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	YVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ICVHP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	HRNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	QVMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ZQDQOZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	LOAHI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	SIPAQYL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	GECYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NITB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	MDWGQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	BDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	OBQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	XJUN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VZSQOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ZUGXXSR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	CIPZJEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	KZICWND.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	HAK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	MLHA.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVAKD.exe	TVAKD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YKSVG.exe	YKSVG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHTBT.exe	CHTBT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIPAQYL.exe	SIPAQYL.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NNPXQE.exe	NNPXQE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VERX.exe	VERX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJE.exe	VJE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NPOXSWJ.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VERX.exe	VERX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NITB.exe	NITB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYHEX.exe	QYHEX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTXQDY.exe	PTXQDY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDF.exe	BDF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WGLEDXO.exe	WGLEDXO.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YKSVG.exe	YKSVG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DABGKT.exe	DABGKT.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KZICWND.exe	KZICWND.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBHBXJ.exe	MSBHBXJ.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AQJTDI.exe	AQJTDI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOD.exe	GOD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ODEHIQB.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QSWHVA.exe	QSWHVA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KZICWND.exe	KZICWND.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GIY.exe	GIY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTXQDY.exe	PTXQDY.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GOD.exe	GOD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YKXUVN.exe	YKXUVN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NITB.exe	NITB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QVMV.exe	QVMV.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JLQDZI.exe	JLQDZI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHTBT.exe	CHTBT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYHEX.exe	QYHEX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GIY.exe	GIY.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOAHI.exe	LOAHI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JKR.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQHGVWL.exe	MQHGVWL.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MDWGQ.exe	MDWGQ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AAAF.exe	AAAF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJE.exe	VJE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIPAQYL.exe	SIPAQYL.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QSWHVA.exe	QSWHVA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DABGKT.exe	DABGKT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HAK.exe	HAK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOAHI.exe	LOAHI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNU.exe	PNU.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNU.exe	PNU.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GECYY.exe	GECYY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HRNN.exe	HRNN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDF.exe	BDF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HAK.exe	HAK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JKR.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HYXV.exe	HYXV.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZSQOG.exe	VZSQOG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZQDQOZR.exe	ZQDQOZR.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MDWGQ.exe	MDWGQ.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QVMV.exe	QVMV.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CIPZJEY.exe	CIPZJEY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WGLEDXO.exe	WGLEDXO.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ODEHIQB.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YVZ.exe	YVZ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICVHP.exe	ICVHP.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AQJTDI.exe	AQJTDI.exe

Executes dropped EXE 64 IoCs

pid	Process
1440	GOD.exe
4712	CHTBT.exe
1592	LOAHI.exe
496	JKR.exe
4444	ODEHIQB.exe
1864	PNU.exe
3776	SIPAQYL.exe
4128	HYXV.exe
5040	NNPXQE.exe
4896	YKXUVN.exe
668	YVZ.exe
3212	TVAKD.exe
3692	VZSQOG.exe
924	HRNN.exe
4552	YKSVG.exe
3900	VERX.exe
3932	GECYY.exe
4492	ICVHP.exe
5844	MSBHBXJ.exe
5888	NITB.exe
5968	ZUGXXSR.exe
5996	ZQDQOZR.exe
6012	DABGKT.exe
6028	MQHGVWL.exe
5988	QSWHVA.exe
6004	MDWGQ.exe
2900	AAAF.exe
4164	KZICWND.exe
4436	QYHEX.exe
392	QVMV.exe
4388	CIPZJEY.exe
6456	VJE.exe
7008	HAK.exe
6316	AQJTDI.exe
5312	NPOXSWJ.exe
1644	ILEAEFF.exe
5316	PTXQDY.exe
5216	BDF.exe
5612	WGLEDXO.exe
7316	WEPGI.exe
7340	GIY.exe
7372	JLQDZI.exe
7424	MLHA.exe
7560	FPWW.exe
7448	OREC.exe
7468	XJUN.exe
8096	OBQ.exe
8372	CBP.exe
8768	MZTVBF.exe
8776	EUTPZEP.exe
8784	QOEORHF.exe
8792	LMSWMX.exe
8800	UOIUC.exe
8760	GWYDP.exe
8844	cmd.exe
8912	OLSXO.exe
8920	GCZG.exe
8928	JNS.exe
7412	SPMP.exe
5328	MLV.exe
5684	EADLSW.exe
2188	ZYEA.exe
5180	YIP.exe
2148	TTAQCDU.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cd955ae = "C:\\windows\\SysWOW64\\QVMV.exe"	QVMV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1acff18f = "C:\\windows\\DABGKT.exe"	DABGKT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f452fcc7 = "C:\\windows\\system\\BDF.exe"	BDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c7dbaf39 = "C:\\windows\\CHTBT.exe"	CHTBT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d64d8512 = "C:\\windows\\GOD.exe"	GOD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86e0d3e1 = "C:\\windows\\system\\VZSQOG.exe"	VZSQOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\479adb2b = "C:\\windows\\system\\PTXQDY.exe"	PTXQDY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1ea458a = "C:\\windows\\TVAKD.exe"	TVAKD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\36fab947 = "C:\\windows\\VERX.exe"	VERX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\75ced6b8 = "C:\\windows\\system\\VJE.exe"	VJE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9ace0782 = "C:\\windows\\system\\PNU.exe"	PNU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d8aeea15 = "C:\\windows\\SysWOW64\\ZUGXXSR.exe"	ZUGXXSR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18aa2fdb = "C:\\windows\\SysWOW64\\QYHEX.exe"	QYHEX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dff59157 = "C:\\windows\\system\\QSWHVA.exe"	QSWHVA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f45a4736 = "C:\\windows\\system\\AAAF.exe"	AAAF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\52b3ee7c = "C:\\windows\\CIPZJEY.exe"	CIPZJEY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8e997ad = "C:\\windows\\SysWOW64\\NITB.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9e97385a = "C:\\windows\\SysWOW64\\HAK.exe"	HAK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c07c81c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe"	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\136eff2e = "C:\\windows\\ODEHIQB.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ea458a = "C:\\windows\\TVAKD.exe"	TVAKD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\648dc162 = "C:\\windows\\WGLEDXO.exe"	WGLEDXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\52b3ee7c = "C:\\windows\\CIPZJEY.exe"	CIPZJEY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cec66ba0 = "C:\\windows\\SysWOW64\\JLQDZI.exe"	JLQDZI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2500a96 = "C:\\windows\\system\\NPOXSWJ.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ace0782 = "C:\\windows\\system\\PNU.exe"	PNU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b2098a37 = "C:\\windows\\system\\HRNN.exe"	HRNN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b2cf4dda = "C:\\windows\\KZICWND.exe"	KZICWND.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b2cf4dda = "C:\\windows\\KZICWND.exe"	KZICWND.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1cd955ae = "C:\\windows\\SysWOW64\\QVMV.exe"	QVMV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cec66ba0 = "C:\\windows\\SysWOW64\\JLQDZI.exe"	JLQDZI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a2500a96 = "C:\\windows\\system\\NPOXSWJ.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4969c616 = "C:\\windows\\system\\HYXV.exe"	HYXV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\277a253e = "C:\\windows\\system\\YVZ.exe"	YVZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18aa2fdb = "C:\\windows\\SysWOW64\\QYHEX.exe"	QYHEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c07ba389 = "C:\\windows\\JKR.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6fd8abfd = "C:\\windows\\system\\YKSVG.exe"	YKSVG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f45a4736 = "C:\\windows\\system\\AAAF.exe"	AAAF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\425d614e = "C:\\windows\\system\\AQJTDI.exe"	AQJTDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f61f59e9 = "C:\\windows\\SysWOW64\\GIY.exe"	GIY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58bc9607 = "C:\\windows\\SysWOW64\\SIPAQYL.exe"	SIPAQYL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277a253e = "C:\\windows\\system\\YVZ.exe"	YVZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a0337a0 = "C:\\windows\\SysWOW64\\MDWGQ.exe"	MDWGQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7a0337a0 = "C:\\windows\\SysWOW64\\MDWGQ.exe"	MDWGQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6fd8abfd = "C:\\windows\\system\\YKSVG.exe"	YKSVG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c4a881df = "C:\\windows\\ZQDQOZR.exe"	ZQDQOZR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f8e997ad = "C:\\windows\\SysWOW64\\NITB.exe"	NITB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c07ba389 = "C:\\windows\\JKR.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\86e0d3e1 = "C:\\windows\\system\\VZSQOG.exe"	VZSQOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5815d066 = "C:\\windows\\SysWOW64\\NNPXQE.exe"	NNPXQE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8e997ad = "C:\\windows\\SysWOW64\\NITB.exe"	NITB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\479adb2b = "C:\\windows\\system\\PTXQDY.exe"	PTXQDY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7dbaf39 = "C:\\windows\\CHTBT.exe"	CHTBT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8090f372 = "C:\\windows\\system\\LOAHI.exe"	LOAHI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\136eff2e = "C:\\windows\\ODEHIQB.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\947fb468 = "C:\\windows\\SysWOW64\\MQHGVWL.exe"	MQHGVWL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e97385a = "C:\\windows\\SysWOW64\\HAK.exe"	HAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f452fcc7 = "C:\\windows\\system\\BDF.exe"	BDF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\591a96bf = "C:\\windows\\SysWOW64\\YKXUVN.exe"	YKXUVN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2efb68f9 = "C:\\windows\\GECYY.exe"	GECYY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f8e997ad = "C:\\windows\\SysWOW64\\NITB.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\648dc162 = "C:\\windows\\WGLEDXO.exe"	WGLEDXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d64d8512 = "C:\\windows\\GOD.exe"	GOD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8090f372 = "C:\\windows\\system\\LOAHI.exe"	LOAHI.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\SIPAQYL.exe.bat	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File created	C:\windows\SysWOW64\NITB.exe	HYXV.exe
File created	C:\windows\SysWOW64\FPK.exe	MSBHBXJ.exe
File created	C:\windows\SysWOW64\VRGYJDQ.exe	YKSVG.exe
File opened for modification	C:\windows\SysWOW64\GZFSHC.exe	MDWGQ.exe
File created	C:\windows\SysWOW64\UOIUC.exe	YVZ.exe
File created	C:\windows\SysWOW64\OREC.exe.bat	NNPXQE.exe
File created	C:\windows\SysWOW64\ELTXH.exe.bat	VZSQOG.exe
File created	C:\windows\SysWOW64\ECSFZ.exe	AAAF.exe
File created	C:\windows\SysWOW64\GNMW.exe	MQHGVWL.exe
File opened for modification	C:\windows\SysWOW64\VMHDWT.exe	Process not Found
File created	C:\windows\SysWOW64\YKXUVN.exe	GOD.exe
File created	C:\windows\SysWOW64\ZUGXXSR.exe.bat	YVZ.exe
File opened for modification	C:\windows\SysWOW64\MLHA.exe	YKXUVN.exe
File opened for modification	C:\windows\SysWOW64\GWYDP.exe	VZSQOG.exe
File created	C:\windows\SysWOW64\GWYDP.exe.bat	VZSQOG.exe
File created	C:\windows\SysWOW64\ATZ.exe.bat	QSWHVA.exe
File created	C:\windows\SysWOW64\MMJ.exe	FPWW.exe
File opened for modification	C:\windows\SysWOW64\MMJ.exe	FPWW.exe
File opened for modification	C:\windows\SysWOW64\NNPXQE.exe	cmd.exe
File created	C:\windows\SysWOW64\NNPXQE.exe.bat	cmd.exe
File created	C:\windows\SysWOW64\HAK.exe.bat	VERX.exe
File opened for modification	C:\windows\SysWOW64\THAID.exe	ZUGXXSR.exe
File opened for modification	C:\windows\SysWOW64\YIJVKLC.exe	KZICWND.exe
File created	C:\windows\SysWOW64\TTAQCDU.exe.bat	NITB.exe
File created	C:\windows\SysWOW64\MLHA.exe.bat	YKXUVN.exe
File created	C:\windows\SysWOW64\HWXC.exe.bat	PNU.exe
File created	C:\windows\SysWOW64\YKXUVN.exe.bat	GOD.exe
File created	C:\windows\SysWOW64\MDWGQ.exe.bat	YVZ.exe
File created	C:\windows\SysWOW64\PAUFO.exe.bat	MDWGQ.exe
File created	C:\windows\SysWOW64\YIP.exe	DABGKT.exe
File created	C:\windows\SysWOW64\WXWK.exe.bat	MSBHBXJ.exe
File created	C:\windows\SysWOW64\WYD.exe	HYXV.exe
File created	C:\windows\SysWOW64\SPMP.exe	YVZ.exe
File opened for modification	C:\windows\SysWOW64\EAW.exe	AQJTDI.exe
File opened for modification	C:\windows\SysWOW64\OTTW.exe	HAK.exe
File created	C:\windows\SysWOW64\NNPXQE.exe	JKR.exe
File created	C:\windows\SysWOW64\ZUGXXSR.exe	YVZ.exe
File created	C:\windows\SysWOW64\GIY.exe	YKSVG.exe
File opened for modification	C:\windows\SysWOW64\UULSQN.exe	CIPZJEY.exe
File created	C:\windows\SysWOW64\MLV.exe	ICVHP.exe
File opened for modification	C:\windows\SysWOW64\TTAQCDU.exe	NITB.exe
File opened for modification	C:\windows\SysWOW64\OREC.exe	NNPXQE.exe
File created	C:\windows\SysWOW64\YIP.exe.bat	DABGKT.exe
File created	C:\windows\SysWOW64\IYSBUQ.exe	QVMV.exe
File created	C:\windows\SysWOW64\ZDIMMSL.exe.bat	HRNN.exe
File created	C:\windows\SysWOW64\SIPAQYL.exe	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File opened for modification	C:\windows\SysWOW64\HAK.exe	VERX.exe
File opened for modification	C:\windows\SysWOW64\FPWW.exe	GOD.exe
File created	C:\windows\SysWOW64\RXCG.exe.bat	YKXUVN.exe
File opened for modification	C:\windows\SysWOW64\SPMP.exe	YVZ.exe
File created	C:\windows\SysWOW64\XWK.exe.bat	YKXUVN.exe
File opened for modification	C:\windows\SysWOW64\FIXZVE.exe	TVAKD.exe
File opened for modification	C:\windows\SysWOW64\WVB.exe	HRNN.exe
File opened for modification	C:\windows\SysWOW64\QVMV.exe	ICVHP.exe
File created	C:\windows\SysWOW64\RXCG.exe	YKXUVN.exe
File opened for modification	C:\windows\SysWOW64\YJK.exe	GECYY.exe
File created	C:\windows\SysWOW64\MLV.exe.bat	ICVHP.exe
File created	C:\windows\SysWOW64\PAUFO.exe	MDWGQ.exe
File created	C:\windows\SysWOW64\ZPKCF.exe	ZQDQOZR.exe
File created	C:\windows\SysWOW64\OTTW.exe	HAK.exe
File created	C:\windows\SysWOW64\VMHDWT.exe.bat	Process not Found
File created	C:\windows\SysWOW64\IJHPY.exe.bat	XJUN.exe
File created	C:\windows\SysWOW64\FMZRFVO.exe	BDF.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\system\YKSVG.exe	PNU.exe
File created	C:\windows\ILEAEFF.exe.bat	YKSVG.exe
File opened for modification	C:\windows\system\SSDHR.exe	cmd.exe
File created	C:\windows\KSZV.exe.bat	VJE.exe
File created	C:\windows\system\YKSVG.exe.bat	PNU.exe
File created	C:\windows\system\FTFAWM.exe.bat	PNU.exe
File created	C:\windows\system\HYXV.exe	CHTBT.exe
File created	C:\windows\system\AQJTDI.exe.bat	HRNN.exe
File created	C:\windows\AFGKFR.exe.bat	DABGKT.exe
File opened for modification	C:\windows\PRZZQJ.exe	GECYY.exe
File created	C:\windows\system\IUCOCBQ.exe	SIPAQYL.exe
File created	C:\windows\OZAC.exe	OBQ.exe
File created	C:\windows\CHTBT.exe	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File opened for modification	C:\windows\system\PQCRQ.exe	GECYY.exe
File created	C:\windows\PRZZQJ.exe	GECYY.exe
File opened for modification	C:\windows\OZAC.exe	OBQ.exe
File created	C:\windows\system\VBUFLO.exe.bat	NNPXQE.exe
File created	C:\windows\AGTBPH.exe.bat	AAAF.exe
File opened for modification	C:\windows\OBQ.exe	QVMV.exe
File created	C:\windows\system\PWWNCL.exe.bat	MSBHBXJ.exe
File created	C:\windows\system\SSDHR.exe.bat	cmd.exe
File created	C:\windows\system\BDF.exe.bat	YKXUVN.exe
File created	C:\windows\ILEAEFF.exe	YKSVG.exe
File created	C:\windows\OBQ.exe.bat	QVMV.exe
File created	C:\windows\ZYEA.exe.bat	VZSQOG.exe
File created	C:\windows\system\KMEPFW.exe.bat	VERX.exe
File opened for modification	C:\windows\FTTVX.exe	YVZ.exe
File opened for modification	C:\windows\TVAKD.exe	ODEHIQB.exe
File created	C:\windows\GECYY.exe.bat	GOD.exe
File opened for modification	C:\windows\system\QSWHVA.exe	YKXUVN.exe
File created	C:\windows\system\USNR.exe	YVZ.exe
File opened for modification	C:\windows\LMSWMX.exe	YKSVG.exe
File created	C:\windows\NGYJ.exe	ZUGXXSR.exe
File created	C:\windows\GILELVG.exe	JLQDZI.exe
File created	C:\windows\system\JNS.exe	PNU.exe
File created	C:\windows\system\GCZG.exe	GOD.exe
File created	C:\windows\system\PQCRQ.exe.bat	GECYY.exe
File opened for modification	C:\windows\KKDLY.exe	SIPAQYL.exe
File created	C:\windows\system\XXND.exe.bat	CBP.exe
File created	C:\windows\BZDI.exe	DABGKT.exe
File opened for modification	C:\windows\ODEHIQB.exe	GOD.exe
File created	C:\windows\system\BDF.exe	YKXUVN.exe
File created	C:\windows\PRZZQJ.exe.bat	GECYY.exe
File opened for modification	C:\windows\system\XHSEW.exe	VERX.exe
File created	C:\windows\QTEZBM.exe	DABGKT.exe
File opened for modification	C:\windows\JKR.exe	CHTBT.exe
File created	C:\windows\system\PNU.exe.bat	LOAHI.exe
File created	C:\windows\system\XHSEW.exe	VERX.exe
File created	C:\windows\system\JAW.exe	PNU.exe
File created	C:\windows\system\SRE.exe	YKSVG.exe
File created	C:\windows\GOD.exe	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
File created	C:\windows\ODEHIQB.exe	GOD.exe
File created	C:\windows\system\HRNN.exe	PNU.exe
File opened for modification	C:\windows\system\VJE.exe	YVZ.exe
File created	C:\windows\WGLEDXO.exe.bat	ICVHP.exe
File created	C:\windows\PVYS.exe.bat	QYHEX.exe
File created	C:\windows\TKSGWY.exe.bat	HYXV.exe
File created	C:\windows\system\WRTLUL.exe.bat	WEPGI.exe
File created	C:\windows\TFAWMQZ.exe.bat	HYXV.exe
File opened for modification	C:\windows\KSZV.exe	VJE.exe
File created	C:\windows\system\VZSQOG.exe.bat	GOD.exe
File created	C:\windows\system\AQJTDI.exe	HRNN.exe
File created	C:\windows\system\XXND.exe	CBP.exe
File created	C:\windows\IOD.exe.bat	GIY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 44 IoCs

pid	pid_target	Process	procid_target
3548	3100	WerFault.exe	84
848	4712	WerFault.exe	91
1692	1592	WerFault.exe	95
3712	4444	WerFault.exe	101
5820	1440	WerFault.exe	92
8700	3692	WerFault.exe	136
8716	668	WerFault.exe	137
8724	3212	WerFault.exe	135
9740	3212	WerFault.exe	135
9724	3692	WerFault.exe	136
9708	668	WerFault.exe	137
1152	7008	WerFault.exe	247
6604	7448	WerFault.exe	313
7672	5312	WerFault.exe	311
10160	7340	WerFault.exe	368
9916	5312	WerFault.exe	311
6428	7448	WerFault.exe	313
708	7340	WerFault.exe	368
5480	7468	WerFault.exe	312
6064	7008	WerFault.exe	247
10384	924	WerFault.exe	147
13820	756	WerFault.exe	405
12284	6096	WerFault.exe	394
7064	6340	WerFault.exe	411
8304	4136	WerFault.exe	397
13432	10632	WerFault.exe	673
7808	8760	WerFault.exe	428
15268	6212	WerFault.exe	384
12408	8928	WerFault.exe	418
400	756	WerFault.exe	405
9360	2016	WerFault.exe	381
4716	6096	WerFault.exe	394
10112	8760	WerFault.exe	428
12108	5996	WerFault.exe	197
18244	5612	WerFault.exe	310
18088	5988	WerFault.exe	198
18080	5228	WerFault.exe	408
10948	5844	WerFault.exe	183
17132	10568	WerFault.exe	629
6172	5988	WerFault.exe	198
17624	6940	WerFault.exe	712
4128	7788	WerFault.exe	718
11468	10580	WerFault.exe	628
12356	10308	WerFault.exe	678

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
4712	CHTBT.exe
4712	CHTBT.exe
1440	GOD.exe
1440	GOD.exe
1592	LOAHI.exe
1592	LOAHI.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
4712	CHTBT.exe
4712	CHTBT.exe
1440	GOD.exe
1440	GOD.exe
1592	LOAHI.exe
496	JKR.exe
1592	LOAHI.exe
496	JKR.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
1592	LOAHI.exe
1592	LOAHI.exe
4712	CHTBT.exe
4712	CHTBT.exe
4444	ODEHIQB.exe
4444	ODEHIQB.exe
1440	GOD.exe
1440	GOD.exe
4712	CHTBT.exe
4712	CHTBT.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
1440	GOD.exe
1440	GOD.exe
4444	Process not Found
4444	Process not Found
496	cmd.exe
496	cmd.exe
1440	GOD.exe
1440	GOD.exe
1864	PNU.exe
1864	PNU.exe
1440	GOD.exe
1440	GOD.exe
4128	HYXV.exe
3776	SIPAQYL.exe
4128	HYXV.exe
3776	SIPAQYL.exe
1864	PNU.exe
1864	PNU.exe
1440	GOD.exe
1440	GOD.exe
4128	HYXV.exe
4128	HYXV.exe
3776	SIPAQYL.exe
3776	SIPAQYL.exe
1864	PNU.exe
1864	PNU.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
1440	GOD.exe
1440	GOD.exe
4712	CHTBT.exe
4712	CHTBT.exe
1592	LOAHI.exe
1592	LOAHI.exe
496	JKR.exe
496	JKR.exe
4444	ODEHIQB.exe
4444	ODEHIQB.exe
1864	PNU.exe
1864	PNU.exe
3776	SIPAQYL.exe
3776	SIPAQYL.exe
4128	HYXV.exe
4128	HYXV.exe
3692	VZSQOG.exe
3692	VZSQOG.exe
5040	NNPXQE.exe
5040	NNPXQE.exe
4896	YKXUVN.exe
4896	YKXUVN.exe
3212	TVAKD.exe
3212	TVAKD.exe
668	YVZ.exe
668	YVZ.exe
924	HRNN.exe
924	HRNN.exe
3900	VERX.exe
3900	VERX.exe
4552	YKSVG.exe
4552	YKSVG.exe
4492	ICVHP.exe
3932	GECYY.exe
4492	ICVHP.exe
3932	GECYY.exe
5844	MSBHBXJ.exe
5844	MSBHBXJ.exe
5968	ZUGXXSR.exe
6012	DABGKT.exe
6028	MQHGVWL.exe
5988	QSWHVA.exe
5996	ZQDQOZR.exe
6028	MQHGVWL.exe
6012	DABGKT.exe
5988	QSWHVA.exe
5996	ZQDQOZR.exe
6004	MDWGQ.exe
5968	ZUGXXSR.exe
6004	MDWGQ.exe
5888	NITB.exe
5888	NITB.exe
2900	AAAF.exe
2900	AAAF.exe
4164	KZICWND.exe
4164	KZICWND.exe
4436	QYHEX.exe
4436	QYHEX.exe
392	QVMV.exe
392	QVMV.exe
4388	CIPZJEY.exe
4388	CIPZJEY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4072	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	87
PID 3100 wrote to memory of 4072	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	87
PID 3100 wrote to memory of 4072	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	87
PID 3100 wrote to memory of 2184	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	89
PID 3100 wrote to memory of 2184	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	89
PID 3100 wrote to memory of 2184	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	89
PID 2184 wrote to memory of 1440	2184	cmd.exe	92
PID 2184 wrote to memory of 1440	2184	cmd.exe	92
PID 2184 wrote to memory of 1440	2184	cmd.exe	92
PID 4072 wrote to memory of 4712	4072	cmd.exe	91
PID 4072 wrote to memory of 4712	4072	cmd.exe	91
PID 4072 wrote to memory of 4712	4072	cmd.exe	91
PID 3100 wrote to memory of 1140	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	93
PID 3100 wrote to memory of 1140	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	93
PID 3100 wrote to memory of 1140	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	93
PID 1140 wrote to memory of 1592	1140	cmd.exe	95
PID 1140 wrote to memory of 1592	1140	cmd.exe	95
PID 1140 wrote to memory of 1592	1140	cmd.exe	95
PID 4712 wrote to memory of 3244	4712	CHTBT.exe	96
PID 4712 wrote to memory of 3244	4712	CHTBT.exe	96
PID 4712 wrote to memory of 3244	4712	CHTBT.exe	96
PID 1440 wrote to memory of 3152	1440	GOD.exe	98
PID 1440 wrote to memory of 3152	1440	GOD.exe	98
PID 1440 wrote to memory of 3152	1440	GOD.exe	98
PID 3244 wrote to memory of 496	3244	cmd.exe	100
PID 3244 wrote to memory of 496	3244	cmd.exe	100
PID 3244 wrote to memory of 496	3244	cmd.exe	100
PID 1592 wrote to memory of 3268	1592	LOAHI.exe	102
PID 1592 wrote to memory of 3268	1592	LOAHI.exe	102
PID 1592 wrote to memory of 3268	1592	LOAHI.exe	102
PID 3152 wrote to memory of 4444	3152	cmd.exe	101
PID 3152 wrote to memory of 4444	3152	cmd.exe	101
PID 3152 wrote to memory of 4444	3152	cmd.exe	101
PID 3100 wrote to memory of 1104	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	104
PID 3100 wrote to memory of 1104	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	104
PID 3100 wrote to memory of 1104	3100	NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe	104
PID 4712 wrote to memory of 4876	4712	CHTBT.exe	105
PID 4712 wrote to memory of 4876	4712	CHTBT.exe	105
PID 4712 wrote to memory of 4876	4712	CHTBT.exe	105
PID 1440 wrote to memory of 1600	1440	GOD.exe	239
PID 1440 wrote to memory of 1600	1440	GOD.exe	239
PID 1440 wrote to memory of 1600	1440	GOD.exe	239
PID 1440 wrote to memory of 2932	1440	GOD.exe	109
PID 1440 wrote to memory of 2932	1440	GOD.exe	109
PID 1440 wrote to memory of 2932	1440	GOD.exe	109
PID 4444 wrote to memory of 4164	4444	Process not Found	202
PID 4444 wrote to memory of 4164	4444	Process not Found	202
PID 4444 wrote to memory of 4164	4444	Process not Found	202
PID 496 wrote to memory of 1096	496	cmd.exe	111
PID 496 wrote to memory of 1096	496	cmd.exe	111
PID 496 wrote to memory of 1096	496	cmd.exe	111
PID 1104 wrote to memory of 3776	1104	cmd.exe	117
PID 1104 wrote to memory of 3776	1104	cmd.exe	117
PID 1104 wrote to memory of 3776	1104	cmd.exe	117
PID 3268 wrote to memory of 1864	3268	cmd.exe	118
PID 3268 wrote to memory of 1864	3268	cmd.exe	118
PID 3268 wrote to memory of 1864	3268	cmd.exe	118
PID 4876 wrote to memory of 4128	4876	cmd.exe	116
PID 4876 wrote to memory of 4128	4876	cmd.exe	116
PID 4876 wrote to memory of 4128	4876	cmd.exe	116
PID 1440 wrote to memory of 1232	1440	GOD.exe	129
PID 1440 wrote to memory of 1232	1440	GOD.exe	129
PID 1440 wrote to memory of 1232	1440	GOD.exe	129
PID 1864 wrote to memory of 396	1864	PNU.exe	222

C:\Users\Admin\AppData\Local\Temp\NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8a636e70c6528bbba4a60fb23d5de1d7_JC.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\CHTBT.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\windows\CHTBT.exe
    C:\windows\CHTBT.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\JKR.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\windows\JKR.exe
        
        C:\windows\JKR.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNPXQE.exe.bat" "
        6⤵
        
        PID:1096
        
        C:\windows\SysWOW64\NNPXQE.exe
        
        C:\windows\system32\NNPXQE.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MSBHBXJ.exe.bat" "
        8⤵
        
        PID:388
        
        C:\windows\system\MSBHBXJ.exe
        
        C:\windows\system\MSBHBXJ.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBP.exe.bat" "
        10⤵
        
        PID:6088
        
        C:\windows\SysWOW64\CBP.exe
        
        C:\windows\system32\CBP.exe
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:8372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XXND.exe.bat" "
        12⤵
        
        PID:6328
        
        C:\windows\system\XXND.exe
        
        C:\windows\system\XXND.exe
        13⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MUJ.exe.bat" "
        14⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TQAQF.exe.bat" "
        14⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WZYII.exe.bat" "
        14⤵
        
        PID:16324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPK.exe.bat" "
        10⤵
        
        PID:6328
        
        C:\windows\SysWOW64\FPK.exe
        
        C:\windows\system32\FPK.exe
        11⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJOGNSS.exe.bat" "
        12⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZWEOTY.exe.bat" "
        12⤵
        
        PID:11848
        
        C:\windows\system\ZWEOTY.exe
        
        C:\windows\system\ZWEOTY.exe
        13⤵
        
        PID:15308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TEAMC.exe.bat" "
        10⤵
        
        PID:6796
        
        C:\windows\TEAMC.exe
        
        C:\windows\TEAMC.exe
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GHZFN.exe.bat" "
        12⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVPZP.exe.bat" "
        12⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MCLHVB.exe.bat" "
        12⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWWNCL.exe.bat" "
        10⤵
        
        PID:7772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2312
        
        C:\windows\system\PWWNCL.exe
        
        C:\windows\system\PWWNCL.exe
        11⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TOSYVB.exe.bat" "
        12⤵
        
        PID:14472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UBE.exe.bat" "
        12⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WXWK.exe.bat" "
        10⤵
        
        PID:7440
        
        C:\windows\SysWOW64\WXWK.exe
        
        C:\windows\system32\WXWK.exe
        11⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXSOPD.exe.bat" "
        12⤵
        
        PID:11596
        
        C:\windows\system\LXSOPD.exe
        
        C:\windows\system\LXSOPD.exe
        13⤵
        
        PID:17392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VBWIU.exe.bat" "
        12⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOAQ.exe.bat" "
        10⤵
        
        PID:6800
        
        C:\windows\system\DOAQ.exe
        
        C:\windows\system\DOAQ.exe
        11⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FXF.exe.bat" "
        12⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UBCS.exe.bat" "
        10⤵
        
        PID:10096
        
        C:\windows\UBCS.exe
        
        C:\windows\UBCS.exe
        11⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIWRN.exe.bat" "
        12⤵
        
        PID:17992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLRRVC.exe.bat" "
        12⤵
        
        PID:16920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZC.exe.bat" "
        10⤵
        
        PID:11568
        
        C:\windows\SysWOW64\NZC.exe
        
        C:\windows\system32\NZC.exe
        11⤵
        
        PID:17224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TIQFKL.exe.bat" "
        10⤵
        
        PID:15960
        
        C:\windows\system\TIQFKL.exe
        
        C:\windows\system\TIQFKL.exe
        11⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LTQ.exe.bat" "
        10⤵
        
        PID:12056
        
        C:\windows\SysWOW64\LTQ.exe
        
        C:\windows\system32\LTQ.exe
        11⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1260
        10⤵
        Program crash
        
        PID:10948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DABGKT.exe.bat" "
        8⤵
        
        PID:4268
        
        C:\windows\DABGKT.exe
        
        C:\windows\DABGKT.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AFGKFR.exe.bat" "
        10⤵
        
        PID:7100
        
        C:\windows\AFGKFR.exe
        
        C:\windows\AFGKFR.exe
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVXNN.exe.bat" "
        12⤵
        
        PID:10328
        
        C:\windows\SysWOW64\EVXNN.exe
        
        C:\windows\system32\EVXNN.exe
        13⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MPBLGIW.exe.bat" "
        12⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZMBGXLK.exe.bat" "
        12⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QTEZBM.exe.bat" "
        10⤵
        
        PID:5748
        
        C:\windows\QTEZBM.exe
        
        C:\windows\QTEZBM.exe
        11⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XZEFHQ.exe.bat" "
        12⤵
        
        PID:6248
        
        C:\windows\XZEFHQ.exe
        
        C:\windows\XZEFHQ.exe
        13⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMKJGJ.exe.bat" "
        14⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TOC.exe.bat" "
        12⤵
        
        PID:11176
        
        C:\windows\TOC.exe
        
        C:\windows\TOC.exe
        13⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZBSLC.exe.bat" "
        14⤵
        
        PID:17472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WRBAJ.exe.bat" "
        12⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SXOYHGK.exe.bat" "
        12⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PGNDYQB.exe.bat" "
        12⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIP.exe.bat" "
        10⤵
        
        PID:7688
        
        C:\windows\SysWOW64\YIP.exe
        
        C:\windows\system32\YIP.exe
        11⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KWTRX.exe.bat" "
        12⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BZDI.exe.bat" "
        10⤵
        
        PID:5656
        
        C:\windows\BZDI.exe
        
        C:\windows\BZDI.exe
        11⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DSNAL.exe.bat" "
        12⤵
        
        PID:9572
        
        C:\windows\SysWOW64\DSNAL.exe
        
        C:\windows\system32\DSNAL.exe
        13⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PXCR.exe.bat" "
        12⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VZD.exe.bat" "
        10⤵
        
        PID:7248
        
        C:\windows\system\VZD.exe
        
        C:\windows\system\VZD.exe
        11⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HAC.exe.bat" "
        10⤵
        
        PID:1792
        
        C:\windows\system\HAC.exe
        
        C:\windows\system\HAC.exe
        11⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NBIT.exe.bat" "
        10⤵
        
        PID:7940
        
        C:\windows\NBIT.exe
        
        C:\windows\NBIT.exe
        11⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KURMQU.exe.bat" "
        10⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JYZJK.exe.bat" "
        10⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OREC.exe.bat" "
        8⤵
        
        PID:3328
        
        C:\windows\SysWOW64\OREC.exe
        
        C:\windows\system32\OREC.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BHGEBWH.exe.bat" "
        10⤵
        
        PID:5392
        
        C:\windows\BHGEBWH.exe
        
        C:\windows\BHGEBWH.exe
        11⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1292
        10⤵
        Program crash
        
        PID:6604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1292
        10⤵
        Program crash
        
        PID:6428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EUTPZEP.exe.bat" "
        8⤵
        
        PID:5712
        
        C:\windows\EUTPZEP.exe
        
        C:\windows\EUTPZEP.exe
        9⤵
        Executes dropped EXE
        
        PID:8776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LAMC.exe.bat" "
        10⤵
        
        PID:7596
        
        C:\windows\LAMC.exe
        
        C:\windows\LAMC.exe
        11⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CIEITIM.exe.bat" "
        12⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZKTJV.exe.bat" "
        10⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBUFLO.exe.bat" "
        8⤵
        
        PID:9352
        
        C:\windows\system\VBUFLO.exe
        
        C:\windows\system\VBUFLO.exe
        9⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXHW.exe.bat" "
        10⤵
        
        PID:7656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYXV.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\windows\system\HYXV.exe
        
        C:\windows\system\HYXV.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VERX.exe.bat" "
        6⤵
        
        PID:2168
        
        C:\windows\VERX.exe
        
        C:\windows\VERX.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HAK.exe.bat" "
        8⤵
        
        PID:5572
        
        C:\windows\SysWOW64\HAK.exe
        
        C:\windows\system32\HAK.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIM.exe.bat" "
        10⤵
        
        PID:5248
        
        C:\windows\system\RIM.exe
        
        C:\windows\system\RIM.exe
        11⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LPPZF.exe.bat" "
        12⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JVBMQL.exe.bat" "
        12⤵
        
        PID:15396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SFCHKSM.exe.bat" "
        12⤵
        Executes dropped EXE
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OTTW.exe.bat" "
        10⤵
        
        PID:7228
        
        C:\windows\SysWOW64\OTTW.exe
        
        C:\windows\system32\OTTW.exe
        11⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FHWV.exe.bat" "
        12⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRI.exe.bat" "
        12⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10580 -s 1360
        12⤵
        Program crash
        
        PID:11468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1308
        10⤵
        Program crash
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 1308
        10⤵
        Program crash
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XHSEW.exe.bat" "
        8⤵
        
        PID:3552
        
        C:\windows\system\XHSEW.exe
        
        C:\windows\system\XHSEW.exe
        9⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XSZDD.exe.bat" "
        10⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMEPFW.exe.bat" "
        8⤵
        
        PID:6640
        
        C:\windows\system\KMEPFW.exe
        
        C:\windows\system\KMEPFW.exe
        9⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FLGZUWT.exe.bat" "
        10⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTWALG.exe.bat" "
        8⤵
        
        PID:9312
        
        C:\windows\system\TTWALG.exe
        
        C:\windows\system\TTWALG.exe
        9⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXGUTO.exe.bat" "
        10⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JHQVT.exe.bat" "
        10⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VNQ.exe.bat" "
        8⤵
        
        PID:820
        
        C:\windows\SysWOW64\VNQ.exe
        
        C:\windows\system32\VNQ.exe
        9⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKC.exe.bat" "
        10⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WWXN.exe.bat" "
        8⤵
        
        PID:11228
        
        C:\windows\WWXN.exe
        
        C:\windows\WWXN.exe
        9⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CIH.exe.bat" "
        10⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFHQ.exe.bat" "
        8⤵
        
        PID:15936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MYRN.exe.bat" "
        8⤵
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NITB.exe.bat" "
        6⤵
        
        PID:2904
        
        C:\windows\SysWOW64\NITB.exe
        
        C:\windows\system32\NITB.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTXQDY.exe.bat" "
        8⤵
        
        PID:3948
        
        C:\windows\system\PTXQDY.exe
        
        C:\windows\system\PTXQDY.exe
        9⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MZRFVOW.exe.bat" "
        10⤵
        
        PID:5892
        
        C:\windows\MZRFVOW.exe
        
        C:\windows\MZRFVOW.exe
        11⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DWGXLOU.exe.bat" "
        12⤵
        
        PID:16756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TTAQCDU.exe.bat" "
        8⤵
        
        PID:5208
        
        C:\windows\SysWOW64\TTAQCDU.exe
        
        C:\windows\system32\TTAQCDU.exe
        9⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PFERYSN.exe.bat" "
        10⤵
        
        PID:7328
        
        C:\windows\PFERYSN.exe
        
        C:\windows\PFERYSN.exe
        11⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRXO.exe.bat" "
        12⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWXTZ.exe.bat" "
        10⤵
        
        PID:12832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FEWS.exe.bat" "
        10⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RRGYS.exe.bat" "
        10⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SSDHR.exe.bat" "
        8⤵
        
        PID:8624
        
        C:\windows\system\SSDHR.exe
        
        C:\windows\system\SSDHR.exe
        9⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SPWYYP.exe.bat" "
        10⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUZCZU.exe.bat" "
        10⤵
        
        PID:11844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NPOXSWJ.exe.bat" "
        6⤵
        
        PID:5396
        
        C:\windows\system\NPOXSWJ.exe
        
        C:\windows\system\NPOXSWJ.exe
        7⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGW.exe.bat" "
        8⤵
        
        PID:8544
        
        C:\windows\system\EGW.exe
        
        C:\windows\system\EGW.exe
        9⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 1332
        8⤵
        Program crash
        
        PID:7672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 1332
        8⤵
        Program crash
        
        PID:9916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TKSGWY.exe.bat" "
        6⤵
        
        PID:5504
        
        C:\windows\TKSGWY.exe
        
        C:\windows\TKSGWY.exe
        7⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSI.exe.bat" "
        8⤵
        
        PID:11628
        
        C:\windows\SysWOW64\HSI.exe
        
        C:\windows\system32\HSI.exe
        9⤵
        
        PID:17300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1300
        8⤵
        Program crash
        
        PID:8304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYD.exe.bat" "
        6⤵
        
        PID:7256
        
        C:\windows\SysWOW64\WYD.exe
        
        C:\windows\system32\WYD.exe
        7⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OZZ.exe.bat" "
        8⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VOWT.exe.bat" "
        8⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ODYB.exe.bat" "
        8⤵
        
        PID:16376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TFAWMQZ.exe.bat" "
        6⤵
        
        PID:9028
        
        C:\windows\TFAWMQZ.exe
        
        C:\windows\TFAWMQZ.exe
        7⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXBTPIJ.exe.bat" "
        8⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSLQ.exe.bat" "
        8⤵
        
        PID:13232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DBDPV.exe.bat" "
        6⤵
        
        PID:9704
        
        C:\windows\system\DBDPV.exe
        
        C:\windows\system\DBDPV.exe
        7⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WNYES.exe.bat" "
        8⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FYS.exe.bat" "
        8⤵
        
        PID:10212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRED.exe.bat" "
        6⤵
        
        PID:852
        
        C:\windows\SysWOW64\WRED.exe
        
        C:\windows\system32\WRED.exe
        7⤵
        
        PID:12900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GMHGZCQ.exe.bat" "
        6⤵
        
        PID:11672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBMQLKN.exe.bat" "
        6⤵
        
        PID:15372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RSC.exe.bat" "
        6⤵
        
        PID:9928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1332
      4⤵
      Program crash
      PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\GOD.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\windows\GOD.exe
    C:\windows\GOD.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\ODEHIQB.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\windows\ODEHIQB.exe
        
        C:\windows\ODEHIQB.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TVAKD.exe.bat" "
        6⤵
        
        PID:4164
        
        C:\windows\TVAKD.exe
        
        C:\windows\TVAKD.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KZICWND.exe.bat" "
        8⤵
        
        PID:2312
        
        C:\windows\KZICWND.exe
        
        C:\windows\KZICWND.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIJVKLC.exe.bat" "
        10⤵
        
        PID:1436
        
        C:\windows\SysWOW64\YIJVKLC.exe
        
        C:\windows\system32\YIJVKLC.exe
        11⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZQMGA.exe.bat" "
        12⤵
        
        PID:6480
        
        C:\windows\ZQMGA.exe
        
        C:\windows\ZQMGA.exe
        13⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PIR.exe.bat" "
        14⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDCXIWW.exe.bat" "
        12⤵
        
        PID:10264
        
        C:\windows\SysWOW64\PDCXIWW.exe
        
        C:\windows\system32\PDCXIWW.exe
        13⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHS.exe.bat" "
        14⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IAXNQC.exe.bat" "
        14⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOUPWF.exe.bat" "
        12⤵
        
        PID:11420
        
        C:\windows\system\YOUPWF.exe
        
        C:\windows\system\YOUPWF.exe
        13⤵
        
        PID:17284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UJEMQHX.exe.bat" "
        12⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BWJJQGU.exe.bat" "
        12⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MQHGVWL.exe.bat" "
        8⤵
        
        PID:5592
        
        C:\windows\SysWOW64\MQHGVWL.exe
        
        C:\windows\system32\MQHGVWL.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJUN.exe.bat" "
        10⤵
        
        PID:5904
        
        C:\windows\SysWOW64\XJUN.exe
        
        C:\windows\system32\XJUN.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJHPY.exe.bat" "
        12⤵
        
        PID:8956
        
        C:\windows\SysWOW64\IJHPY.exe
        
        C:\windows\system32\IJHPY.exe
        13⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BAWT.exe.bat" "
        14⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 960
        12⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YRGZ.exe.bat" "
        10⤵
        
        PID:6948
        
        C:\windows\YRGZ.exe
        
        C:\windows\YRGZ.exe
        11⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SISZH.exe.bat" "
        12⤵
        
        PID:8668
        
        C:\windows\SISZH.exe
        
        C:\windows\SISZH.exe
        13⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SQYECT.exe.bat" "
        12⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KMKWNE.exe.bat" "
        12⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQGM.exe.bat" "
        10⤵
        
        PID:8836
        
        C:\windows\system\XQGM.exe
        
        C:\windows\system\XQGM.exe
        11⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\URM.exe.bat" "
        12⤵
        
        PID:10812
        
        C:\windows\system\URM.exe
        
        C:\windows\system\URM.exe
        13⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUYDSKB.exe.bat" "
        12⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZUI.exe.bat" "
        12⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNMW.exe.bat" "
        10⤵
        
        PID:9392
        
        C:\windows\SysWOW64\GNMW.exe
        
        C:\windows\system32\GNMW.exe
        11⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NLLB.exe.bat" "
        12⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVGTK.exe.bat" "
        10⤵
        
        PID:4448
        
        C:\windows\RVGTK.exe
        
        C:\windows\RVGTK.exe
        11⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBYC.exe.bat" "
        12⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FHE.exe.bat" "
        12⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KIUJYT.exe.bat" "
        10⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYHG.exe.bat" "
        10⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLTQY.exe.bat" "
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLSXO.exe.bat" "
        8⤵
        
        PID:6840
        
        C:\windows\system\OLSXO.exe
        
        C:\windows\system\OLSXO.exe
        9⤵
        Executes dropped EXE
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSFT.exe.bat" "
        10⤵
        
        PID:528
        
        C:\windows\SysWOW64\ZSFT.exe
        
        C:\windows\system32\ZSFT.exe
        11⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPO.exe.bat" "
        10⤵
        
        PID:11576
        
        C:\windows\SysWOW64\GPO.exe
        
        C:\windows\system32\GPO.exe
        11⤵
        
        PID:17308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OTIQFK.exe.bat" "
        10⤵
        
        PID:15628
        
        C:\windows\system\OTIQFK.exe
        
        C:\windows\system\OTIQFK.exe
        11⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DOAOEFK.exe.bat" "
        10⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UUCK.exe.bat" "
        8⤵
        
        PID:1592
        
        C:\windows\system\UUCK.exe
        
        C:\windows\system\UUCK.exe
        9⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CLY.exe.bat" "
        10⤵
        
        PID:11492
        
        C:\windows\CLY.exe
        
        C:\windows\CLY.exe
        11⤵
        
        PID:17324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPQEIMD.exe.bat" "
        10⤵
        
        PID:15892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FIXZVE.exe.bat" "
        8⤵
        
        PID:5916
        
        C:\windows\SysWOW64\FIXZVE.exe
        
        C:\windows\system32\FIXZVE.exe
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATFGJW.exe.bat" "
        10⤵
        
        PID:11484
        
        C:\windows\ATFGJW.exe
        
        C:\windows\ATFGJW.exe
        11⤵
        
        PID:17700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SXDBE.exe.bat" "
        10⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYQ.exe.bat" "
        10⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1328
        8⤵
        Program crash
        
        PID:8724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1328
        8⤵
        Program crash
        
        PID:9740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1304
        6⤵
        Program crash
        
        PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKXUVN.exe.bat" "
      4⤵
      PID:1600
    - - C:\windows\SysWOW64\YKXUVN.exe
        
        C:\windows\system32\YKXUVN.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QSWHVA.exe.bat" "
        6⤵
        
        PID:4392
        
        C:\windows\system\QSWHVA.exe
        
        C:\windows\system\QSWHVA.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JVII.exe.bat" "
        8⤵
        
        PID:6544
        
        C:\windows\system\JVII.exe
        
        C:\windows\system\JVII.exe
        9⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOGNS.exe.bat" "
        10⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGA.exe.bat" "
        10⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YJLAIBX.exe.bat" "
        8⤵
        
        PID:7616
        
        C:\windows\YJLAIBX.exe
        
        C:\windows\YJLAIBX.exe
        9⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "
        10⤵
        
        PID:6864
        
        C:\windows\BPT.exe
        
        C:\windows\BPT.exe
        11⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JQCMU.exe.bat" "
        10⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPD.exe.bat" "
        10⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATZ.exe.bat" "
        8⤵
        
        PID:8996
        
        C:\windows\SysWOW64\ATZ.exe
        
        C:\windows\system32\ATZ.exe
        9⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QUSS.exe.bat" "
        10⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NZWFQS.exe.bat" "
        10⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKSS.exe.bat" "
        8⤵
        
        PID:9384
        
        C:\windows\system\PKSS.exe
        
        C:\windows\system\PKSS.exe
        9⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTADJNW.exe.bat" "
        10⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AHDJR.exe.bat" "
        8⤵
        
        PID:6644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5748
        
        C:\windows\SysWOW64\AHDJR.exe
        
        C:\windows\system32\AHDJR.exe
        9⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJSTO.exe.bat" "
        10⤵
        
        PID:14660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXSL.exe.bat" "
        10⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YFNMG.exe.bat" "
        8⤵
        
        PID:5480
        
        C:\windows\YFNMG.exe
        
        C:\windows\YFNMG.exe
        9⤵
        
        PID:14080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JABDZ.exe.bat" "
        8⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBJLXB.exe.bat" "
        8⤵
        
        PID:15972
        
        C:\windows\SysWOW64\OBJLXB.exe
        
        C:\windows\system32\OBJLXB.exe
        9⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EJOOSZ.exe.bat" "
        8⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1396
        8⤵
        Program crash
        
        PID:18088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1396
        8⤵
        Program crash
        
        PID:6172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDF.exe.bat" "
        6⤵
        
        PID:2052
        
        C:\windows\system\BDF.exe
        
        C:\windows\system\BDF.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ACI.exe.bat" "
        8⤵
        
        PID:6656
        
        C:\windows\SysWOW64\ACI.exe
        
        C:\windows\system32\ACI.exe
        9⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VTY.exe.bat" "
        10⤵
        
        PID:17364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFDJ.exe.bat" "
        10⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FMZRFVO.exe.bat" "
        8⤵
        
        PID:9616
        
        C:\windows\SysWOW64\FMZRFVO.exe
        
        C:\windows\system32\FMZRFVO.exe
        9⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WWCS.exe.bat" "
        10⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IRY.exe.bat" "
        8⤵
        
        PID:9592
        
        C:\windows\system\IRY.exe
        
        C:\windows\system\IRY.exe
        9⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IIJZEY.exe.bat" "
        10⤵
        
        PID:17936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UIR.exe.bat" "
        8⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VOVCQW.exe.bat" "
        8⤵
        
        PID:15456
        
        C:\windows\SysWOW64\VOVCQW.exe
        
        C:\windows\system32\VOVCQW.exe
        9⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUEGTDN.exe.bat" "
        8⤵
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLHA.exe.bat" "
        6⤵
        
        PID:6060
        
        C:\windows\SysWOW64\MLHA.exe
        
        C:\windows\system32\MLHA.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWKTF.exe.bat" "
        8⤵
        
        PID:4576
        
        C:\windows\system\TWKTF.exe
        
        C:\windows\system\TWKTF.exe
        9⤵
        
        PID:8720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RXCG.exe.bat" "
        6⤵
        
        PID:3904
        
        C:\windows\SysWOW64\RXCG.exe
        
        C:\windows\system32\RXCG.exe
        7⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZSNC.exe.bat" "
        8⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 992
        8⤵
        Program crash
        
        PID:12284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 992
        8⤵
        Program crash
        
        PID:4716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ACE.exe.bat" "
        6⤵
        
        PID:7368
        
        C:\windows\system\ACE.exe
        
        C:\windows\system\ACE.exe
        7⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DJZKVA.exe.bat" "
        8⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYBKOAV.exe.bat" "
        8⤵
        
        PID:11780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWK.exe.bat" "
        6⤵
        
        PID:8224
        
        C:\windows\SysWOW64\XWK.exe
        
        C:\windows\system32\XWK.exe
        7⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PGY.exe.bat" "
        8⤵
        
        PID:13424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DVMVD.exe.bat" "
        6⤵
        
        PID:5292
        
        C:\windows\system\DVMVD.exe
        
        C:\windows\system\DVMVD.exe
        7⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EHMJZYC.exe.bat" "
        8⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BOW.exe.bat" "
        6⤵
        
        PID:4944
        
        C:\windows\BOW.exe
        
        C:\windows\BOW.exe
        7⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10632 -s 844
        8⤵
        Program crash
        
        PID:13432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FNMGMQV.exe.bat" "
        6⤵
        
        PID:8380
        
        C:\windows\system\FNMGMQV.exe
        
        C:\windows\system\FNMGMQV.exe
        7⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UAYD.exe.bat" "
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SWCT.exe.bat" "
        8⤵
        
        PID:16276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPCR.exe.bat" "
        6⤵
        
        PID:11520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\INAJEC.exe.bat" "
        6⤵
        
        PID:9772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BGRTM.exe.bat" "
        6⤵
        
        PID:12196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVZ.exe.bat" "
      4⤵
      PID:2932
    - - C:\windows\system\YVZ.exe
        
        C:\windows\system\YVZ.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUGXXSR.exe.bat" "
        6⤵
        
        PID:5020
        
        C:\windows\SysWOW64\ZUGXXSR.exe
        
        C:\windows\system32\ZUGXXSR.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THAID.exe.bat" "
        8⤵
        
        PID:6376
        
        C:\windows\SysWOW64\THAID.exe
        
        C:\windows\system32\THAID.exe
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TKOHG.exe.bat" "
        10⤵
        
        PID:11988
        
        C:\windows\TKOHG.exe
        
        C:\windows\TKOHG.exe
        11⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VSSMY.exe.bat" "
        10⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UAX.exe.bat" "
        10⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NGYJ.exe.bat" "
        8⤵
        
        PID:7652
        
        C:\windows\NGYJ.exe
        
        C:\windows\NGYJ.exe
        9⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TOMENH.exe.bat" "
        8⤵
        
        PID:3720
        
        C:\windows\TOMENH.exe
        
        C:\windows\TOMENH.exe
        9⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMCV.exe.bat" "
        10⤵
        
        PID:16536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXSXHBN.exe.bat" "
        8⤵
        
        PID:9240
        
        C:\windows\system\LXSXHBN.exe
        
        C:\windows\system\LXSXHBN.exe
        9⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BQI.exe.bat" "
        10⤵
        
        PID:18188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10308 -s 1348
        10⤵
        Program crash
        
        PID:12356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GCY.exe.bat" "
        8⤵
        
        PID:6600
        
        C:\windows\GCY.exe
        
        C:\windows\GCY.exe
        9⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FCBH.exe.bat" "
        10⤵
        
        PID:8972
        
        C:\windows\FCBH.exe
        
        C:\windows\FCBH.exe
        11⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WARLUZC.exe.bat" "
        8⤵
        
        PID:11680
        
        C:\windows\SysWOW64\WARLUZC.exe
        
        C:\windows\system32\WARLUZC.exe
        9⤵
        
        PID:17316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GWNC.exe.bat" "
        8⤵
        
        PID:15380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YDOAOEF.exe.bat" "
        8⤵
        
        PID:4232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDWGQ.exe.bat" "
        6⤵
        
        PID:5268
        
        C:\windows\SysWOW64\MDWGQ.exe
        
        C:\windows\system32\MDWGQ.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLQDZI.exe.bat" "
        8⤵
        
        PID:2148
        
        C:\windows\SysWOW64\JLQDZI.exe
        
        C:\windows\system32\JLQDZI.exe
        9⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:7372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VGTKKIF.exe.bat" "
        10⤵
        
        PID:2920
        
        C:\windows\VGTKKIF.exe
        
        C:\windows\VGTKKIF.exe
        11⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUK.exe.bat" "
        12⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GILELVG.exe.bat" "
        10⤵
        
        PID:3220
        
        C:\windows\GILELVG.exe
        
        C:\windows\GILELVG.exe
        11⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIGWN.exe.bat" "
        12⤵
        
        PID:15948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PIYICTZ.exe.bat" "
        12⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SXQA.exe.bat" "
        12⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RTA.exe.bat" "
        10⤵
        
        PID:10404
        
        C:\windows\RTA.exe
        
        C:\windows\RTA.exe
        11⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\REXYY.exe.bat" "
        10⤵
        
        PID:14404
        
        C:\windows\SysWOW64\REXYY.exe
        
        C:\windows\system32\REXYY.exe
        11⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NQKSAPA.exe.bat" "
        10⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PAUFO.exe.bat" "
        8⤵
        
        PID:6600
        
        C:\windows\SysWOW64\PAUFO.exe
        
        C:\windows\system32\PAUFO.exe
        9⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VVJDDV.exe.bat" "
        10⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZFSHC.exe.bat" "
        8⤵
        
        PID:7756
        
        C:\windows\SysWOW64\GZFSHC.exe
        
        C:\windows\system32\GZFSHC.exe
        9⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVCSD.exe.bat" "
        10⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CXELH.exe.bat" "
        10⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBLLDLC.exe.bat" "
        10⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUE.exe.bat" "
        10⤵
        
        PID:11492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJE.exe.bat" "
        6⤵
        
        PID:5544
        
        C:\windows\system\VJE.exe
        
        C:\windows\system\VJE.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:6456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PZY.exe.bat" "
        8⤵
        
        PID:5500
        
        C:\windows\system\PZY.exe
        
        C:\windows\system\PZY.exe
        9⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KQKRYJT.exe.bat" "
        10⤵
        
        PID:10036
        
        C:\windows\KQKRYJT.exe
        
        C:\windows\KQKRYJT.exe
        11⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BDBGFBK.exe.bat" "
        10⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDIZ.exe.bat" "
        8⤵
        
        PID:7744
        
        C:\windows\system\KDIZ.exe
        
        C:\windows\system\KDIZ.exe
        9⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NXM.exe.bat" "
        10⤵
        
        PID:11604
        
        C:\windows\system\NXM.exe
        
        C:\windows\system\NXM.exe
        11⤵
        
        PID:17292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KSZV.exe.bat" "
        8⤵
        
        PID:3296
        
        C:\windows\KSZV.exe
        
        C:\windows\KSZV.exe
        9⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVO.exe.bat" "
        10⤵
        
        PID:9684
        
        C:\windows\system\PVO.exe
        
        C:\windows\system\PVO.exe
        11⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPDPBM.exe.bat" "
        10⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BBEH.exe.bat" "
        10⤵
        
        PID:16748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WDVM.exe.bat" "
        8⤵
        
        PID:7184
        
        C:\windows\system\WDVM.exe
        
        C:\windows\system\WDVM.exe
        9⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPRTSK.exe.bat" "
        10⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLCYZEE.exe.bat" "
        10⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ETHG.exe.bat" "
        8⤵
        
        PID:6524
        
        C:\windows\ETHG.exe
        
        C:\windows\ETHG.exe
        9⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GITD.exe.bat" "
        10⤵
        
        PID:15424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DJHD.exe.bat" "
        10⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NQFL.exe.bat" "
        10⤵
        
        PID:10880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\USNR.exe.bat" "
        6⤵
        
        PID:6348
        
        C:\windows\system\USNR.exe
        
        C:\windows\system\USNR.exe
        7⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OGVRXQV.exe.bat" "
        8⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDHMZGG.exe.bat" "
        8⤵
        
        PID:11748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SPMP.exe.bat" "
        6⤵
        
        PID:5004
        
        C:\windows\SysWOW64\SPMP.exe
        
        C:\windows\system32\SPMP.exe
        7⤵
        Executes dropped EXE
        
        PID:7412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATSNUG.exe.bat" "
        8⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JFPE.exe.bat" "
        8⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CYM.exe.bat" "
        8⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HHSUYJ.exe.bat" "
        8⤵
        
        PID:12104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UOIUC.exe.bat" "
        6⤵
        
        PID:8064
        
        C:\windows\SysWOW64\UOIUC.exe
        
        C:\windows\system32\UOIUC.exe
        7⤵
        Executes dropped EXE
        
        PID:8800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZKON.exe.bat" "
        8⤵
        
        PID:8324
        
        C:\windows\UZKON.exe
        
        C:\windows\UZKON.exe
        9⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYMPQK.exe.bat" "
        10⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RAM.exe.bat" "
        10⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PELPNIX.exe.bat" "
        8⤵
        
        PID:15364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJVW.exe.bat" "
        8⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FTTVX.exe.bat" "
        6⤵
        
        PID:7244
        
        C:\windows\FTTVX.exe
        
        C:\windows\FTTVX.exe
        7⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFQLCWN.exe.bat" "
        8⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 972
        8⤵
        Program crash
        
        PID:7064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1392
        6⤵
        Program crash
        
        PID:8716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1392
        6⤵
        Program crash
        
        PID:9708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\VZSQOG.exe.bat" "
      4⤵
      PID:1232
    - - C:\windows\system\VZSQOG.exe
        
        C:\windows\system\VZSQOG.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QYHEX.exe.bat" "
        6⤵
        
        PID:1404
        
        C:\windows\SysWOW64\QYHEX.exe
        
        C:\windows\system32\QYHEX.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PVYS.exe.bat" "
        8⤵
        
        PID:7128
        
        C:\windows\PVYS.exe
        
        C:\windows\PVYS.exe
        9⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGHZFNJ.exe.bat" "
        10⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YZKSYE.exe.bat" "
        10⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFW.exe.bat" "
        10⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GYIZ.exe.bat" "
        8⤵
        
        PID:8644
        
        C:\windows\GYIZ.exe
        
        C:\windows\GYIZ.exe
        9⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IXMSZK.exe.bat" "
        10⤵
        
        PID:2164
        
        C:\windows\IXMSZK.exe
        
        C:\windows\IXMSZK.exe
        11⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GAWBDTR.exe.bat" "
        10⤵
        
        PID:6932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZYEA.exe.bat" "
        6⤵
        
        PID:6244
        
        C:\windows\ZYEA.exe
        
        C:\windows\ZYEA.exe
        7⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DBGFBKH.exe.bat" "
        8⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WEOT.exe.bat" "
        8⤵
        
        PID:11724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ELTXH.exe.bat" "
        6⤵
        
        PID:5704
        
        C:\windows\SysWOW64\ELTXH.exe
        
        C:\windows\system32\ELTXH.exe
        7⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EOTY.exe.bat" "
        8⤵
        
        PID:11468
        
        C:\windows\system\EOTY.exe
        
        C:\windows\system\EOTY.exe
        9⤵
        
        PID:17400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GWYDP.exe.bat" "
        6⤵
        
        PID:8052
        
        C:\windows\SysWOW64\GWYDP.exe
        
        C:\windows\system32\GWYDP.exe
        7⤵
        Executes dropped EXE
        
        PID:8760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FKHLUNO.exe.bat" "
        8⤵
        
        PID:11620
        
        C:\windows\SysWOW64\FKHLUNO.exe
        
        C:\windows\system32\FKHLUNO.exe
        9⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VARX.exe.bat" "
        10⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8760 -s 840
        8⤵
        Program crash
        
        PID:7808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8760 -s 840
        8⤵
        Program crash
        
        PID:10112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1300
        6⤵
        Program crash
        
        PID:8700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1300
        6⤵
        Program crash
        
        PID:9724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\GECYY.exe.bat" "
      4⤵
      PID:2580
    - - C:\windows\GECYY.exe
        
        C:\windows\GECYY.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WEPGI.exe.bat" "
        6⤵
        
        PID:5776
        
        C:\windows\SysWOW64\WEPGI.exe
        
        C:\windows\system32\WEPGI.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:7316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WRTLUL.exe.bat" "
        8⤵
        
        PID:8116
        
        C:\windows\system\WRTLUL.exe
        
        C:\windows\system\WRTLUL.exe
        9⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUEUM.exe.bat" "
        10⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6940 -s 1308
        10⤵
        Program crash
        
        PID:17624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YJK.exe.bat" "
        6⤵
        
        PID:5912
        
        C:\windows\SysWOW64\YJK.exe
        
        C:\windows\system32\YJK.exe
        7⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFLJCGO.exe.bat" "
        8⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FONIM.exe.bat" "
        8⤵
        
        PID:14728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PQCRQ.exe.bat" "
        6⤵
        
        PID:6152
        
        C:\windows\system\PQCRQ.exe
        
        C:\windows\system\PQCRQ.exe
        7⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LAGZQT.exe.bat" "
        8⤵
        
        PID:11644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PRZZQJ.exe.bat" "
        6⤵
        
        PID:3580
        
        C:\windows\PRZZQJ.exe
        
        C:\windows\PRZZQJ.exe
        7⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QZWK.exe.bat" "
        8⤵
        
        PID:11716
        
        C:\windows\QZWK.exe
        
        C:\windows\QZWK.exe
        9⤵
        
        PID:17384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\System\QCPVA.exe.bat" "
        10⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 988
        8⤵
        Program crash
        
        PID:9360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SDH.exe.bat" "
        6⤵
        
        PID:8140
        
        C:\windows\SDH.exe
        
        C:\windows\SDH.exe
        7⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DAUQT.exe.bat" "
        8⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AFXO.exe.bat" "
        8⤵
        
        PID:9336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTOUEX.exe.bat" "
        6⤵
        
        PID:5412
        
        C:\windows\system\PTOUEX.exe
        
        C:\windows\system\PTOUEX.exe
        7⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHVF.exe.bat" "
        8⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PGN.exe.bat" "
        8⤵
        
        PID:3680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJABDZ.exe.bat" "
        6⤵
        
        PID:1620
        
        C:\windows\system\VJABDZ.exe
        
        C:\windows\system\VJABDZ.exe
        7⤵
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LYERBJ.exe.bat" "
        6⤵
        
        PID:15432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWYDU.exe.bat" "
        6⤵
        
        PID:12336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPWW.exe.bat" "
      4⤵
      PID:6116
    - - C:\windows\SysWOW64\FPWW.exe
        
        C:\windows\system32\FPWW.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMJ.exe.bat" "
        6⤵
        
        PID:7000
        
        C:\windows\SysWOW64\MMJ.exe
        
        C:\windows\system32\MMJ.exe
        7⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSNXJJ.exe.bat" "
        8⤵
        
        PID:5588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCZG.exe.bat" "
      4⤵
      PID:396
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1600
    - - C:\windows\system\GCZG.exe
        
        C:\windows\system\GCZG.exe
        5⤵
        Executes dropped EXE
        
        PID:8920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XNXJF.exe.bat" "
        6⤵
        
        PID:8828
        
        C:\windows\system\XNXJF.exe
        
        C:\windows\system\XNXJF.exe
        7⤵
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UMVVL.exe.bat" "
        6⤵
        
        PID:11880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1332
      4⤵
      Program crash
      PID:5820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\LOAHI.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\windows\system\LOAHI.exe
    C:\windows\system\LOAHI.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNU.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\windows\system\PNU.exe
        
        C:\windows\system\PNU.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HRNN.exe.bat" "
        6⤵
        
        PID:396
        
        C:\windows\system\HRNN.exe
        
        C:\windows\system\HRNN.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQJTDI.exe.bat" "
        8⤵
        
        PID:5656
        
        C:\windows\system\AQJTDI.exe
        
        C:\windows\system\AQJTDI.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAW.exe.bat" "
        10⤵
        
        PID:5732
        
        C:\windows\SysWOW64\EAW.exe
        
        C:\windows\system32\EAW.exe
        11⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WXYIC.exe.bat" "
        12⤵
        
        PID:7748
        
        C:\windows\SysWOW64\WXYIC.exe
        
        C:\windows\system32\WXYIC.exe
        13⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WICQBB.exe.bat" "
        14⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GJQZ.exe.bat" "
        14⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QEGBLEY.exe.bat" "
        12⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 1388
        12⤵
        Program crash
        
        PID:15268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LJFPELP.exe.bat" "
        12⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GRT.exe.bat" "
        12⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ABDMO.exe.bat" "
        10⤵
        
        PID:6132
        
        C:\windows\ABDMO.exe
        
        C:\windows\ABDMO.exe
        11⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CENUH.exe.bat" "
        12⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KKGIH.exe.bat" "
        12⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\THGFJGH.exe.bat" "
        10⤵
        
        PID:3868
        
        C:\windows\THGFJGH.exe
        
        C:\windows\THGFJGH.exe
        11⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIOFVLH.exe.bat" "
        12⤵
        
        PID:15464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7788 -s 996
        12⤵
        Program crash
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BEY.exe.bat" "
        10⤵
        
        PID:10276
        
        C:\windows\BEY.exe
        
        C:\windows\BEY.exe
        11⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAUA.exe.bat" "
        10⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MZTVBF.exe.bat" "
        8⤵
        
        PID:7096
        
        C:\windows\MZTVBF.exe
        
        C:\windows\MZTVBF.exe
        9⤵
        Executes dropped EXE
        
        PID:8768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BKT.exe.bat" "
        10⤵
        
        PID:9140
        
        C:\windows\BKT.exe
        
        C:\windows\BKT.exe
        11⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JVKT.exe.bat" "
        12⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AUQTPUD.exe.bat" "
        10⤵
        
        PID:15100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EWSJ.exe.bat" "
        10⤵
        
        PID:13220
        
        C:\windows\EWSJ.exe
        
        C:\windows\EWSJ.exe
        11⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\APD.exe.bat" "
        10⤵
        
        PID:17416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVB.exe.bat" "
        8⤵
        
        PID:7728
        
        C:\windows\SysWOW64\WVB.exe
        
        C:\windows\system32\WVB.exe
        9⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSISZHV.exe.bat" "
        10⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFTCOCQ.exe.bat" "
        10⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NPZTVM.exe.bat" "
        10⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZDIMMSL.exe.bat" "
        8⤵
        
        PID:9316
        
        C:\windows\SysWOW64\ZDIMMSL.exe
        
        C:\windows\system32\ZDIMMSL.exe
        9⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISBKLRE.exe.bat" "
        8⤵
        
        PID:7588
        
        C:\windows\ISBKLRE.exe
        
        C:\windows\ISBKLRE.exe
        9⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1392
        8⤵
        Program crash
        
        PID:10384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YKSVG.exe.bat" "
        6⤵
        
        PID:3636
        
        C:\windows\system\YKSVG.exe
        
        C:\windows\system\YKSVG.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CIPZJEY.exe.bat" "
        8⤵
        
        PID:5628
        
        C:\windows\CIPZJEY.exe
        
        C:\windows\CIPZJEY.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UULSQN.exe.bat" "
        10⤵
        
        PID:7016
        
        C:\windows\SysWOW64\UULSQN.exe
        
        C:\windows\system32\UULSQN.exe
        11⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZWKNT.exe.bat" "
        12⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GVRXQV.exe.bat" "
        12⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GIY.exe.bat" "
        8⤵
        
        PID:5880
        
        C:\windows\SysWOW64\GIY.exe
        
        C:\windows\system32\GIY.exe
        9⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:7340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IOD.exe.bat" "
        10⤵
        
        PID:10192
        
        C:\windows\IOD.exe
        
        C:\windows\IOD.exe
        11⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYMU.exe.bat" "
        12⤵
        
        PID:10488
        
        C:\windows\SysWOW64\WYMU.exe
        
        C:\windows\system32\WYMU.exe
        13⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 988
        10⤵
        Program crash
        
        PID:10160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 988
        10⤵
        Program crash
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ILEAEFF.exe.bat" "
        8⤵
        
        PID:4776
        
        C:\windows\ILEAEFF.exe
        
        C:\windows\ILEAEFF.exe
        9⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "
        10⤵
        
        PID:452
        
        C:\windows\SysWOW64\VMHDWT.exe
        
        C:\windows\system32\VMHDWT.exe
        11⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QOXSLP.exe.bat" "
        12⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VRGYJDQ.exe.bat" "
        8⤵
        
        PID:6812
        
        C:\windows\SysWOW64\VRGYJDQ.exe
        
        C:\windows\system32\VRGYJDQ.exe
        9⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZZDOINX.exe.bat" "
        10⤵
        
        PID:1484
        
        C:\windows\ZZDOINX.exe
        
        C:\windows\ZZDOINX.exe
        11⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BFYFBET.exe.bat" "
        12⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PUNFE.exe.bat" "
        10⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBEDHN.exe.bat" "
        10⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJODN.exe.bat" "
        8⤵
        
        PID:7140
        
        C:\windows\SysWOW64\QJODN.exe
        
        C:\windows\system32\QJODN.exe
        9⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRAEQZP.exe.bat" "
        10⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTTV.exe.bat" "
        10⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LMSWMX.exe.bat" "
        8⤵
        
        PID:1124
        
        C:\windows\LMSWMX.exe
        
        C:\windows\LMSWMX.exe
        9⤵
        Executes dropped EXE
        
        PID:8792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRE.exe.bat" "
        8⤵
        
        PID:7404
        
        C:\windows\system\SRE.exe
        
        C:\windows\system\SRE.exe
        9⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKKIU.exe.bat" "
        10⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VKTG.exe.bat" "
        10⤵
        
        PID:17852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ROBKIY.exe.bat" "
        10⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRBW.exe.bat" "
        8⤵
        
        PID:6588
        
        C:\windows\SysWOW64\JRBW.exe
        
        C:\windows\system32\JRBW.exe
        9⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDLZUOD.exe.bat" "
        8⤵
        
        PID:3288
        
        C:\windows\system\EDLZUOD.exe
        
        C:\windows\system\EDLZUOD.exe
        9⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HNUB.exe.bat" "
        10⤵
        
        PID:16516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SMDM.exe.bat" "
        10⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JYOUP.exe.bat" "
        8⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FHQX.exe.bat" "
        8⤵
        
        PID:15296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VRS.exe.bat" "
        8⤵
        
        PID:7712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZQDQOZR.exe.bat" "
        6⤵
        
        PID:5560
        
        C:\windows\ZQDQOZR.exe
        
        C:\windows\ZQDQOZR.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QOEORHF.exe.bat" "
        8⤵
        
        PID:6168
        
        C:\windows\QOEORHF.exe
        
        C:\windows\QOEORHF.exe
        9⤵
        Executes dropped EXE
        
        PID:8784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPKCF.exe.bat" "
        8⤵
        
        PID:7720
        
        C:\windows\SysWOW64\ZPKCF.exe
        
        C:\windows\system32\ZPKCF.exe
        9⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ARLU.exe.bat" "
        10⤵
        
        PID:11944
        
        C:\windows\ARLU.exe
        
        C:\windows\ARLU.exe
        11⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVVJDDV.exe.bat" "
        10⤵
        
        PID:6124
        
        C:\windows\SysWOW64\SVVJDDV.exe
        
        C:\windows\system32\SVVJDDV.exe
        11⤵
        
        PID:16796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 1328
        10⤵
        Program crash
        
        PID:18080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ANI.exe.bat" "
        8⤵
        
        PID:8812
        
        C:\windows\system\ANI.exe
        
        C:\windows\system\ANI.exe
        9⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HJYUQ.exe.bat" "
        10⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHFCP.exe.bat" "
        10⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HBNYIE.exe.bat" "
        8⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5888
        
        C:\windows\HBNYIE.exe
        
        C:\windows\HBNYIE.exe
        9⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XURP.exe.bat" "
        10⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EZCEFS.exe.bat" "
        8⤵
        
        PID:8212
        
        C:\windows\system\EZCEFS.exe
        
        C:\windows\system\EZCEFS.exe
        9⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TOIAT.exe.bat" "
        10⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QXIMJUN.exe.bat" "
        8⤵
        
        PID:11512
        
        C:\windows\QXIMJUN.exe
        
        C:\windows\QXIMJUN.exe
        9⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHFH.exe.bat" "
        8⤵
        
        PID:15604
        
        C:\windows\system\NHFH.exe
        
        C:\windows\system\NHFH.exe
        9⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEGTD.exe.bat" "
        8⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 1472
        8⤵
        Program crash
        
        PID:12108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JNS.exe.bat" "
        6⤵
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\windows\system\JNS.exe
        
        C:\windows\system\JNS.exe
        7⤵
        Executes dropped EXE
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZHMW.exe.bat" "
        8⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8928 -s 848
        8⤵
        Program crash
        
        PID:12408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JAW.exe.bat" "
        6⤵
        
        PID:5512
        
        C:\windows\system\JAW.exe
        
        C:\windows\system\JAW.exe
        7⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XJGWXO.exe.bat" "
        8⤵
        
        PID:11584
        
        C:\windows\XJGWXO.exe
        
        C:\windows\XJGWXO.exe
        9⤵
        
        PID:17340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTQHTDS.exe.bat" "
        8⤵
        
        PID:14796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LZTHAD.exe.bat" "
        8⤵
        
        PID:7620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HWXC.exe.bat" "
        6⤵
        
        PID:8020
        
        C:\windows\SysWOW64\HWXC.exe
        
        C:\windows\system32\HWXC.exe
        7⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERF.exe.bat" "
        8⤵
        
        PID:15388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DMKYZSQ.exe.bat" "
        8⤵
        
        PID:11816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EADLSW.exe.bat" "
        6⤵
        
        PID:7844
        
        C:\windows\SysWOW64\EADLSW.exe
        
        C:\windows\system32\EADLSW.exe
        7⤵
        Executes dropped EXE
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JHJ.exe.bat" "
        8⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SGAGW.exe.bat" "
        8⤵
        
        PID:11872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTFAWM.exe.bat" "
        6⤵
        
        PID:9336
        
        C:\windows\system\FTFAWM.exe
        
        C:\windows\system\FTFAWM.exe
        7⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVYX.exe.bat" "
        8⤵
        
        PID:4588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900
      4⤵
      Program crash
      PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIPAQYL.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\windows\SysWOW64\SIPAQYL.exe
    C:\windows\system32\SIPAQYL.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICVHP.exe.bat" "
      4⤵
      PID:4140
    - - C:\windows\system\ICVHP.exe
        
        C:\windows\system\ICVHP.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVMV.exe.bat" "
        6⤵
        
        PID:5484
        
        C:\windows\SysWOW64\QVMV.exe
        
        C:\windows\system32\QVMV.exe
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OBQ.exe.bat" "
        8⤵
        
        PID:6768
        
        C:\windows\OBQ.exe
        
        C:\windows\OBQ.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:8096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OZAC.exe.bat" "
        10⤵
        
        PID:5688
        
        C:\windows\OZAC.exe
        
        C:\windows\OZAC.exe
        11⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOOS.exe.bat" "
        12⤵
        
        PID:9492
        
        C:\windows\SysWOW64\JOOS.exe
        
        C:\windows\system32\JOOS.exe
        13⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWZ.exe.bat" "
        12⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IYSBUQ.exe.bat" "
        8⤵
        
        PID:8592
        
        C:\windows\SysWOW64\IYSBUQ.exe
        
        C:\windows\system32\IYSBUQ.exe
        9⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10568 -s 1316
        10⤵
        Program crash
        
        PID:17132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WGLEDXO.exe.bat" "
        6⤵
        
        PID:5452
        
        C:\windows\WGLEDXO.exe
        
        C:\windows\WGLEDXO.exe
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGJ.exe.bat" "
        8⤵
        
        PID:11200
        
        C:\windows\system\UGJ.exe
        
        C:\windows\system\UGJ.exe
        9⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LINMAR.exe.bat" "
        10⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LNOFGK.exe.bat" "
        8⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTH.exe.bat" "
        8⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1324
        8⤵
        Program crash
        
        PID:18244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLV.exe.bat" "
        6⤵
        
        PID:6672
        
        C:\windows\SysWOW64\MLV.exe
        
        C:\windows\system32\MLV.exe
        7⤵
        Executes dropped EXE
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JMHJOSY.exe.bat" "
        8⤵
        
        PID:4476
        
        C:\windows\system\JMHJOSY.exe
        
        C:\windows\system\JMHJOSY.exe
        9⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TJJ.exe.bat" "
        10⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATZK.exe.bat" "
        8⤵
        
        PID:4228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HUPZXL.exe.bat" "
        6⤵
        
        PID:4100
        
        C:\windows\system\HUPZXL.exe
        
        C:\windows\system\HUPZXL.exe
        7⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MDPC.exe.bat" "
        8⤵
        
        PID:14764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUET.exe.bat" "
        8⤵
        
        PID:8684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHW.exe.bat" "
        6⤵
        
        PID:7708
        
        C:\windows\system\NHW.exe
        
        C:\windows\system\NHW.exe
        7⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGPQEI.exe.bat" "
        8⤵
        
        PID:14756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DQN.exe.bat" "
        8⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XVSGFCK.exe.bat" "
        8⤵
        
        PID:8312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XZRZUKA.exe.bat" "
        6⤵
        
        PID:7296
        
        C:\windows\XZRZUKA.exe
        
        C:\windows\XZRZUKA.exe
        7⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FIEQK.exe.bat" "
        8⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 996
        8⤵
        Program crash
        
        PID:13820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 996
        8⤵
        Program crash
        
        PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\AAAF.exe.bat" "
      4⤵
      PID:1852
    - - C:\windows\system\AAAF.exe
        
        C:\windows\system\AAAF.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AGTBPH.exe.bat" "
        6⤵
        
        PID:1820
        
        C:\windows\AGTBPH.exe
        
        C:\windows\AGTBPH.exe
        7⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESCN.exe.bat" "
        8⤵
        
        PID:11156
        
        C:\windows\system\ESCN.exe
        
        C:\windows\system\ESCN.exe
        9⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\POC.exe.bat" "
        8⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YIDC.exe.bat" "
        8⤵
        
        PID:3848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ECSFZ.exe.bat" "
        6⤵
        
        PID:7732
        
        C:\windows\SysWOW64\ECSFZ.exe
        
        C:\windows\system32\ECSFZ.exe
        7⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VCSD.exe.bat" "
        8⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GVOWTA.exe.bat" "
        8⤵
        
        PID:14832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKSZVWQ.exe.bat" "
        6⤵
        
        PID:4220
        
        C:\windows\system\OKSZVWQ.exe
        
        C:\windows\system\OKSZVWQ.exe
        7⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LCJVJZ.exe.bat" "
        8⤵
        
        PID:9676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UHNOYKE.exe.bat" "
        6⤵
        
        PID:6572
        
        C:\windows\SysWOW64\UHNOYKE.exe
        
        C:\windows\system32\UHNOYKE.exe
        7⤵
        
        PID:12048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RBAJ.exe.bat" "
        6⤵
        
        PID:5124
        
        C:\windows\RBAJ.exe
        
        C:\windows\RBAJ.exe
        7⤵
        
        PID:17688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MMSIVQ.exe.bat" "
        6⤵
        
        PID:11972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AXTIGMX.exe.bat" "
        6⤵
        
        PID:18404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\VHHNZ.exe.bat" "
      4⤵
      PID:7048
    - - C:\windows\VHHNZ.exe
        
        C:\windows\VHHNZ.exe
        5⤵
        
        PID:3244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NCWR.exe.bat" "
        6⤵
        
        PID:8472
        
        C:\windows\NCWR.exe
        
        C:\windows\NCWR.exe
        7⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDFCXK.exe.bat" "
        8⤵
        
        PID:5732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QQUSS.exe.bat" "
        6⤵
        
        PID:8496
        
        C:\windows\QQUSS.exe
        
        C:\windows\QQUSS.exe
        7⤵
        
        PID:13680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JYS.exe.bat" "
        6⤵
        
        PID:11756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XESHX.exe.bat" "
        6⤵
        
        PID:12604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\KKDLY.exe.bat" "
      4⤵
      PID:7788
    - - C:\windows\KKDLY.exe
        
        C:\windows\KKDLY.exe
        5⤵
        
        PID:6468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WHLYNQ.exe.bat" "
        6⤵
        
        PID:8548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YMCOOT.exe.bat" "
        6⤵
        
        PID:14780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\IUCOCBQ.exe.bat" "
      4⤵
      PID:8860
    - - C:\windows\system\IUCOCBQ.exe
        
        C:\windows\system\IUCOCBQ.exe
        5⤵
        
        PID:10700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLKNNNH.exe.bat" "
        6⤵
        
        PID:15632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SCALV.exe.bat" "
        6⤵
        
        PID:8312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SDWAQ.exe.bat" "
        6⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPT.exe.bat" "
      4⤵
      PID:6688
    - - C:\windows\system\LPT.exe
        
        C:\windows\system\LPT.exe
        5⤵
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGGDV.exe.bat" "
        6⤵
        
        PID:8788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LEB.exe.bat" "
      4⤵
      PID:3464
    - - C:\windows\SysWOW64\LEB.exe
        
        C:\windows\system32\LEB.exe
        5⤵
        
        PID:12920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFE.exe.bat" "
        6⤵
        
        PID:10824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGMHG.exe.bat" "
      4⤵
      PID:11148
    - - C:\windows\SysWOW64\QGMHG.exe
        
        C:\windows\system32\QGMHG.exe
        5⤵
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJQCMUG.exe.bat" "
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\ABDZVY.exe.bat" "
      4⤵
      PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1288
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3100 -ip 3100
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4712 -ip 4712
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 496 -ip 496
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1592 -ip 1592
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4444 -ip 4444
1⤵
PID:1304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 668 -ip 668
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3212 -ip 3212
1⤵
PID:7568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3692 -ip 3692
1⤵
PID:7396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1440 -ip 1440
1⤵
PID:7640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4492 -ip 4492
1⤵
PID:8496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4388 -ip 4388
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4164 -ip 4164
1⤵
PID:9924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1864 -ip 1864
1⤵
PID:9896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5040 -ip 5040
1⤵
PID:9752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7008 -ip 7008
1⤵
PID:9732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 392 -ip 392
1⤵
PID:9716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5888 -ip 5888
1⤵
PID:9696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4436 -ip 4436
1⤵
PID:9688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6004 -ip 6004
1⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7340 -ip 7340
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7448 -ip 7448
1⤵
PID:9844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1644 -ip 1644
1⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5316 -ip 5316
1⤵
PID:8468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7560 -ip 7560
1⤵
PID:8032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7316 -ip 7316
1⤵
PID:7032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8792 -ip 8792
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 8844 -ip 8844
1⤵
PID:7440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8096 -ip 8096
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 8784 -ip 8784
1⤵
PID:7596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 6456 -ip 6456
1⤵
PID:8480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8372 -ip 8372
1⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7424 -ip 7424
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5312 -ip 5312
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7468 -ip 7468
1⤵
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 924 -ip 924
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 756 -ip 756
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 8760 -ip 8760
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016
1⤵
PID:9200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 8928 -ip 8928
1⤵
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6096 -ip 6096
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5484 -ip 5484
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 8900 -ip 8900
1⤵
PID:13184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6340 -ip 6340
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9996 -ip 9996
1⤵
PID:13056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 9896 -ip 9896
1⤵
PID:6152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6316 -ip 6316
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6040 -ip 6040
1⤵
PID:9168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 10632 -ip 10632
1⤵
PID:13444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4136 -ip 4136
1⤵
PID:12444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5180 -ip 5180
1⤵
PID:14080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 8776 -ip 8776
1⤵
PID:13608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 7040 -ip 7040
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5328 -ip 5328
1⤵
PID:14104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 10188 -ip 10188
1⤵
PID:15024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 10056 -ip 10056
1⤵
PID:15756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 8800 -ip 8800
1⤵
PID:16808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2580 -ip 2580
1⤵
PID:16928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6296 -ip 6296
1⤵
PID:16996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3920 -ip 3920
1⤵
PID:16672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5496 -ip 5496
1⤵
PID:15572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3268 -ip 3268
1⤵
PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3932 -ip 3932
1⤵
PID:17088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5216 -ip 5216
1⤵
PID:17184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 10592 -ip 10592
1⤵
PID:17156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5228 -ip 5228
1⤵
PID:17672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5988 -ip 5988
1⤵
PID:17976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2052 -ip 2052
1⤵
PID:17764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 9368 -ip 9368
1⤵
PID:17600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5612 -ip 5612
1⤵
PID:17260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2188 -ip 2188
1⤵
PID:17208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4196 -ip 4196
1⤵
PID:15024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5240 -ip 5240
1⤵
PID:14928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1488 -ip 1488
1⤵
PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6212 -ip 6212
1⤵
PID:7396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9892 -ip 9892
1⤵
PID:7320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 17292 -ip 17292
1⤵
PID:18224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 9368 -ip 9368
1⤵
PID:12060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 2900 -ip 2900
1⤵
PID:17652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 10568 -ip 10568
1⤵
PID:17356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 5844 -ip 5844
1⤵
PID:12312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4384 -ip 4384
1⤵
PID:17232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1032 -p 2148 -ip 2148
1⤵
PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1260 -ip 1260
1⤵
PID:16376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 6792 -ip 6792
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 12168 -ip 12168
1⤵
PID:10900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6940 -ip 6940
1⤵
PID:16508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 11804 -ip 11804
1⤵
PID:6704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4896 -ip 4896
1⤵
PID:17868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5288 -ip 5288
1⤵
PID:12116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4216 -ip 4216
1⤵
PID:17964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 5968 -ip 5968
1⤵
PID:13224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6160 -ip 6160
1⤵
PID:16952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4128 -ip 4128
1⤵
PID:18380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2344 -ip 2344
1⤵
PID:13380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 12048 -ip 12048
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4552 -ip 4552
1⤵
PID:13480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 12020 -ip 12020
1⤵
PID:10400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 11412 -ip 11412
1⤵
PID:10248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3776 -ip 3776
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 10712 -ip 10712
1⤵
PID:16800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 12200 -ip 12200
1⤵
PID:15568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 6524 -ip 6524
1⤵
PID:12808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4148 -ip 4148
1⤵
PID:13360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 11308 -ip 11308
1⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6028 -ip 6028
1⤵
PID:13784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7788 -ip 7788
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 6468 -ip 6468
1⤵
PID:15840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 12416 -ip 12416
1⤵
PID:11800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 10580 -ip 10580
1⤵
PID:14920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 10308 -ip 10308
1⤵
PID:12344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1040 -p 10780 -ip 10780
1⤵
PID:14680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 12128 -ip 12128
1⤵
PID:15788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 12944 -ip 12944
1⤵
PID:12908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CHTBT.exe

Filesize
336KB

MD5
38ca8fea920cc3463e124346017949a6

SHA1
f146ad7373f7e36b7d0aff8f37477557971f3889

SHA256
5fad7f0c09dde531909fdfdef746ce0c78a19a9ebe7793aa89d2eac2402c9a5c

SHA512
e3706fe0b7fcaaeec9bf144cd12683d69212d01e74f375f322bd35709ce6de95d03b18b2887d41aa54903156150ece848c652ad56f82b1e79198e7fe9cd750e6

Download Submit
C:\Windows\GECYY.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\Windows\GOD.exe

Filesize
336KB

MD5
a8c23bb72b7837ec0171242e5dcab3f9

SHA1
99d6c658ec48467c5277c1ba8b172f8de3ecefae

SHA256
81ed66b1fc6d26ceef3a8544aaf313987dbf07889ab71c53e1738693180c682c

SHA512
1a17e95f40052a69b5c74c3864d24bb03574934a44a1151c668ce400f39d1fda59e19e4196843736a63eab13880301dbf19cf64670948ac80f605f5120978a18

Download Submit
C:\Windows\GOD.exe

Filesize
336KB

MD5
a8c23bb72b7837ec0171242e5dcab3f9

SHA1
99d6c658ec48467c5277c1ba8b172f8de3ecefae

SHA256
81ed66b1fc6d26ceef3a8544aaf313987dbf07889ab71c53e1738693180c682c

SHA512
1a17e95f40052a69b5c74c3864d24bb03574934a44a1151c668ce400f39d1fda59e19e4196843736a63eab13880301dbf19cf64670948ac80f605f5120978a18

Download Submit
C:\Windows\JKR.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\Windows\ODEHIQB.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\Windows\SysWOW64\NITB.exe

Filesize
336KB

MD5
526d0205fca75f64b979a9539c4c6517

SHA1
0fe6f4c38ddbae117ca8fefe0979147c7178bf3e

SHA256
48537db69d73e91b203aecb4deb678a38f3afbe71cf0c830d1a8d01b3fafd0d2

SHA512
c36c3ad0149ae8423efb80f9eefe4931785f82bd5ffa97405989a58414e79cf8e51f593aba660613edf3ce0cffc0dffa6f4a21161546d104c50d8e771cb36b78

Download Submit
C:\Windows\SysWOW64\NNPXQE.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\Windows\SysWOW64\SIPAQYL.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\Windows\SysWOW64\YKXUVN.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\Windows\System\HRNN.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\Windows\System\HYXV.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\Windows\System\ICVHP.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\Windows\System\LOAHI.exe

Filesize
336KB

MD5
a8c23bb72b7837ec0171242e5dcab3f9

SHA1
99d6c658ec48467c5277c1ba8b172f8de3ecefae

SHA256
81ed66b1fc6d26ceef3a8544aaf313987dbf07889ab71c53e1738693180c682c

SHA512
1a17e95f40052a69b5c74c3864d24bb03574934a44a1151c668ce400f39d1fda59e19e4196843736a63eab13880301dbf19cf64670948ac80f605f5120978a18

Download Submit
C:\Windows\System\MSBHBXJ.exe

Filesize
336KB

MD5
526d0205fca75f64b979a9539c4c6517

SHA1
0fe6f4c38ddbae117ca8fefe0979147c7178bf3e

SHA256
48537db69d73e91b203aecb4deb678a38f3afbe71cf0c830d1a8d01b3fafd0d2

SHA512
c36c3ad0149ae8423efb80f9eefe4931785f82bd5ffa97405989a58414e79cf8e51f593aba660613edf3ce0cffc0dffa6f4a21161546d104c50d8e771cb36b78

Download Submit
C:\Windows\System\PNU.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\Windows\System\VZSQOG.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\Windows\System\YKSVG.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\Windows\System\YVZ.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\Windows\TVAKD.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\Windows\VERX.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\CHTBT.exe

Filesize
336KB

MD5
38ca8fea920cc3463e124346017949a6

SHA1
f146ad7373f7e36b7d0aff8f37477557971f3889

SHA256
5fad7f0c09dde531909fdfdef746ce0c78a19a9ebe7793aa89d2eac2402c9a5c

SHA512
e3706fe0b7fcaaeec9bf144cd12683d69212d01e74f375f322bd35709ce6de95d03b18b2887d41aa54903156150ece848c652ad56f82b1e79198e7fe9cd750e6

Download Submit
C:\windows\CHTBT.exe.bat

Filesize
56B

MD5
c9fbacc966a52ab970516aa53f4717dc

SHA1
853a487380903ad16bdfec310f2a705f92ce1b0a

SHA256
2cf99a00dcfa147aa805c92f9868a0396c0cde3fc005393896341425a50de67e

SHA512
38716f6b18ba786ebd078ee33edfd3ef8ad34e864130eff184cdba44026d65cb5d5109998c42f47ecb3f1922f6daec889abeadf62d03665e8984042272abd250

Download Submit
C:\windows\DABGKT.exe.bat

Filesize
58B

MD5
6f9f6deade4d0cc9d3242d5ca47696b7

SHA1
e4d4ee757bc7f950ea647b24380589fa9625afc0

SHA256
057f2f78a14fbe25f376e2ef4b81c58d03553eae34376276f8462ad4a6b4caf8

SHA512
4b6f6af66b04f7c2b5b36a2927e307f593cc3549abceb70da43f5a98935fc9dada54444f9abe8bdfa99468ad24c641e146aacacab86ac6efd70da59ea550a53e

Download Submit
C:\windows\GECYY.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\GECYY.exe.bat

Filesize
56B

MD5
46ecbb6e58354550f0a1da2ca4e9b703

SHA1
c2360ad3a3f17ca74ba1d241a169e01595bb676d

SHA256
b21e6a48b25f32c3598f38b1785605dc323f31c21f2d0e285f28ad4762c1f357

SHA512
48f53b7bcca3ecc238585a78080e7473fbd9013ada7a6a97e5fbb675f48aacb998cbdcfb2df850b3253a6a2dc8f76cf7584effa634cd9fda4e2f2890f8a16efb

Download Submit
C:\windows\GOD.exe

Filesize
336KB

MD5
a8c23bb72b7837ec0171242e5dcab3f9

SHA1
99d6c658ec48467c5277c1ba8b172f8de3ecefae

SHA256
81ed66b1fc6d26ceef3a8544aaf313987dbf07889ab71c53e1738693180c682c

SHA512
1a17e95f40052a69b5c74c3864d24bb03574934a44a1151c668ce400f39d1fda59e19e4196843736a63eab13880301dbf19cf64670948ac80f605f5120978a18

Download Submit
C:\windows\GOD.exe.bat

Filesize
52B

MD5
bd09d035d0343b8feb997d42a2623eb0

SHA1
5dc39ebc3c4fc9e0dea4a3e4d2893cb2966e5601

SHA256
602b64a7e214acb4c9edb1e6182204f2a3197a9e542ea4c40d8989f9ddf7fbea

SHA512
aef98488894e070ab0f9db57d16a44089b593962c7a76a37068f108630969022388960cc5ea62c22ff1d6dcb5730aa5937221116e053d68cb58c2c617c69eaca

Download Submit
C:\windows\JKR.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\windows\JKR.exe.bat

Filesize
52B

MD5
204f2ce2b4c08d484ecbd3d8a690248c

SHA1
11127062ede4b09409afe6d971dd46bfdc50a424

SHA256
28b6d60cab06a79e63ab0632fad60f9fe0e0b4efc4c3e371823e6fb7edd53968

SHA512
28d25721f8cc1eb0ff88ea0d7efbf7136710b4dfd6d7846cabed8f065cb2b5480806ab71fe0decf8ecd2bc2c894faee61782947e0a0ef40685e7e061d4312f03

Download Submit
C:\windows\KZICWND.exe.bat

Filesize
60B

MD5
3c93301ee02bb25696492f570533af8e

SHA1
9c32aee38fa052e0daeb6792a969d2b6d43004c3

SHA256
ae0d8f8cae198620ac2fd56e0235b06476a57c67cf9b9f59a3936a15dd53b8de

SHA512
7d6ad0bc0b70ebfdf9f4f3658bc60602010ea751e01fb71b106ee98edb2ca62c4e8f7a27c56b2c6ff09f0d8f97aea3790f2b14219b59a0ee70c2581794ea5776

Download Submit
C:\windows\ODEHIQB.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\windows\ODEHIQB.exe.bat

Filesize
60B

MD5
84f2a594085f732518b11b9846297324

SHA1
ae368b718a800d73daf2f66661583f6eea5efaa2

SHA256
c51dca9cea60ceb9556440348151aaae1a0f2c4a1e3f1867a16a2b2961fc160e

SHA512
b4b847c3e2207a84dbf2d5cbe264a24605a851d6aabf3835c32de7981c62b131791efc6d0727850206de167045eb804e0285bc60787e37d4cfed598a3b5f5965

Download Submit
C:\windows\SysWOW64\NITB.exe.bat

Filesize
72B

MD5
0f15d4cb1b195811b6fea25b8c36fb1b

SHA1
9f97d6b97e55270744fe30198b8fa3a8a37eb7c0

SHA256
8bf8634b2e30341a0d012a75088e6e1b9844209208fbbab78d9d5a51fdfd0d56

SHA512
4f9da493766e48bc98b8033439247c2efe5e53a2191a154956feffe4de1530ca28b8a529a54e8a8f8613fe247558ea31a1f5629f70264eb8bd6bc43a938398ea

Download Submit
C:\windows\SysWOW64\NNPXQE.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\windows\SysWOW64\NNPXQE.exe.bat

Filesize
76B

MD5
cb27ce920e0ec6080b471a8220f97041

SHA1
ac24772bbea7e6bd193c78f5830510c4c44d3272

SHA256
a281d467d385f89e711ae678b270b712f367ba0707a139fdb65d46afc050246d

SHA512
232da2429dd758b5988644ff4a044425c020c7b4ea53ac01892722e04fca7b8cb589c8dd66248f25ccae9df4c2882c460dfd12accc737483cbec7ac349f4e53a

Download Submit
C:\windows\SysWOW64\QYHEX.exe.bat

Filesize
74B

MD5
fb56dc09371f5e8e02e0ee450360d14a

SHA1
dd3233c07f6064da69ac91f063f9eff214e9aa01

SHA256
2430b449d6b5ab50aa9020f10948345e6aa3981a4fbc6394b65e018117e48ba7

SHA512
2fcc20f5a60f9e5a49db93d8be9b032dffc60402359986ac27a6d329ac0bc942253e217bd46ed563ee5ec99f4fdf8fefa73662fdb114803b27c733ae25cc6395

Download Submit
C:\windows\SysWOW64\SIPAQYL.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\windows\SysWOW64\SIPAQYL.exe.bat

Filesize
78B

MD5
a94eebabccf737feb7a7cb09fabad9c7

SHA1
c431d6e54164bb8cd5df0dd5093e1d8156ea05eb

SHA256
5c8c2e897156d8f5dfdc029b1e9c24ce792cad8a5e09871dfe048198408312e8

SHA512
225d0e9d292c7e4e6c4c52ecf5f0633806fdaf3c56777fbc9bcc302fea2e1cd5c271ee2c3d2bcb5608ba94a724d0d265dd67a850198619549ae79707bb5a51f8

Download Submit
C:\windows\SysWOW64\YKXUVN.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\windows\SysWOW64\YKXUVN.exe.bat

Filesize
76B

MD5
64329baa9d55017cfe779476312b8319

SHA1
a121bc8002f2a9d8cc3062bb0df92b9ce261906b

SHA256
5b7784fe6ae3328c4d6249d7a10e72c252a1f336df0a0b45dc888e1033b29f5f

SHA512
63195063ed7ec11c7b5380659041e093eaa64f4febca171fbb2320fc65461cdb63399682364fa9392618c07995fe691265dc28175fba56e6488d33b708d133d7

Download Submit
C:\windows\SysWOW64\ZUGXXSR.exe.bat

Filesize
78B

MD5
b62023cb868e7e6ac8b5429435b168aa

SHA1
206ce91e1d2de72b403626e02ddf3be87f62028a

SHA256
0d8b1efef907ac079a15050dba8b0d28ab8c8d8e4db20b0e1b495ffa5d6e59ea

SHA512
dfd67cadfe4b5d9cd9c7a0c1f29e30d7498fbf1a4e89dbc31f09c6e34557dbeb6ae4b6ceff0fe50521f9850ebb413404f6d05afded0f47232d595cf5f95df78b

Download Submit
C:\windows\TVAKD.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\windows\TVAKD.exe.bat

Filesize
56B

MD5
5335958adb8dcd21bdd915f5fd596632

SHA1
9196f025e15a3c4362eb99f30b36a3abe762b69d

SHA256
e8e00a3e2806adbd1ebb0de76d9107a0eaa36f6d879ca0ec7cbc360e3e9b8b07

SHA512
6e2b6bed16308fb8f148a96f21cdd9a8ba3b90b2281a26ff0d8a82a0273fd8d82a0e676a1905674b46107d54c9cd47ab6f92ebbfb646ecc284fa4fb038926482

Download Submit
C:\windows\VERX.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\VERX.exe.bat

Filesize
54B

MD5
d5d3df7189bcf78aba43105133831fa4

SHA1
a86bba93a7d5af5f8e8c91f095a80565c247b8fb

SHA256
66421c7418a7d5775415485f8a50c5ea15efe2730974d17edd37b3c47b1faab1

SHA512
96f64caff68fd6fabee97b80a8b00ea1562cd494273471409f88b1621fe93c2a09b7c98f5e30aa0df2da1840868039b7f49e1cafa508c830d4b9d16d5296f598

Download Submit
C:\windows\system\AAAF.exe.bat

Filesize
68B

MD5
943245c3f4b31506eef606c41f4a982f

SHA1
a9a01c45cb85bcee317fd67cc850c16b687e0cde

SHA256
59b2f4d2951d43bb2200b1121d79cf086bae43c503cfa44a3bb38a7033d1dc66

SHA512
b61b447951e769f6ee36fb2e97f9a321ff2ab57d78219a01eebcca0dd499aea32bc54e65b65be7d8df0fa1da9e10528b4ace4e8ef2a3d209172e063b24a5b80a

Download Submit
C:\windows\system\HRNN.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\system\HRNN.exe.bat

Filesize
68B

MD5
6bf2edd0442a202f715586766c8b3b45

SHA1
dbf7433b818f1a696ef02f2a1d2a5107b237a861

SHA256
aeec725cc11d1bb24a5a7503a2922fd1091b6b23e7f1d4d571a68587743de9b4

SHA512
c885405e11027c8bdb23c83614fd184c2c210daa99a35141bab7409b79cca5237765a4cd724570a8189792b34b86577844af089d59e5840a459cbb91cd91b682

Download Submit
C:\windows\system\HYXV.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\windows\system\HYXV.exe.bat

Filesize
68B

MD5
12991c137b8e8198b8919fdcf4e95c64

SHA1
4ea2e9fa4e263799d0a98ba400fc93b2e869b5dd

SHA256
54bd18ca572344bdf50eb41b1d8788c4b7fe151fa6f4c64590d60b4df3224156

SHA512
0f27300e1bb61c125b34ce7953087f839931c0c97c4fd8bebdee383caaa2b7e63530a717fe1079a83eb17148886d5e20c31afeb5279eb65caaf0c44f89bc2199

Download Submit
C:\windows\system\ICVHP.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\system\ICVHP.exe.bat

Filesize
70B

MD5
3f3d74b00920b21a39d9536551112ca1

SHA1
262b0bda4a8c22e33abe007ee4b3f493b4e6ef02

SHA256
0e97478de8f5c9912acdc72488144cfd87d29eb13acde8ba607e67d670f0626f

SHA512
3c5460a958849c9b3dfaba310bdc5bc976a071abc4c48b038fdd0a5fc2e49b8afeda82cde21f4c1d578d22c1397cceb78b42f3d1683f1d532739dab3d5bb788e

Download Submit
C:\windows\system\LOAHI.exe

Filesize
336KB

MD5
a8c23bb72b7837ec0171242e5dcab3f9

SHA1
99d6c658ec48467c5277c1ba8b172f8de3ecefae

SHA256
81ed66b1fc6d26ceef3a8544aaf313987dbf07889ab71c53e1738693180c682c

SHA512
1a17e95f40052a69b5c74c3864d24bb03574934a44a1151c668ce400f39d1fda59e19e4196843736a63eab13880301dbf19cf64670948ac80f605f5120978a18

Download Submit
C:\windows\system\LOAHI.exe.bat

Filesize
70B

MD5
90361518055b456add1aee591f67f3ec

SHA1
1551413831cace50f47c94962df4835c16a305f6

SHA256
7c9fe3bbd513b072ed8f0939e5951c79fcbd4b8394ed6bf8eba90142b6449c25

SHA512
35b1bfbf48cdfc6b6701e8cf4f6e5777b61a7e7df48758fc992b86940970055158115169ce01c3d1acf149f3f358f56a900ab5513d29011b724a46177017ec0a

Download Submit
C:\windows\system\MSBHBXJ.exe.bat

Filesize
74B

MD5
67deecbf9a62bffb89c9cfad728cdbbb

SHA1
84b5532500c4e047ee73910e0d2fd3f98b16a0bb

SHA256
e1cc914113f2bbeb6090c779349eeb4d954b2257570b08e05dd66aec8673434d

SHA512
ec0b15202dbb843ec466933ea27d3609dd5103d8dfd75d0e43a34234875aed2ce27bdea8e61c6514930f33256dc29889fc0521d508bc46314b5d19b0142c258d

Download Submit
C:\windows\system\PNU.exe

Filesize
336KB

MD5
74f806f54e846a496b17a72e702da76c

SHA1
3b4e4e3c4b7b8f65c4a3e9e1bba37871cc9ece3f

SHA256
311e8781e20f87cf795cc3cb58e0bece392dfc8e32f485bb5399e2d4421fc4f4

SHA512
2b3d2d4bf4abdf02f71507c65c5f7a0dc7904898d1fb14d5d5805897fa4f936454492d07ee9aa9677b0a5f9029e7921a5b847ac6256089e8aabf51c0bc19198a

Download Submit
C:\windows\system\PNU.exe.bat

Filesize
66B

MD5
4fe8e4d6019ad570e0809bcc5884f915

SHA1
f467caf1c163604c7577425b2bf7a9285d98f070

SHA256
e09ad2fec3c55391a3cd6a4249b95e946f3a93016643d82d629a52cb8ea940cc

SHA512
b7cfc66d2321e5c14d350d7f8746cb0252b7a9af0b14f6a6f08db5834e29fe6f31824636690efcc4d64984341881d5c8d0979458069067089e70bd30f310ea35

Download Submit
C:\windows\system\QSWHVA.exe.bat

Filesize
72B

MD5
4aab7f0790309b166d2b84678b3fdd03

SHA1
b47fccbc7c0f28f6109b1b91a1771798aeed000d

SHA256
9a564a6e9712db0d6bb5df8bf7e65c9420cab36df8f6f0a1f4a201ec3ec49739

SHA512
2caf0c2da42e3c20f6dac43cb7459f98c1a158496006ee60fe307e434f638f56bf4797b12b22564604945284bf55ba2ec306f0a6e19c2f08251d6253aefb6d0b

Download Submit
C:\windows\system\VZSQOG.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\windows\system\VZSQOG.exe.bat

Filesize
72B

MD5
78d4cd28ae80228f5352f610a1089d43

SHA1
c39d9177e03c7de6b505a2b6dcaecaa915b921c6

SHA256
e9a81e69964df2a4689eb293a679dff8b81bc2884a914627c5e3f5f136aa0bd3

SHA512
fdbd7f18b7c4b4fb5ab3009b0826888b1cf9dee0a112799b5cbec71c39e9f5dbf0c7546e3be639456a5fd22b51615f325c6736140afe34793232f70612bc281f

Download Submit
C:\windows\system\YKSVG.exe

Filesize
336KB

MD5
48541cf9b5d8157cfdcf571cb3d8cc97

SHA1
c93830e2afd7c430872f8ad8b6b20f479093085d

SHA256
a5d571c1b3c48294ad74154853c49ecb025422f0c870605c37d0cbbc1badd3e4

SHA512
df546b3584f921f005de9b36ccd751fce3c955a81e50c5553f89871bfcc6a46da778d474475cca219343b496d2dba98d6e9abf2aaec6d9dfeff5e62fbe686e4f

Download Submit
C:\windows\system\YKSVG.exe.bat

Filesize
70B

MD5
4f82f8ba5e17d175ed0e0a5e610ad082

SHA1
e4074e46640244bd9b0256020a07d92a703af4c5

SHA256
953bdf3dc86b82cf0c685584520873e440adf6be6ade1d8241881815cd8957bc

SHA512
7011ee48d383e8ff07cb7f73c2f24b991895ae112805e65dc15995a373fc34aed2dcf2003204b16959c52d96db3866ffb9d195dfd3c8bc1d4ec6f75daf70c3a9

Download Submit
C:\windows\system\YVZ.exe

Filesize
336KB

MD5
fb0725318721dc776e7360b3438e5488

SHA1
a49e090907d22daf28d401e4e8b249f77bf4f0f7

SHA256
a5a742843674a612a86f00a75107d78771736e9d4d803953cbb63cf9b68736c7

SHA512
0a8fd0cc55f111d14736b807f75f96724c9d36e8477d195c2292c537ef9115b216ef1684ea737ea112851e35c0049bc50d1e14c5ccbc61a095dfb8f022fa2b33

Download Submit
C:\windows\system\YVZ.exe.bat

Filesize
66B

MD5
ac1d52a720aa1f45cf25385b463ac381

SHA1
c495cbcbcfa2c1bcfc9d8f69d00c32267978eda1

SHA256
aa2517a39524fd07438614b8f8a23013835ff738e2b0ae7eddf4beddf0401a52

SHA512
4e726f78af6c421e6f1c2a780a9618bb6c5f4ec9a3a68d246487ab026b2564304b7e63fcf022c5fe5ad43ed9444ed1fdcf57e9ac5193eea1f6720fa673ed7b84

Download Submit
memory/392-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-51-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/496-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/668-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/924-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1440-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1592-660-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1644-767-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2900-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3100-674-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3100-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3212-169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3692-170-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3932-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4128-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4164-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4388-447-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-427-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-642-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4492-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4552-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-661-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4896-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5040-158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5216-793-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5312-714-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5316-782-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5328-1012-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5612-867-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5684-1013-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5844-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5888-335-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5968-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5988-398-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5996-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6004-411-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6012-371-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6028-380-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6316-605-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6456-529-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7008-577-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7316-797-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7340-816-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7372-833-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7424-844-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7448-869-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7468-865-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/7560-861-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8096-870-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8372-872-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8760-1007-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8768-984-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8776-993-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8784-994-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8792-1002-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8800-1005-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8844-1008-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8912-1009-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8920-1010-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8928-1011-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download