d449f9491f1f7aebd7557803f7e1485364adaac4fb4895d0f6433c77503605d5

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4cf37471c49535d9a6990e4652d24aa0_exe32.exe
Size

208KB
MD5

4cf37471c49535d9a6990e4652d24aa0
SHA1

569b1deeee2a4f2b3690938ff8c7ef606b36393b
SHA256

d449f9491f1f7aebd7557803f7e1485364adaac4fb4895d0f6433c77503605d5
SHA512

67cd7de799333a7cac2de13ea7173ec702795d393986f5d38d5fb388c18b3b59c0441aba9d9f836e05dc0b6c0d39dd39a2172547d81d5badc3ec05d2378919a0
SSDEEP

3072:grBKsBIqAvRItO+wb/oWCuGU5DcW2fv/7bFhgcbSIZwuMcxaiM/pu0h4NLthEjQS:gN61GUvsbFnOFdcnM/pumQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	RSTMG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	HBZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	FRUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NKYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	IUHKSTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VLWVX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	XBXKEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	FUCCET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	UKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VNBPZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	BJFQF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WRMGP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	AMQACX.exe

Executes dropped EXE 14 IoCs

pid	Process
408	RSTMG.exe
1728	VLWVX.exe
3684	XBXKEF.exe
1384	HBZ.exe
4092	WRMGP.exe
4836	FUCCET.exe
4392	UKQ.exe
1128	VNBPZ.exe
2168	BJFQF.exe
4688	FRUQ.exe
1104	AMQACX.exe
5016	NKYM.exe
4980	IUHKSTO.exe
2656	JDXV.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\XBXKEF.exe	VLWVX.exe
File created	C:\windows\SysWOW64\FRUQ.exe	BJFQF.exe
File created	C:\windows\SysWOW64\IUHKSTO.exe	NKYM.exe
File opened for modification	C:\windows\SysWOW64\IUHKSTO.exe	NKYM.exe
File created	C:\windows\SysWOW64\JDXV.exe.bat	IUHKSTO.exe
File opened for modification	C:\windows\SysWOW64\RSTMG.exe	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
File created	C:\windows\SysWOW64\RSTMG.exe.bat	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
File created	C:\windows\SysWOW64\VNBPZ.exe	UKQ.exe
File created	C:\windows\SysWOW64\BJFQF.exe.bat	VNBPZ.exe
File created	C:\windows\SysWOW64\FRUQ.exe.bat	BJFQF.exe
File created	C:\windows\SysWOW64\IUHKSTO.exe.bat	NKYM.exe
File created	C:\windows\SysWOW64\JDXV.exe	IUHKSTO.exe
File created	C:\windows\SysWOW64\RSTMG.exe	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
File created	C:\windows\SysWOW64\XBXKEF.exe	VLWVX.exe
File created	C:\windows\SysWOW64\XBXKEF.exe.bat	VLWVX.exe
File created	C:\windows\SysWOW64\VNBPZ.exe.bat	UKQ.exe
File opened for modification	C:\windows\SysWOW64\BJFQF.exe	VNBPZ.exe
File opened for modification	C:\windows\SysWOW64\FRUQ.exe	BJFQF.exe
File opened for modification	C:\windows\SysWOW64\JDXV.exe	IUHKSTO.exe
File opened for modification	C:\windows\SysWOW64\VNBPZ.exe	UKQ.exe
File created	C:\windows\SysWOW64\BJFQF.exe	VNBPZ.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\windows\FUCCET.exe	WRMGP.exe
File opened for modification	C:\windows\FUCCET.exe	WRMGP.exe
File created	C:\windows\NKYM.exe.bat	AMQACX.exe
File opened for modification	C:\windows\system\VLWVX.exe	RSTMG.exe
File created	C:\windows\HBZ.exe	XBXKEF.exe
File created	C:\windows\WRMGP.exe	HBZ.exe
File created	C:\windows\FUCCET.exe.bat	WRMGP.exe
File created	C:\windows\system\UKQ.exe	FUCCET.exe
File created	C:\windows\system\UKQ.exe.bat	FUCCET.exe
File created	C:\windows\AMQACX.exe	FRUQ.exe
File opened for modification	C:\windows\NKYM.exe	AMQACX.exe
File created	C:\windows\system\VLWVX.exe.bat	RSTMG.exe
File opened for modification	C:\windows\HBZ.exe	XBXKEF.exe
File opened for modification	C:\windows\WRMGP.exe	HBZ.exe
File created	C:\windows\HBZ.exe.bat	XBXKEF.exe
File opened for modification	C:\windows\system\UKQ.exe	FUCCET.exe
File opened for modification	C:\windows\AMQACX.exe	FRUQ.exe
File created	C:\windows\NKYM.exe	AMQACX.exe
File created	C:\windows\system\VLWVX.exe	RSTMG.exe
File created	C:\windows\WRMGP.exe.bat	HBZ.exe
File created	C:\windows\AMQACX.exe.bat	FRUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4364	2256	WerFault.exe	80
2608	408	WerFault.exe	86
3940	1728	WerFault.exe	92
3272	3684	WerFault.exe	98
2576	1384	WerFault.exe	103
4652	4092	WerFault.exe	110
4284	4836	WerFault.exe	117
3324	4392	WerFault.exe	121
824	1128	WerFault.exe	126
2924	2168	WerFault.exe	132
1728	4688	WerFault.exe	138
4188	1104	WerFault.exe	143
4456	5016	WerFault.exe	148
2148	4980	WerFault.exe	154
2460	2656	WerFault.exe	159

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
408	RSTMG.exe
408	RSTMG.exe
1728	VLWVX.exe
1728	VLWVX.exe
3684	XBXKEF.exe
3684	XBXKEF.exe
1384	HBZ.exe
1384	HBZ.exe
4092	WRMGP.exe
4092	WRMGP.exe
4836	FUCCET.exe
4836	FUCCET.exe
4392	UKQ.exe
4392	UKQ.exe
1128	VNBPZ.exe
1128	VNBPZ.exe
2168	BJFQF.exe
2168	BJFQF.exe
4688	FRUQ.exe
4688	FRUQ.exe
1104	AMQACX.exe
1104	AMQACX.exe
5016	NKYM.exe
5016	NKYM.exe
4980	IUHKSTO.exe
4980	IUHKSTO.exe
2656	JDXV.exe
2656	JDXV.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe
408	RSTMG.exe
408	RSTMG.exe
1728	VLWVX.exe
1728	VLWVX.exe
3684	XBXKEF.exe
3684	XBXKEF.exe
1384	HBZ.exe
1384	HBZ.exe
4092	WRMGP.exe
4092	WRMGP.exe
4836	FUCCET.exe
4836	FUCCET.exe
4392	UKQ.exe
4392	UKQ.exe
1128	VNBPZ.exe
1128	VNBPZ.exe
2168	BJFQF.exe
2168	BJFQF.exe
4688	FRUQ.exe
4688	FRUQ.exe
1104	AMQACX.exe
1104	AMQACX.exe
5016	NKYM.exe
5016	NKYM.exe
4980	IUHKSTO.exe
4980	IUHKSTO.exe
2656	JDXV.exe
2656	JDXV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1508	2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe	82
PID 2256 wrote to memory of 1508	2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe	82
PID 2256 wrote to memory of 1508	2256	4cf37471c49535d9a6990e4652d24aa0_exe32.exe	82
PID 1508 wrote to memory of 408	1508	cmd.exe	86
PID 1508 wrote to memory of 408	1508	cmd.exe	86
PID 1508 wrote to memory of 408	1508	cmd.exe	86
PID 408 wrote to memory of 4928	408	RSTMG.exe	88
PID 408 wrote to memory of 4928	408	RSTMG.exe	88
PID 408 wrote to memory of 4928	408	RSTMG.exe	88
PID 4928 wrote to memory of 1728	4928	cmd.exe	92
PID 4928 wrote to memory of 1728	4928	cmd.exe	92
PID 4928 wrote to memory of 1728	4928	cmd.exe	92
PID 1728 wrote to memory of 752	1728	VLWVX.exe	94
PID 1728 wrote to memory of 752	1728	VLWVX.exe	94
PID 1728 wrote to memory of 752	1728	VLWVX.exe	94
PID 752 wrote to memory of 3684	752	cmd.exe	98
PID 752 wrote to memory of 3684	752	cmd.exe	98
PID 752 wrote to memory of 3684	752	cmd.exe	98
PID 3684 wrote to memory of 1692	3684	XBXKEF.exe	100
PID 3684 wrote to memory of 1692	3684	XBXKEF.exe	100
PID 3684 wrote to memory of 1692	3684	XBXKEF.exe	100
PID 1692 wrote to memory of 1384	1692	cmd.exe	103
PID 1692 wrote to memory of 1384	1692	cmd.exe	103
PID 1692 wrote to memory of 1384	1692	cmd.exe	103
PID 1384 wrote to memory of 2212	1384	HBZ.exe	106
PID 1384 wrote to memory of 2212	1384	HBZ.exe	106
PID 1384 wrote to memory of 2212	1384	HBZ.exe	106
PID 2212 wrote to memory of 4092	2212	cmd.exe	110
PID 2212 wrote to memory of 4092	2212	cmd.exe	110
PID 2212 wrote to memory of 4092	2212	cmd.exe	110
PID 4092 wrote to memory of 5032	4092	WRMGP.exe	112
PID 4092 wrote to memory of 5032	4092	WRMGP.exe	112
PID 4092 wrote to memory of 5032	4092	WRMGP.exe	112
PID 5032 wrote to memory of 4836	5032	cmd.exe	117
PID 5032 wrote to memory of 4836	5032	cmd.exe	117
PID 5032 wrote to memory of 4836	5032	cmd.exe	117
PID 4836 wrote to memory of 3756	4836	FUCCET.exe	118
PID 4836 wrote to memory of 3756	4836	FUCCET.exe	118
PID 4836 wrote to memory of 3756	4836	FUCCET.exe	118
PID 3756 wrote to memory of 4392	3756	cmd.exe	121
PID 3756 wrote to memory of 4392	3756	cmd.exe	121
PID 3756 wrote to memory of 4392	3756	cmd.exe	121
PID 4392 wrote to memory of 2984	4392	UKQ.exe	123
PID 4392 wrote to memory of 2984	4392	UKQ.exe	123
PID 4392 wrote to memory of 2984	4392	UKQ.exe	123
PID 2984 wrote to memory of 1128	2984	cmd.exe	126
PID 2984 wrote to memory of 1128	2984	cmd.exe	126
PID 2984 wrote to memory of 1128	2984	cmd.exe	126
PID 1128 wrote to memory of 4972	1128	VNBPZ.exe	128
PID 1128 wrote to memory of 4972	1128	VNBPZ.exe	128
PID 1128 wrote to memory of 4972	1128	VNBPZ.exe	128
PID 4972 wrote to memory of 2168	4972	cmd.exe	132
PID 4972 wrote to memory of 2168	4972	cmd.exe	132
PID 4972 wrote to memory of 2168	4972	cmd.exe	132
PID 2168 wrote to memory of 3664	2168	BJFQF.exe	134
PID 2168 wrote to memory of 3664	2168	BJFQF.exe	134
PID 2168 wrote to memory of 3664	2168	BJFQF.exe	134
PID 3664 wrote to memory of 4688	3664	cmd.exe	138
PID 3664 wrote to memory of 4688	3664	cmd.exe	138
PID 3664 wrote to memory of 4688	3664	cmd.exe	138
PID 4688 wrote to memory of 4076	4688	FRUQ.exe	139
PID 4688 wrote to memory of 4076	4688	FRUQ.exe	139
PID 4688 wrote to memory of 4076	4688	FRUQ.exe	139
PID 4076 wrote to memory of 1104	4076	cmd.exe	143

C:\Users\Admin\AppData\Local\Temp\4cf37471c49535d9a6990e4652d24aa0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\4cf37471c49535d9a6990e4652d24aa0_exe32.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSTMG.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\windows\SysWOW64\RSTMG.exe
    C:\windows\system32\RSTMG.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\VLWVX.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\windows\system\VLWVX.exe
        
        C:\windows\system\VLWVX.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBXKEF.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\windows\SysWOW64\XBXKEF.exe
        
        C:\windows\system32\XBXKEF.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HBZ.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\windows\HBZ.exe
        
        C:\windows\HBZ.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\windows\WRMGP.exe
        
        C:\windows\WRMGP.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FUCCET.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\windows\FUCCET.exe
        
        C:\windows\FUCCET.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UKQ.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\windows\system\UKQ.exe
        
        C:\windows\system\UKQ.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VNBPZ.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\windows\SysWOW64\VNBPZ.exe
        
        C:\windows\system32\VNBPZ.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BJFQF.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\windows\SysWOW64\BJFQF.exe
        
        C:\windows\system32\BJFQF.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRUQ.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\windows\SysWOW64\FRUQ.exe
        
        C:\windows\system32\FRUQ.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AMQACX.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\windows\AMQACX.exe
        
        C:\windows\AMQACX.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NKYM.exe.bat" "
        24⤵
        
        PID:2792
        
        C:\windows\NKYM.exe
        
        C:\windows\NKYM.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IUHKSTO.exe.bat" "
        26⤵
        
        PID:2480
        
        C:\windows\SysWOW64\IUHKSTO.exe
        
        C:\windows\system32\IUHKSTO.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JDXV.exe.bat" "
        28⤵
        
        PID:5020
        
        C:\windows\SysWOW64\JDXV.exe
        
        C:\windows\system32\JDXV.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 844
        30⤵
        Program crash
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1292
        28⤵
        Program crash
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1296
        26⤵
        Program crash
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1260
        24⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 960
        22⤵
        Program crash
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 988
        20⤵
        Program crash
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 960
        18⤵
        Program crash
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1296
        16⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 984
        14⤵
        Program crash
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 960
        12⤵
        Program crash
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 976
        10⤵
        Program crash
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 960
        8⤵
        Program crash
        
        PID:3272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 960
        6⤵
        Program crash
        
        PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 976
      4⤵
      Program crash
      PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1000
  2⤵
  - Program crash
  PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2256 -ip 2256
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 408 -ip 408
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1728 -ip 1728
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3684 -ip 3684
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1384 -ip 1384
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4092 -ip 4092
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4836 -ip 4836
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4392 -ip 4392
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1128 -ip 1128
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2168 -ip 2168
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4688 -ip 4688
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1104 -ip 1104
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5016 -ip 5016
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4980 -ip 4980
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2656 -ip 2656
1⤵
PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AMQACX.exe

Filesize
208KB

MD5
8aee697fcd7127a80f8e8953ba5f15ad

SHA1
6984e246a8429293386c78ed45ae8a23c610d9a0

SHA256
9148f0584f80d5681be6e18126b69aa6c8c6a009deedd8b2341599560f25c25a

SHA512
9464a2a870cb0dc1f62fb917ad4459735fa05a9770e50d64d055d9c9bf99210193d025ec52120768d2dd10330481a0be8194877c9081c3666065a08bcb3110c6

Download Submit
C:\Windows\FUCCET.exe

Filesize
208KB

MD5
b03ddc8e9456dcc906be50a064997f15

SHA1
0678fb24e4af2b9183bab87252d78be12634b3b0

SHA256
7f4073a4baca340c1511cad08b58765c5e96573e09ecceb532fc3f8c79f92358

SHA512
8dc6d156fe5a742e1f8683a8e2bcf08e2305e95ccb9e92ccb46c307e91e562845e3ad43aeeb2bd952d3603434f51fa1ebcb64f8b53e8d3c701588e8e68e873fe

Download Submit
C:\Windows\HBZ.exe

Filesize
208KB

MD5
2ad6abd6773e6ac5eea042294fa2a8b4

SHA1
8734b02e31c973847ea07ea0f939ba6b11184353

SHA256
fcbd6ece2ea4b4eff8e89ba7b4d1ef8771725b38fe6edf5bfa045ea691136b77

SHA512
f06c0182cc30a25850afdc0eb4de4724399e834575845ea8281fe893bf73832d9ea0a406e4b1df544c6da8949dd6e3eafa357c56fda8506bec0a0bfdccf2484e

Download Submit
C:\Windows\NKYM.exe

Filesize
208KB

MD5
425cd85f4439e11ebb20771d0af378b0

SHA1
5792841f2da983bf4850c83a51a0022a49bc3eea

SHA256
3e70c40e930c15f1faab8ee348734d54da62e2ca0b19489e9119a3717959141b

SHA512
4f0693cf4169e60077157a6187b88b72a555762321df023ad45357789ebba6c02c3f7a919bc8cf8fc35a47fe85f791da73bb5be196ead6a89e3f5c7fae1253ec

Download Submit
C:\Windows\SysWOW64\BJFQF.exe

Filesize
208KB

MD5
1a894b4044582676278488804317e7d4

SHA1
7c9566b2af9dadfcbc4ce8619e5d992827d87975

SHA256
44401aef651434ed806369d01f155a1903b33879779a044df3db8e3c37526f78

SHA512
101f079abc46d2d6d310b2cb38e5d7a4157e9df3183a79eab33a3f1f02f9907db237c692ef6365211beab06e9eabd537f508042c068a610661d9de3b41488677

Download Submit
C:\Windows\SysWOW64\FRUQ.exe

Filesize
208KB

MD5
8aee697fcd7127a80f8e8953ba5f15ad

SHA1
6984e246a8429293386c78ed45ae8a23c610d9a0

SHA256
9148f0584f80d5681be6e18126b69aa6c8c6a009deedd8b2341599560f25c25a

SHA512
9464a2a870cb0dc1f62fb917ad4459735fa05a9770e50d64d055d9c9bf99210193d025ec52120768d2dd10330481a0be8194877c9081c3666065a08bcb3110c6

Download Submit
C:\Windows\SysWOW64\IUHKSTO.exe

Filesize
208KB

MD5
9964baeb2abcc4b8a57a0b5b4a418928

SHA1
16ec2517d00187cd6496d62d79c7e303162d9a7d

SHA256
97684e28751bd9f85fa71562d22952143f116b3a38473a7b86ec7b5bb2fd1ea1

SHA512
a40b2dae3fdec2ba88616a0202f2c1cc6cd043d2d862c9ac7a64f387f42c27a346e35dcf877198cce66d812a9e65d8ae56702694b42d3fb3d9631d637eca5d64

Download Submit
C:\Windows\SysWOW64\JDXV.exe

Filesize
208KB

MD5
f416ccdd12ab5d0f89aa813c35cf8338

SHA1
5ce90ff459605d1a52385ba2b132dc6ab9a1f61a

SHA256
32e23aae5c3c61bc90e621343a9758284d9c012b04a7522231461b93f6b3cbbd

SHA512
eaa70333343f1126c15130456c1a86304888eb6c5e8115849f50625bbcb194bf3ca94efb15354f23fe19224080d3c192893fefa243d7089319cc38c9ce9651aa

Download Submit
C:\Windows\SysWOW64\RSTMG.exe

Filesize
208KB

MD5
47ddbdfad2fb555b921b89bd215e2b5f

SHA1
8171c420e27da8418c4773b0e1b524c233d20c3b

SHA256
fa4d4fb2a099666f433cc6ce5425c1708e2ec2a36e2a8dcd3b9f1c439ce1a57e

SHA512
d1f865ed60a57ea5fb082946a8dacdede5b376081566088c3d83bf7af0141f8fa3904c1380be858da99eac9a64c0055cc5a2abfe34b577c92290f0e6f012691e

Download Submit
C:\Windows\SysWOW64\VNBPZ.exe

Filesize
208KB

MD5
bd020d21a03336f2ddb62ced66c8366f

SHA1
a99e7549e3a54d8af1d7c0800678dc4729208467

SHA256
a077776ed80aa371014fe93ea55c82622a2374703c727f0258b434918f6eef11

SHA512
7df83edc941298de0c85c45e6912144210be7ea3da7aeab224385004cc726ffc37431055e8999995d86e0b8aa37c795469a10a0a45bf7dd96e16b0d594f2eec7

Download Submit
C:\Windows\SysWOW64\XBXKEF.exe

Filesize
208KB

MD5
2ad6abd6773e6ac5eea042294fa2a8b4

SHA1
8734b02e31c973847ea07ea0f939ba6b11184353

SHA256
fcbd6ece2ea4b4eff8e89ba7b4d1ef8771725b38fe6edf5bfa045ea691136b77

SHA512
f06c0182cc30a25850afdc0eb4de4724399e834575845ea8281fe893bf73832d9ea0a406e4b1df544c6da8949dd6e3eafa357c56fda8506bec0a0bfdccf2484e

Download Submit
C:\Windows\System\UKQ.exe

Filesize
208KB

MD5
48aa260ca80ebee7f578d7030f756afd

SHA1
3141ef61962eee3cbd3ab9d44f90ee8bd6fd2b83

SHA256
314b2bba1daa9db93cbda44600456a870c7087f2d68028474939f61d2d3fd878

SHA512
6b57a529be431e4b6c53f593fc97e950db47ba3534b8961f3e54fcd237ff3a6d62850e2c52f86c23857ce1e90f40b1ebec7f76b00b783ac79920423a1b818c66

Download Submit
C:\Windows\System\VLWVX.exe

Filesize
208KB

MD5
c4a545c22f3f1d758d6a3699ec699844

SHA1
9322633293a91e1d7fef46cc70394b33e4829284

SHA256
6ad64576e7f089580ef7e1a207e128cccf992babdcb95905d2dcd1f56d7fd646

SHA512
899903956b1eee7aff215e23bb21247ba5a53c8c1642a93adb6afccfe5bfaf465c34cba5a82064572686ac6674d3f85b12d61afea2016540cdbc16977524433f

Download Submit
C:\Windows\System\VLWVX.exe

Filesize
208KB

MD5
38a865d1881563c8a6d036643fe901ab

SHA1
a5e51c210982c7a759917b893d64aa5101027f5d

SHA256
607714efa1322a071528d31e1731d0ae7e72fea0b3e77de75a6b2c06e79309d5

SHA512
49b9b125198b7866d81f395a219c3719ec97a776cf41c7ff049f5e04aa64b32a26584bd15b66b94ad14277132a9c71491fdbfdf51eca6591ae66d437893646f7

Download Submit
C:\Windows\WRMGP.exe

Filesize
208KB

MD5
9cb03a60311bd866002c7ba0a90eb862

SHA1
cfc50ad0fedfc7c0370fa1b74a626d42109dd8c0

SHA256
e32804fa787bb3b8d2eb12d8bd825e75937bfe1bf12fce2dd04b9cee1d03f794

SHA512
7c277455d0fa104bbfd8100d83d204f35ea43e820abd6f9093c0c114b8aa0092f2a5997ba43f3d62b3efd4ff768c28627f5ee0fcf3509fb1ff40c8c4e248e695

Download Submit
C:\windows\AMQACX.exe

Filesize
208KB

MD5
8aee697fcd7127a80f8e8953ba5f15ad

SHA1
6984e246a8429293386c78ed45ae8a23c610d9a0

SHA256
9148f0584f80d5681be6e18126b69aa6c8c6a009deedd8b2341599560f25c25a

SHA512
9464a2a870cb0dc1f62fb917ad4459735fa05a9770e50d64d055d9c9bf99210193d025ec52120768d2dd10330481a0be8194877c9081c3666065a08bcb3110c6

Download Submit
C:\windows\AMQACX.exe.bat

Filesize
58B

MD5
65e11022c279507e52e125d86e7affdf

SHA1
c2e152cc86582db5496e154b460d0f93b8d9122c

SHA256
3a071c6fe7c1d6fac5196b257c134f1b79a28afcd95b88558f315f80eba168d0

SHA512
daa8929325cb50790de3e5f3a20eea529748353919e7224ea312d5445ae38c9952c9d49c67c4b0d73bb8e7fb5464d7d29d684d488cdf9d25356de0f6ab6defe2

Download Submit
C:\windows\FUCCET.exe

Filesize
208KB

MD5
b03ddc8e9456dcc906be50a064997f15

SHA1
0678fb24e4af2b9183bab87252d78be12634b3b0

SHA256
7f4073a4baca340c1511cad08b58765c5e96573e09ecceb532fc3f8c79f92358

SHA512
8dc6d156fe5a742e1f8683a8e2bcf08e2305e95ccb9e92ccb46c307e91e562845e3ad43aeeb2bd952d3603434f51fa1ebcb64f8b53e8d3c701588e8e68e873fe

Download Submit
C:\windows\FUCCET.exe.bat

Filesize
58B

MD5
09f643a45e290c5a4fe52ed27f73dcbb

SHA1
bb14d912a5bfdb22eb75c92363e3a0091ce8fe3f

SHA256
ffe067f9a41a600a68082f05ff2642854bb296e7cc28c5d55d02300ffd1a0dbc

SHA512
aaa64ad4e101f8b2aeb8e6b05cd6586bebf80e1d76e7b372148ae7d3a5f06091a275bbd8f4dd3442d24744fd119cbbbba18d0a2465339ecfa3f9cdb081cb74e3

Download Submit
C:\windows\HBZ.exe

Filesize
208KB

MD5
2ad6abd6773e6ac5eea042294fa2a8b4

SHA1
8734b02e31c973847ea07ea0f939ba6b11184353

SHA256
fcbd6ece2ea4b4eff8e89ba7b4d1ef8771725b38fe6edf5bfa045ea691136b77

SHA512
f06c0182cc30a25850afdc0eb4de4724399e834575845ea8281fe893bf73832d9ea0a406e4b1df544c6da8949dd6e3eafa357c56fda8506bec0a0bfdccf2484e

Download Submit
C:\windows\HBZ.exe.bat

Filesize
52B

MD5
2e0e00883a3191263e36d06fcf659c3f

SHA1
3f3ae6e39fb5ca692e276ca728c51afdd45a3da4

SHA256
8b01b343b737c4d352c5c8025ca2edb0f0895bb88f849a181390a543b1359049

SHA512
18bac387e359d8163011aa30b4455ceacdc231ce930aadd965b36b9cc62bb97d6f95f93c31a3282c98b9241e8ba742f99b4b46ab2c6f589c5005cbfdeb88ef5d

Download Submit
C:\windows\NKYM.exe

Filesize
208KB

MD5
425cd85f4439e11ebb20771d0af378b0

SHA1
5792841f2da983bf4850c83a51a0022a49bc3eea

SHA256
3e70c40e930c15f1faab8ee348734d54da62e2ca0b19489e9119a3717959141b

SHA512
4f0693cf4169e60077157a6187b88b72a555762321df023ad45357789ebba6c02c3f7a919bc8cf8fc35a47fe85f791da73bb5be196ead6a89e3f5c7fae1253ec

Download Submit
C:\windows\NKYM.exe.bat

Filesize
54B

MD5
e423450583613b9fa5835e51c8d54e86

SHA1
cdcb9c3c747744b2c8c82d8ddef9f544a06661ec

SHA256
426ca4986a21067e84b996e6893115016fcbd9f6a5a062e3918f3446a40eb8ec

SHA512
e143538faf9260c8d54ff918ea2f744634268130b388e790d667ea7d4a39237a21cef11abc67593a1bf035d8b76fd463150dfa25ad9ca32537a0a9696c875843

Download Submit
C:\windows\SysWOW64\BJFQF.exe

Filesize
208KB

MD5
1a894b4044582676278488804317e7d4

SHA1
7c9566b2af9dadfcbc4ce8619e5d992827d87975

SHA256
44401aef651434ed806369d01f155a1903b33879779a044df3db8e3c37526f78

SHA512
101f079abc46d2d6d310b2cb38e5d7a4157e9df3183a79eab33a3f1f02f9907db237c692ef6365211beab06e9eabd537f508042c068a610661d9de3b41488677

Download Submit
C:\windows\SysWOW64\BJFQF.exe.bat

Filesize
74B

MD5
e1d8e73008ee5846f58b46df6df28e53

SHA1
87bab25762e3838d237b89b81425ad433aff501f

SHA256
866171339df1efdbc4224199725dbb8601992c0995044b3efecc9fc7d2774617

SHA512
0e479209929b00c6d988ed89c9dc57efd4e8de148ddfcd0a65dd6b8486cdf5039a09ef3d7b4ea019f5e010dbff4b3e24c28a9ac004389ca948efd08bc5f7ebfd

Download Submit
C:\windows\SysWOW64\FRUQ.exe

Filesize
208KB

MD5
8aee697fcd7127a80f8e8953ba5f15ad

SHA1
6984e246a8429293386c78ed45ae8a23c610d9a0

SHA256
9148f0584f80d5681be6e18126b69aa6c8c6a009deedd8b2341599560f25c25a

SHA512
9464a2a870cb0dc1f62fb917ad4459735fa05a9770e50d64d055d9c9bf99210193d025ec52120768d2dd10330481a0be8194877c9081c3666065a08bcb3110c6

Download Submit
C:\windows\SysWOW64\FRUQ.exe.bat

Filesize
72B

MD5
e7824f756c29dc1fb882a3402dd92e10

SHA1
440c3d5f699670739c22601c7087b448a4c6add1

SHA256
e136e4eedfeea390b0b82abcd13addec7c71bfe8ae8c6a56dfe5ff30c1c1960c

SHA512
c960728e01212965f78081320ae041f8e3f23c1ce455a733b2c894faf9f9542672cf5c2bc7c1c7bd1afb8313bc5407e306779bf79bc674f4740109c52f011f75

Download Submit
C:\windows\SysWOW64\IUHKSTO.exe

Filesize
208KB

MD5
9964baeb2abcc4b8a57a0b5b4a418928

SHA1
16ec2517d00187cd6496d62d79c7e303162d9a7d

SHA256
97684e28751bd9f85fa71562d22952143f116b3a38473a7b86ec7b5bb2fd1ea1

SHA512
a40b2dae3fdec2ba88616a0202f2c1cc6cd043d2d862c9ac7a64f387f42c27a346e35dcf877198cce66d812a9e65d8ae56702694b42d3fb3d9631d637eca5d64

Download Submit
C:\windows\SysWOW64\IUHKSTO.exe.bat

Filesize
78B

MD5
58164488024739df207fb116a877ef37

SHA1
27bf11d3c648b0e53e538c66d5fdf56ce9f15fce

SHA256
294cf75c3270f5c960263799bb649bd4560cf42867f0302ef06fac3fa55bb5da

SHA512
5cf426c6b28539393cf89b285f8689b619c634c083d07b5a775a27aca5afd5ef8a12b8782b6245a5129a553c93b82afb5366f7a212735c135a2f735e7f1220bd

Download Submit
C:\windows\SysWOW64\JDXV.exe

Filesize
208KB

MD5
f416ccdd12ab5d0f89aa813c35cf8338

SHA1
5ce90ff459605d1a52385ba2b132dc6ab9a1f61a

SHA256
32e23aae5c3c61bc90e621343a9758284d9c012b04a7522231461b93f6b3cbbd

SHA512
eaa70333343f1126c15130456c1a86304888eb6c5e8115849f50625bbcb194bf3ca94efb15354f23fe19224080d3c192893fefa243d7089319cc38c9ce9651aa

Download Submit
C:\windows\SysWOW64\JDXV.exe.bat

Filesize
72B

MD5
c4c372dbe964260bd1a6cecb50b5874e

SHA1
f08b0aea4e3c9925c8f76eeeb88dd6a4c478a07d

SHA256
26798876991733a1b43f34ef500ccc8d467e4d6cf150e4a34c46a526d7c8ec9a

SHA512
534807ee7d073227fc46a6d11ba2f33cebcc16099ff432cab8854d7d2b17473d26dd204930ae18a4c8f3119a89eb346d00c74843995104318fc96d2cf2d0a844

Download Submit
C:\windows\SysWOW64\RSTMG.exe

Filesize
208KB

MD5
47ddbdfad2fb555b921b89bd215e2b5f

SHA1
8171c420e27da8418c4773b0e1b524c233d20c3b

SHA256
fa4d4fb2a099666f433cc6ce5425c1708e2ec2a36e2a8dcd3b9f1c439ce1a57e

SHA512
d1f865ed60a57ea5fb082946a8dacdede5b376081566088c3d83bf7af0141f8fa3904c1380be858da99eac9a64c0055cc5a2abfe34b577c92290f0e6f012691e

Download Submit
C:\windows\SysWOW64\RSTMG.exe.bat

Filesize
74B

MD5
4ad7ab46b37f7f572065d0346b60ce8c

SHA1
defcd082fd6db9a84741581e9e8d7edb4439494b

SHA256
6f72b20f1259aef9e94610f036bc86926f7ec7ab1f1254e3e50e8dbd5709bd1f

SHA512
77d17a861ad6d20f000a8d9aa59c781e5b319d7c07ac8f44d569029286f2d396d47aa762bee8482de481f1402ceaf12c03f8e68c84020102eca43d74b89d8549

Download Submit
C:\windows\SysWOW64\VNBPZ.exe

Filesize
208KB

MD5
bd020d21a03336f2ddb62ced66c8366f

SHA1
a99e7549e3a54d8af1d7c0800678dc4729208467

SHA256
a077776ed80aa371014fe93ea55c82622a2374703c727f0258b434918f6eef11

SHA512
7df83edc941298de0c85c45e6912144210be7ea3da7aeab224385004cc726ffc37431055e8999995d86e0b8aa37c795469a10a0a45bf7dd96e16b0d594f2eec7

Download Submit
C:\windows\SysWOW64\VNBPZ.exe.bat

Filesize
74B

MD5
43380c422380799d2615be0880a75feb

SHA1
425769b3bee62f66661028887f88b685f38c0f27

SHA256
755f0bf986746fa45a43686306fb902dd077d33a0d595b64f126e1a93e7df599

SHA512
2c3b02730b9a36340f7c916ac1f361cb402502db1ea07f62989dc022ed677542ee39226a034b6fa32494e21fbea00a6384c0f4cf625e21b26394b1321e18dbe2

Download Submit
C:\windows\SysWOW64\XBXKEF.exe

Filesize
208KB

MD5
2ad6abd6773e6ac5eea042294fa2a8b4

SHA1
8734b02e31c973847ea07ea0f939ba6b11184353

SHA256
fcbd6ece2ea4b4eff8e89ba7b4d1ef8771725b38fe6edf5bfa045ea691136b77

SHA512
f06c0182cc30a25850afdc0eb4de4724399e834575845ea8281fe893bf73832d9ea0a406e4b1df544c6da8949dd6e3eafa357c56fda8506bec0a0bfdccf2484e

Download Submit
C:\windows\SysWOW64\XBXKEF.exe.bat

Filesize
76B

MD5
0815018b9f950fa92618b324f21db11b

SHA1
8a94c615d8a237fe89a4b7104fa6acf2aedbbcbd

SHA256
2793fd6e0751ee0b56c2396446bce337ddd8cfc07828fa3e6f5b87520b812322

SHA512
f3428490e36f73f5afda406e19359f552febe1f9ed1d5d0918ad4984844a0253dbeb492a3727766e4865ef00dadab670d24818af131b9ca2f6109875c42da49a

Download Submit
C:\windows\WRMGP.exe

Filesize
208KB

MD5
9cb03a60311bd866002c7ba0a90eb862

SHA1
cfc50ad0fedfc7c0370fa1b74a626d42109dd8c0

SHA256
e32804fa787bb3b8d2eb12d8bd825e75937bfe1bf12fce2dd04b9cee1d03f794

SHA512
7c277455d0fa104bbfd8100d83d204f35ea43e820abd6f9093c0c114b8aa0092f2a5997ba43f3d62b3efd4ff768c28627f5ee0fcf3509fb1ff40c8c4e248e695

Download Submit
C:\windows\WRMGP.exe.bat

Filesize
56B

MD5
7107bc79d4a9ed9bc165ff23836d6fda

SHA1
037dc7459eeaa353318934e34d98f4df9f8c6eb2

SHA256
4ae6be892d5542a9ad05c79bd1ee0a31cf14f9dceb6b0a076f84dc8c8c759f9e

SHA512
5e0ccfc3e43f635b93a27f308f65a1caf29712acedd00d87a8f0bbe8a7ab08c5873fe8a08d563c1430af531eee2fc89fa8415c079748368b73acb307f8e71600

Download Submit
C:\windows\system\UKQ.exe

Filesize
208KB

MD5
48aa260ca80ebee7f578d7030f756afd

SHA1
3141ef61962eee3cbd3ab9d44f90ee8bd6fd2b83

SHA256
314b2bba1daa9db93cbda44600456a870c7087f2d68028474939f61d2d3fd878

SHA512
6b57a529be431e4b6c53f593fc97e950db47ba3534b8961f3e54fcd237ff3a6d62850e2c52f86c23857ce1e90f40b1ebec7f76b00b783ac79920423a1b818c66

Download Submit
C:\windows\system\UKQ.exe.bat

Filesize
66B

MD5
b214af937e1cc462ef015d8017d8ae94

SHA1
1752b9e533f925308a8afbd481eac1ef4f63cedb

SHA256
d64ccbe7d8ca23cce714a2cf1f11f8b5b78eb330a8a8a2a17b889dbbb972f0a9

SHA512
64e0b929d4b9e1a0f7535cf3f8e222b2885dce0c735848df188ca450a58e0f4b27141e4d767fef5550c4d22910a235b7075d037c6b28498822e6234f99419bd0

Download Submit
C:\windows\system\VLWVX.exe

Filesize
208KB

MD5
38a865d1881563c8a6d036643fe901ab

SHA1
a5e51c210982c7a759917b893d64aa5101027f5d

SHA256
607714efa1322a071528d31e1731d0ae7e72fea0b3e77de75a6b2c06e79309d5

SHA512
49b9b125198b7866d81f395a219c3719ec97a776cf41c7ff049f5e04aa64b32a26584bd15b66b94ad14277132a9c71491fdbfdf51eca6591ae66d437893646f7

Download Submit
C:\windows\system\VLWVX.exe.bat

Filesize
70B

MD5
f42d66e928bf8dda4fc703862f963e5c

SHA1
f1cd1126947095bf4f8fe82f1d497359d4f7958b

SHA256
1d0ad62f521c0a31d4d71b569e015d93467d72dbf44db605e2433ac50428897c

SHA512
4525ac7db2d7c02c3f781699dbd19e53d69e269e929d5c26041f8bd4699aa2a285e1a535f1e37c390e5e86be12ed582579b6d983b95d4562adb77315c64ea0b3

Download Submit
memory/408-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/408-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1104-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1128-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1128-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1384-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1384-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1728-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1728-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2256-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2256-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2656-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2656-163-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-52-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4092-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4092-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4392-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4392-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4688-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4688-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5016-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5016-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download