38b91ed970f0d7442b795afca8fdc73ce3844f0ddb4a1d339c35f04bcde59929

Analysis

max time kernel
130s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
Size

208KB
MD5

b75e4c8ce41053926c4b5f75c17fb050
SHA1

379faf67b12d8daf795cc45aadccbee24ddec4f9
SHA256

38b91ed970f0d7442b795afca8fdc73ce3844f0ddb4a1d339c35f04bcde59929
SHA512

611c9744ebf8ce8dee96856cbe5bed51b7304b1ebd45509f4ecb9abbecf8df2c3836c94c051e294f7fcb1838c5251f020bb6033784a285c5422fdfb06df7480e
SSDEEP

3072:DusxPityuHe6N7XjtA+VXlbRCOMeH1ITAue5VtFNyFN24NLthEjQT6j:Gtyu+WXjlXhwRYvdNyKQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	MAEHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	OKSEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	LPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ZGYBJZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NRGA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	BMSTDY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	PSJPUY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	XGVVFW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	IDEBMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	RKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	GNJQRY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	RWCG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ANFJCW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	UGJ.exe

Executes dropped EXE 15 IoCs

pid	Process
544	IDEBMD.exe
716	RWCG.exe
5000	RKP.exe
416	ANFJCW.exe
1388	MAEHH.exe
3540	GNJQRY.exe
4732	ZGYBJZ.exe
3956	NRGA.exe
1252	BMSTDY.exe
2988	OKSEE.exe
5036	LPK.exe
3824	PSJPUY.exe
4388	XGVVFW.exe
2268	UGJ.exe
2460	YHMQ.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\GNJQRY.exe.bat	MAEHH.exe
File opened for modification	C:\windows\SysWOW64\LPK.exe	OKSEE.exe
File opened for modification	C:\windows\SysWOW64\UGJ.exe	XGVVFW.exe
File created	C:\windows\SysWOW64\RKP.exe.bat	RWCG.exe
File created	C:\windows\SysWOW64\MAEHH.exe.bat	ANFJCW.exe
File created	C:\windows\SysWOW64\GNJQRY.exe	MAEHH.exe
File opened for modification	C:\windows\SysWOW64\GNJQRY.exe	MAEHH.exe
File created	C:\windows\SysWOW64\LPK.exe	OKSEE.exe
File created	C:\windows\SysWOW64\LPK.exe.bat	OKSEE.exe
File created	C:\windows\SysWOW64\PSJPUY.exe.bat	LPK.exe
File created	C:\windows\SysWOW64\UGJ.exe	XGVVFW.exe
File created	C:\windows\SysWOW64\RKP.exe	RWCG.exe
File opened for modification	C:\windows\SysWOW64\ANFJCW.exe	RKP.exe
File opened for modification	C:\windows\SysWOW64\MAEHH.exe	ANFJCW.exe
File opened for modification	C:\windows\SysWOW64\PSJPUY.exe	LPK.exe
File created	C:\windows\SysWOW64\ANFJCW.exe	RKP.exe
File created	C:\windows\SysWOW64\ANFJCW.exe.bat	RKP.exe
File created	C:\windows\SysWOW64\MAEHH.exe	ANFJCW.exe
File created	C:\windows\SysWOW64\PSJPUY.exe	LPK.exe
File created	C:\windows\SysWOW64\UGJ.exe.bat	XGVVFW.exe
File opened for modification	C:\windows\SysWOW64\RKP.exe	RWCG.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\windows\system\RWCG.exe.bat	IDEBMD.exe
File created	C:\windows\system\NRGA.exe	ZGYBJZ.exe
File created	C:\windows\system\BMSTDY.exe.bat	NRGA.exe
File opened for modification	C:\windows\system\XGVVFW.exe	PSJPUY.exe
File created	C:\windows\system\XGVVFW.exe.bat	PSJPUY.exe
File opened for modification	C:\windows\IDEBMD.exe	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
File created	C:\windows\system\RWCG.exe	IDEBMD.exe
File opened for modification	C:\windows\system\ZGYBJZ.exe	GNJQRY.exe
File created	C:\windows\system\ZGYBJZ.exe.bat	GNJQRY.exe
File created	C:\windows\YHMQ.exe	UGJ.exe
File created	C:\windows\system\XGVVFW.exe	PSJPUY.exe
File created	C:\windows\IDEBMD.exe	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
File created	C:\windows\IDEBMD.exe.bat	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
File opened for modification	C:\windows\system\RWCG.exe	IDEBMD.exe
File created	C:\windows\system\ZGYBJZ.exe	GNJQRY.exe
File opened for modification	C:\windows\system\BMSTDY.exe	NRGA.exe
File created	C:\windows\OKSEE.exe	BMSTDY.exe
File created	C:\windows\OKSEE.exe.bat	BMSTDY.exe
File opened for modification	C:\windows\YHMQ.exe	UGJ.exe
File opened for modification	C:\windows\system\NRGA.exe	ZGYBJZ.exe
File created	C:\windows\system\NRGA.exe.bat	ZGYBJZ.exe
File created	C:\windows\system\BMSTDY.exe	NRGA.exe
File opened for modification	C:\windows\OKSEE.exe	BMSTDY.exe
File created	C:\windows\YHMQ.exe.bat	UGJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2984	3728	WerFault.exe	80
4396	544	WerFault.exe	87
4140	716	WerFault.exe	93
1632	5000	WerFault.exe	98
976	416	WerFault.exe	103
816	1388	WerFault.exe	108
540	3540	WerFault.exe	113
2232	4732	WerFault.exe	118
3872	3956	WerFault.exe	123
372	1252	WerFault.exe	128
752	2988	WerFault.exe	133
3328	5036	WerFault.exe	138
1632	3824	WerFault.exe	144
416	4388	WerFault.exe	149
412	2268	WerFault.exe	154
836	2460	WerFault.exe	159

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
544	IDEBMD.exe
544	IDEBMD.exe
716	RWCG.exe
716	RWCG.exe
5000	RKP.exe
5000	RKP.exe
416	ANFJCW.exe
416	ANFJCW.exe
1388	MAEHH.exe
1388	MAEHH.exe
3540	GNJQRY.exe
3540	GNJQRY.exe
4732	ZGYBJZ.exe
4732	ZGYBJZ.exe
3956	NRGA.exe
3956	NRGA.exe
1252	BMSTDY.exe
1252	BMSTDY.exe
2988	OKSEE.exe
2988	OKSEE.exe
5036	LPK.exe
5036	LPK.exe
3824	PSJPUY.exe
3824	PSJPUY.exe
4388	XGVVFW.exe
4388	XGVVFW.exe
2268	UGJ.exe
2268	UGJ.exe
2460	YHMQ.exe
2460	YHMQ.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
544	IDEBMD.exe
544	IDEBMD.exe
716	RWCG.exe
716	RWCG.exe
5000	RKP.exe
5000	RKP.exe
416	ANFJCW.exe
416	ANFJCW.exe
1388	MAEHH.exe
1388	MAEHH.exe
3540	GNJQRY.exe
3540	GNJQRY.exe
4732	ZGYBJZ.exe
4732	ZGYBJZ.exe
3956	NRGA.exe
3956	NRGA.exe
1252	BMSTDY.exe
1252	BMSTDY.exe
2988	OKSEE.exe
2988	OKSEE.exe
5036	LPK.exe
5036	LPK.exe
3824	PSJPUY.exe
3824	PSJPUY.exe
4388	XGVVFW.exe
4388	XGVVFW.exe
2268	UGJ.exe
2268	UGJ.exe
2460	YHMQ.exe
2460	YHMQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4408	3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe	82
PID 3728 wrote to memory of 4408	3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe	82
PID 3728 wrote to memory of 4408	3728	NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe	82
PID 4408 wrote to memory of 544	4408	cmd.exe	87
PID 4408 wrote to memory of 544	4408	cmd.exe	87
PID 4408 wrote to memory of 544	4408	cmd.exe	87
PID 544 wrote to memory of 4900	544	IDEBMD.exe	89
PID 544 wrote to memory of 4900	544	IDEBMD.exe	89
PID 544 wrote to memory of 4900	544	IDEBMD.exe	89
PID 4900 wrote to memory of 716	4900	cmd.exe	93
PID 4900 wrote to memory of 716	4900	cmd.exe	93
PID 4900 wrote to memory of 716	4900	cmd.exe	93
PID 716 wrote to memory of 4784	716	RWCG.exe	94
PID 716 wrote to memory of 4784	716	RWCG.exe	94
PID 716 wrote to memory of 4784	716	RWCG.exe	94
PID 4784 wrote to memory of 5000	4784	cmd.exe	98
PID 4784 wrote to memory of 5000	4784	cmd.exe	98
PID 4784 wrote to memory of 5000	4784	cmd.exe	98
PID 5000 wrote to memory of 2828	5000	RKP.exe	99
PID 5000 wrote to memory of 2828	5000	RKP.exe	99
PID 5000 wrote to memory of 2828	5000	RKP.exe	99
PID 2828 wrote to memory of 416	2828	cmd.exe	103
PID 2828 wrote to memory of 416	2828	cmd.exe	103
PID 2828 wrote to memory of 416	2828	cmd.exe	103
PID 416 wrote to memory of 4468	416	ANFJCW.exe	104
PID 416 wrote to memory of 4468	416	ANFJCW.exe	104
PID 416 wrote to memory of 4468	416	ANFJCW.exe	104
PID 4468 wrote to memory of 1388	4468	cmd.exe	108
PID 4468 wrote to memory of 1388	4468	cmd.exe	108
PID 4468 wrote to memory of 1388	4468	cmd.exe	108
PID 1388 wrote to memory of 4172	1388	MAEHH.exe	109
PID 1388 wrote to memory of 4172	1388	MAEHH.exe	109
PID 1388 wrote to memory of 4172	1388	MAEHH.exe	109
PID 4172 wrote to memory of 3540	4172	cmd.exe	113
PID 4172 wrote to memory of 3540	4172	cmd.exe	113
PID 4172 wrote to memory of 3540	4172	cmd.exe	113
PID 3540 wrote to memory of 4440	3540	GNJQRY.exe	114
PID 3540 wrote to memory of 4440	3540	GNJQRY.exe	114
PID 3540 wrote to memory of 4440	3540	GNJQRY.exe	114
PID 4440 wrote to memory of 4732	4440	cmd.exe	118
PID 4440 wrote to memory of 4732	4440	cmd.exe	118
PID 4440 wrote to memory of 4732	4440	cmd.exe	118
PID 4732 wrote to memory of 1544	4732	ZGYBJZ.exe	119
PID 4732 wrote to memory of 1544	4732	ZGYBJZ.exe	119
PID 4732 wrote to memory of 1544	4732	ZGYBJZ.exe	119
PID 1544 wrote to memory of 3956	1544	cmd.exe	123
PID 1544 wrote to memory of 3956	1544	cmd.exe	123
PID 1544 wrote to memory of 3956	1544	cmd.exe	123
PID 3956 wrote to memory of 2716	3956	NRGA.exe	124
PID 3956 wrote to memory of 2716	3956	NRGA.exe	124
PID 3956 wrote to memory of 2716	3956	NRGA.exe	124
PID 2716 wrote to memory of 1252	2716	cmd.exe	128
PID 2716 wrote to memory of 1252	2716	cmd.exe	128
PID 2716 wrote to memory of 1252	2716	cmd.exe	128
PID 1252 wrote to memory of 4516	1252	BMSTDY.exe	129
PID 1252 wrote to memory of 4516	1252	BMSTDY.exe	129
PID 1252 wrote to memory of 4516	1252	BMSTDY.exe	129
PID 4516 wrote to memory of 2988	4516	cmd.exe	133
PID 4516 wrote to memory of 2988	4516	cmd.exe	133
PID 4516 wrote to memory of 2988	4516	cmd.exe	133
PID 2988 wrote to memory of 2700	2988	OKSEE.exe	134
PID 2988 wrote to memory of 2700	2988	OKSEE.exe	134
PID 2988 wrote to memory of 2700	2988	OKSEE.exe	134
PID 2700 wrote to memory of 5036	2700	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b75e4c8ce41053926c4b5f75c17fb050.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\IDEBMD.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\windows\IDEBMD.exe
    C:\windows\IDEBMD.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\windows\system\RWCG.exe
        
        C:\windows\system\RWCG.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKP.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\windows\SysWOW64\RKP.exe
        
        C:\windows\system32\RKP.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANFJCW.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\windows\SysWOW64\ANFJCW.exe
        
        C:\windows\system32\ANFJCW.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MAEHH.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\windows\SysWOW64\MAEHH.exe
        
        C:\windows\system32\MAEHH.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNJQRY.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\windows\SysWOW64\GNJQRY.exe
        
        C:\windows\system32\GNJQRY.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGYBJZ.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\windows\system\ZGYBJZ.exe
        
        C:\windows\system\ZGYBJZ.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRGA.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\windows\system\NRGA.exe
        
        C:\windows\system\NRGA.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMSTDY.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\windows\system\BMSTDY.exe
        
        C:\windows\system\BMSTDY.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OKSEE.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\windows\OKSEE.exe
        
        C:\windows\OKSEE.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPK.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\windows\SysWOW64\LPK.exe
        
        C:\windows\system32\LPK.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSJPUY.exe.bat" "
        24⤵
        
        PID:1808
        
        C:\windows\SysWOW64\PSJPUY.exe
        
        C:\windows\system32\PSJPUY.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGVVFW.exe.bat" "
        26⤵
        
        PID:5064
        
        C:\windows\system\XGVVFW.exe
        
        C:\windows\system\XGVVFW.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGJ.exe.bat" "
        28⤵
        
        PID:4992
        
        C:\windows\SysWOW64\UGJ.exe
        
        C:\windows\system32\UGJ.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YHMQ.exe.bat" "
        30⤵
        
        PID:1864
        
        C:\windows\YHMQ.exe
        
        C:\windows\YHMQ.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 844
        32⤵
        Program crash
        
        PID:836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1292
        30⤵
        Program crash
        
        PID:412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1328
        28⤵
        Program crash
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1336
        26⤵
        Program crash
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 996
        24⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 964
        22⤵
        Program crash
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1324
        20⤵
        Program crash
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 960
        18⤵
        Program crash
        
        PID:3872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1304
        16⤵
        Program crash
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1336
        14⤵
        Program crash
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1264
        12⤵
        Program crash
        
        PID:816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1208
        10⤵
        Program crash
        
        PID:976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1328
        8⤵
        Program crash
        
        PID:1632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 988
        6⤵
        Program crash
        
        PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1004
      4⤵
      Program crash
      PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 996
  2⤵
  - Program crash
  PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3728 -ip 3728
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 544 -ip 544
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 716 -ip 716
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 416 -ip 416
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1388 -ip 1388
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3540 -ip 3540
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4732 -ip 4732
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3956 -ip 3956
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1252 -ip 1252
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2988 -ip 2988
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5036 -ip 5036
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3824 -ip 3824
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2268 -ip 2268
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2460 -ip 2460
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IDEBMD.exe

Filesize
208KB

MD5
4616238edf23233aecfa2869cf54df27

SHA1
1b4ef9f243a610c7a043333e64f3fe270f245b54

SHA256
4be1c29e626ba8b7566e4b85bcc8ce55b8c80147ed7cf84a92c6cfc0b5470643

SHA512
bea93eba71b685ec99cb0a1d8011720ee6fad13a0199061a62375fff16fe319bd1f9cc71399809bef527249942d9698630d4a90d75f15a6ca6c26cdfc1c88102

Download Submit
C:\Windows\OKSEE.exe

Filesize
208KB

MD5
907cc4c1dece539a1252a9d652b19353

SHA1
3956f562b4aedd54a58d6a67085179c38cb47bbd

SHA256
30658c7ab302e65eb58e3d273370c2a306a9250f37b4492c6058a59a9c2d54e3

SHA512
d511a8cfb6bf2d1b4d6778841e2bcd8a5ef6ca3bba1a962c5731300d5484aacdf897cbd9c7eee6a733bdea44f5ff07e2dfb6e5557e6333488bd8388e6efc3d1e

Download Submit
C:\Windows\SysWOW64\ANFJCW.exe

Filesize
208KB

MD5
3947333ebc4ed74f469d5f6decd8cda9

SHA1
028ab12369fe59c9e7d8c7a958006abd37976eb9

SHA256
84f9807005d855b6c6b47053c56c9238cb58c19366bc1b8776a896017e04ae08

SHA512
539f285baa142e5be2ead579e37c85add8fbfbfd352665855c16ca25cdb7259070a4ef00b72f1e3654a0eecea8fff4a9709e1678996a010fbf54a3ef0f929ff3

Download Submit
C:\Windows\SysWOW64\GNJQRY.exe

Filesize
208KB

MD5
d021bbbad88dff27fe91caeec7b42295

SHA1
ae82a9f6f933797c31a949bcc4f5b612d2127d90

SHA256
1cbd867878d1ba5a790d9a4b68332e529403d68c662b90add9c6cc1dda691db6

SHA512
19e126784f277c62ab6ad4bd50dd518e0008870a924c1e8fe24f8cbb6a65065fcdf3c052bd38e50a98c3bb5742a5a93b7d75c0fef76e77966c8d744caed5dfb6

Download Submit
C:\Windows\SysWOW64\LPK.exe

Filesize
208KB

MD5
1f33af742dd6d43a596c7ee51817fd11

SHA1
b23360a5a19772c86645b595a3437c6e2298f4c3

SHA256
1e40e97fd14cdef737952c7a0302ef1222b533c854b8b8a323c72a157030ebf0

SHA512
0458443a36876fcf4ded9fc95872c8d65ceacad26f17d0aed2534876f4a6992bc399cc3bd07b47e47c4bc9fd4e5c785dd86e36fc86e4b9a188cb11e23e44d805

Download Submit
C:\Windows\SysWOW64\MAEHH.exe

Filesize
208KB

MD5
d021bbbad88dff27fe91caeec7b42295

SHA1
ae82a9f6f933797c31a949bcc4f5b612d2127d90

SHA256
1cbd867878d1ba5a790d9a4b68332e529403d68c662b90add9c6cc1dda691db6

SHA512
19e126784f277c62ab6ad4bd50dd518e0008870a924c1e8fe24f8cbb6a65065fcdf3c052bd38e50a98c3bb5742a5a93b7d75c0fef76e77966c8d744caed5dfb6

Download Submit
C:\Windows\SysWOW64\PSJPUY.exe

Filesize
208KB

MD5
89a1036a4d6b7ae20d0718ee1da76ddf

SHA1
eb2ba12564d8c96590d7f4422d4932ff092e506c

SHA256
1ec3e0257644a5c26bce8dac577d3ed86e3029f437dbd5dc6a58e1d0d9f13aab

SHA512
768bb0382893b88e78bbdd874f5f24e6a3c62fc81e01873f11a8b42a373b53058455ae6e0731ac316f2e0b046bf2d1c94160ded46ecbdff8cea0898d0fc16e70

Download Submit
C:\Windows\SysWOW64\RKP.exe

Filesize
208KB

MD5
60de095b810b56e6da03918cc6eed6c4

SHA1
96a0475be185ffb4372c1a6e90147fb883d162e9

SHA256
3c975d8a9af9ddae79a949a2cdf61f8c89617f811ac14ba374f2fd9d73b0a39d

SHA512
d06c7aa49b5e6e8cc3a2524625f12a9131294746c5e2aa2472607e4028a33462fb6217eaff4a6f1b9d9f20f46da001ee74062325097f8ce470a6c116798ab1b9

Download Submit
C:\Windows\SysWOW64\UGJ.exe

Filesize
208KB

MD5
ccb11c35be35aca3e4ac2b6557cbcbea

SHA1
1ad9ade0a1121ade8eee206e198dfb80b5ef44f3

SHA256
3b68dfc5083cdad8224413ee81e9e0630e5977b2c2855044873b5afb7a2de46b

SHA512
8d377b86fa0ccc9d5f87a7acef087fdde41767e95295eb54f80617a655dcc036126c58699b0189620a0e9e388846af2fbcfad70bf2ecbd5977ea8aef151a80b2

Download Submit
C:\Windows\System\BMSTDY.exe

Filesize
208KB

MD5
9870ca4355d3f3b373ed53bf82fa6d75

SHA1
b1d2d301d3d1178bf98807f86cc803850cf52f4d

SHA256
c93b0b72f88ae042f0e029436bd0ec5e4b3be31e4c624d5b6dd29e5e3779778a

SHA512
f8c23fcbbfcb10a574728f0887642c798d52b020c2e953ddd273a3afab09e9a8f00f27dc705189a23d06cfa1a09f13c021c837498bb9b1cfe069b66b655c64d7

Download Submit
C:\Windows\System\NRGA.exe

Filesize
208KB

MD5
cfb30a40391dd70e04756709d63b1899

SHA1
d6d2d5eb643a4f37edc42d96f6546345cb491ad6

SHA256
dfede9d06922bcbdb1a32e5e9ad86922e86104242158b2d7d88eff49b9ffcd05

SHA512
222ed48aee31287ecc16e265d6214bd3d8d881c1f1cf7d6320d0d8bc83a90c75b65b027286c05df6f7942dcc6349e41da1739be0e04e1622ec228e6467ca92e2

Download Submit
C:\Windows\System\RWCG.exe

Filesize
208KB

MD5
0f2e02f62544dff139d06f1db689bf00

SHA1
b2b621c5a9466a747858f9f7cff5054a4df91ae8

SHA256
9ecabf0c3b162859760bb2589ba4000ebbe8076d4b76868623c4207f79b7f222

SHA512
7200c618f23b2e9d284cde77bc0225c3838e68adaa52441bb88c7c9c01dddb53e93a0e71aa1f68272ae8c4ee11596d88ce272d4e076afc1fa14bb44bffd02c30

Download Submit
C:\Windows\System\RWCG.exe

Filesize
208KB

MD5
0f2e02f62544dff139d06f1db689bf00

SHA1
b2b621c5a9466a747858f9f7cff5054a4df91ae8

SHA256
9ecabf0c3b162859760bb2589ba4000ebbe8076d4b76868623c4207f79b7f222

SHA512
7200c618f23b2e9d284cde77bc0225c3838e68adaa52441bb88c7c9c01dddb53e93a0e71aa1f68272ae8c4ee11596d88ce272d4e076afc1fa14bb44bffd02c30

Download Submit
C:\Windows\System\XGVVFW.exe

Filesize
208KB

MD5
89a1036a4d6b7ae20d0718ee1da76ddf

SHA1
eb2ba12564d8c96590d7f4422d4932ff092e506c

SHA256
1ec3e0257644a5c26bce8dac577d3ed86e3029f437dbd5dc6a58e1d0d9f13aab

SHA512
768bb0382893b88e78bbdd874f5f24e6a3c62fc81e01873f11a8b42a373b53058455ae6e0731ac316f2e0b046bf2d1c94160ded46ecbdff8cea0898d0fc16e70

Download Submit
C:\Windows\System\ZGYBJZ.exe

Filesize
208KB

MD5
3b3b2dadf9387cf376d6efb03a7d1095

SHA1
9cfddf5ff1581d948b1abb6536aeb943332d6e5d

SHA256
86f0a531ccd6b28b1d376a2a30062a3303db3662d74e3f7fc2b569b9e4580e30

SHA512
2567f68ae75672a01a8b023636bcd3699b02e00d1dc8954264fef3e7ff91ac2c204116e30a1cfc6f63b139f92ab2ab9bec5872ba915b76b484a09ec0ff81a698

Download Submit
C:\Windows\YHMQ.exe

Filesize
208KB

MD5
b6ca72930b738632655197783ee6f44a

SHA1
98abcca61c9c668d4dde8a33ee8d3651dca88e23

SHA256
14f12febd6589ae7e1595e8b1f0633fb52ac55fda1302f1985cc16cfca3521fa

SHA512
8b99163f81563b2164f64c1376ef57cafe902202280833ddae5ca1aa92e652f43ae71c4117ecc8b852fe13de48b3718460d54fc6641a92318575b02f650c2d30

Download Submit
C:\windows\IDEBMD.exe

Filesize
208KB

MD5
4616238edf23233aecfa2869cf54df27

SHA1
1b4ef9f243a610c7a043333e64f3fe270f245b54

SHA256
4be1c29e626ba8b7566e4b85bcc8ce55b8c80147ed7cf84a92c6cfc0b5470643

SHA512
bea93eba71b685ec99cb0a1d8011720ee6fad13a0199061a62375fff16fe319bd1f9cc71399809bef527249942d9698630d4a90d75f15a6ca6c26cdfc1c88102

Download Submit
C:\windows\IDEBMD.exe.bat

Filesize
58B

MD5
cd7cc8dc60fe0f251d5542a064f1c640

SHA1
972b311eedc84930c78d1252045f7a8aca272763

SHA256
852e03a3f87fe80ed2eb02d9e3104e48ded3c9280497cd6a073aedb9c1886161

SHA512
0ebf5ae48c7fab2a67f30a91bc47fc5a3091bc471a6e6515a5dec40b4f135429e14206e41def0534c282c8b12e41a77df57eda16ade10786ebcf160115dbf517

Download Submit
C:\windows\OKSEE.exe

Filesize
208KB

MD5
907cc4c1dece539a1252a9d652b19353

SHA1
3956f562b4aedd54a58d6a67085179c38cb47bbd

SHA256
30658c7ab302e65eb58e3d273370c2a306a9250f37b4492c6058a59a9c2d54e3

SHA512
d511a8cfb6bf2d1b4d6778841e2bcd8a5ef6ca3bba1a962c5731300d5484aacdf897cbd9c7eee6a733bdea44f5ff07e2dfb6e5557e6333488bd8388e6efc3d1e

Download Submit
C:\windows\OKSEE.exe.bat

Filesize
56B

MD5
982bba7586681c751f144ea43f60b29c

SHA1
202ce4ce89e2612a18815018c8136f96b088b8c2

SHA256
86f6e73f5b72217422f95749999d62eb013e0fc694e3572ce6e635e258f25e92

SHA512
70fa692e7efd35b6bb83ee142043d3b5a90e341c808f68997bb141f1201fe1320a67db9ebcf0e844015c85e85331da0943eebdfc6d34588995bb4beda0e554b1

Download Submit
C:\windows\SysWOW64\ANFJCW.exe

Filesize
208KB

MD5
3947333ebc4ed74f469d5f6decd8cda9

SHA1
028ab12369fe59c9e7d8c7a958006abd37976eb9

SHA256
84f9807005d855b6c6b47053c56c9238cb58c19366bc1b8776a896017e04ae08

SHA512
539f285baa142e5be2ead579e37c85add8fbfbfd352665855c16ca25cdb7259070a4ef00b72f1e3654a0eecea8fff4a9709e1678996a010fbf54a3ef0f929ff3

Download Submit
C:\windows\SysWOW64\ANFJCW.exe.bat

Filesize
76B

MD5
767131f5df0f55de02cca7eece201ff3

SHA1
54dc40d25a909c0dc9d3590220bf154d43789cc3

SHA256
8ac11c9abdc1b2002784d49b680a182be17b981f49689e495492c8a58bf64947

SHA512
cb8925cb40a17b4dcb3a60ce750506c60006c90b3cfd03132267c7b2c81838f99ace4a4f7989c32e61a83bef1214d2c0a24d91133722d76e9f6d8ce1bbed1a0e

Download Submit
C:\windows\SysWOW64\GNJQRY.exe

Filesize
208KB

MD5
d021bbbad88dff27fe91caeec7b42295

SHA1
ae82a9f6f933797c31a949bcc4f5b612d2127d90

SHA256
1cbd867878d1ba5a790d9a4b68332e529403d68c662b90add9c6cc1dda691db6

SHA512
19e126784f277c62ab6ad4bd50dd518e0008870a924c1e8fe24f8cbb6a65065fcdf3c052bd38e50a98c3bb5742a5a93b7d75c0fef76e77966c8d744caed5dfb6

Download Submit
C:\windows\SysWOW64\GNJQRY.exe.bat

Filesize
76B

MD5
27dfe02e12bc1b096ce134076d78eb26

SHA1
83e464711c502ae8ab22db326d60a05a9ca8245e

SHA256
0cfc0dcaab681672b0561f1350033629b1b4e9e7602142c4d6b8f3c910643c6c

SHA512
5d4400776b3674325f9a638a65a5b66860dc7f53180088891dba47b2734c8c866f14566b2094eb4126496ea4de8a137645e3e3610060b6114389b4e89c274e06

Download Submit
C:\windows\SysWOW64\LPK.exe

Filesize
208KB

MD5
1f33af742dd6d43a596c7ee51817fd11

SHA1
b23360a5a19772c86645b595a3437c6e2298f4c3

SHA256
1e40e97fd14cdef737952c7a0302ef1222b533c854b8b8a323c72a157030ebf0

SHA512
0458443a36876fcf4ded9fc95872c8d65ceacad26f17d0aed2534876f4a6992bc399cc3bd07b47e47c4bc9fd4e5c785dd86e36fc86e4b9a188cb11e23e44d805

Download Submit
C:\windows\SysWOW64\LPK.exe.bat

Filesize
70B

MD5
b7dfa8a0e2d38275ed132dd2204fd9a0

SHA1
a2a2bff2b9c5d33610397ceb69d85dd257f0629a

SHA256
139ed0fb66ab279c45d254ce80a386d8a96314f7844d25a0969b7c2a380c0d52

SHA512
a548bb2b77bfe59c27aa8173793d1f5c36cfadb5e5312d10d2ac7832c94d536572bb5022e6601429fd539727482424f7c43c3f899f1cb0eaca8bbb6657009121

Download Submit
C:\windows\SysWOW64\MAEHH.exe

Filesize
208KB

MD5
d021bbbad88dff27fe91caeec7b42295

SHA1
ae82a9f6f933797c31a949bcc4f5b612d2127d90

SHA256
1cbd867878d1ba5a790d9a4b68332e529403d68c662b90add9c6cc1dda691db6

SHA512
19e126784f277c62ab6ad4bd50dd518e0008870a924c1e8fe24f8cbb6a65065fcdf3c052bd38e50a98c3bb5742a5a93b7d75c0fef76e77966c8d744caed5dfb6

Download Submit
C:\windows\SysWOW64\MAEHH.exe.bat

Filesize
74B

MD5
a22af4423bbd664f4aefccead811a738

SHA1
fdf26cd6717ff4d95f765359fc680867d31f7c80

SHA256
00922ef87e80bd64bf8510f9a3e2071cc035a4676a138fab111411f7fcc25520

SHA512
f2fd0a41800dc0e2dbb4a458df4b747d78e7511eb303bb33115b06f0b4c7b53395ab6ee4ef8eec14b3f5920e31bfae25a51a142ff0f947e21c37c3133361a252

Download Submit
C:\windows\SysWOW64\PSJPUY.exe

Filesize
208KB

MD5
89a1036a4d6b7ae20d0718ee1da76ddf

SHA1
eb2ba12564d8c96590d7f4422d4932ff092e506c

SHA256
1ec3e0257644a5c26bce8dac577d3ed86e3029f437dbd5dc6a58e1d0d9f13aab

SHA512
768bb0382893b88e78bbdd874f5f24e6a3c62fc81e01873f11a8b42a373b53058455ae6e0731ac316f2e0b046bf2d1c94160ded46ecbdff8cea0898d0fc16e70

Download Submit
C:\windows\SysWOW64\PSJPUY.exe.bat

Filesize
76B

MD5
07c3a281be75f9460ba839e440be31b8

SHA1
b284aac904bc7c02cac3272221d8e98be289b205

SHA256
bf91ad024c3cb6f8ec3c437fe049200237297dbfc2b97f40afc232c6a24d6a9c

SHA512
35d26b520bb646882388e25bca9832214cbc7da75b06aec9629c589a7492fc339e63d6b9c37c393b75495854d4ed8301484c4fe9e4625f8aa1f37af54eb8f7d4

Download Submit
C:\windows\SysWOW64\RKP.exe

Filesize
208KB

MD5
60de095b810b56e6da03918cc6eed6c4

SHA1
96a0475be185ffb4372c1a6e90147fb883d162e9

SHA256
3c975d8a9af9ddae79a949a2cdf61f8c89617f811ac14ba374f2fd9d73b0a39d

SHA512
d06c7aa49b5e6e8cc3a2524625f12a9131294746c5e2aa2472607e4028a33462fb6217eaff4a6f1b9d9f20f46da001ee74062325097f8ce470a6c116798ab1b9

Download Submit
C:\windows\SysWOW64\RKP.exe.bat

Filesize
70B

MD5
8b1795b64c262a8dd8607fb5abc14650

SHA1
495c716afd324b1f888d6c265d14bd3b77aee764

SHA256
d36aaa8b402ad93108065cb3eb9a9b5f07b0a33b27770933240c90da4eae46ff

SHA512
c70ccdf5b464a4b790363ad0bd6a64479fa558928c2ccb8ce3040627a4c0669d1b9bd6d60f51ba2554e6cbdafb75ef52feded03f8148dbc15c33d1db7f1a1b73

Download Submit
C:\windows\SysWOW64\UGJ.exe

Filesize
208KB

MD5
ccb11c35be35aca3e4ac2b6557cbcbea

SHA1
1ad9ade0a1121ade8eee206e198dfb80b5ef44f3

SHA256
3b68dfc5083cdad8224413ee81e9e0630e5977b2c2855044873b5afb7a2de46b

SHA512
8d377b86fa0ccc9d5f87a7acef087fdde41767e95295eb54f80617a655dcc036126c58699b0189620a0e9e388846af2fbcfad70bf2ecbd5977ea8aef151a80b2

Download Submit
C:\windows\SysWOW64\UGJ.exe.bat

Filesize
70B

MD5
7a945f67178bdde6a29464fa84472be2

SHA1
535fef970b1d2690b2e1fb1c1a45cb4d7ff17e4a

SHA256
607b411d83f817e5f26bf4b05dd6939fb39340b78aa4fb156b7d20df7281c6c2

SHA512
0595f927c72b3337722c9d6ed637ba172a50517709ea027c585cd2c3d3893048d4234167dc8a51ad21e0273ada436b2335dfa657b8ddde17fff121c09b4f10e0

Download Submit
C:\windows\YHMQ.exe

Filesize
208KB

MD5
b6ca72930b738632655197783ee6f44a

SHA1
98abcca61c9c668d4dde8a33ee8d3651dca88e23

SHA256
14f12febd6589ae7e1595e8b1f0633fb52ac55fda1302f1985cc16cfca3521fa

SHA512
8b99163f81563b2164f64c1376ef57cafe902202280833ddae5ca1aa92e652f43ae71c4117ecc8b852fe13de48b3718460d54fc6641a92318575b02f650c2d30

Download Submit
C:\windows\YHMQ.exe.bat

Filesize
54B

MD5
c8318607daf5e6dc24a4f5c8eed68991

SHA1
7d64aeed66bc822612a5e9f36f26f9f843cfb597

SHA256
4f4e2767416ca6df68492c41989f09beef084a96872a45de7f54d8280e7a951b

SHA512
de5675e6f5124220c65c9a8844164b07ee5a0ac41ec4510411765dc6faf75a8c6faa7db1b5e2423c0ff3f44410d094000f95405ea159cafbafe2a68e7c066c0b

Download Submit
C:\windows\system\BMSTDY.exe

Filesize
208KB

MD5
9870ca4355d3f3b373ed53bf82fa6d75

SHA1
b1d2d301d3d1178bf98807f86cc803850cf52f4d

SHA256
c93b0b72f88ae042f0e029436bd0ec5e4b3be31e4c624d5b6dd29e5e3779778a

SHA512
f8c23fcbbfcb10a574728f0887642c798d52b020c2e953ddd273a3afab09e9a8f00f27dc705189a23d06cfa1a09f13c021c837498bb9b1cfe069b66b655c64d7

Download Submit
C:\windows\system\BMSTDY.exe.bat

Filesize
72B

MD5
2f98e14734140b88b729949f160416c7

SHA1
8d7cacf042b0f5a016e9e1672cad905a159699b7

SHA256
dd971d60c244624186d4d1ddb7ef28ac2febc28bf465aef1997d6d2992c61476

SHA512
cdcaacc00f00c68d59e2b38d8ad7b10b1cbf0a1e83abc222e5c0e0f470bafbea21689476fa1c0f5f52b6fe3f4e1460d34a19c9b478d1b4fce6c8849ffbc87812

Download Submit
C:\windows\system\NRGA.exe

Filesize
208KB

MD5
cfb30a40391dd70e04756709d63b1899

SHA1
d6d2d5eb643a4f37edc42d96f6546345cb491ad6

SHA256
dfede9d06922bcbdb1a32e5e9ad86922e86104242158b2d7d88eff49b9ffcd05

SHA512
222ed48aee31287ecc16e265d6214bd3d8d881c1f1cf7d6320d0d8bc83a90c75b65b027286c05df6f7942dcc6349e41da1739be0e04e1622ec228e6467ca92e2

Download Submit
C:\windows\system\NRGA.exe.bat

Filesize
68B

MD5
7ded1b87f80b68cc63da1b7c8069817c

SHA1
68072f13955ca33199045902937b2d50242e72a2

SHA256
9a27441551c937abeac83f9354f07251ca805491594db1f2085e89969cc444e2

SHA512
fd41356ba3cd00ad96621d6cb73a98e5f50bdb53d4055f32628d2ca2c2d4ddda422a4bd60c93186a889e7da1ce9f86e9ef27058e03e38cff712dad5d4dc49fdc

Download Submit
C:\windows\system\RWCG.exe

Filesize
208KB

MD5
0f2e02f62544dff139d06f1db689bf00

SHA1
b2b621c5a9466a747858f9f7cff5054a4df91ae8

SHA256
9ecabf0c3b162859760bb2589ba4000ebbe8076d4b76868623c4207f79b7f222

SHA512
7200c618f23b2e9d284cde77bc0225c3838e68adaa52441bb88c7c9c01dddb53e93a0e71aa1f68272ae8c4ee11596d88ce272d4e076afc1fa14bb44bffd02c30

Download Submit
C:\windows\system\RWCG.exe.bat

Filesize
68B

MD5
c1dd76884cfa7c84f65eec2a0f2c9def

SHA1
4f3a8e75c2e9a4bf97ba8f565b29cb183de700ea

SHA256
c7bf2f61a943089ec8e36d9bb759f5141b72326dc049579bbc6f0b9533af485c

SHA512
7de20023027f635db1837a09b41d4e41e1ec0c92dd28f6c795f39999fb93042bb43ea5780a01912a8f8051be4e4464170ce9a0f287fcc812468e1883c4b5c5b0

Download Submit
C:\windows\system\XGVVFW.exe

Filesize
208KB

MD5
89a1036a4d6b7ae20d0718ee1da76ddf

SHA1
eb2ba12564d8c96590d7f4422d4932ff092e506c

SHA256
1ec3e0257644a5c26bce8dac577d3ed86e3029f437dbd5dc6a58e1d0d9f13aab

SHA512
768bb0382893b88e78bbdd874f5f24e6a3c62fc81e01873f11a8b42a373b53058455ae6e0731ac316f2e0b046bf2d1c94160ded46ecbdff8cea0898d0fc16e70

Download Submit
C:\windows\system\XGVVFW.exe.bat

Filesize
72B

MD5
43edc11414f01918f8f5e308dba12198

SHA1
a44d42bbc8a34b60ed3204fdb71b4b7eb6931f77

SHA256
456975ffe22d4c6bd028723c019486be226397389711b3567aed048e61bfcc16

SHA512
cd41ded41a5b1230e9ca2abb35558474488f7ceb7ca4f7da81f7838a865114375c5a50239d22386215fa49da9fe13e4473cc250fae5490323cfd671f3d7194b1

Download Submit
C:\windows\system\ZGYBJZ.exe

Filesize
208KB

MD5
3b3b2dadf9387cf376d6efb03a7d1095

SHA1
9cfddf5ff1581d948b1abb6536aeb943332d6e5d

SHA256
86f0a531ccd6b28b1d376a2a30062a3303db3662d74e3f7fc2b569b9e4580e30

SHA512
2567f68ae75672a01a8b023636bcd3699b02e00d1dc8954264fef3e7ff91ac2c204116e30a1cfc6f63b139f92ab2ab9bec5872ba915b76b484a09ec0ff81a698

Download Submit
C:\windows\system\ZGYBJZ.exe.bat

Filesize
72B

MD5
1da5372994a24ac5f31e1a86eafe116d

SHA1
4b2463c922a31614992621c7ce318249eaee3d28

SHA256
1ddbe53ea4c6d14e51e8ba08ae50b57d14514b33db77d16456471bc3b51acb68

SHA512
490e307c10089b10792212e52608fbdc1fd72d96ea3c784ba07680665803b432f6986e231c1cf40b6f515bd9d5574fe785f9e76360c648f3ebdfa67be64c2d15

Download Submit
memory/416-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/416-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/544-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/544-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/716-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/716-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1252-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1252-126-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1388-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1388-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2268-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2268-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2460-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2460-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3540-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3540-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3728-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3728-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3824-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3824-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4388-181-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4388-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5000-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5000-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5036-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5036-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download