37a692b7cd7955a858ea03cc3a43f609a6fad55ff8424645a7732765a881d3e9

Analysis

max time kernel
160s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
Size

320KB
MD5

3ec55276c135dfb48c1874c735fc2e00
SHA1

0e00b9f177ce9a27883cba9a2c8bd2aec1523a7c
SHA256

37a692b7cd7955a858ea03cc3a43f609a6fad55ff8424645a7732765a881d3e9
SHA512

558506b362cf6c8b753293e606f6d69940dc73d84ed76e6fba0caf55cf3fd22569c67d9ae19225fdd67e2b21b549bde44acc02af0b24173351941efdd453c49e
SSDEEP

6144:AGuTZB2KKoEOfXoLYl/kEjWbjcSbcY+CA:AGuTf2KmGXoLm/kFbzs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	SUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VSS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UOMRYV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	SEIID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BTFM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	EXCVXFY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UFWWFMF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	IQI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KUF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	PGITSXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	USS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RCGSZE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CNB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WLMYJA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XZV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	YCPF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ARZHJD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WUC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ASDJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JPJCBVA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CVUBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FAHE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UCAAWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VJSIOCT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HWFNHIH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	GXCBI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ZDFDTM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	MGSPN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WORJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	PFDH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KKT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	COAMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FWXZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JUVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HERB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	YLNPZJL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UOZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	LWHQG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HXWEAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XSHB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WBZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	YKWQJSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FPOAUPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BORABFJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BZDC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TSCIO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FFI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	OMFPRX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	GNDG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BARKF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KRE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UQN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NKKO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TSAEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ETOSRH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CJASCQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JADMO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	OFRSUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RKYR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	OIAKHN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ARPBQZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ABDSVX.exe

Executes dropped EXE 64 IoCs

pid	Process
2516	DFNZSQ.exe
1968	YKWQJSN.exe
2808	PFDH.exe
3816	OIAKHN.exe
3968	PGITSXQ.exe
3104	USS.exe
3872	AVE.exe
1668	BORABFJ.exe
884	NKKO.exe
2604	VSS.exe
3460	TSAEX.exe
468	ARPBQZR.exe
4040	JPJCBVA.exe
4568	ZDFDTM.exe
4500	LWHQG.exe
4468	RCGSZE.exe
3272	UOMRYV.exe
2520	VJSIOCT.exe
4300	YCPF.exe
3852	CVUBA.exe
4412	ARZHJD.exe
3556	HWFNHIH.exe
3424	FFI.exe
1188	COAMS.exe
1536	BZDC.exe
3672	BTFM.exe
4140	MGSPN.exe
4356	GXCBI.exe
3092	FAHE.exe
3480	ABDSVX.exe
3888	WUC.exe
4888	JADMO.exe
4716	FWXZ.exe
3920	HXWEAQ.exe
4248	ASDJV.exe
5008	ABOIO.exe
4632	FPOAUPT.exe
556	XSHB.exe
4356	SEIID.exe
2412	HERB.exe
4112	EXCVXFY.exe
3572	ETOSRH.exe
3084	SUE.exe
1472	OFRSUE.exe
5068	YLNPZJL.exe
1808	JUVW.exe
3788	BARKF.exe
2456	KRE.exe
5008	TSCIO.exe
2964	WLMYJA.exe
1732	WORJU.exe
3468	OMFPRX.exe
3944	KKT.exe
3064	UOZ.exe
1296	UFWWFMF.exe
3888	IQI.exe
5080	KUF.exe
3092	CNB.exe
216	GNDG.exe
3944	WBZ.exe
2120	UCAAWL.exe
228	UQN.exe
4108	CJASCQ.exe
1168	XZV.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\PFDH.exe.bat	YKWQJSN.exe
File opened for modification	C:\windows\SysWOW64\PFDH.exe	YKWQJSN.exe
File created	C:\windows\SysWOW64\BORABFJ.exe.bat	AVE.exe
File opened for modification	C:\windows\SysWOW64\ARPBQZR.exe	TSAEX.exe
File created	C:\windows\SysWOW64\RCGSZE.exe	LWHQG.exe
File opened for modification	C:\windows\SysWOW64\FAHE.exe	GXCBI.exe
File created	C:\windows\SysWOW64\JADMO.exe.bat	WUC.exe
File created	C:\windows\SysWOW64\UFWWFMF.exe	UOZ.exe
File opened for modification	C:\windows\SysWOW64\YKWQJSN.exe	DFNZSQ.exe
File opened for modification	C:\windows\SysWOW64\WBZ.exe	GNDG.exe
File created	C:\windows\SysWOW64\RKYR.exe.bat	XZV.exe
File created	C:\windows\SysWOW64\GNDG.exe	CNB.exe
File created	C:\windows\SysWOW64\JPJCBVA.exe	ARPBQZR.exe
File opened for modification	C:\windows\SysWOW64\JPJCBVA.exe	ARPBQZR.exe
File created	C:\windows\SysWOW64\GNDG.exe.bat	CNB.exe
File opened for modification	C:\windows\SysWOW64\RKYR.exe	XZV.exe
File created	C:\windows\SysWOW64\AVE.exe.bat	USS.exe
File created	C:\windows\SysWOW64\LWHQG.exe.bat	ZDFDTM.exe
File created	C:\windows\SysWOW64\YCPF.exe.bat	VJSIOCT.exe
File created	C:\windows\SysWOW64\HXWEAQ.exe	FWXZ.exe
File opened for modification	C:\windows\SysWOW64\UFWWFMF.exe	UOZ.exe
File created	C:\windows\SysWOW64\PFDH.exe	YKWQJSN.exe
File created	C:\windows\SysWOW64\YCPF.exe	VJSIOCT.exe
File opened for modification	C:\windows\SysWOW64\ABOIO.exe	ASDJV.exe
File created	C:\windows\SysWOW64\XSHB.exe.bat	FPOAUPT.exe
File opened for modification	C:\windows\SysWOW64\EXCVXFY.exe	HERB.exe
File created	C:\windows\SysWOW64\VJSIOCT.exe.bat	UOMRYV.exe
File opened for modification	C:\windows\SysWOW64\BORABFJ.exe	AVE.exe
File created	C:\windows\SysWOW64\ABOIO.exe.bat	ASDJV.exe
File created	C:\windows\SysWOW64\EXCVXFY.exe.bat	HERB.exe
File created	C:\windows\SysWOW64\ZYHI.exe	RKYR.exe
File created	C:\windows\SysWOW64\USS.exe.bat	PGITSXQ.exe
File opened for modification	C:\windows\SysWOW64\ARZHJD.exe	CVUBA.exe
File created	C:\windows\SysWOW64\FAHE.exe	GXCBI.exe
File created	C:\windows\SysWOW64\HXWEAQ.exe.bat	FWXZ.exe
File created	C:\windows\SysWOW64\ABOIO.exe	ASDJV.exe
File created	C:\windows\SysWOW64\IQI.exe	UFWWFMF.exe
File opened for modification	C:\windows\SysWOW64\YCPF.exe	VJSIOCT.exe
File opened for modification	C:\windows\SysWOW64\RCGSZE.exe	LWHQG.exe
File created	C:\windows\SysWOW64\ARZHJD.exe	CVUBA.exe
File opened for modification	C:\windows\SysWOW64\BZDC.exe	COAMS.exe
File opened for modification	C:\windows\SysWOW64\JADMO.exe	WUC.exe
File created	C:\windows\SysWOW64\SUE.exe	ETOSRH.exe
File opened for modification	C:\windows\SysWOW64\SUE.exe	ETOSRH.exe
File created	C:\windows\SysWOW64\JPJCBVA.exe.bat	ARPBQZR.exe
File opened for modification	C:\windows\SysWOW64\ZYHI.exe	RKYR.exe
File created	C:\windows\SysWOW64\ZYHI.exe.bat	RKYR.exe
File opened for modification	C:\windows\SysWOW64\XSHB.exe	FPOAUPT.exe
File created	C:\windows\SysWOW64\BZDC.exe.bat	COAMS.exe
File opened for modification	C:\windows\SysWOW64\IQI.exe	UFWWFMF.exe
File opened for modification	C:\windows\SysWOW64\AVE.exe	USS.exe
File created	C:\windows\SysWOW64\USS.exe	PGITSXQ.exe
File opened for modification	C:\windows\SysWOW64\USS.exe	PGITSXQ.exe
File created	C:\windows\SysWOW64\AVE.exe	USS.exe
File created	C:\windows\SysWOW64\LWHQG.exe	ZDFDTM.exe
File opened for modification	C:\windows\SysWOW64\HXWEAQ.exe	FWXZ.exe
File created	C:\windows\SysWOW64\UFWWFMF.exe.bat	UOZ.exe
File created	C:\windows\SysWOW64\WBZ.exe	GNDG.exe
File created	C:\windows\SysWOW64\YKWQJSN.exe	DFNZSQ.exe
File created	C:\windows\SysWOW64\WBZ.exe.bat	GNDG.exe
File created	C:\windows\SysWOW64\ARPBQZR.exe.bat	TSAEX.exe
File created	C:\windows\SysWOW64\FAHE.exe.bat	GXCBI.exe
File created	C:\windows\SysWOW64\JADMO.exe	WUC.exe
File created	C:\windows\SysWOW64\XSHB.exe	FPOAUPT.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\CNB.exe	KUF.exe
File created	C:\windows\system\ZDFDTM.exe	JPJCBVA.exe
File opened for modification	C:\windows\system\UOMRYV.exe	RCGSZE.exe
File opened for modification	C:\windows\system\CVUBA.exe	YCPF.exe
File created	C:\windows\system\BARKF.exe	JUVW.exe
File created	C:\windows\system\WLMYJA.exe	TSCIO.exe
File opened for modification	C:\windows\system\UCAAWL.exe	WBZ.exe
File created	C:\windows\system\XZV.exe	CJASCQ.exe
File opened for modification	C:\windows\system\XZV.exe	CJASCQ.exe
File created	C:\windows\ABDSVX.exe.bat	FAHE.exe
File opened for modification	C:\windows\FPOAUPT.exe	ABOIO.exe
File created	C:\windows\KRE.exe.bat	BARKF.exe
File created	C:\windows\system\WLMYJA.exe.bat	TSCIO.exe
File created	C:\windows\KKT.exe.bat	OMFPRX.exe
File created	C:\windows\system\MGSPN.exe.bat	BTFM.exe
File opened for modification	C:\windows\ETOSRH.exe	EXCVXFY.exe
File created	C:\windows\OFRSUE.exe	SUE.exe
File opened for modification	C:\windows\system\BTFM.exe	BZDC.exe
File created	C:\windows\WUC.exe.bat	ABDSVX.exe
File opened for modification	C:\windows\FWXZ.exe	JADMO.exe
File opened for modification	C:\windows\CNB.exe	KUF.exe
File opened for modification	C:\windows\WEZYXQX.exe	ZYHI.exe
File created	C:\windows\VSS.exe	NKKO.exe
File created	C:\windows\FWXZ.exe	JADMO.exe
File opened for modification	C:\windows\system\UOZ.exe	KKT.exe
File created	C:\windows\PGITSXQ.exe.bat	OIAKHN.exe
File created	C:\windows\system\HWFNHIH.exe.bat	ARZHJD.exe
File created	C:\windows\system\ASDJV.exe.bat	HXWEAQ.exe
File opened for modification	C:\windows\OFRSUE.exe	SUE.exe
File created	C:\windows\system\ZDFDTM.exe.bat	JPJCBVA.exe
File created	C:\windows\system\UOMRYV.exe.bat	RCGSZE.exe
File created	C:\windows\system\WORJU.exe.bat	WLMYJA.exe
File created	C:\windows\WEZYXQX.exe.bat	ZYHI.exe
File created	C:\windows\system\DFNZSQ.exe	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
File created	C:\windows\system\DFNZSQ.exe.bat	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
File opened for modification	C:\windows\PGITSXQ.exe	OIAKHN.exe
File opened for modification	C:\windows\system\FFI.exe	HWFNHIH.exe
File created	C:\windows\FPOAUPT.exe.bat	ABOIO.exe
File created	C:\windows\system\KUF.exe.bat	IQI.exe
File opened for modification	C:\windows\CJASCQ.exe	UQN.exe
File created	C:\windows\PGITSXQ.exe	OIAKHN.exe
File opened for modification	C:\windows\VSS.exe	NKKO.exe
File created	C:\windows\system\COAMS.exe.bat	FFI.exe
File created	C:\windows\TSCIO.exe	KRE.exe
File opened for modification	C:\windows\OMFPRX.exe	WORJU.exe
File opened for modification	C:\windows\system\COAMS.exe	FFI.exe
File created	C:\windows\SEIID.exe	XSHB.exe
File created	C:\windows\ETOSRH.exe	EXCVXFY.exe
File created	C:\windows\system\TSAEX.exe	VSS.exe
File created	C:\windows\ETOSRH.exe.bat	EXCVXFY.exe
File created	C:\windows\WEZYXQX.exe	ZYHI.exe
File created	C:\windows\NKKO.exe	BORABFJ.exe
File created	C:\windows\KKT.exe	OMFPRX.exe
File created	C:\windows\OMFPRX.exe	WORJU.exe
File created	C:\windows\system\KUF.exe	IQI.exe
File opened for modification	C:\windows\UQN.exe	UCAAWL.exe
File created	C:\windows\NKKO.exe.bat	BORABFJ.exe
File created	C:\windows\system\MGSPN.exe	BTFM.exe
File created	C:\windows\system\GXCBI.exe	MGSPN.exe
File opened for modification	C:\windows\WUC.exe	ABDSVX.exe
File created	C:\windows\FWXZ.exe.bat	JADMO.exe
File opened for modification	C:\windows\system\WORJU.exe	WLMYJA.exe
File created	C:\windows\CJASCQ.exe.bat	UQN.exe
File opened for modification	C:\windows\system\BARKF.exe	JUVW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 59 IoCs

pid	pid_target	Process	procid_target
4752	2632	WerFault.exe	89
3672	2516	WerFault.exe	98
2628	1968	WerFault.exe	104
1312	2808	WerFault.exe	109
2692	4568	WerFault.exe	156
2780	4500	WerFault.exe	161
644	4468	WerFault.exe	166
3936	3272	WerFault.exe	171
944	2520	WerFault.exe	176
4904	4300	WerFault.exe	181
2156	3852	WerFault.exe	186
3224	4412	WerFault.exe	191
3788	3556	WerFault.exe	198
2812	3424	WerFault.exe	203
4100	1188	WerFault.exe	208
4924	1536	WerFault.exe	214
884	3672	WerFault.exe	220
2156	4140	WerFault.exe	225
2668	4356	WerFault.exe	231
5080	3092	WerFault.exe	236
3608	3480	WerFault.exe	242
216	3888	WerFault.exe	247
4544	4888	WerFault.exe	252
744	4716	WerFault.exe	257
2432	3920	WerFault.exe	262
4016	4248	WerFault.exe	267
4992	5008	WerFault.exe	272
2380	4632	WerFault.exe	278
4500	556	WerFault.exe	283
1408	4356	WerFault.exe	288
492	2412	WerFault.exe	293
3292	4112	WerFault.exe	299
3144	3572	WerFault.exe	304
2056	3084	WerFault.exe	309
1336	1472	WerFault.exe	314
3208	5068	WerFault.exe	319
4400	1808	WerFault.exe	324
2672	3788	WerFault.exe	329
2120	2456	WerFault.exe	334
2380	5008	WerFault.exe	339
4476	2964	WerFault.exe	344
2368	1732	WerFault.exe	349
1528	3468	WerFault.exe	354
4716	3944	WerFault.exe	359
4840	3064	WerFault.exe	364
4412	1296	WerFault.exe	369
4332	3888	WerFault.exe	374
4380	5080	WerFault.exe	379
1528	3092	WerFault.exe	384
3732	216	WerFault.exe	389
2176	3944	WerFault.exe	395
5048	2120	WerFault.exe	400
1536	228	WerFault.exe	405
1500	4108	WerFault.exe	410
3132	1168	WerFault.exe	415
3920	1324	WerFault.exe	420
1244	3460	WerFault.exe	425
540	216	WerFault.exe	431
4956	4208	WerFault.exe	436

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
2516	DFNZSQ.exe
2516	DFNZSQ.exe
1968	YKWQJSN.exe
1968	YKWQJSN.exe
2808	PFDH.exe
2808	PFDH.exe
3816	OIAKHN.exe
3816	OIAKHN.exe
3968	PGITSXQ.exe
3968	PGITSXQ.exe
3104	USS.exe
3104	USS.exe
3872	AVE.exe
3872	AVE.exe
1668	BORABFJ.exe
1668	BORABFJ.exe
884	NKKO.exe
884	NKKO.exe
2604	VSS.exe
2604	VSS.exe
3460	TSAEX.exe
3460	TSAEX.exe
468	ARPBQZR.exe
468	ARPBQZR.exe
4040	JPJCBVA.exe
4040	JPJCBVA.exe
4568	ZDFDTM.exe
4568	ZDFDTM.exe
4500	LWHQG.exe
4500	LWHQG.exe
4468	RCGSZE.exe
4468	RCGSZE.exe
3272	UOMRYV.exe
3272	UOMRYV.exe
2520	VJSIOCT.exe
2520	VJSIOCT.exe
4300	YCPF.exe
4300	YCPF.exe
3852	CVUBA.exe
3852	CVUBA.exe
4412	ARZHJD.exe
4412	ARZHJD.exe
3556	HWFNHIH.exe
3556	HWFNHIH.exe
3424	FFI.exe
3424	FFI.exe
1188	COAMS.exe
1188	COAMS.exe
1536	BZDC.exe
1536	BZDC.exe
3672	BTFM.exe
3672	BTFM.exe
4140	MGSPN.exe
4140	MGSPN.exe
4356	GXCBI.exe
4356	GXCBI.exe
3092	FAHE.exe
3092	FAHE.exe
3480	ABDSVX.exe
3480	ABDSVX.exe
3888	WUC.exe
3888	WUC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
2516	DFNZSQ.exe
2516	DFNZSQ.exe
1968	YKWQJSN.exe
1968	YKWQJSN.exe
2808	PFDH.exe
2808	PFDH.exe
3816	OIAKHN.exe
3816	OIAKHN.exe
3968	PGITSXQ.exe
3968	PGITSXQ.exe
3104	USS.exe
3104	USS.exe
3872	AVE.exe
3872	AVE.exe
1668	BORABFJ.exe
1668	BORABFJ.exe
884	NKKO.exe
884	NKKO.exe
2604	VSS.exe
2604	VSS.exe
3460	TSAEX.exe
3460	TSAEX.exe
468	ARPBQZR.exe
468	ARPBQZR.exe
4040	JPJCBVA.exe
4040	JPJCBVA.exe
4568	ZDFDTM.exe
4568	ZDFDTM.exe
4500	LWHQG.exe
4500	LWHQG.exe
4468	RCGSZE.exe
4468	RCGSZE.exe
3272	UOMRYV.exe
3272	UOMRYV.exe
2520	VJSIOCT.exe
2520	VJSIOCT.exe
4300	YCPF.exe
4300	YCPF.exe
3852	CVUBA.exe
3852	CVUBA.exe
4412	ARZHJD.exe
4412	ARZHJD.exe
3556	HWFNHIH.exe
3556	HWFNHIH.exe
3424	FFI.exe
3424	FFI.exe
1188	COAMS.exe
1188	COAMS.exe
1536	BZDC.exe
1536	BZDC.exe
3672	BTFM.exe
3672	BTFM.exe
4140	MGSPN.exe
4140	MGSPN.exe
4356	GXCBI.exe
4356	GXCBI.exe
3092	FAHE.exe
3092	FAHE.exe
3480	ABDSVX.exe
3480	ABDSVX.exe
3888	WUC.exe
3888	WUC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2792	2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe	95
PID 2632 wrote to memory of 2792	2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe	95
PID 2632 wrote to memory of 2792	2632	NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe	95
PID 2792 wrote to memory of 2516	2792	cmd.exe	98
PID 2792 wrote to memory of 2516	2792	cmd.exe	98
PID 2792 wrote to memory of 2516	2792	cmd.exe	98
PID 2516 wrote to memory of 4828	2516	DFNZSQ.exe	100
PID 2516 wrote to memory of 4828	2516	DFNZSQ.exe	100
PID 2516 wrote to memory of 4828	2516	DFNZSQ.exe	100
PID 4828 wrote to memory of 1968	4828	cmd.exe	104
PID 4828 wrote to memory of 1968	4828	cmd.exe	104
PID 4828 wrote to memory of 1968	4828	cmd.exe	104
PID 1968 wrote to memory of 2380	1968	YKWQJSN.exe	105
PID 1968 wrote to memory of 2380	1968	YKWQJSN.exe	105
PID 1968 wrote to memory of 2380	1968	YKWQJSN.exe	105
PID 2380 wrote to memory of 2808	2380	cmd.exe	109
PID 2380 wrote to memory of 2808	2380	cmd.exe	109
PID 2380 wrote to memory of 2808	2380	cmd.exe	109
PID 2808 wrote to memory of 3716	2808	PFDH.exe	110
PID 2808 wrote to memory of 3716	2808	PFDH.exe	110
PID 2808 wrote to memory of 3716	2808	PFDH.exe	110
PID 3716 wrote to memory of 3816	3716	cmd.exe	113
PID 3716 wrote to memory of 3816	3716	cmd.exe	113
PID 3716 wrote to memory of 3816	3716	cmd.exe	113
PID 3816 wrote to memory of 5076	3816	OIAKHN.exe	115
PID 3816 wrote to memory of 5076	3816	OIAKHN.exe	115
PID 3816 wrote to memory of 5076	3816	OIAKHN.exe	115
PID 5076 wrote to memory of 3968	5076	cmd.exe	118
PID 5076 wrote to memory of 3968	5076	cmd.exe	118
PID 5076 wrote to memory of 3968	5076	cmd.exe	118
PID 3968 wrote to memory of 3932	3968	PGITSXQ.exe	119
PID 3968 wrote to memory of 3932	3968	PGITSXQ.exe	119
PID 3968 wrote to memory of 3932	3968	PGITSXQ.exe	119
PID 3932 wrote to memory of 3104	3932	cmd.exe	122
PID 3932 wrote to memory of 3104	3932	cmd.exe	122
PID 3932 wrote to memory of 3104	3932	cmd.exe	122
PID 3104 wrote to memory of 4776	3104	USS.exe	123
PID 3104 wrote to memory of 4776	3104	USS.exe	123
PID 3104 wrote to memory of 4776	3104	USS.exe	123
PID 4776 wrote to memory of 3872	4776	cmd.exe	126
PID 4776 wrote to memory of 3872	4776	cmd.exe	126
PID 4776 wrote to memory of 3872	4776	cmd.exe	126
PID 3872 wrote to memory of 4248	3872	AVE.exe	127
PID 3872 wrote to memory of 4248	3872	AVE.exe	127
PID 3872 wrote to memory of 4248	3872	AVE.exe	127
PID 4248 wrote to memory of 1668	4248	cmd.exe	130
PID 4248 wrote to memory of 1668	4248	cmd.exe	130
PID 4248 wrote to memory of 1668	4248	cmd.exe	130
PID 1668 wrote to memory of 1996	1668	BORABFJ.exe	131
PID 1668 wrote to memory of 1996	1668	BORABFJ.exe	131
PID 1668 wrote to memory of 1996	1668	BORABFJ.exe	131
PID 1996 wrote to memory of 884	1996	cmd.exe	134
PID 1996 wrote to memory of 884	1996	cmd.exe	134
PID 1996 wrote to memory of 884	1996	cmd.exe	134
PID 884 wrote to memory of 4140	884	NKKO.exe	135
PID 884 wrote to memory of 4140	884	NKKO.exe	135
PID 884 wrote to memory of 4140	884	NKKO.exe	135
PID 4140 wrote to memory of 2604	4140	cmd.exe	138
PID 4140 wrote to memory of 2604	4140	cmd.exe	138
PID 4140 wrote to memory of 2604	4140	cmd.exe	138
PID 2604 wrote to memory of 824	2604	VSS.exe	139
PID 2604 wrote to memory of 824	2604	VSS.exe	139
PID 2604 wrote to memory of 824	2604	VSS.exe	139
PID 824 wrote to memory of 3460	824	cmd.exe	142

C:\Users\Admin\AppData\Local\Temp\NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3ec55276c135dfb48c1874c735fc2e00_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\DFNZSQ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\windows\system\DFNZSQ.exe
    C:\windows\system\DFNZSQ.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKWQJSN.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\windows\SysWOW64\YKWQJSN.exe
        
        C:\windows\system32\YKWQJSN.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\windows\SysWOW64\PFDH.exe
        
        C:\windows\system32\PFDH.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OIAKHN.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\windows\OIAKHN.exe
        
        C:\windows\OIAKHN.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PGITSXQ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\windows\PGITSXQ.exe
        
        C:\windows\PGITSXQ.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\USS.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\windows\SysWOW64\USS.exe
        
        C:\windows\system32\USS.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVE.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\windows\SysWOW64\AVE.exe
        
        C:\windows\system32\AVE.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BORABFJ.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\windows\SysWOW64\BORABFJ.exe
        
        C:\windows\system32\BORABFJ.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NKKO.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\windows\NKKO.exe
        
        C:\windows\NKKO.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VSS.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\windows\VSS.exe
        
        C:\windows\VSS.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TSAEX.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\windows\system\TSAEX.exe
        
        C:\windows\system\TSAEX.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARPBQZR.exe.bat" "
        24⤵
        
        PID:1536
        
        C:\windows\SysWOW64\ARPBQZR.exe
        
        C:\windows\system32\ARPBQZR.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPJCBVA.exe.bat" "
        26⤵
        
        PID:3900
        
        C:\windows\SysWOW64\JPJCBVA.exe
        
        C:\windows\system32\JPJCBVA.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZDFDTM.exe.bat" "
        28⤵
        
        PID:384
        
        C:\windows\system\ZDFDTM.exe
        
        C:\windows\system\ZDFDTM.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWHQG.exe.bat" "
        30⤵
        
        PID:3944
        
        C:\windows\SysWOW64\LWHQG.exe
        
        C:\windows\system32\LWHQG.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCGSZE.exe.bat" "
        32⤵
        
        PID:5068
        
        C:\windows\SysWOW64\RCGSZE.exe
        
        C:\windows\system32\RCGSZE.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UOMRYV.exe.bat" "
        34⤵
        
        PID:3920
        
        C:\windows\system\UOMRYV.exe
        
        C:\windows\system\UOMRYV.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJSIOCT.exe.bat" "
        36⤵
        
        PID:2284
        
        C:\windows\SysWOW64\VJSIOCT.exe
        
        C:\windows\system32\VJSIOCT.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCPF.exe.bat" "
        38⤵
        
        PID:1212
        
        C:\windows\SysWOW64\YCPF.exe
        
        C:\windows\system32\YCPF.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CVUBA.exe.bat" "
        40⤵
        
        PID:4148
        
        C:\windows\system\CVUBA.exe
        
        C:\windows\system\CVUBA.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARZHJD.exe.bat" "
        42⤵
        
        PID:2948
        
        C:\windows\SysWOW64\ARZHJD.exe
        
        C:\windows\system32\ARZHJD.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HWFNHIH.exe.bat" "
        44⤵
        
        PID:4856
        
        C:\windows\system\HWFNHIH.exe
        
        C:\windows\system\HWFNHIH.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFI.exe.bat" "
        46⤵
        
        PID:3476
        
        C:\windows\system\FFI.exe
        
        C:\windows\system\FFI.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\COAMS.exe.bat" "
        48⤵
        
        PID:1532
        
        C:\windows\system\COAMS.exe
        
        C:\windows\system\COAMS.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BZDC.exe.bat" "
        50⤵
        
        PID:4040
        
        C:\windows\SysWOW64\BZDC.exe
        
        C:\windows\system32\BZDC.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTFM.exe.bat" "
        52⤵
        
        PID:4240
        
        C:\windows\system\BTFM.exe
        
        C:\windows\system\BTFM.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGSPN.exe.bat" "
        54⤵
        
        PID:4888
        
        C:\windows\system\MGSPN.exe
        
        C:\windows\system\MGSPN.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GXCBI.exe.bat" "
        56⤵
        
        PID:2052
        
        C:\windows\system\GXCBI.exe
        
        C:\windows\system\GXCBI.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FAHE.exe.bat" "
        58⤵
        
        PID:4560
        
        C:\windows\SysWOW64\FAHE.exe
        
        C:\windows\system32\FAHE.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ABDSVX.exe.bat" "
        60⤵
        
        PID:2468
        
        C:\windows\ABDSVX.exe
        
        C:\windows\ABDSVX.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WUC.exe.bat" "
        62⤵
        
        PID:3064
        
        C:\windows\WUC.exe
        
        C:\windows\WUC.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JADMO.exe.bat" "
        64⤵
        
        PID:4608
        
        C:\windows\SysWOW64\JADMO.exe
        
        C:\windows\system32\JADMO.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FWXZ.exe.bat" "
        66⤵
        
        PID:1296
        
        C:\windows\FWXZ.exe
        
        C:\windows\FWXZ.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXWEAQ.exe.bat" "
        68⤵
        
        PID:4412
        
        C:\windows\SysWOW64\HXWEAQ.exe
        
        C:\windows\system32\HXWEAQ.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASDJV.exe.bat" "
        70⤵
        
        PID:4356
        
        C:\windows\system\ASDJV.exe
        
        C:\windows\system\ASDJV.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABOIO.exe.bat" "
        72⤵
        
        PID:1528
        
        C:\windows\SysWOW64\ABOIO.exe
        
        C:\windows\system32\ABOIO.exe
        73⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FPOAUPT.exe.bat" "
        74⤵
        
        PID:4620
        
        C:\windows\FPOAUPT.exe
        
        C:\windows\FPOAUPT.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSHB.exe.bat" "
        76⤵
        
        PID:4328
        
        C:\windows\SysWOW64\XSHB.exe
        
        C:\windows\system32\XSHB.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SEIID.exe.bat" "
        78⤵
        
        PID:3024
        
        C:\windows\SEIID.exe
        
        C:\windows\SEIID.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HERB.exe.bat" "
        80⤵
        
        PID:1472
        
        C:\windows\system\HERB.exe
        
        C:\windows\system\HERB.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EXCVXFY.exe.bat" "
        82⤵
        
        PID:2604
        
        C:\windows\SysWOW64\EXCVXFY.exe
        
        C:\windows\system32\EXCVXFY.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ETOSRH.exe.bat" "
        84⤵
        
        PID:1688
        
        C:\windows\ETOSRH.exe
        
        C:\windows\ETOSRH.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUE.exe.bat" "
        86⤵
        
        PID:3472
        
        C:\windows\SysWOW64\SUE.exe
        
        C:\windows\system32\SUE.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OFRSUE.exe.bat" "
        88⤵
        
        PID:4240
        
        C:\windows\OFRSUE.exe
        
        C:\windows\OFRSUE.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YLNPZJL.exe.bat" "
        90⤵
        
        PID:3608
        
        C:\windows\YLNPZJL.exe
        
        C:\windows\YLNPZJL.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUVW.exe.bat" "
        92⤵
        
        PID:2780
        
        C:\windows\SysWOW64\JUVW.exe
        
        C:\windows\system32\JUVW.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BARKF.exe.bat" "
        94⤵
        
        PID:4108
        
        C:\windows\system\BARKF.exe
        
        C:\windows\system\BARKF.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KRE.exe.bat" "
        96⤵
        
        PID:2856
        
        C:\windows\KRE.exe
        
        C:\windows\KRE.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TSCIO.exe.bat" "
        98⤵
        
        PID:636
        
        C:\windows\TSCIO.exe
        
        C:\windows\TSCIO.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLMYJA.exe.bat" "
        100⤵
        
        PID:3628
        
        C:\windows\system\WLMYJA.exe
        
        C:\windows\system\WLMYJA.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WORJU.exe.bat" "
        102⤵
        
        PID:1628
        
        C:\windows\system\WORJU.exe
        
        C:\windows\system\WORJU.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMFPRX.exe.bat" "
        104⤵
        
        PID:1752
        
        C:\windows\OMFPRX.exe
        
        C:\windows\OMFPRX.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KKT.exe.bat" "
        106⤵
        
        PID:4112
        
        C:\windows\KKT.exe
        
        C:\windows\KKT.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UOZ.exe.bat" "
        108⤵
        
        PID:4500
        
        C:\windows\system\UOZ.exe
        
        C:\windows\system\UOZ.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFWWFMF.exe.bat" "
        110⤵
        
        PID:4588
        
        C:\windows\SysWOW64\UFWWFMF.exe
        
        C:\windows\system32\UFWWFMF.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQI.exe.bat" "
        112⤵
        
        PID:1188
        
        C:\windows\SysWOW64\IQI.exe
        
        C:\windows\system32\IQI.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KUF.exe.bat" "
        114⤵
        
        PID:3096
        
        C:\windows\system\KUF.exe
        
        C:\windows\system\KUF.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNB.exe.bat" "
        116⤵
        
        PID:4768
        
        C:\windows\CNB.exe
        
        C:\windows\CNB.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNDG.exe.bat" "
        118⤵
        
        PID:4904
        
        C:\windows\SysWOW64\GNDG.exe
        
        C:\windows\system32\GNDG.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WBZ.exe.bat" "
        120⤵
        
        PID:2784
        
        C:\windows\SysWOW64\WBZ.exe
        
        C:\windows\system32\WBZ.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UCAAWL.exe.bat" "
        122⤵
        
        PID:4844
        
        C:\windows\system\UCAAWL.exe
        
        C:\windows\system\UCAAWL.exe
        123⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UQN.exe.bat" "
        124⤵
        
        PID:3004
        
        C:\windows\UQN.exe
        
        C:\windows\UQN.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CJASCQ.exe.bat" "
        126⤵
        
        PID:4956
        
        C:\windows\CJASCQ.exe
        
        C:\windows\CJASCQ.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XZV.exe.bat" "
        128⤵
        
        PID:184
        
        C:\windows\system\XZV.exe
        
        C:\windows\system\XZV.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKYR.exe.bat" "
        130⤵
        
        PID:824
        
        C:\windows\SysWOW64\RKYR.exe
        
        C:\windows\system32\RKYR.exe
        131⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYHI.exe.bat" "
        132⤵
        
        PID:1996
        
        C:\windows\SysWOW64\ZYHI.exe
        
        C:\windows\system32\ZYHI.exe
        133⤵
        Drops file in Windows directory
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WEZYXQX.exe.bat" "
        134⤵
        
        PID:4844
        
        C:\windows\WEZYXQX.exe
        
        C:\windows\WEZYXQX.exe
        135⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RJLBI.exe.bat" "
        136⤵
        
        PID:736
        
        C:\windows\SysWOW64\RJLBI.exe
        
        C:\windows\system32\RJLBI.exe
        137⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HIDD.exe.bat" "
        138⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 960
        138⤵
        Program crash
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 976
        136⤵
        Program crash
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 988
        134⤵
        Program crash
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 960
        132⤵
        Program crash
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1264
        130⤵
        Program crash
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 960
        128⤵
        Program crash
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1324
        126⤵
        Program crash
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 988
        124⤵
        Program crash
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 988
        122⤵
        Program crash
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1240
        120⤵
        Program crash
        
        PID:3732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 960
        118⤵
        Program crash
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 980
        116⤵
        Program crash
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1304
        114⤵
        Program crash
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 872
        112⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1328
        110⤵
        Program crash
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1336
        108⤵
        Program crash
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1324
        106⤵
        Program crash
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1304
        104⤵
        Program crash
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 960
        102⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 964
        100⤵
        Program crash
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1324
        98⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1304
        96⤵
        Program crash
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1336
        94⤵
        Program crash
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960
        92⤵
        Program crash
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960
        90⤵
        Program crash
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 992
        88⤵
        Program crash
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1328
        86⤵
        Program crash
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 988
        84⤵
        Program crash
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 960
        82⤵
        Program crash
        
        PID:492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 960
        80⤵
        Program crash
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 984
        78⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1328
        76⤵
        Program crash
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1304
        74⤵
        Program crash
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 960
        72⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1184
        70⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1312
        68⤵
        Program crash
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1292
        66⤵
        Program crash
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1328
        64⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1324
        62⤵
        Program crash
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1324
        60⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1264
        58⤵
        Program crash
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 988
        56⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 988
        54⤵
        Program crash
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1248
        52⤵
        Program crash
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1328
        50⤵
        Program crash
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1308
        48⤵
        Program crash
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1336
        46⤵
        Program crash
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 992
        44⤵
        Program crash
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 976
        42⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 988
        40⤵
        Program crash
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 960
        38⤵
        Program crash
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1308
        36⤵
        Program crash
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 960
        34⤵
        Program crash
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1328
        32⤵
        Program crash
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1296
        30⤵
        Program crash
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1296
        8⤵
        Program crash
        
        PID:1312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1328
        6⤵
        Program crash
        
        PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1300
      4⤵
      Program crash
      PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1320
  2⤵
  - Program crash
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2632 -ip 2632
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2516 -ip 2516
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2808 -ip 2808
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3816 -ip 3816
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3968 -ip 3968
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3104 -ip 3104
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3872 -ip 3872
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1668 -ip 1668
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 884 -ip 884
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2604 -ip 2604
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3460 -ip 3460
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 468 -ip 468
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4040 -ip 4040
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4500 -ip 4500
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4468 -ip 4468
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3272 -ip 3272
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2520 -ip 2520
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4300 -ip 4300
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3852 -ip 3852
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4412 -ip 4412
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3556 -ip 3556
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3424 -ip 3424
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1188 -ip 1188
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1536 -ip 1536
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3672 -ip 3672
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4140 -ip 4140
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4356 -ip 4356
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3092 -ip 3092
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3480 -ip 3480
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3888 -ip 3888
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4888 -ip 4888
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4716 -ip 4716
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3920 -ip 3920
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4248 -ip 4248
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5008 -ip 5008
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4632 -ip 4632
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 556 -ip 556
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4356 -ip 4356
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2412 -ip 2412
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4112 -ip 4112
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3572 -ip 3572
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3084 -ip 3084
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1472 -ip 1472
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5068 -ip 5068
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1808 -ip 1808
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3788 -ip 3788
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2456 -ip 2456
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5008 -ip 5008
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2964 -ip 2964
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1732 -ip 1732
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3468 -ip 3468
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3944 -ip 3944
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3064 -ip 3064
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1296 -ip 1296
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3888 -ip 3888
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5080 -ip 5080
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3092 -ip 3092
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 216 -ip 216
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3944 -ip 3944
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2120 -ip 2120
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 228 -ip 228
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4108 -ip 4108
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1168 -ip 1168
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1324 -ip 1324
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3460 -ip 3460
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 216 -ip 216
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4208 -ip 4208
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\NKKO.exe

Filesize
320KB

MD5
87c0d6fc21fab6ada32ba693b3ba2b34

SHA1
ce95c07237b64f6fb7d960bdb00fbd892f0a38cd

SHA256
9d721d9c347b712a1003067c27bd94b46b2eb2e1911194d375c718253a45eb69

SHA512
0ee8e19cf720d0ca3e01b394818d961ebc2a1afb62f056b7c19a602a708e67f4391fb42fdb993f28a9b97b5c691e2f90d5db7ee2a95d0fe062f8987d028e3cc7

Download Submit
C:\Windows\OIAKHN.exe

Filesize
320KB

MD5
0787e4ea4ea263306673e2fabac554fe

SHA1
8b2a69f07da080dcfc633f2cad8e43fa307e1fef

SHA256
e2e01728cb0696c7eb7b171a6c79ec1d1958469c5f92241dff4b02069bffcc59

SHA512
793dc869b0be517e4fb2f9059cd55cb918f471f48c7f75f3550def8d6036a663c83104b2f4b9f481705645f88c69ac3a07640c08762826591be16d3b494b58e7

Download Submit
C:\Windows\PGITSXQ.exe

Filesize
320KB

MD5
837d7b05786ebc699f31dabc43ac4ac2

SHA1
9e4e60287cc2e3058fa20be6f222f088c64e8e47

SHA256
3c0b6a6b9d271ff6c7ed5c24ff77e210ed19f93f4a3e64d5dc738751af851d98

SHA512
759afe70928038f747b7f8fa2bbbc92d0184648aad0b096a7510438861dbb01afeee775db595b2d0e030dd91fbc77bae33e8a62f2003c262492d590a9cd76fd5

Download Submit
C:\Windows\SysWOW64\ARPBQZR.exe

Filesize
320KB

MD5
0989503f0746a21f08de686d5a5189af

SHA1
ab79fa4f9ace6abbc9fc268c26f2763eb9ba484a

SHA256
2e02d7ce35ed2af86784c5b069e3bdf05c52684c0fedbe2f648e071f2334aa58

SHA512
bc984e47ece697bf887946791aeb30c5b241fe6e2ac794048be0f436e8203d060fb488acbc99f6abb05f606a79b54df354f7d4a3587596b1e356c53c9730f7aa

Download Submit
C:\Windows\SysWOW64\ARZHJD.exe

Filesize
320KB

MD5
0bd5652de6cc0620ef6326f61d85778e

SHA1
1f17f0407ef44e5f9297da8920f81840b0160c63

SHA256
9cc38bea48b9fe78a305d62e1ee0bf5f96950abc2310117b8d3ebae6d39b75cf

SHA512
9ff45c2a289ad79f73dfc58a4fafa624803dc28916ac9ce40ec7d7ca53c6f7560a791c897a25124e1d166d2a034163d1783687a8ed2797b8287a6be37da056f8

Download Submit
C:\Windows\SysWOW64\AVE.exe

Filesize
320KB

MD5
c99e4bb58c8a13d08e1e6c3ea38ce8e7

SHA1
856940a9ed9653201b0d36d57394693dd46c34f5

SHA256
b22f705db2e19761a590ed993fc356d7e7cb1b80b0439559bca2e51ec27749d2

SHA512
53f79d6074c977f791364dddfb5c72c02b289d59f0368de5c3d7bc8e52f96f8224d56b4d2ed249892cd46bab807b7506e5b426c30ee3a7b44cd8b34870c5f18e

Download Submit
C:\Windows\SysWOW64\BORABFJ.exe

Filesize
320KB

MD5
f743ffe197dc836c4598627c3d7279d3

SHA1
7ef6b29bd83df8ab5bc991531ca5146f7dc47969

SHA256
aba5504ace0277355ed0d1cf56aeed3d285c4b271ba22f0142fb7728f201ee1f

SHA512
4a634060c7fd46edcd0e8164b4b2ac19d85d7a38dae1293383c2450a1445d990a48b7b0e315ee5cc93d3f24fc5eee2591e02c0380f687c5b18322813df98c7e8

Download Submit
C:\Windows\SysWOW64\JPJCBVA.exe

Filesize
320KB

MD5
14247406ab9dd5239fb7a447e5bc5eca

SHA1
44fef1b48f7c18ba013dfbc3227525f2934103cc

SHA256
46749942f652cfaae98ddc5141039b06e8325269485a91e9fb3bbefedd94ed74

SHA512
3c69c5ede5482e490d92ce699a69da86732d9c8f70c084d8c4f54d768fc090e793ae2f0759877d11cb2b5db4c6843ece205a9eb242ec17e4d036b6d909b55009

Download Submit
C:\Windows\SysWOW64\LWHQG.exe

Filesize
320KB

MD5
f0a65889737c02ad3b3101254405f1d3

SHA1
e35edcdbefd4ef08104c8eb3ae02a39566e82462

SHA256
0086a276e7ca2547cc0144b2766cdd97db73be37d9c51a5fc474d44d51182bfb

SHA512
8ea8e6534b51e0c75deaa983ba9794fa01b479e19fff842c95c5f6eb34fd598df0c0ba1298bd373309e237c224511a8acedd57686b35b720089b64a0b93826f3

Download Submit
C:\Windows\SysWOW64\PFDH.exe

Filesize
320KB

MD5
691ba30716b3221e5546f8dc821a1ec6

SHA1
a48b9e3acf604b2099848e3d5efd4269786689b4

SHA256
8d550ccc2b7169e41f08f4533bc3bc1a9978c989ed323f0d2e4e37eb02c83235

SHA512
a1f1a3d30c27a64ebd4d7b639a9d021ec784b3ccc5a8b7ab673eaf3063577749724ee17e83f763243fb176df11ff2d2d815cbe56e18cd71e625820ff1dd5e687

Download Submit
C:\Windows\SysWOW64\RCGSZE.exe

Filesize
320KB

MD5
977e5f87d08ff44a15b6f78ccd1aded0

SHA1
245137527b5f97a9db1caccd863db93aa9d2daf8

SHA256
47a8d364f1a130e4fa14c43d42f95391c6b10b2c017f3ed57fa0eae4e5fdf045

SHA512
890d6be76416bdc2a529474ace81bbfeb96d614b59426b92738e3803c254481372b46646980b16c7f856e77a2db55b5965ff5212cb5fc018ce7af5cb45d94d41

Download Submit
C:\Windows\SysWOW64\USS.exe

Filesize
320KB

MD5
ca97a60e00308d4327192c523d3df790

SHA1
fc61cfbf37e82bc34884e17e094f862f8cb872cc

SHA256
0333ba4f9801a5cb0fd1759819ffd5daa287602a82ce473048e7334f618e0e94

SHA512
0314c61a5b4b9235e830b78b45a033b6df3d6406d03e5c14fba1559211a8d8e752d14cff53f04acd4635249880e1d837be12daee10d5299e63b06935a077c63a

Download Submit
C:\Windows\SysWOW64\VJSIOCT.exe

Filesize
320KB

MD5
16ee49bd2e30d5c91c21efd1d7403c68

SHA1
0014aee97198f996c24fe3d7258506ad608da8db

SHA256
ebf9adeac9dce38a77293735470cb8a1d2532a8feadcce2628d9ac19baceabdd

SHA512
730304bda4e0ffef1294bbf2eeceb0ad557bfb0cfbd7996a6071df435ecc4dfd111a2987c679ca865e7f5d1064b24857ae47a6680f6c363d6cfdf2507daee028

Download Submit
C:\Windows\SysWOW64\YCPF.exe

Filesize
320KB

MD5
83126d8410891dbfd6b517ef8dd64f32

SHA1
ef8aff8f08c38a41fde49cfd6ff32b02ec6f284a

SHA256
9a9939a9727fe9d0a881537ca5f056cc2e780eb9bbcc7c842e89f2f231bd2dbd

SHA512
f8551cf5c0e505aaff7b265c08cf6d8b283188c2590b9945d1f47533828ca99864d73f045d7a4062cc5c2a6594a0da78c4964fb5f5a76a25a0e763fadd2e4508

Download Submit
C:\Windows\SysWOW64\YKWQJSN.exe

Filesize
320KB

MD5
59fa096ce2e21a26ea330ce2b140bad2

SHA1
fe645399e6ea7cce86246a4a8059f99c45145365

SHA256
71d4b0996e5be46afe05e88984dce3abbc5cfefe35c28c06a3555d3668c150ad

SHA512
5554010c2a7f6df3865fe3dee2972e73b028b83a170f73c331eb798f3af3d7cbac3dd5eaceec1645f6e9d8ce34fa1bd8ddc9a9b05e9654019233d2c0a24634f7

Download Submit
C:\Windows\SysWOW64\YKWQJSN.exe

Filesize
320KB

MD5
f1ab63366fef249432083ace70898122

SHA1
a4edfc6ff23493c4d1b18b1ab8d63b0d38e51006

SHA256
78a736b35f4c127b130f562ae6c786440d97b77baa97eb8658ddc4f4f2cb0bad

SHA512
75ee9fd6ead67c0f9930365f53075735dde6fc3aa690b257aa498f47c7a02ff4dbf73dd070ff7248bc870287ef00eb63fcf8219606d0ab995ba6e504b4e8a4c4

Download Submit
C:\Windows\System\CVUBA.exe

Filesize
320KB

MD5
72a286f63575285a93ccaef4e3d78a05

SHA1
3fbfed6493152bc3e667840c3225a021c8e10674

SHA256
ac8413da3e30b71bb4322b81eacf24664b954183c71215541a27369d20c756d7

SHA512
1c16316348f0c896db550420d703a60568d82200ceebbd96d3c2de05e7d02fce4f0cc565c053e791503412c3c0c9d9a517ef65780299a388679845ee5b93e322

Download Submit
C:\Windows\System\DFNZSQ.exe

Filesize
320KB

MD5
c121811475860a7ed00c077ccc120d83

SHA1
61a13acb3a72cc4124a49dbdd97e57e5e5eec8bb

SHA256
ec807225b8ed83d872e1a75b0c9d1471a9be363a7cabf204aff75b406a0e7c9f

SHA512
0b185c591860c14b44b574563f48835ed736b02ad5a7b20b2af6fbbcc0c4fb1c854ec2ef5a04f933c28c862bd3da7057ac4013b822cace0886924e3ff7e43fbe

Download Submit
C:\Windows\System\TSAEX.exe

Filesize
320KB

MD5
9040620b6670528d996cffbff47a787e

SHA1
5a1e863cb481b0ae20951c2366c71fedb0aafec8

SHA256
e5b25b2f07de046f581d5338c90b924b74a49363f699f7bec328edd252b48357

SHA512
8d3d642d16e43ae9777ceaf284901ef176f3335ec41a79314bffcbe4ee17f9ecdf9de2b72ff3395608e34bbe02b4168f49aaa78adf703f56e2a9f15fc05e4f36

Download Submit
C:\Windows\System\UOMRYV.exe

Filesize
320KB

MD5
f010c2e674674ad5d5bc760779f6f7d6

SHA1
c15503219ff04bd1ef3003029a5193b78bb3fd2a

SHA256
257d81e84a04bf86b337913b59b37a2c57cfd5345618e1914a2cfdda06016cd3

SHA512
1d58c56deb9c4eeda506fc8043ccecebd5413bff33fcd422cc096e73ab57ef0f7d1f9ebf1a1515f6a2dd49530a24d94bcec15a0dd2c7116a0608982b87418fa3

Download Submit
C:\Windows\System\ZDFDTM.exe

Filesize
320KB

MD5
1fa9196a489c25a71be21b5151e28e18

SHA1
3c8c4b7f8180d44583ecde439c52f8f39cbbd370

SHA256
cb24c3fea7d93d07fbea908c28c526fcb6dd2d00423f875f54ce47188724b818

SHA512
623c06df60561da2a1842ec34ff9a807f18fffe637ddac527d153fb50a21a5cb059841370484aa0de4a3cd6756af174aefa946e6d587ae6ea74b3f201deb6b4c

Download Submit
C:\Windows\VSS.exe

Filesize
320KB

MD5
6ba1fddb8c4a245de3c6a6747655940c

SHA1
e0ff4dd16d536cd3eb747af421f6b0078232966c

SHA256
544f060943e7d05e6c65402a7c27012002f1810db3648d7b4e03434529a65233

SHA512
426f1e276b133ab186ee79d70e2f4905141e5ed5e658f0c4a0bc46ddcbe0e8068c5b8177bb140ff284cd5b9626f49915f72936b0ffdc9b32caca7d0035d340c3

Download Submit
C:\windows\NKKO.exe

Filesize
320KB

MD5
87c0d6fc21fab6ada32ba693b3ba2b34

SHA1
ce95c07237b64f6fb7d960bdb00fbd892f0a38cd

SHA256
9d721d9c347b712a1003067c27bd94b46b2eb2e1911194d375c718253a45eb69

SHA512
0ee8e19cf720d0ca3e01b394818d961ebc2a1afb62f056b7c19a602a708e67f4391fb42fdb993f28a9b97b5c691e2f90d5db7ee2a95d0fe062f8987d028e3cc7

Download Submit
C:\windows\NKKO.exe.bat

Filesize
54B

MD5
eb2a6e23761ff97fd97bd892343f6eaf

SHA1
4ac999e52d2a95064b4eaf3b8b8729dff464a029

SHA256
dbc581bfc91747844ad1434318626e86b9628cb3ae3d80e00137cb701b830d7d

SHA512
639370fa565a2360f35fdb7c0238677c22a64587543f95dcf0ea8f161fd3969e4fb767065cd99c83772a6d633836157b9eeecb80430d5dbee1a165afca2a58f6

Download Submit
C:\windows\OIAKHN.exe

Filesize
320KB

MD5
0787e4ea4ea263306673e2fabac554fe

SHA1
8b2a69f07da080dcfc633f2cad8e43fa307e1fef

SHA256
e2e01728cb0696c7eb7b171a6c79ec1d1958469c5f92241dff4b02069bffcc59

SHA512
793dc869b0be517e4fb2f9059cd55cb918f471f48c7f75f3550def8d6036a663c83104b2f4b9f481705645f88c69ac3a07640c08762826591be16d3b494b58e7

Download Submit
C:\windows\OIAKHN.exe.bat

Filesize
58B

MD5
0b07050956a70ee4fb0ce52895686681

SHA1
1fc5b42d642d43c9bff45b70f8418c58ec85d594

SHA256
2f9066927922a3f7679a5e7953a394ab0fda5ae8a34eee2616a77cac667a4edb

SHA512
3b8f068cca1c917886f23acb8625a64688859791774aeaf189dd30d0c5ed395d4f2db87424ec72d549326c88a554dd038bfa63507fa7f00157985513e50d0f15

Download Submit
C:\windows\PGITSXQ.exe

Filesize
320KB

MD5
837d7b05786ebc699f31dabc43ac4ac2

SHA1
9e4e60287cc2e3058fa20be6f222f088c64e8e47

SHA256
3c0b6a6b9d271ff6c7ed5c24ff77e210ed19f93f4a3e64d5dc738751af851d98

SHA512
759afe70928038f747b7f8fa2bbbc92d0184648aad0b096a7510438861dbb01afeee775db595b2d0e030dd91fbc77bae33e8a62f2003c262492d590a9cd76fd5

Download Submit
C:\windows\PGITSXQ.exe.bat

Filesize
60B

MD5
66a520ab06232e6d245a6c632c0021c0

SHA1
185629e71fe8ebfbbb43edbe08e05ff7d7f77dd9

SHA256
051be4941c1152006426fd52eeb49b85595fce975f2e0e4e5c6e1c9ac067baed

SHA512
ebf4a5ba6d99f5d646f0fed5b0e622bbb145c6953ace8a638980e339b58e0c63ee371981469792e07a9e9abacf0f3ac47cc4a512c075ce242c1b400a3fc8037b

Download Submit
C:\windows\SysWOW64\ARPBQZR.exe

Filesize
320KB

MD5
0989503f0746a21f08de686d5a5189af

SHA1
ab79fa4f9ace6abbc9fc268c26f2763eb9ba484a

SHA256
2e02d7ce35ed2af86784c5b069e3bdf05c52684c0fedbe2f648e071f2334aa58

SHA512
bc984e47ece697bf887946791aeb30c5b241fe6e2ac794048be0f436e8203d060fb488acbc99f6abb05f606a79b54df354f7d4a3587596b1e356c53c9730f7aa

Download Submit
C:\windows\SysWOW64\ARPBQZR.exe.bat

Filesize
78B

MD5
1debdd9ffe31122b9187d9d67b04a456

SHA1
f7511c7a2cb9c236cd1d2c505cc9d6d6c8dc9dda

SHA256
fe7766d19c21d4652dc8ad0adc685272e3cdce7c657ce6cd68d3594ba05352e4

SHA512
91698328dfc0573ef820f246fa738283d8ba0a6455dd75c2e33e7927bc337badc25adfc5c7dff0180a1edb3a8d939d0387a43ed3d1ba078894e65e495beca8dc

Download Submit
C:\windows\SysWOW64\ARZHJD.exe

Filesize
320KB

MD5
0bd5652de6cc0620ef6326f61d85778e

SHA1
1f17f0407ef44e5f9297da8920f81840b0160c63

SHA256
9cc38bea48b9fe78a305d62e1ee0bf5f96950abc2310117b8d3ebae6d39b75cf

SHA512
9ff45c2a289ad79f73dfc58a4fafa624803dc28916ac9ce40ec7d7ca53c6f7560a791c897a25124e1d166d2a034163d1783687a8ed2797b8287a6be37da056f8

Download Submit
C:\windows\SysWOW64\ARZHJD.exe.bat

Filesize
76B

MD5
c3b16df63717a501e6e5e39ec44d3086

SHA1
924646beacc6857de1d700e9a70352c6f316d45b

SHA256
89cf1d3ee28ab5aa5052629a873afb10eabcb7b7175d3e117c3e66830ec154e6

SHA512
8ea362841f9352c675bc43708cea93bc66a5f1f87bbfc14808be4d49abbc65e7c380d4ba2b0a8fa1eabd44db51fe2979f1d282d2a747be5897b4f0058658edbd

Download Submit
C:\windows\SysWOW64\AVE.exe

Filesize
320KB

MD5
c99e4bb58c8a13d08e1e6c3ea38ce8e7

SHA1
856940a9ed9653201b0d36d57394693dd46c34f5

SHA256
b22f705db2e19761a590ed993fc356d7e7cb1b80b0439559bca2e51ec27749d2

SHA512
53f79d6074c977f791364dddfb5c72c02b289d59f0368de5c3d7bc8e52f96f8224d56b4d2ed249892cd46bab807b7506e5b426c30ee3a7b44cd8b34870c5f18e

Download Submit
C:\windows\SysWOW64\AVE.exe.bat

Filesize
70B

MD5
a0e14aa382a686443a43f56cadcdc709

SHA1
241871dc5029d1c116ec4f749611b7edbaa30d68

SHA256
db98afc48a2ae3c8932b779d2c6528c4c5b27c2540d99d4a4f498b73bf2343f5

SHA512
44b44243d330e5cfb125c972e23589f198a3bdd2ad5f8bc84fb091b8a8a7168b7a794e0b00a369e851c727ae2e9b7ba8e4df9a0b459bdeaf1d9a6a9aa44d9b3b

Download Submit
C:\windows\SysWOW64\BORABFJ.exe

Filesize
320KB

MD5
f743ffe197dc836c4598627c3d7279d3

SHA1
7ef6b29bd83df8ab5bc991531ca5146f7dc47969

SHA256
aba5504ace0277355ed0d1cf56aeed3d285c4b271ba22f0142fb7728f201ee1f

SHA512
4a634060c7fd46edcd0e8164b4b2ac19d85d7a38dae1293383c2450a1445d990a48b7b0e315ee5cc93d3f24fc5eee2591e02c0380f687c5b18322813df98c7e8

Download Submit
C:\windows\SysWOW64\BORABFJ.exe.bat

Filesize
78B

MD5
dd9bf7c2a7524ffdb14f45887ed38350

SHA1
b378ac515642cb65a7cc51dc2429b5ba6cc8a9f8

SHA256
e5ed1741b50b27a61e0711df2fa5ed36efc6d73c008d487a2f5d50757caa1045

SHA512
a3ec902d67024ae9df2172812365daa42d72893d22b9169c56eb6051a2a03ad66a7a997944abe92bafc8091100aa90484c5ecc59b7fddae46128f3a381c6501f

Download Submit
C:\windows\SysWOW64\JPJCBVA.exe

Filesize
320KB

MD5
14247406ab9dd5239fb7a447e5bc5eca

SHA1
44fef1b48f7c18ba013dfbc3227525f2934103cc

SHA256
46749942f652cfaae98ddc5141039b06e8325269485a91e9fb3bbefedd94ed74

SHA512
3c69c5ede5482e490d92ce699a69da86732d9c8f70c084d8c4f54d768fc090e793ae2f0759877d11cb2b5db4c6843ece205a9eb242ec17e4d036b6d909b55009

Download Submit
C:\windows\SysWOW64\JPJCBVA.exe.bat

Filesize
78B

MD5
1dbda474b39520dc72d5afabb989e7d7

SHA1
971e5c01e366241f0b9070aa8c865f0b167ea345

SHA256
f9677fc8421d8afab35484ce432cdf7dd7e0f0b7c190cfc2818cc4b2cd9927c1

SHA512
22e39729300f9ce7abc36ef246e90e9002c61cd917345b141770d586688cbb9c94ef6db56fd70782766dd1c39be84a1a550c45dda47f5efb1c63e8bfea41b0b1

Download Submit
C:\windows\SysWOW64\LWHQG.exe

Filesize
320KB

MD5
f0a65889737c02ad3b3101254405f1d3

SHA1
e35edcdbefd4ef08104c8eb3ae02a39566e82462

SHA256
0086a276e7ca2547cc0144b2766cdd97db73be37d9c51a5fc474d44d51182bfb

SHA512
8ea8e6534b51e0c75deaa983ba9794fa01b479e19fff842c95c5f6eb34fd598df0c0ba1298bd373309e237c224511a8acedd57686b35b720089b64a0b93826f3

Download Submit
C:\windows\SysWOW64\LWHQG.exe.bat

Filesize
74B

MD5
c699eccc3bee1c077037fd630bd2631f

SHA1
2c9fbf121045f780f91e7f03030101a05e07338c

SHA256
0d6e77d15532255056dc7094aec14c8706526f9b8b2277ade6461e9650c340e0

SHA512
3222c5f36905e9c034893f4b30c66e21628ff310f0e5983a5817fc059a1f080aafa26e555643212f1c627062db91cfd291f6934d6aaddf8f98358f69a11277de

Download Submit
C:\windows\SysWOW64\PFDH.exe

Filesize
320KB

MD5
691ba30716b3221e5546f8dc821a1ec6

SHA1
a48b9e3acf604b2099848e3d5efd4269786689b4

SHA256
8d550ccc2b7169e41f08f4533bc3bc1a9978c989ed323f0d2e4e37eb02c83235

SHA512
a1f1a3d30c27a64ebd4d7b639a9d021ec784b3ccc5a8b7ab673eaf3063577749724ee17e83f763243fb176df11ff2d2d815cbe56e18cd71e625820ff1dd5e687

Download Submit
C:\windows\SysWOW64\PFDH.exe.bat

Filesize
72B

MD5
2b5942bb268d4434c211041bc717ec91

SHA1
47cae9d587232784ca9ea046d441924559dba14a

SHA256
a520052de32d37850b9ce76c28d2e0faa1b73e41ca4752ad1981bcb22851502a

SHA512
75d225009f5f22e5f41be7db4dd9b30df95cf52efcec700d8b13e8a9a4d082f56c998d2869147885047e2c9ac2bdcf1a8d928acb993e8697fc55e6767d2b517a

Download Submit
C:\windows\SysWOW64\RCGSZE.exe

Filesize
320KB

MD5
977e5f87d08ff44a15b6f78ccd1aded0

SHA1
245137527b5f97a9db1caccd863db93aa9d2daf8

SHA256
47a8d364f1a130e4fa14c43d42f95391c6b10b2c017f3ed57fa0eae4e5fdf045

SHA512
890d6be76416bdc2a529474ace81bbfeb96d614b59426b92738e3803c254481372b46646980b16c7f856e77a2db55b5965ff5212cb5fc018ce7af5cb45d94d41

Download Submit
C:\windows\SysWOW64\RCGSZE.exe.bat

Filesize
76B

MD5
d697d141fca4cc3bbab1a71b4e12a4e6

SHA1
a2241f2fa7909416663ce93f77df94d486411fe6

SHA256
3d11558aa4eee7027eaacda6621e5dd5699e1623ef3cfe6b3d314083bfe2e2dd

SHA512
e6b0c5b81a95d9fe25f9aa26d028bf122c439155fdedc86e50f5ad84500c40d0f945225a015abfb87c597255384f8f9c16ce742f17c808c0f9475693fd2260cb

Download Submit
C:\windows\SysWOW64\USS.exe

Filesize
320KB

MD5
ca97a60e00308d4327192c523d3df790

SHA1
fc61cfbf37e82bc34884e17e094f862f8cb872cc

SHA256
0333ba4f9801a5cb0fd1759819ffd5daa287602a82ce473048e7334f618e0e94

SHA512
0314c61a5b4b9235e830b78b45a033b6df3d6406d03e5c14fba1559211a8d8e752d14cff53f04acd4635249880e1d837be12daee10d5299e63b06935a077c63a

Download Submit
C:\windows\SysWOW64\USS.exe.bat

Filesize
70B

MD5
622a5e55f099a8c7f8459f30c9af34da

SHA1
432c69a841da8aa108919ca1aa96b0eb0b167a87

SHA256
dfb402bfafe345db7878f35bfc86cb4baaa57ed895eace3fe8d3b3c1525a42f0

SHA512
1553ca078be4f3218754ff6d7a678e8c5db94676a58f9de53a453ab9d33a67855d349fb7d432f8b93e0beb90a5815e1b0f9ec667f6bc871bdab1e7dbd5d0654b

Download Submit
C:\windows\SysWOW64\VJSIOCT.exe

Filesize
320KB

MD5
16ee49bd2e30d5c91c21efd1d7403c68

SHA1
0014aee97198f996c24fe3d7258506ad608da8db

SHA256
ebf9adeac9dce38a77293735470cb8a1d2532a8feadcce2628d9ac19baceabdd

SHA512
730304bda4e0ffef1294bbf2eeceb0ad557bfb0cfbd7996a6071df435ecc4dfd111a2987c679ca865e7f5d1064b24857ae47a6680f6c363d6cfdf2507daee028

Download Submit
C:\windows\SysWOW64\VJSIOCT.exe.bat

Filesize
78B

MD5
33f66ddefca7e2e5f12aa5142754aea0

SHA1
e4b0259cee2c08336609770912771dcad4302b4f

SHA256
74b676dd7fb45690c4089a3e36eecd59eb686886e1e16539cc7ed45ee49870aa

SHA512
59b837cb876cf73db0f05d7ec29bd8454eb0086b04109c3633b8caf4cd173d2cf5ee5e1545e0084569e98b6648e4de38f0903c9b848f429f903e6b1e50596b8f

Download Submit
C:\windows\SysWOW64\YCPF.exe

Filesize
320KB

MD5
83126d8410891dbfd6b517ef8dd64f32

SHA1
ef8aff8f08c38a41fde49cfd6ff32b02ec6f284a

SHA256
9a9939a9727fe9d0a881537ca5f056cc2e780eb9bbcc7c842e89f2f231bd2dbd

SHA512
f8551cf5c0e505aaff7b265c08cf6d8b283188c2590b9945d1f47533828ca99864d73f045d7a4062cc5c2a6594a0da78c4964fb5f5a76a25a0e763fadd2e4508

Download Submit
C:\windows\SysWOW64\YCPF.exe.bat

Filesize
72B

MD5
dc84fd5603ab2ef22de1379e4f0b37c1

SHA1
91e55bbf377a19404f5c47c7174b4cbbd2d154c9

SHA256
ddbfd78355270be59f34d00fc457e8ecccf4a10a97512edeeccdd5601a197eeb

SHA512
87771c7eea5b0079c720ea9e3796899f6d26744a4ffd7dc079172be177b097a106406232daa277e682594e7ea0c506bff49039922c3443d5d78cde56df6467f3

Download Submit
C:\windows\SysWOW64\YKWQJSN.exe

Filesize
320KB

MD5
f1ab63366fef249432083ace70898122

SHA1
a4edfc6ff23493c4d1b18b1ab8d63b0d38e51006

SHA256
78a736b35f4c127b130f562ae6c786440d97b77baa97eb8658ddc4f4f2cb0bad

SHA512
75ee9fd6ead67c0f9930365f53075735dde6fc3aa690b257aa498f47c7a02ff4dbf73dd070ff7248bc870287ef00eb63fcf8219606d0ab995ba6e504b4e8a4c4

Download Submit
C:\windows\SysWOW64\YKWQJSN.exe.bat

Filesize
78B

MD5
b42d2a1ba2646ee9953dd0cbd2180531

SHA1
ce28ca888502aca1bc416ec10fc98f1922fe5bd5

SHA256
20c6e108720ca5a33d30a03ef675b34d8cc9d8eeba7d49575a62a082196000f0

SHA512
ccccc42a4009daf19fc3eb6e30a0ef4a1da793d83dfa009c54550ec6806d12618216eb324f6b966a5506551a53913e44746b00a83714570c34417d03f8da4749

Download Submit
C:\windows\VSS.exe

Filesize
320KB

MD5
6ba1fddb8c4a245de3c6a6747655940c

SHA1
e0ff4dd16d536cd3eb747af421f6b0078232966c

SHA256
544f060943e7d05e6c65402a7c27012002f1810db3648d7b4e03434529a65233

SHA512
426f1e276b133ab186ee79d70e2f4905141e5ed5e658f0c4a0bc46ddcbe0e8068c5b8177bb140ff284cd5b9626f49915f72936b0ffdc9b32caca7d0035d340c3

Download Submit
C:\windows\VSS.exe.bat

Filesize
52B

MD5
4a391360db78215206836bfa8a3702e4

SHA1
eae6a87f2b78c9a10fcff0d2a8ab66e36296c000

SHA256
c41362e56073bd66c5d555629699ec2b63c17caa64181c1583e9dadd72631430

SHA512
d8c6225ea3065cf767e5889a00dfe6722362350c4cbfb15b42d2b8f0cc1bd47612ea6701f71ac188a76dccc265e94f371bd371d0e97df9298d73692102d2980f

Download Submit
C:\windows\system\CVUBA.exe

Filesize
320KB

MD5
72a286f63575285a93ccaef4e3d78a05

SHA1
3fbfed6493152bc3e667840c3225a021c8e10674

SHA256
ac8413da3e30b71bb4322b81eacf24664b954183c71215541a27369d20c756d7

SHA512
1c16316348f0c896db550420d703a60568d82200ceebbd96d3c2de05e7d02fce4f0cc565c053e791503412c3c0c9d9a517ef65780299a388679845ee5b93e322

Download Submit
C:\windows\system\CVUBA.exe.bat

Filesize
70B

MD5
350fd1b8d9f3ae1b3a750b16a90204ee

SHA1
ce071721db16ffb0b0024a426365cc2fa6d28567

SHA256
2a248e28e87e5086d50e80a504b597e4d38b71d60373dd87b44516b5816cdcd4

SHA512
6c7f1382560e64bc477ef11eb29932149e248c007f83bb989d92f57529a2d04d861290760dcdde50210935cecc7e21589d8d43fc078605e3f12efc7799c30cd1

Download Submit
C:\windows\system\DFNZSQ.exe

Filesize
320KB

MD5
c121811475860a7ed00c077ccc120d83

SHA1
61a13acb3a72cc4124a49dbdd97e57e5e5eec8bb

SHA256
ec807225b8ed83d872e1a75b0c9d1471a9be363a7cabf204aff75b406a0e7c9f

SHA512
0b185c591860c14b44b574563f48835ed736b02ad5a7b20b2af6fbbcc0c4fb1c854ec2ef5a04f933c28c862bd3da7057ac4013b822cace0886924e3ff7e43fbe

Download Submit
C:\windows\system\DFNZSQ.exe.bat

Filesize
72B

MD5
436889ca5ba27e24f3d28062c3afc7e4

SHA1
102dafac05404c270c28cf12f2ea319a9bb5eef8

SHA256
3d1489aeca846161e9c135746e2681630457682d14d9e3573aeb310204f8a6f8

SHA512
9502649750deca3a1a07a996f3e0f35880a4dc83172391ac134fba2cde82803f86d1afd3e005af6705509633c250e31222cef95b79a5cb45b8733f354247fc41

Download Submit
C:\windows\system\HWFNHIH.exe.bat

Filesize
74B

MD5
019dc8d7ccb3c73a4281faec2edd5c6e

SHA1
f058d4c19e3420af28b0b8468b71646b69815280

SHA256
ebfc1b9afd74f73bf35bdefedf65d9ef54bb043c316f5e862a0a4f5216b8a2b6

SHA512
aed0c816c65acfe3195866b604170c9f6d11c3b866f939cb6d0f28c16038e38985cc2aae12a347270f8c3e1ddba0520ae9869b6527dee0ab5a4bc066ad3f4318

Download Submit
C:\windows\system\TSAEX.exe

Filesize
320KB

MD5
9040620b6670528d996cffbff47a787e

SHA1
5a1e863cb481b0ae20951c2366c71fedb0aafec8

SHA256
e5b25b2f07de046f581d5338c90b924b74a49363f699f7bec328edd252b48357

SHA512
8d3d642d16e43ae9777ceaf284901ef176f3335ec41a79314bffcbe4ee17f9ecdf9de2b72ff3395608e34bbe02b4168f49aaa78adf703f56e2a9f15fc05e4f36

Download Submit
C:\windows\system\TSAEX.exe.bat

Filesize
70B

MD5
d0a6ea1ef5f0e6dbb3be0595ff1636e7

SHA1
607aa0286a40435ea3316f0b0eaea2ac5d43a925

SHA256
67586574fd712f298bb247aa93902fbafc8ef476bab26c0500306bb644ca9365

SHA512
a7c32db93509d58f1727e85abf3798679a737f4f80cacf1a5bfe03434df5c2c9029167c985061f6054fb3740ec7e8a1b44d4a6dddf3824ed46283d73855f0e4e

Download Submit
C:\windows\system\UOMRYV.exe

Filesize
320KB

MD5
f010c2e674674ad5d5bc760779f6f7d6

SHA1
c15503219ff04bd1ef3003029a5193b78bb3fd2a

SHA256
257d81e84a04bf86b337913b59b37a2c57cfd5345618e1914a2cfdda06016cd3

SHA512
1d58c56deb9c4eeda506fc8043ccecebd5413bff33fcd422cc096e73ab57ef0f7d1f9ebf1a1515f6a2dd49530a24d94bcec15a0dd2c7116a0608982b87418fa3

Download Submit
C:\windows\system\UOMRYV.exe.bat

Filesize
72B

MD5
73798dd4334382bc11ffc8d19b2cc59d

SHA1
93894e062b9eda9ce5db4f948244c6025f50383d

SHA256
8fa07c9abce6a486d28a3107e3fbf9a1ea8028f7c1b4c4d9f83b476106b6f1fd

SHA512
7149fe0cba0f3685170477f03771c25944ef235a995394a90cb8babd83a31c278365565ed8a813344ad630a8fd8640cba0ebad90f26d507e946632568d84271c

Download Submit
C:\windows\system\ZDFDTM.exe

Filesize
320KB

MD5
1fa9196a489c25a71be21b5151e28e18

SHA1
3c8c4b7f8180d44583ecde439c52f8f39cbbd370

SHA256
cb24c3fea7d93d07fbea908c28c526fcb6dd2d00423f875f54ce47188724b818

SHA512
623c06df60561da2a1842ec34ff9a807f18fffe637ddac527d153fb50a21a5cb059841370484aa0de4a3cd6756af174aefa946e6d587ae6ea74b3f201deb6b4c

Download Submit
C:\windows\system\ZDFDTM.exe.bat

Filesize
72B

MD5
1b3c14100ce10b972204999251e2b328

SHA1
30db0c493cc8895ebd4ab235ee191efc55ed37ea

SHA256
88c0bddd942d9f386672e05f4843b14b12aa9844b6d70d3abb3098b7d3cc0687

SHA512
34270cc3e7698c6a0dd90b8fda68375156b430cf6ad0d4065625c7000900e01b00a4d2b718e61e869a4959e45f896eb9d724c51ba102bb9c2e2e8f02df93ddae

Download Submit
memory/468-151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/468-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/884-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1188-295-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1536-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1536-303-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-110-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-91-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2520-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2520-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2604-115-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2604-127-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2632-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2632-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2808-162-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2808-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3092-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3092-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3104-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3104-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3272-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3272-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-293-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3460-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3460-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3480-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3480-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3556-282-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3556-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3672-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3672-320-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3852-266-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3852-236-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3872-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3872-92-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3888-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3968-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3968-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4040-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4040-158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4468-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4468-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4500-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4500-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4568-165-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4568-187-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4716-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4888-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download