62404a4e093cbea6649d1cd97bfe10ee8dd94179efe1f3d4928611f130ff3598

Analysis

max time kernel
127s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5305d802ba1082c7d4c585c4db972810.exe
Size

289KB
MD5

5305d802ba1082c7d4c585c4db972810
SHA1

301a9f40463b0761a13b253b9a9a5f69637eff8c
SHA256

62404a4e093cbea6649d1cd97bfe10ee8dd94179efe1f3d4928611f130ff3598
SHA512

324adc250e4a66359fc354958e6b53aee451a9685fba847da7ae11a8dd2e75637f83fa824b30b83fb72b922bbbd63510cc479117fb6a9488da65273e2f66a993
SSDEEP

6144:psyWVAPU2aEEF+KMRErjBOrChaqsauMPkECzJLaQVbU5:pscU2aEguRteasklJLJbU5

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 43 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022ce4-9.dat	family_berbew
behavioral2/files/0x0006000000022ce4-11.dat	family_berbew
behavioral2/files/0x000a000000022cec-12.dat	family_berbew
behavioral2/files/0x000a000000022cec-20.dat	family_berbew
behavioral2/files/0x000a000000022cec-21.dat	family_berbew
behavioral2/files/0x0006000000022cf7-31.dat	family_berbew
behavioral2/files/0x0006000000022cf7-32.dat	family_berbew
behavioral2/files/0x0006000000022cfd-43.dat	family_berbew
behavioral2/files/0x0006000000022cfd-42.dat	family_berbew
behavioral2/files/0x0006000000022d03-54.dat	family_berbew
behavioral2/files/0x0006000000022d03-55.dat	family_berbew
behavioral2/files/0x0002000000022307-70.dat	family_berbew
behavioral2/files/0x0002000000022307-71.dat	family_berbew
behavioral2/files/0x0005000000022308-81.dat	family_berbew
behavioral2/files/0x0005000000022308-83.dat	family_berbew
behavioral2/files/0x0008000000022cf2-93.dat	family_berbew
behavioral2/files/0x0008000000022cf2-92.dat	family_berbew
behavioral2/files/0x000f000000022bfb-105.dat	family_berbew
behavioral2/files/0x000f000000022bfb-104.dat	family_berbew
behavioral2/files/0x000e000000022cf4-116.dat	family_berbew
behavioral2/files/0x000e000000022cf4-118.dat	family_berbew
behavioral2/files/0x000a000000022cfc-130.dat	family_berbew
behavioral2/files/0x000a000000022cfc-128.dat	family_berbew
behavioral2/files/0x0013000000022ced-140.dat	family_berbew
behavioral2/files/0x0013000000022ced-141.dat	family_berbew
behavioral2/files/0x0015000000022cf1-152.dat	family_berbew
behavioral2/files/0x0015000000022cf1-154.dat	family_berbew
behavioral2/files/0x0012000000022cf0-164.dat	family_berbew
behavioral2/files/0x0012000000022cf0-165.dat	family_berbew
behavioral2/files/0x0013000000022cf6-177.dat	family_berbew
behavioral2/files/0x0013000000022cf6-176.dat	family_berbew
behavioral2/files/0x0009000000022d09-190.dat	family_berbew
behavioral2/files/0x0009000000022d09-188.dat	family_berbew
behavioral2/files/0x0011000000022d00-201.dat	family_berbew
behavioral2/files/0x0011000000022d00-203.dat	family_berbew
behavioral2/files/0x0012000000022d05-213.dat	family_berbew
behavioral2/files/0x0012000000022d05-212.dat	family_berbew
behavioral2/files/0x0013000000022cfe-225.dat	family_berbew
behavioral2/files/0x0013000000022cfe-227.dat	family_berbew
behavioral2/files/0x0016000000022d06-237.dat	family_berbew
behavioral2/files/0x0016000000022d06-236.dat	family_berbew
behavioral2/files/0x0011000000022d0a-248.dat	family_berbew
behavioral2/files/0x0011000000022d0a-249.dat	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	QXUWJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FNYIWPE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RSMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HWSL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	LII.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FPLN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	MNPTZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ZCYSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AVANI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VUTH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XJXWF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FBKXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CYGTYBP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	USSKNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	DTTLGUZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AYYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CLFQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	IVGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.5305d802ba1082c7d4c585c4db972810.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JLSCWXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	YREA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JOBDWG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	GKPJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CDIIPO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XYR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ARXJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	SUACAQP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UXT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XTDO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	SJNAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	OKEKRF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	FBPWXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NWNAI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NSZN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BDR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TUWXW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CUCS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KRS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KMDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	VKNPS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AQN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NVMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TMAAZNV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	YKWQJSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TEJZWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XPGXW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	QBPRB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	DIQSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HTBFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RAXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ZLO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	XHGBAZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	AMILOB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	UHQQQBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	JQHR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	TJOHO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	CXOFVZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	MHXBDGJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NYJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	HSHHG.exe

Executes dropped EXE 64 IoCs

pid	Process
2260	CXOFVZK.exe
4048	HBD.exe
1768	TMAAZNV.exe
4536	FPLN.exe
4580	JLSCWXP.exe
1684	QXUWJ.exe
2172	DIQSK.exe
2916	HTBFT.exe
4848	YREA.exe
4192	MNPTZ.exe
3244	BDR.exe
4300	DTTLGUZ.exe
3692	TUWXW.exe
1736	cmd.exe
1400	AYM.exe
4524	XJXWF.exe
5040	UXT.exe
2584	FBKXP.exe
940	CUCS.exe
312	YKWQJSN.exe
1520	AYYA.exe
1676	JOBDWG.exe
1664	GKPJ.exe
2228	QADWJMS.exe
3144	KRS.exe
4552	ZCYSU.exe
3140	CDIIPO.exe
4524	XTDO.exe
3948	TEJZWM.exe
1056	RAXP.exe
2904	SJNAA.exe
2612	URDDLKI.exe
2056	AVANI.exe
4560	FBPWXQ.exe
3656	ARXJN.exe
3568	FNYIWPE.exe
4672	OKEKRF.exe
4572	ZLO.exe
1644	MHXBDGJ.exe
4036	VKNPS.exe
4044	AQN.exe
4048	NWNAI.exe
5016	XHGBAZR.exe
2228	Conhost.exe
2892	KMDA.exe
548	WerFault.exe
4684	NSZN.exe
436	CLFQ.exe
3568	SUACAQP.exe
4672	Conhost.exe
2584	NYJ.exe
3060	CYGTYBP.exe
2032	VUTH.exe
1384	HSHHG.exe
4424	NVMY.exe
1408	AMILOB.exe
3596	LII.exe
3384	RSMD.exe
1528	HWSL.exe
184	UHQQQBA.exe
1680	WerFault.exe
1400	IVGD.exe
2372	NRYKJG.exe
2240	WPSMUK.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\KZWU.exe	QBPRB.exe
File created	C:\windows\SysWOW64\MNPTZ.exe	YREA.exe
File created	C:\windows\SysWOW64\TEJZWM.exe	XTDO.exe
File opened for modification	C:\windows\SysWOW64\MHXBDGJ.exe	ZLO.exe
File created	C:\windows\SysWOW64\MNPTZ.exe.bat	YREA.exe
File created	C:\windows\SysWOW64\AVANI.exe	URDDLKI.exe
File created	C:\windows\SysWOW64\NVMY.exe.bat	HSHHG.exe
File created	C:\windows\SysWOW64\UXT.exe.bat	XJXWF.exe
File created	C:\windows\SysWOW64\JOBDWG.exe	AYYA.exe
File created	C:\windows\SysWOW64\SUACAQP.exe	CLFQ.exe
File created	C:\windows\SysWOW64\CYGTYBP.exe	NYJ.exe
File opened for modification	C:\windows\SysWOW64\HSHHG.exe	VUTH.exe
File created	C:\windows\SysWOW64\JOBDWG.exe.bat	AYYA.exe
File created	C:\windows\SysWOW64\FNYIWPE.exe.bat	ARXJN.exe
File created	C:\windows\SysWOW64\VFNBZ.exe	SUACAQP.exe
File opened for modification	C:\windows\SysWOW64\NVMY.exe	HSHHG.exe
File opened for modification	C:\windows\SysWOW64\MNPTZ.exe	YREA.exe
File created	C:\windows\SysWOW64\DTTLGUZ.exe	BDR.exe
File opened for modification	C:\windows\SysWOW64\AVANI.exe	URDDLKI.exe
File created	C:\windows\SysWOW64\MHXBDGJ.exe.bat	ZLO.exe
File opened for modification	C:\windows\SysWOW64\YKWQJSN.exe	CUCS.exe
File created	C:\windows\SysWOW64\CDIIPO.exe	ZCYSU.exe
File created	C:\windows\SysWOW64\AVANI.exe.bat	URDDLKI.exe
File opened for modification	C:\windows\SysWOW64\FBPWXQ.exe	AVANI.exe
File opened for modification	C:\windows\SysWOW64\FNYIWPE.exe	ARXJN.exe
File created	C:\windows\SysWOW64\HTBFT.exe	DIQSK.exe
File opened for modification	C:\windows\SysWOW64\HTBFT.exe	DIQSK.exe
File created	C:\windows\SysWOW64\UXT.exe	XJXWF.exe
File created	C:\windows\SysWOW64\CYGTYBP.exe.bat	NYJ.exe
File opened for modification	C:\windows\SysWOW64\FBKXP.exe	UXT.exe
File created	C:\windows\SysWOW64\ZCYSU.exe	KRS.exe
File created	C:\windows\SysWOW64\VFNBZ.exe.bat	SUACAQP.exe
File opened for modification	C:\windows\SysWOW64\ZCYSU.exe	KRS.exe
File created	C:\windows\SysWOW64\HSHHG.exe	VUTH.exe
File created	C:\windows\SysWOW64\NVMY.exe	HSHHG.exe
File created	C:\windows\SysWOW64\TMAAZNV.exe	HBD.exe
File created	C:\windows\SysWOW64\FBKXP.exe.bat	UXT.exe
File opened for modification	C:\windows\SysWOW64\JOBDWG.exe	AYYA.exe
File created	C:\windows\SysWOW64\TEJZWM.exe.bat	XTDO.exe
File opened for modification	C:\windows\SysWOW64\CYGTYBP.exe	NYJ.exe
File created	C:\windows\SysWOW64\HSHHG.exe.bat	VUTH.exe
File opened for modification	C:\windows\SysWOW64\TMAAZNV.exe	HBD.exe
File created	C:\windows\SysWOW64\TMAAZNV.exe.bat	HBD.exe
File opened for modification	C:\windows\SysWOW64\CDIIPO.exe	ZCYSU.exe
File created	C:\windows\SysWOW64\YKWQJSN.exe.bat	CUCS.exe
File created	C:\windows\SysWOW64\WPSMUK.exe	NRYKJG.exe
File opened for modification	C:\windows\SysWOW64\WPSMUK.exe	NRYKJG.exe
File created	C:\windows\SysWOW64\KZWU.exe.bat	QBPRB.exe
File created	C:\windows\SysWOW64\DTTLGUZ.exe.bat	BDR.exe
File opened for modification	C:\windows\SysWOW64\UXT.exe	XJXWF.exe
File created	C:\windows\SysWOW64\YKWQJSN.exe	CUCS.exe
File created	C:\windows\SysWOW64\KZWU.exe	QBPRB.exe
File created	C:\windows\SysWOW64\CDIIPO.exe.bat	ZCYSU.exe
File created	C:\windows\SysWOW64\FBPWXQ.exe	AVANI.exe
File created	C:\windows\SysWOW64\FBPWXQ.exe.bat	AVANI.exe
File created	C:\windows\SysWOW64\FBKXP.exe	UXT.exe
File opened for modification	C:\windows\SysWOW64\TEJZWM.exe	XTDO.exe
File opened for modification	C:\windows\SysWOW64\VFNBZ.exe	SUACAQP.exe
File created	C:\windows\SysWOW64\MHXBDGJ.exe	ZLO.exe
File opened for modification	C:\windows\SysWOW64\SUACAQP.exe	CLFQ.exe
File created	C:\windows\SysWOW64\SUACAQP.exe.bat	CLFQ.exe
File opened for modification	C:\windows\SysWOW64\DTTLGUZ.exe	BDR.exe
File created	C:\windows\SysWOW64\FNYIWPE.exe	ARXJN.exe
File created	C:\windows\SysWOW64\CXOFVZK.exe	NEAS.5305d802ba1082c7d4c585c4db972810.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\XJXWF.exe.bat	AYM.exe
File created	C:\windows\system\CUCS.exe	FBKXP.exe
File created	C:\windows\system\CUCS.exe.bat	FBKXP.exe
File created	C:\windows\RAXP.exe.bat	TEJZWM.exe
File opened for modification	C:\windows\system\CLFQ.exe	NSZN.exe
File created	C:\windows\system\TJOHO.exe	cmd.exe
File created	C:\windows\system\TJOHO.exe.bat	cmd.exe
File opened for modification	C:\windows\system\XPGXW.exe	TJOHO.exe
File created	C:\windows\system\YREA.exe	HTBFT.exe
File opened for modification	C:\windows\system\GKPJ.exe	JOBDWG.exe
File created	C:\windows\system\SJNAA.exe	RAXP.exe
File created	C:\windows\system\AQN.exe	VKNPS.exe
File opened for modification	C:\windows\system\IVGD.exe	WerFault.exe
File opened for modification	C:\windows\system\USSKNP.exe	WPSMUK.exe
File created	C:\windows\system\DIQSK.exe.bat	QXUWJ.exe
File opened for modification	C:\windows\system\XJXWF.exe	AYM.exe
File opened for modification	C:\windows\system\AQN.exe	VKNPS.exe
File created	C:\windows\XHGBAZR.exe	NWNAI.exe
File created	C:\windows\system\KMDA.exe.bat	Conhost.exe
File created	C:\windows\system\USSKNP.exe	WPSMUK.exe
File created	C:\windows\JQHR.exe	KZWU.exe
File created	C:\windows\system\UTAJ.exe.bat	XPGXW.exe
File created	C:\windows\system\FPLN.exe	TMAAZNV.exe
File opened for modification	C:\windows\system\JLSCWXP.exe	FPLN.exe
File created	C:\windows\system\TUWXW.exe	DTTLGUZ.exe
File created	C:\windows\system\ARXJN.exe	FBPWXQ.exe
File created	C:\windows\system\CLFQ.exe.bat	NSZN.exe
File created	C:\windows\system\XJXWF.exe	AYM.exe
File opened for modification	C:\windows\AYYA.exe	YKWQJSN.exe
File created	C:\windows\RAXP.exe	TEJZWM.exe
File created	C:\windows\LII.exe.bat	AMILOB.exe
File opened for modification	C:\windows\system\TRHX.exe	XYR.exe
File created	C:\windows\system\DIQSK.exe	QXUWJ.exe
File created	C:\windows\system\AYM.exe	cmd.exe
File opened for modification	C:\windows\system\KRS.exe	QADWJMS.exe
File created	C:\windows\XTDO.exe.bat	CDIIPO.exe
File opened for modification	C:\windows\system\ZLO.exe	OKEKRF.exe
File opened for modification	C:\windows\system\OKEKRF.exe	FNYIWPE.exe
File created	C:\windows\system\XYR.exe	USSKNP.exe
File created	C:\windows\system\HBD.exe.bat	CXOFVZK.exe
File created	C:\windows\system\FPLN.exe.bat	TMAAZNV.exe
File opened for modification	C:\windows\QADWJMS.exe	GKPJ.exe
File created	C:\windows\QADWJMS.exe.bat	GKPJ.exe
File opened for modification	C:\windows\XTDO.exe	CDIIPO.exe
File created	C:\windows\system\QXUWJ.exe.bat	JLSCWXP.exe
File created	C:\windows\system\NSZN.exe	WerFault.exe
File created	C:\windows\AMILOB.exe.bat	NVMY.exe
File created	C:\windows\system\OKEKRF.exe	FNYIWPE.exe
File opened for modification	C:\windows\JQHR.exe	KZWU.exe
File created	C:\windows\system\XPGXW.exe	TJOHO.exe
File created	C:\windows\system\AYM.exe.bat	cmd.exe
File created	C:\windows\system\KMDA.exe	Conhost.exe
File created	C:\windows\NYJ.exe	Conhost.exe
File opened for modification	C:\windows\LII.exe	AMILOB.exe
File created	C:\windows\system\USSKNP.exe.bat	WPSMUK.exe
File opened for modification	C:\windows\system\CUCS.exe	FBKXP.exe
File created	C:\windows\QADWJMS.exe	GKPJ.exe
File opened for modification	C:\windows\NRYKJG.exe	IVGD.exe
File opened for modification	C:\windows\system\VKNPS.exe	MHXBDGJ.exe
File created	C:\windows\system\TRHX.exe	XYR.exe
File created	C:\windows\system\IBK.exe.bat	JQHR.exe
File opened for modification	C:\windows\system\UTAJ.exe	XPGXW.exe
File opened for modification	C:\windows\system\FPLN.exe	TMAAZNV.exe
File opened for modification	C:\windows\NYJ.exe	Conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4520	2468	WerFault.exe	85
2288	2260	WerFault.exe	94
4600	4048	WerFault.exe	100
1912	1768	WerFault.exe	105
864	1684	WerFault.exe	118
4728	2172	WerFault.exe	123
3076	2916	WerFault.exe	128
336	4848	WerFault.exe	133
2216	4192	WerFault.exe	140
2380	3244	WerFault.exe	145
1528	4300	WerFault.exe	150
4264	3692	WerFault.exe	158
5028	1736	WerFault.exe	164
408	1400	WerFault.exe	169
2572	4524	WerFault.exe	176
1916	5040	WerFault.exe	181
1896	2584	WerFault.exe	186
1984	940	WerFault.exe	191
3204	312	WerFault.exe	196
4548	1520	WerFault.exe	201
1360	1676	WerFault.exe	206
4036	1664	WerFault.exe	211
1484	2228	WerFault.exe	216
3516	3144	WerFault.exe	221
4504	4552	WerFault.exe	226
2104	3140	WerFault.exe	231
4708	4524	WerFault.exe	236
1764	3948	WerFault.exe	241
1640	1056	WerFault.exe	246
2120	2904	WerFault.exe	251
1368	2612	WerFault.exe	256
1868	2056	WerFault.exe	261
4988	4560	WerFault.exe	266
1816	3656	WerFault.exe	271
2820	3568	WerFault.exe	276
3516	4672	WerFault.exe	281
772	4572	WerFault.exe	286
2104	1644	WerFault.exe	291
4824	4036	WerFault.exe	296
1664	4044	WerFault.exe	301
3144	4048	WerFault.exe	306
644	5016	WerFault.exe	311
3516	2228	WerFault.exe	316
2928	2892	WerFault.exe	321
260	548	WerFault.exe	326
4004	4684	WerFault.exe	332
1896	436	WerFault.exe	337
1564	3568	WerFault.exe	342
1472	4672	WerFault.exe	347
2960	2584	WerFault.exe	352
4868	3060	WerFault.exe	357
4564	2032	WerFault.exe	362
1100	1384	WerFault.exe	367
5044	4424	WerFault.exe	372
1224	1408	WerFault.exe	377
2472	3596	WerFault.exe	382
4312	3384	WerFault.exe	387
1716	1528	WerFault.exe	392
4972	184	WerFault.exe	397
4288	1680	WerFault.exe	402
3064	1400	WerFault.exe	407
4520	2372	WerFault.exe	412
4032	2240	WerFault.exe	417
260	2956	WerFault.exe	422

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe
2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe
2260	CXOFVZK.exe
2260	CXOFVZK.exe
4048	HBD.exe
4048	HBD.exe
1768	TMAAZNV.exe
1768	TMAAZNV.exe
4536	FPLN.exe
4536	FPLN.exe
4580	JLSCWXP.exe
4580	JLSCWXP.exe
1684	QXUWJ.exe
1684	QXUWJ.exe
2172	DIQSK.exe
2172	DIQSK.exe
2916	HTBFT.exe
2916	HTBFT.exe
4848	YREA.exe
4848	YREA.exe
4192	MNPTZ.exe
4192	MNPTZ.exe
3244	BDR.exe
3244	BDR.exe
4300	DTTLGUZ.exe
4300	DTTLGUZ.exe
3692	TUWXW.exe
3692	TUWXW.exe
1736	cmd.exe
1736	cmd.exe
1400	AYM.exe
1400	AYM.exe
4524	XJXWF.exe
4524	XJXWF.exe
5040	UXT.exe
5040	UXT.exe
2584	FBKXP.exe
2584	FBKXP.exe
940	CUCS.exe
940	CUCS.exe
312	YKWQJSN.exe
312	YKWQJSN.exe
1520	AYYA.exe
1520	AYYA.exe
1676	JOBDWG.exe
1676	JOBDWG.exe
1664	GKPJ.exe
1664	GKPJ.exe
2228	QADWJMS.exe
2228	QADWJMS.exe
3144	KRS.exe
3144	KRS.exe
4552	ZCYSU.exe
4552	ZCYSU.exe
3140	CDIIPO.exe
3140	CDIIPO.exe
4524	XTDO.exe
4524	XTDO.exe
3948	TEJZWM.exe
3948	TEJZWM.exe
1056	RAXP.exe
1056	RAXP.exe
2904	SJNAA.exe
2904	SJNAA.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe
2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe
2260	CXOFVZK.exe
2260	CXOFVZK.exe
4048	HBD.exe
4048	HBD.exe
1768	TMAAZNV.exe
1768	TMAAZNV.exe
4536	FPLN.exe
4536	FPLN.exe
4580	JLSCWXP.exe
4580	JLSCWXP.exe
1684	QXUWJ.exe
1684	QXUWJ.exe
2172	DIQSK.exe
2172	DIQSK.exe
2916	HTBFT.exe
2916	HTBFT.exe
4848	YREA.exe
4848	YREA.exe
4192	MNPTZ.exe
4192	MNPTZ.exe
3244	BDR.exe
3244	BDR.exe
4300	DTTLGUZ.exe
4300	DTTLGUZ.exe
3692	TUWXW.exe
3692	TUWXW.exe
1736	cmd.exe
1736	cmd.exe
1400	AYM.exe
1400	AYM.exe
4524	XJXWF.exe
4524	XJXWF.exe
5040	UXT.exe
5040	UXT.exe
2584	FBKXP.exe
2584	FBKXP.exe
940	CUCS.exe
940	CUCS.exe
312	YKWQJSN.exe
312	YKWQJSN.exe
1520	AYYA.exe
1520	AYYA.exe
1676	JOBDWG.exe
1676	JOBDWG.exe
1664	GKPJ.exe
1664	GKPJ.exe
2228	QADWJMS.exe
2228	QADWJMS.exe
3144	KRS.exe
3144	KRS.exe
4552	ZCYSU.exe
4552	ZCYSU.exe
3140	CDIIPO.exe
3140	CDIIPO.exe
4524	XTDO.exe
4524	XTDO.exe
3948	TEJZWM.exe
3948	TEJZWM.exe
1056	RAXP.exe
1056	RAXP.exe
2904	SJNAA.exe
2904	SJNAA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2888	2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe	91
PID 2468 wrote to memory of 2888	2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe	91
PID 2468 wrote to memory of 2888	2468	NEAS.5305d802ba1082c7d4c585c4db972810.exe	91
PID 2888 wrote to memory of 2260	2888	cmd.exe	94
PID 2888 wrote to memory of 2260	2888	cmd.exe	94
PID 2888 wrote to memory of 2260	2888	cmd.exe	94
PID 2260 wrote to memory of 1508	2260	CXOFVZK.exe	96
PID 2260 wrote to memory of 1508	2260	CXOFVZK.exe	96
PID 2260 wrote to memory of 1508	2260	CXOFVZK.exe	96
PID 1508 wrote to memory of 4048	1508	cmd.exe	100
PID 1508 wrote to memory of 4048	1508	cmd.exe	100
PID 1508 wrote to memory of 4048	1508	cmd.exe	100
PID 4048 wrote to memory of 2212	4048	HBD.exe	101
PID 4048 wrote to memory of 2212	4048	HBD.exe	101
PID 4048 wrote to memory of 2212	4048	HBD.exe	101
PID 2212 wrote to memory of 1768	2212	cmd.exe	105
PID 2212 wrote to memory of 1768	2212	cmd.exe	105
PID 2212 wrote to memory of 1768	2212	cmd.exe	105
PID 1768 wrote to memory of 3112	1768	TMAAZNV.exe	106
PID 1768 wrote to memory of 3112	1768	TMAAZNV.exe	106
PID 1768 wrote to memory of 3112	1768	TMAAZNV.exe	106
PID 3112 wrote to memory of 4536	3112	cmd.exe	110
PID 3112 wrote to memory of 4536	3112	cmd.exe	110
PID 3112 wrote to memory of 4536	3112	cmd.exe	110
PID 4536 wrote to memory of 1408	4536	FPLN.exe	111
PID 4536 wrote to memory of 1408	4536	FPLN.exe	111
PID 4536 wrote to memory of 1408	4536	FPLN.exe	111
PID 1408 wrote to memory of 4580	1408	cmd.exe	114
PID 1408 wrote to memory of 4580	1408	cmd.exe	114
PID 1408 wrote to memory of 4580	1408	cmd.exe	114
PID 4580 wrote to memory of 2752	4580	JLSCWXP.exe	115
PID 4580 wrote to memory of 2752	4580	JLSCWXP.exe	115
PID 4580 wrote to memory of 2752	4580	JLSCWXP.exe	115
PID 2752 wrote to memory of 1684	2752	cmd.exe	118
PID 2752 wrote to memory of 1684	2752	cmd.exe	118
PID 2752 wrote to memory of 1684	2752	cmd.exe	118
PID 1684 wrote to memory of 1368	1684	QXUWJ.exe	119
PID 1684 wrote to memory of 1368	1684	QXUWJ.exe	119
PID 1684 wrote to memory of 1368	1684	QXUWJ.exe	119
PID 1368 wrote to memory of 2172	1368	cmd.exe	123
PID 1368 wrote to memory of 2172	1368	cmd.exe	123
PID 1368 wrote to memory of 2172	1368	cmd.exe	123
PID 2172 wrote to memory of 4864	2172	DIQSK.exe	124
PID 2172 wrote to memory of 4864	2172	DIQSK.exe	124
PID 2172 wrote to memory of 4864	2172	DIQSK.exe	124
PID 4864 wrote to memory of 2916	4864	cmd.exe	128
PID 4864 wrote to memory of 2916	4864	cmd.exe	128
PID 4864 wrote to memory of 2916	4864	cmd.exe	128
PID 2916 wrote to memory of 4272	2916	HTBFT.exe	129
PID 2916 wrote to memory of 4272	2916	HTBFT.exe	129
PID 2916 wrote to memory of 4272	2916	HTBFT.exe	129
PID 4272 wrote to memory of 4848	4272	cmd.exe	133
PID 4272 wrote to memory of 4848	4272	cmd.exe	133
PID 4272 wrote to memory of 4848	4272	cmd.exe	133
PID 4848 wrote to memory of 3112	4848	YREA.exe	165
PID 4848 wrote to memory of 3112	4848	YREA.exe	165
PID 4848 wrote to memory of 3112	4848	YREA.exe	165
PID 3112 wrote to memory of 4192	3112	cmd.exe	140
PID 3112 wrote to memory of 4192	3112	cmd.exe	140
PID 3112 wrote to memory of 4192	3112	cmd.exe	140
PID 4192 wrote to memory of 5044	4192	MNPTZ.exe	141
PID 4192 wrote to memory of 5044	4192	MNPTZ.exe	141
PID 4192 wrote to memory of 5044	4192	MNPTZ.exe	141
PID 5044 wrote to memory of 3244	5044	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\NEAS.5305d802ba1082c7d4c585c4db972810.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5305d802ba1082c7d4c585c4db972810.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXOFVZK.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\windows\SysWOW64\CXOFVZK.exe
    C:\windows\system32\CXOFVZK.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBD.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\windows\system\HBD.exe
        
        C:\windows\system\HBD.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMAAZNV.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\windows\SysWOW64\TMAAZNV.exe
        
        C:\windows\system32\TMAAZNV.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPLN.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\windows\system\FPLN.exe
        
        C:\windows\system\FPLN.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLSCWXP.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\windows\system\JLSCWXP.exe
        
        C:\windows\system\JLSCWXP.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QXUWJ.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\windows\system\QXUWJ.exe
        
        C:\windows\system\QXUWJ.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DIQSK.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\windows\system\DIQSK.exe
        
        C:\windows\system\DIQSK.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\windows\SysWOW64\HTBFT.exe
        
        C:\windows\system32\HTBFT.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YREA.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\windows\system\YREA.exe
        
        C:\windows\system\YREA.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNPTZ.exe.bat" "
        20⤵
        
        PID:3112
        
        C:\windows\SysWOW64\MNPTZ.exe
        
        C:\windows\system32\MNPTZ.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BDR.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\windows\BDR.exe
        
        C:\windows\BDR.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTTLGUZ.exe.bat" "
        24⤵
        
        PID:2260
        
        C:\windows\SysWOW64\DTTLGUZ.exe
        
        C:\windows\system32\DTTLGUZ.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TUWXW.exe.bat" "
        26⤵
        
        PID:4212
        
        C:\windows\system\TUWXW.exe
        
        C:\windows\system\TUWXW.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CFVW.exe.bat" "
        28⤵
        
        PID:1676
        
        C:\windows\CFVW.exe
        
        C:\windows\CFVW.exe
        29⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AYM.exe.bat" "
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\windows\system\AYM.exe
        
        C:\windows\system\AYM.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJXWF.exe.bat" "
        32⤵
        
        PID:2612
        
        C:\windows\system\XJXWF.exe
        
        C:\windows\system\XJXWF.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXT.exe.bat" "
        34⤵
        
        PID:5084
        
        C:\windows\SysWOW64\UXT.exe
        
        C:\windows\system32\UXT.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBKXP.exe.bat" "
        36⤵
        
        PID:1348
        
        C:\windows\SysWOW64\FBKXP.exe
        
        C:\windows\system32\FBKXP.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUCS.exe.bat" "
        38⤵
        
        PID:5044
        
        C:\windows\system\CUCS.exe
        
        C:\windows\system\CUCS.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKWQJSN.exe.bat" "
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\windows\SysWOW64\YKWQJSN.exe
        
        C:\windows\system32\YKWQJSN.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AYYA.exe.bat" "
        42⤵
        
        PID:4888
        
        C:\windows\AYYA.exe
        
        C:\windows\AYYA.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOBDWG.exe.bat" "
        44⤵
        
        PID:1240
        
        C:\windows\SysWOW64\JOBDWG.exe
        
        C:\windows\system32\JOBDWG.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKPJ.exe.bat" "
        46⤵
        
        PID:3612
        
        C:\windows\system\GKPJ.exe
        
        C:\windows\system\GKPJ.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QADWJMS.exe.bat" "
        48⤵
        
        PID:4916
        
        C:\windows\QADWJMS.exe
        
        C:\windows\QADWJMS.exe
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KRS.exe.bat" "
        50⤵
        
        PID:1896
        
        C:\windows\system\KRS.exe
        
        C:\windows\system\KRS.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZCYSU.exe.bat" "
        52⤵
        
        PID:4736
        
        C:\windows\SysWOW64\ZCYSU.exe
        
        C:\windows\system32\ZCYSU.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CDIIPO.exe.bat" "
        54⤵
        
        PID:3244
        
        C:\windows\SysWOW64\CDIIPO.exe
        
        C:\windows\system32\CDIIPO.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XTDO.exe.bat" "
        56⤵
        
        PID:3884
        
        C:\windows\XTDO.exe
        
        C:\windows\XTDO.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TEJZWM.exe.bat" "
        58⤵
        
        PID:1224
        
        C:\windows\SysWOW64\TEJZWM.exe
        
        C:\windows\system32\TEJZWM.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RAXP.exe.bat" "
        60⤵
        
        PID:2900
        
        C:\windows\RAXP.exe
        
        C:\windows\RAXP.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SJNAA.exe.bat" "
        62⤵
        
        PID:4320
        
        C:\windows\system\SJNAA.exe
        
        C:\windows\system\SJNAA.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\URDDLKI.exe.bat" "
        64⤵
        
        PID:180
        
        C:\windows\URDDLKI.exe
        
        C:\windows\URDDLKI.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVANI.exe.bat" "
        66⤵
        
        PID:2480
        
        C:\windows\SysWOW64\AVANI.exe
        
        C:\windows\system32\AVANI.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBPWXQ.exe.bat" "
        68⤵
        
        PID:2004
        
        C:\windows\SysWOW64\FBPWXQ.exe
        
        C:\windows\system32\FBPWXQ.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARXJN.exe.bat" "
        70⤵
        
        PID:3112
        
        C:\windows\system\ARXJN.exe
        
        C:\windows\system\ARXJN.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNYIWPE.exe.bat" "
        72⤵
        
        PID:2900
        
        C:\windows\SysWOW64\FNYIWPE.exe
        
        C:\windows\system32\FNYIWPE.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKEKRF.exe.bat" "
        74⤵
        
        PID:32
        
        C:\windows\system\OKEKRF.exe
        
        C:\windows\system\OKEKRF.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLO.exe.bat" "
        76⤵
        
        PID:4860
        
        C:\windows\system\ZLO.exe
        
        C:\windows\system\ZLO.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MHXBDGJ.exe.bat" "
        78⤵
        
        PID:5056
        
        C:\windows\SysWOW64\MHXBDGJ.exe
        
        C:\windows\system32\MHXBDGJ.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKNPS.exe.bat" "
        80⤵
        
        PID:3288
        
        C:\windows\system\VKNPS.exe
        
        C:\windows\system\VKNPS.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQN.exe.bat" "
        82⤵
        
        PID:4448
        
        C:\windows\system\AQN.exe
        
        C:\windows\system\AQN.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NWNAI.exe.bat" "
        84⤵
        
        PID:4988
        
        C:\windows\system\NWNAI.exe
        
        C:\windows\system\NWNAI.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XHGBAZR.exe.bat" "
        86⤵
        
        PID:4920
        
        C:\windows\XHGBAZR.exe
        
        C:\windows\XHGBAZR.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\USMNI.exe.bat" "
        88⤵
        
        PID:2260
        
        C:\windows\system\USMNI.exe
        
        C:\windows\system\USMNI.exe
        89⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMDA.exe.bat" "
        90⤵
        
        PID:1564
        
        C:\windows\system\KMDA.exe
        
        C:\windows\system\KMDA.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXNEV.exe.bat" "
        92⤵
        
        PID:4080
        
        C:\windows\system\OXNEV.exe
        
        C:\windows\system\OXNEV.exe
        93⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSZN.exe.bat" "
        94⤵
        
        PID:2104
        
        C:\windows\system\NSZN.exe
        
        C:\windows\system\NSZN.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLFQ.exe.bat" "
        96⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4988
        
        C:\windows\system\CLFQ.exe
        
        C:\windows\system\CLFQ.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUACAQP.exe.bat" "
        98⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4860
        
        C:\windows\SysWOW64\SUACAQP.exe
        
        C:\windows\system32\SUACAQP.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFNBZ.exe.bat" "
        100⤵
        
        PID:320
        
        C:\windows\SysWOW64\VFNBZ.exe
        
        C:\windows\system32\VFNBZ.exe
        101⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NYJ.exe.bat" "
        102⤵
        
        PID:2612
        
        C:\windows\NYJ.exe
        
        C:\windows\NYJ.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYGTYBP.exe.bat" "
        104⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2228
        
        C:\windows\SysWOW64\CYGTYBP.exe
        
        C:\windows\system32\CYGTYBP.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VUTH.exe.bat" "
        106⤵
        
        PID:3140
        
        C:\windows\VUTH.exe
        
        C:\windows\VUTH.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "
        108⤵
        
        PID:4572
        
        C:\windows\SysWOW64\HSHHG.exe
        
        C:\windows\system32\HSHHG.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NVMY.exe.bat" "
        110⤵
        
        PID:1768
        
        C:\windows\SysWOW64\NVMY.exe
        
        C:\windows\system32\NVMY.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AMILOB.exe.bat" "
        112⤵
        
        PID:3100
        
        C:\windows\AMILOB.exe
        
        C:\windows\AMILOB.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LII.exe.bat" "
        114⤵
        
        PID:3132
        
        C:\windows\LII.exe
        
        C:\windows\LII.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RSMD.exe.bat" "
        116⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:5028
        
        C:\windows\RSMD.exe
        
        C:\windows\RSMD.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HWSL.exe.bat" "
        118⤵
        
        PID:2140
        
        C:\windows\system\HWSL.exe
        
        C:\windows\system\HWSL.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UHQQQBA.exe.bat" "
        120⤵
        
        PID:4348
        
        C:\windows\UHQQQBA.exe
        
        C:\windows\UHQQQBA.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LASXIK.exe.bat" "
        122⤵
        
        PID:1984
        
        C:\windows\system\LASXIK.exe
        
        C:\windows\system\LASXIK.exe
        123⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IVGD.exe.bat" "
        124⤵
        
        PID:2028
        
        C:\windows\system\IVGD.exe
        
        C:\windows\system\IVGD.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NRYKJG.exe.bat" "
        126⤵
        
        PID:4944
        
        C:\windows\NRYKJG.exe
        
        C:\windows\NRYKJG.exe
        127⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WPSMUK.exe.bat" "
        128⤵
        
        PID:4948
        
        C:\windows\SysWOW64\WPSMUK.exe
        
        C:\windows\system32\WPSMUK.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\USSKNP.exe.bat" "
        130⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4672
        
        C:\windows\system\USSKNP.exe
        
        C:\windows\system\USSKNP.exe
        131⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XYR.exe.bat" "
        132⤵
        
        PID:1124
        
        C:\windows\system\XYR.exe
        
        C:\windows\system\XYR.exe
        133⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TRHX.exe.bat" "
        134⤵
        
        PID:4988
        
        C:\windows\system\TRHX.exe
        
        C:\windows\system\TRHX.exe
        135⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZWU.exe.bat" "
        136⤵
        
        PID:4784
        
        C:\windows\SysWOW64\KZWU.exe
        
        C:\windows\system32\KZWU.exe
        137⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JQHR.exe.bat" "
        138⤵
        
        PID:2260
        
        C:\windows\JQHR.exe
        
        C:\windows\JQHR.exe
        139⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBK.exe.bat" "
        140⤵
        
        PID:3288
        
        C:\windows\system\IBK.exe
        
        C:\windows\system\IBK.exe
        141⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TJOHO.exe.bat" "
        142⤵
        
        PID:2448
        
        C:\windows\system\TJOHO.exe
        
        C:\windows\system\TJOHO.exe
        143⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XPGXW.exe.bat" "
        144⤵
        
        PID:2920
        
        C:\windows\system\XPGXW.exe
        
        C:\windows\system\XPGXW.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTAJ.exe.bat" "
        146⤵
        
        PID:2472
        
        C:\windows\system\UTAJ.exe
        
        C:\windows\system\UTAJ.exe
        147⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBAQJD.exe.bat" "
        148⤵
        
        PID:1244
        
        C:\windows\SysWOW64\FBAQJD.exe
        
        C:\windows\system32\FBAQJD.exe
        149⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KPIS.exe.bat" "
        150⤵
        
        PID:3100
        
        C:\windows\KPIS.exe
        
        C:\windows\KPIS.exe
        151⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FINQNXL.exe.bat" "
        152⤵
        
        PID:644
        
        C:\windows\FINQNXL.exe
        
        C:\windows\FINQNXL.exe
        153⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QYNXEW.exe.bat" "
        154⤵
        
        PID:1412
        
        C:\windows\QYNXEW.exe
        
        C:\windows\QYNXEW.exe
        155⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UJXBW.exe.bat" "
        156⤵
        
        PID:3868
        
        C:\windows\UJXBW.exe
        
        C:\windows\UJXBW.exe
        157⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DUKWI.exe.bat" "
        158⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1124
        
        C:\windows\DUKWI.exe
        
        C:\windows\DUKWI.exe
        159⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GZJSCZ.exe.bat" "
        160⤵
        
        PID:760
        
        C:\windows\GZJSCZ.exe
        
        C:\windows\GZJSCZ.exe
        161⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UIZ.exe.bat" "
        162⤵
        
        PID:3960
        
        C:\windows\system\UIZ.exe
        
        C:\windows\system\UIZ.exe
        163⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QBPRB.exe.bat" "
        164⤵
        
        PID:2044
        
        C:\windows\SysWOW64\QBPRB.exe
        
        C:\windows\system32\QBPRB.exe
        165⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GUGE.exe.bat" "
        166⤵
        
        PID:2796
        
        C:\windows\system\GUGE.exe
        
        C:\windows\system\GUGE.exe
        167⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXXA.exe.bat" "
        168⤵
        
        PID:2104
        
        C:\windows\SysWOW64\HXXA.exe
        
        C:\windows\system32\HXXA.exe
        169⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LIPECA.exe.bat" "
        170⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4496
        
        C:\windows\system\LIPECA.exe
        
        C:\windows\system\LIPECA.exe
        171⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YEHMMK.exe.bat" "
        172⤵
        
        PID:2212
        
        C:\windows\YEHMMK.exe
        
        C:\windows\YEHMMK.exe
        173⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BER.exe.bat" "
        174⤵
        
        PID:5016
        
        C:\windows\BER.exe
        
        C:\windows\BER.exe
        175⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FFNWUYN.exe.bat" "
        176⤵
        
        PID:4724
        
        C:\windows\SysWOW64\FFNWUYN.exe
        
        C:\windows\system32\FFNWUYN.exe
        177⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DVJIRXF.exe.bat" "
        178⤵
        
        PID:1708
        
        C:\windows\system\DVJIRXF.exe
        
        C:\windows\system\DVJIRXF.exe
        179⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTDJCBO.exe.bat" "
        180⤵
        
        PID:5040
        
        C:\windows\system\MTDJCBO.exe
        
        C:\windows\system\MTDJCBO.exe
        181⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QFCT.exe.bat" "
        182⤵
        
        PID:3436
        
        C:\windows\SysWOW64\QFCT.exe
        
        C:\windows\system32\QFCT.exe
        183⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNRY.exe.bat" "
        184⤵
        
        PID:4948
        
        C:\windows\SysWOW64\HNRY.exe
        
        C:\windows\system32\HNRY.exe
        185⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQDOY.exe.bat" "
        186⤵
        
        PID:1272
        
        C:\windows\system\QQDOY.exe
        
        C:\windows\system\QQDOY.exe
        187⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 960
        186⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1328
        184⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1308
        182⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1336
        180⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 988
        178⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1268
        176⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 960
        174⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 960
        172⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1336
        170⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 872
        168⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 960
        166⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 960
        164⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 960
        162⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1324
        160⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1304
        158⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 988
        156⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1324
        154⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 960
        152⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1324
        150⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960
        148⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 960
        146⤵
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 960
        144⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1316
        142⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1336
        140⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1292
        138⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 988
        136⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1316
        134⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 960
        132⤵
        Program crash
        
        PID:260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 988
        130⤵
        Program crash
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1328
        128⤵
        Program crash
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1324
        126⤵
        Program crash
        
        PID:3064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 960
        124⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 960
        122⤵
        Program crash
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1324
        120⤵
        Program crash
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1324
        118⤵
        Program crash
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1292
        116⤵
        Program crash
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 960
        114⤵
        Program crash
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1188
        112⤵
        Program crash
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1328
        110⤵
        Program crash
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1308
        108⤵
        Program crash
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 872
        106⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 960
        104⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 988
        102⤵
        Program crash
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1300
        100⤵
        Program crash
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 960
        98⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 960
        96⤵
        Program crash
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 960
        94⤵
        Program crash
        
        PID:260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 960
        92⤵
        Program crash
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 988
        90⤵
        Program crash
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 960
        88⤵
        Program crash
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1004
        86⤵
        Program crash
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 960
        84⤵
        Program crash
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 988
        82⤵
        Program crash
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 960
        80⤵
        Program crash
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 960
        78⤵
        Program crash
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 960
        76⤵
        Program crash
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960
        74⤵
        Program crash
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 988
        72⤵
        Program crash
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 960
        70⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 964
        68⤵
        Program crash
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1320
        66⤵
        Program crash
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1324
        64⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 988
        62⤵
        Program crash
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1296
        60⤵
        Program crash
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1304
        58⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1292
        56⤵
        Program crash
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 988
        54⤵
        Program crash
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 960
        52⤵
        Program crash
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1336
        50⤵
        Program crash
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1324
        48⤵
        Program crash
        
        PID:4036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1336
        46⤵
        Program crash
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1328
        44⤵
        Program crash
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1292
        42⤵
        Program crash
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 988
        40⤵
        Program crash
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1332
        38⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 876
        36⤵
        Program crash
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1308
        34⤵
        Program crash
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1336
        32⤵
        Program crash
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 988
        30⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1332
        28⤵
        Program crash
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 988
        26⤵
        Program crash
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
        24⤵
        Program crash
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1004
        22⤵
        Program crash
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1328
        20⤵
        Program crash
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 960
        18⤵
        Program crash
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 960
        16⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 872
        14⤵
        Program crash
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 960
        8⤵
        Program crash
        
        PID:1912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 960
        6⤵
        Program crash
        
        PID:4600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1336
      4⤵
      Program crash
      PID:2288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1304
  2⤵
  - Program crash
  PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2468 -ip 2468
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2260 -ip 2260
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4048 -ip 4048
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1768 -ip 1768
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4536 -ip 4536
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4580 -ip 4580
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1684 -ip 1684
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2172 -ip 2172
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2916 -ip 2916
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4848 -ip 4848
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4192 -ip 4192
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3244 -ip 3244
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4300 -ip 4300
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3692 -ip 3692
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1736 -ip 1736
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1400 -ip 1400
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4524 -ip 4524
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5040 -ip 5040
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2584 -ip 2584
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 940 -ip 940
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 312 -ip 312
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1520 -ip 1520
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1676 -ip 1676
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1664 -ip 1664
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2228 -ip 2228
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3144 -ip 3144
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4552 -ip 4552
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3140 -ip 3140
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4524 -ip 4524
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3948 -ip 3948
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1056 -ip 1056
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2904 -ip 2904
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2612 -ip 2612
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2056 -ip 2056
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4560 -ip 4560
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3656 -ip 3656
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3568 -ip 3568
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4672 -ip 4672
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1644 -ip 1644
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4036 -ip 4036
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4044 -ip 4044
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4048 -ip 4048
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5016 -ip 5016
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2228 -ip 2228
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2892 -ip 2892
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 548 -ip 548
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4684 -ip 4684
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 436 -ip 436
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3568 -ip 3568
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4672 -ip 4672
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2584 -ip 2584
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3060 -ip 3060
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2032 -ip 2032
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1384 -ip 1384
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4424 -ip 4424
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1408 -ip 1408
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3596 -ip 3596
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3384 -ip 3384
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1528 -ip 1528
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 184 -ip 184
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1680 -ip 1680
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1400 -ip 1400
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2372 -ip 2372
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2240 -ip 2240
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2956 -ip 2956
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3080 -ip 3080
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1920 -ip 1920
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 208 -ip 208
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1476 -ip 1476
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4496 -ip 4496
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2584 -ip 2584
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3356 -ip 3356
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3972 -ip 3972
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3056 -ip 3056
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1316 -ip 1316
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2364 -ip 2364
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1472 -ip 1472
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4044 -ip 4044
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4536 -ip 4536
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3732 -ip 3732
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1736 -ip 1736
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1920 -ip 1920
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 112 -ip 112
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3596 -ip 3596
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1408 -ip 1408
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3128 -ip 3128
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2964 -ip 2964
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3280 -ip 3280
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3132 -ip 3132
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5044 -ip 5044
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 768 -ip 768
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4736 -ip 4736
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AYYA.exe

Filesize
289KB

MD5
01a87de1abbabefe4e379877cc9176a3

SHA1
f6550cc124e3151452285984ef0b845055470c87

SHA256
c0cb001a275c28a75324c660c7f7adf153e5a4de3127e613ca6630c23c26eb72

SHA512
0265a0ffefa189d29c8874fed6c0d34dc5f0b850d8b1ee087a4f6f5d9d493be97f9aa4658a2619dd058b458fbd54c5f5a10c9414639545d637700b17f05fcb08

Download Submit
C:\Windows\BDR.exe

Filesize
289KB

MD5
9c98361aef7210e28729d6d07d7a2471

SHA1
31a853829902a771f8ac0f4bd5a2280c07bff154

SHA256
340950c88e9bb5526ffdf6584a4208db2eb5bc54a291fc0d5d95e95130d734b5

SHA512
32e633ffc336757b446e7b486190c9a9501a612d3dbf8e5091a5cee3839d56b4d555a1a7ee892025004b5ae3f5b55792cb27db1d679f72923f2d8affd6e65ab5

Download Submit
C:\Windows\CFVW.exe

Filesize
289KB

MD5
33da2aa0505e6f61a3a89b8f1785e496

SHA1
f481d3f4e99265a274674a3ebf85061bdb274f19

SHA256
66904ca630650ce8e63e2bdd43f48b43991ab595b504b0db894ec2c8f88090fd

SHA512
c16835dcfcb542a1284b90143f56c6fe26bee5e073d3eb9c4e61ce5b244616b9e2c05e516cb8605a084967a185d34d22ccc0d75bb8790d2edea7fda34cecae9f

Download Submit
C:\Windows\SysWOW64\CXOFVZK.exe

Filesize
289KB

MD5
10ea8d23c37bb83c1c159e0a9f3476e6

SHA1
f07a29c7fd8f3110bcfac00927cc3c12cf4f4d1b

SHA256
129746644fd7be86b3ef157d950be029ccea179f567bb1d99aa0545cebab67e6

SHA512
2793d723fc9143c7ce1e544b831fd5f50d67355a711c1161a9bc38f0db46e20c05e2ea97d48626508a4b48b4edebf91051e82f44dfed7e347dbc2f1932016d04

Download Submit
C:\Windows\SysWOW64\DTTLGUZ.exe

Filesize
289KB

MD5
9906770f82fa05e64e6085ab94911369

SHA1
e03c3c64b467d187a7c8549d1a82ded83e210345

SHA256
3c67b21c62c9d439ec086e0b4791dfac19a5575afb70751eedf6178958153fb4

SHA512
3a6b43428be1e1426dc67ddd0c1ccc8e50c5e76a38593cd5b3f109fec6e725abd1f8d2c24ffcb2dafbd85b315b2a3b1c37f3356b312429da08a38e9b801c5d02

Download Submit
C:\Windows\SysWOW64\FBKXP.exe

Filesize
289KB

MD5
34ae0e44e9086d71c8dc100769271e94

SHA1
6476a85452157b05e09770f5b745cce994fe5562

SHA256
368340e8dd6724e56b95a8cb35b830c7e1ab9534dc2eb464fae67f6051f3bd3a

SHA512
2faf507013440aa70645079822fb9ff9d15f3993e27d23946f17b9d19d6c532b8076b31aa18e6542f4f62f253aef9a725f80b6ac3d7dc48388ec2616a33e6c45

Download Submit
C:\Windows\SysWOW64\HTBFT.exe

Filesize
289KB

MD5
39fd9d76955ed53ab918d184b58853eb

SHA1
02d72b03ddf8b4988b2c063a689cd9138a18eb02

SHA256
21d2c684a1cebe9392ac8ebee9f27bcf1bdb8cde5b26da69296b46e71996f4e1

SHA512
8cc71a8ed8eecadd61f436d0798e9316727b8b8b0ea9a8e6ef92b9fccd474bd56a6282bb53987432aca6606a624cce31c5c807a1bf44fc40b08c8c1c2048027e

Download Submit
C:\Windows\SysWOW64\MNPTZ.exe

Filesize
289KB

MD5
fe5bcc3c4e81fc464d9ac1e3ecbd6aa5

SHA1
7706a23dde32992dcc8f419efe7349de2978cf38

SHA256
e457737ff09ec8168c2320415aae88484b20ff97bfc0cf38ca688bd08fd4da95

SHA512
0043d3f32593c8154dbd3834a4f05895f98f53205c9e7efe437933ffd9b1ddfb045c349850c0679a7f4f325810f42bb055a3a3e61490b88d1ce334466c8cf7a1

Download Submit
C:\Windows\SysWOW64\TMAAZNV.exe

Filesize
289KB

MD5
2091f32e93e234640a41cb8fe484181f

SHA1
c5ff12819de80bd03ece9b406d4310ec4ce8a750

SHA256
2177a6d6c8a510f446ba734825f38fd3cbb3fc20f8111a997d4fab8fadddb6cb

SHA512
5ef4418081256e5c8b4d285e680e63f294e2401415dc81fa8d10f453fd83817ce9e46e65acd15478d5727f8d83e59a1984c22d8fc2c488e2a1b0a16546cdcf79

Download Submit
C:\Windows\SysWOW64\UXT.exe

Filesize
289KB

MD5
d981f3cd485e548827bfb7fa8efb9055

SHA1
2638824200ee5658407ba83a7dab8ccb8037f782

SHA256
df37484eea57367a50419d3e85ffc4ce1f27b8f42b2ed8e5e0f0e55fa8f02f6a

SHA512
d2a8af6df22eb0ea64acc11b31381a37c2fc59f1f8744f1a69b2c1af13d4577866100d228b8a453643cd17bfc077b03ed03d1d6388daa4cb74c2e36cd3aeb60f

Download Submit
C:\Windows\SysWOW64\YKWQJSN.exe

Filesize
289KB

MD5
9a98cb6fbb6aa0ad034208afa7dce702

SHA1
8c6abfd98958092f483734cd3f9e35026bf0ddb0

SHA256
2593af38bfab9788cd86b63a8069bf17e0126e5336b099ec20dc22fcc81eddab

SHA512
45e6dde9b28e2dcf3d5c3cf50853b87a3a9a12c2e06cc52e727a7a1647c004b7fd3068c011adb023120cd01c573ec5222d3ec99d5625cbf83fccd788e163343a

Download Submit
C:\Windows\System\AYM.exe

Filesize
289KB

MD5
ad73875dfecc4a14f3da0b8efd3525cb

SHA1
d16a71bba56008cea02284492d5dabb5e0bca269

SHA256
7db345f93f1b37f65a2f79aef52765082a40be8f01b71f2e33c1461b9ccf4850

SHA512
f8bcefa261784f20b8273e58ce933dbc2a44affde95f624e3fc818e4fbfee34b77285b924351c4dde158e099128e0d198ce10c6f6a812b81b5517d5387b36189

Download Submit
C:\Windows\System\CUCS.exe

Filesize
289KB

MD5
c05c27a2d2b556d2715c6369463c5cb5

SHA1
227698ba41df72cfef5c86491632133a64ac6ea3

SHA256
82cdc8df108bffe0cda450e0892172ff728be644f1eeca5d0aed5e6082c6837c

SHA512
3d444c3b0326a2c59f6c7932aeaca6cb16986febf9c69c74c4efc05ff0e8f5ec03d8f305aaa7b19c890c4182e162e70eb0b50b41253e3eaa3c3f6c801ba37b57

Download Submit
C:\Windows\System\DIQSK.exe

Filesize
289KB

MD5
4675449ced2690c342b4de79ff5c780c

SHA1
1ac751abbae96372a6fbe7b0cabd4a064180c35b

SHA256
bc04b22c5be65bd90352ff7133a9d86bd1991c2248c54441fed0d2d15b017f04

SHA512
c8472bbc33b0f9ddde5bafafd682b4417987ea1af15647a3112564196ceb83824f071988c204297a5448c78011d56845248be825772c6833d456b7ebf2b4ca3e

Download Submit
C:\Windows\System\FPLN.exe

Filesize
289KB

MD5
a1ce00a7dd2310729bd53739f5e9a6c6

SHA1
880c92e59994b05f8f09d1f29edb9fe2a3bf3f68

SHA256
dda468b3fe91c8274fefacbbf33300abcec0e5736766765ca20844e5a0802ed6

SHA512
5682a6a4a614436797e495c0fa9492b18eed468ad4205ffa617b398c0c0bc8d46431a329d4d3e1cc330eeff2f44a337d329ccf166381425175989b5bb9964ec4

Download Submit
C:\Windows\System\HBD.exe

Filesize
289KB

MD5
40c81fe554af37b13b78db47bdd3885f

SHA1
4d001e3eabd6c6e75c7eb6fb5ec29815238a1aa6

SHA256
46382282225053d6f025ab3f7bf216679aab8bf7f12e20da724b442e99481fcf

SHA512
7d588a0d7dd1ff944cab0575883cb1843cf491249ade351383c36807a17065445c226eac77c399c5018feec6abf76cdb8da69786568c1a1bf77b623429b50f93

Download Submit
C:\Windows\System\HBD.exe

Filesize
289KB

MD5
e18c571cf5aa63bddc4ed2ffcf93985d

SHA1
86cdf8c14030f5bd1f8b8079932bf80096b8fd8a

SHA256
00e266fff67587000f70c7afaf24a3a84b9c152589828b5766a281e6efc69ffd

SHA512
bcbd3f655058b2c002c7e37765b13911f5920967ce3c048a7504f0b835cce590fdd448235d0baad52b4f0d39ec2683c1c55177fa320d08517466481fa0c64486

Download Submit
C:\Windows\System\JLSCWXP.exe

Filesize
289KB

MD5
7d94ce9965245726ca1b2be9a0d3117b

SHA1
284f312535f82ea7f4443e9a6b2156b600415005

SHA256
c011c2867f11c22a7884c5150783e930dfc4a9011bf51d835f33d285e8c7a043

SHA512
b664479b4929bdbcb2f0a0f20cc2fe1e56045d062bedd8d6e2f55355af8b6459366e3d4a7562278287d3b2cd7142cdfc85b93c0957e0576db6f5dcf316e217f3

Download Submit
C:\Windows\System\QXUWJ.exe

Filesize
289KB

MD5
8f1831e91ba081652d8954e0f98af11b

SHA1
e821e2021ddc8136d46fe293745af1b729795b80

SHA256
c7e43e3067598d85a76f636dff008f7bf2a61f8ee2098559ec354f30bce14640

SHA512
5228edcf04b729c296bc84c21491d3b8b8fdbd0457c6cd57b4a19b1a331a7aa997f32a0dd5c280bbe13dadcb86f21145db17c3e2829157d7e3c65636a08f370c

Download Submit
C:\Windows\System\TUWXW.exe

Filesize
289KB

MD5
5b122eaf48cd79e8bc2985614bc6a66f

SHA1
fe97a188aa03880217a3cc84506898fc59660cb4

SHA256
33e6ebd7348fcf7c27dadd87f70f2137fc5ae990a6601acad548828e96cfb7c3

SHA512
93206bdfe5497f066786d7dedcf76dc38944058a4b4cca8f80a627a7179b30e02ce48016c29b5042598c0677aa687e974fd0ad4c9a29cd3d5918eb2a30ad887c

Download Submit
C:\Windows\System\XJXWF.exe

Filesize
289KB

MD5
86b18c5d267cf4bc5d7727a07916e52b

SHA1
8c44c76bae67c38341f718be79fa66d196b65fb5

SHA256
d03c9fb6ae180f9e6ec766571db8743d7431919d1f977e08ba008f6e70c32838

SHA512
5a74d5067518a65dcf6dc06914e0e214222d63642ea2985a6a1e53395c3428dd71bab0f6f6a6455db9a13627e2c117f7ac74fa3ff84956387537b00ee4d07602

Download Submit
C:\Windows\System\YREA.exe

Filesize
289KB

MD5
7d8da5a57f45825203628462aa43d786

SHA1
b947acc54726a9a958d569a1fcd64dbe2547ef1f

SHA256
e5e99efe346947c233553bb6af1c1d1d98e9bc13fdbb2000e756755ca71d085f

SHA512
15db60bc5a6994e1a9306a3dfb0033042048140e997a26580c4abfac0accf3a556a77a3499e98a53f0d14e69b319e1aad75bbaa957afad2280224106b08594a7

Download Submit
C:\windows\AYYA.exe

Filesize
289KB

MD5
01a87de1abbabefe4e379877cc9176a3

SHA1
f6550cc124e3151452285984ef0b845055470c87

SHA256
c0cb001a275c28a75324c660c7f7adf153e5a4de3127e613ca6630c23c26eb72

SHA512
0265a0ffefa189d29c8874fed6c0d34dc5f0b850d8b1ee087a4f6f5d9d493be97f9aa4658a2619dd058b458fbd54c5f5a10c9414639545d637700b17f05fcb08

Download Submit
C:\windows\AYYA.exe.bat

Filesize
54B

MD5
7f6aba299692354adc3e40a1e5de9237

SHA1
7efe9187d3d03d0466cca740dd721c5c16447225

SHA256
4d08f48a70827484712589274fd6f3714793c66a63c021942223eb1b24c1ed0a

SHA512
86b9e4f584632f67155b9f64ff90d65159d014212e960aba3d250c85fcc145326ce7ca2c23ff119fec5148ce12ef85d95e9392e60b61cde6a016b2f1e3ef3bef

Download Submit
C:\windows\BDR.exe

Filesize
289KB

MD5
9c98361aef7210e28729d6d07d7a2471

SHA1
31a853829902a771f8ac0f4bd5a2280c07bff154

SHA256
340950c88e9bb5526ffdf6584a4208db2eb5bc54a291fc0d5d95e95130d734b5

SHA512
32e633ffc336757b446e7b486190c9a9501a612d3dbf8e5091a5cee3839d56b4d555a1a7ee892025004b5ae3f5b55792cb27db1d679f72923f2d8affd6e65ab5

Download Submit
C:\windows\BDR.exe.bat

Filesize
52B

MD5
a345f8ad1374c95a114e96b0443de30a

SHA1
61d00c1d1b2c0b608ef9c4840a9b9d71354be697

SHA256
eb3c094b788310738d6687ecb5b44ae9452c4b4cab74f4525f5943d81d35a510

SHA512
7929b1e032c97a8350d80be4330d53b77cadabf9597fe085719cba2a9589ff58e3239c97f4212187483a301eea204c7058cd3fe24191f1841f127d7df8f5c569

Download Submit
C:\windows\CFVW.exe

Filesize
289KB

MD5
33da2aa0505e6f61a3a89b8f1785e496

SHA1
f481d3f4e99265a274674a3ebf85061bdb274f19

SHA256
66904ca630650ce8e63e2bdd43f48b43991ab595b504b0db894ec2c8f88090fd

SHA512
c16835dcfcb542a1284b90143f56c6fe26bee5e073d3eb9c4e61ce5b244616b9e2c05e516cb8605a084967a185d34d22ccc0d75bb8790d2edea7fda34cecae9f

Download Submit
C:\windows\CFVW.exe.bat

Filesize
54B

MD5
2181a7aaf144ea492616f06195578478

SHA1
10d9c704ec2498a783c41ddd3d5a023ed945a62e

SHA256
f9b13fda05362075e1d48dfd257e7580c84637a0a0b3d05d30e665ab7d14bc42

SHA512
9b19ff256a1bc4935b15b36e6892a59c5e93a400004c5f913276b04798803c4ebe2b511d8a65d802053057e1a19c91196d9c1ce9d939a876791cafcdbf6d5185

Download Submit
C:\windows\SysWOW64\CXOFVZK.exe

Filesize
289KB

MD5
10ea8d23c37bb83c1c159e0a9f3476e6

SHA1
f07a29c7fd8f3110bcfac00927cc3c12cf4f4d1b

SHA256
129746644fd7be86b3ef157d950be029ccea179f567bb1d99aa0545cebab67e6

SHA512
2793d723fc9143c7ce1e544b831fd5f50d67355a711c1161a9bc38f0db46e20c05e2ea97d48626508a4b48b4edebf91051e82f44dfed7e347dbc2f1932016d04

Download Submit
C:\windows\SysWOW64\CXOFVZK.exe.bat

Filesize
78B

MD5
bd11336c0ae7dda30e6b22505b0a2ba6

SHA1
f6e8eb24c0163232bcaa7c946849525237c70e4a

SHA256
eaa5c5fb5b3dfd286968c75404325b730b2a003031ba5fb84ae267945509221e

SHA512
738deae562b3971e200f415e9278ef7a8801902b4bd1371982d7eca8c092de121af8669fa86c32b8e9c256731a8e6545ff2afd684c4279efb6547d1cac5d8283

Download Submit
C:\windows\SysWOW64\DTTLGUZ.exe

Filesize
289KB

MD5
9906770f82fa05e64e6085ab94911369

SHA1
e03c3c64b467d187a7c8549d1a82ded83e210345

SHA256
3c67b21c62c9d439ec086e0b4791dfac19a5575afb70751eedf6178958153fb4

SHA512
3a6b43428be1e1426dc67ddd0c1ccc8e50c5e76a38593cd5b3f109fec6e725abd1f8d2c24ffcb2dafbd85b315b2a3b1c37f3356b312429da08a38e9b801c5d02

Download Submit
C:\windows\SysWOW64\DTTLGUZ.exe.bat

Filesize
78B

MD5
dc260d1aae49b8599c2aba69e97c0e3c

SHA1
f3c7f21eb9c41e9938c8d684fafd7e99443e0a59

SHA256
77c038eba07d57eda66a3539a525c432b9a647874d432948e35bdd0e6639f867

SHA512
0a0296e4e16be6110c8d676d77c4da0a9bd7e84274e3f846e3ba1481c2d747dadfcf29dfcc1b081b551e0a75087fe6a41792c975daa1b247d400891a06714e15

Download Submit
C:\windows\SysWOW64\FBKXP.exe

Filesize
289KB

MD5
34ae0e44e9086d71c8dc100769271e94

SHA1
6476a85452157b05e09770f5b745cce994fe5562

SHA256
368340e8dd6724e56b95a8cb35b830c7e1ab9534dc2eb464fae67f6051f3bd3a

SHA512
2faf507013440aa70645079822fb9ff9d15f3993e27d23946f17b9d19d6c532b8076b31aa18e6542f4f62f253aef9a725f80b6ac3d7dc48388ec2616a33e6c45

Download Submit
C:\windows\SysWOW64\FBKXP.exe.bat

Filesize
74B

MD5
d8c56e8eefe030d80e333296460bab42

SHA1
8a6f287229554097123d47bc8d45432f703925c1

SHA256
ac966e392793ae6eb3ec88f4720adf1ae1928bf922353afff54ed6ecb2a24dbe

SHA512
4da9c88efe561c36bcd6933fc37baa27ca93fa620f2be3525b3f2aaf35a30a10630c46d96b156d074f0ddb266d0761603ed4ed9700942a95bc5060acca08841f

Download Submit
C:\windows\SysWOW64\HTBFT.exe

Filesize
289KB

MD5
39fd9d76955ed53ab918d184b58853eb

SHA1
02d72b03ddf8b4988b2c063a689cd9138a18eb02

SHA256
21d2c684a1cebe9392ac8ebee9f27bcf1bdb8cde5b26da69296b46e71996f4e1

SHA512
8cc71a8ed8eecadd61f436d0798e9316727b8b8b0ea9a8e6ef92b9fccd474bd56a6282bb53987432aca6606a624cce31c5c807a1bf44fc40b08c8c1c2048027e

Download Submit
C:\windows\SysWOW64\HTBFT.exe.bat

Filesize
74B

MD5
2a1fd187652e78f0791e0fa824dd9eaa

SHA1
9d2ca88051c2e725f1c8b84616d0ff966da7eaa0

SHA256
3761c7d75a7c5b339701637ff7269b085e28f5171c01b23efb305ca9b36488e5

SHA512
cc9eee7a5a8bdd2ae404032976962fc353b63105a880b2d09af5ef097ca0f4b6f3c57f42704ad664cbfcd07a9ebbcf32e53f0f41e95c22bd6a0af65cafd1693d

Download Submit
C:\windows\SysWOW64\JOBDWG.exe.bat

Filesize
76B

MD5
04413e20a10aa52e3027533490314419

SHA1
e272d27928fed624d145c58d6ea1c81cb5909f34

SHA256
62430b94ad3e689cf186f59537dda310bc2780ddf9d0781159f080317393015a

SHA512
562623915b12f21e6b5c69a6e790111242e524cc3492b4b9fd839772bae54fa21324ffce19d68e6217f8cb7cca1e7899915d8913e991a3010f84fef5117293cd

Download Submit
C:\windows\SysWOW64\MNPTZ.exe

Filesize
289KB

MD5
fe5bcc3c4e81fc464d9ac1e3ecbd6aa5

SHA1
7706a23dde32992dcc8f419efe7349de2978cf38

SHA256
e457737ff09ec8168c2320415aae88484b20ff97bfc0cf38ca688bd08fd4da95

SHA512
0043d3f32593c8154dbd3834a4f05895f98f53205c9e7efe437933ffd9b1ddfb045c349850c0679a7f4f325810f42bb055a3a3e61490b88d1ce334466c8cf7a1

Download Submit
C:\windows\SysWOW64\MNPTZ.exe.bat

Filesize
74B

MD5
6dbd6be9b15ecf0af76621dd1bba1a6c

SHA1
84cb2a0eb7880a2e0d93c275c02b9459603c1e57

SHA256
243ec3136a4ab72b756bd2c97f3fa6d611635dd334f1e155b9328f3bf29ed139

SHA512
8c2711ffdbf39f818eab43c92ad1d00c8e6c0981452a9c24c587d01354ef327569e937ec79d4b228fa72d414fedac8c1abdbaf5cfdffebe6af709a25d51563c0

Download Submit
C:\windows\SysWOW64\TMAAZNV.exe

Filesize
289KB

MD5
2091f32e93e234640a41cb8fe484181f

SHA1
c5ff12819de80bd03ece9b406d4310ec4ce8a750

SHA256
2177a6d6c8a510f446ba734825f38fd3cbb3fc20f8111a997d4fab8fadddb6cb

SHA512
5ef4418081256e5c8b4d285e680e63f294e2401415dc81fa8d10f453fd83817ce9e46e65acd15478d5727f8d83e59a1984c22d8fc2c488e2a1b0a16546cdcf79

Download Submit
C:\windows\SysWOW64\TMAAZNV.exe.bat

Filesize
78B

MD5
e1197a5ea0983a9881ce65cea83d3e22

SHA1
7c8d35925069902887c38d932d3f9aae14a9270c

SHA256
3817755f2a041b5fc537cbf2e5db16d69b907c25e4f1d76f2045683726056c6f

SHA512
ed8f1b1e43cbbe50193bb525575bcc26d9fe0e556dfaab8524ea65c8f50c62c1a6114b0f1f9bf30f123f69bdf651c7972fb3d36d39a66df07a1b459b8388b6ff

Download Submit
C:\windows\SysWOW64\UXT.exe

Filesize
289KB

MD5
d981f3cd485e548827bfb7fa8efb9055

SHA1
2638824200ee5658407ba83a7dab8ccb8037f782

SHA256
df37484eea57367a50419d3e85ffc4ce1f27b8f42b2ed8e5e0f0e55fa8f02f6a

SHA512
d2a8af6df22eb0ea64acc11b31381a37c2fc59f1f8744f1a69b2c1af13d4577866100d228b8a453643cd17bfc077b03ed03d1d6388daa4cb74c2e36cd3aeb60f

Download Submit
C:\windows\SysWOW64\UXT.exe.bat

Filesize
70B

MD5
32e82ccffb35820c85e9ecaad7861abf

SHA1
46a902947c43826e0e1d7d8cfcde3b373255979f

SHA256
1b5d3be7abed2930b75820c97e298a88ce8326bbf173f84535ba6da8ea0c164b

SHA512
f1594b15db897db4dca9c92ebec040f50ed29ca85a85ea30a3ca44e580982e4217eae8703a0e6477fd9565e3fd5757ab391401095cc12ca71221fed690c7a70e

Download Submit
C:\windows\SysWOW64\YKWQJSN.exe

Filesize
289KB

MD5
9a98cb6fbb6aa0ad034208afa7dce702

SHA1
8c6abfd98958092f483734cd3f9e35026bf0ddb0

SHA256
2593af38bfab9788cd86b63a8069bf17e0126e5336b099ec20dc22fcc81eddab

SHA512
45e6dde9b28e2dcf3d5c3cf50853b87a3a9a12c2e06cc52e727a7a1647c004b7fd3068c011adb023120cd01c573ec5222d3ec99d5625cbf83fccd788e163343a

Download Submit
C:\windows\SysWOW64\YKWQJSN.exe.bat

Filesize
78B

MD5
b42d2a1ba2646ee9953dd0cbd2180531

SHA1
ce28ca888502aca1bc416ec10fc98f1922fe5bd5

SHA256
20c6e108720ca5a33d30a03ef675b34d8cc9d8eeba7d49575a62a082196000f0

SHA512
ccccc42a4009daf19fc3eb6e30a0ef4a1da793d83dfa009c54550ec6806d12618216eb324f6b966a5506551a53913e44746b00a83714570c34417d03f8da4749

Download Submit
C:\windows\system\AYM.exe

Filesize
289KB

MD5
ad73875dfecc4a14f3da0b8efd3525cb

SHA1
d16a71bba56008cea02284492d5dabb5e0bca269

SHA256
7db345f93f1b37f65a2f79aef52765082a40be8f01b71f2e33c1461b9ccf4850

SHA512
f8bcefa261784f20b8273e58ce933dbc2a44affde95f624e3fc818e4fbfee34b77285b924351c4dde158e099128e0d198ce10c6f6a812b81b5517d5387b36189

Download Submit
C:\windows\system\AYM.exe.bat

Filesize
66B

MD5
f50adfb873f38e757446cf834094c028

SHA1
0359fcf95c315bbd9eb88299cdc57d3567345389

SHA256
315fd1105694d39ff94022f044a604e4e75c4962dc8b01221cfeeabf2d0bbb4c

SHA512
f1088c593cdd93e97b1037bb86ddda7a97641638066c3360e57466df6434626001c09c96d66a2a6f7e97a7c285196426c6519b26984733708af41f674e42fa9f

Download Submit
C:\windows\system\CUCS.exe

Filesize
289KB

MD5
c05c27a2d2b556d2715c6369463c5cb5

SHA1
227698ba41df72cfef5c86491632133a64ac6ea3

SHA256
82cdc8df108bffe0cda450e0892172ff728be644f1eeca5d0aed5e6082c6837c

SHA512
3d444c3b0326a2c59f6c7932aeaca6cb16986febf9c69c74c4efc05ff0e8f5ec03d8f305aaa7b19c890c4182e162e70eb0b50b41253e3eaa3c3f6c801ba37b57

Download Submit
C:\windows\system\CUCS.exe.bat

Filesize
68B

MD5
1b72ce98ac20a836034ef65b5f567ddb

SHA1
d24f09f436077c13835962f82c9cb452924cc37f

SHA256
625958fe78516ae7e7ba9af3423d0c7e2b69a5ca3859ff802d1850e1187c90a1

SHA512
5893f5448c7c20dca230ae39abc156feba6f957e2ab4aab7e4cca1d1aa3c575937389a3c46bf456a6b44e6c1fdf6bc5793f9dfd20a35f9a0160bcd75bfe2a192

Download Submit
C:\windows\system\DIQSK.exe

Filesize
289KB

MD5
4675449ced2690c342b4de79ff5c780c

SHA1
1ac751abbae96372a6fbe7b0cabd4a064180c35b

SHA256
bc04b22c5be65bd90352ff7133a9d86bd1991c2248c54441fed0d2d15b017f04

SHA512
c8472bbc33b0f9ddde5bafafd682b4417987ea1af15647a3112564196ceb83824f071988c204297a5448c78011d56845248be825772c6833d456b7ebf2b4ca3e

Download Submit
C:\windows\system\DIQSK.exe.bat

Filesize
70B

MD5
833669aea91c0570c026c3e1b6de5378

SHA1
71511e4da4c0b3e35e56dbaba0d863b6d405288e

SHA256
36cf00c6b07a3ee3595cf173fb68258ac79b9adc3a4474822bcb89b84cc3ca61

SHA512
bba93d80a7b890be62006652bb9416038acbfa07f41ba2bd3bca25931618827d2b4d12620e8b93134c38e89cc5cc027c7f2b91282aef2c354ebe95fbc286f92f

Download Submit
C:\windows\system\FPLN.exe

Filesize
289KB

MD5
a1ce00a7dd2310729bd53739f5e9a6c6

SHA1
880c92e59994b05f8f09d1f29edb9fe2a3bf3f68

SHA256
dda468b3fe91c8274fefacbbf33300abcec0e5736766765ca20844e5a0802ed6

SHA512
5682a6a4a614436797e495c0fa9492b18eed468ad4205ffa617b398c0c0bc8d46431a329d4d3e1cc330eeff2f44a337d329ccf166381425175989b5bb9964ec4

Download Submit
C:\windows\system\FPLN.exe.bat

Filesize
68B

MD5
528c4300f5cee6a2c4a3fb713731adab

SHA1
721573d581f7bd52740185652a15f5a274d4591b

SHA256
7de325e41e9b0dc4196c3a5d7287d0626d54b05e4c98c2277c2748ebf44ae3fe

SHA512
5f6a2e90a54c1a70d9024f38aee74aa3ebf0f89200c93e1c2e7a3de155490a8088d013013e40330e24c393ab077924675cda03196de28d86d36325f38b695ec6

Download Submit
C:\windows\system\HBD.exe

Filesize
289KB

MD5
e18c571cf5aa63bddc4ed2ffcf93985d

SHA1
86cdf8c14030f5bd1f8b8079932bf80096b8fd8a

SHA256
00e266fff67587000f70c7afaf24a3a84b9c152589828b5766a281e6efc69ffd

SHA512
bcbd3f655058b2c002c7e37765b13911f5920967ce3c048a7504f0b835cce590fdd448235d0baad52b4f0d39ec2683c1c55177fa320d08517466481fa0c64486

Download Submit
C:\windows\system\HBD.exe.bat

Filesize
66B

MD5
a4470297e6d9bcb389986c70aa2d998c

SHA1
7cfc7b73568205e001e0214321c2655ed59b0451

SHA256
2209b57a11a5d9b4c191baa9f9788e19558f95404d3dd3a7395ef7bc74a21260

SHA512
3d30be14fd4383a00f0fea963b220fda5cb92ff51352fce53f05a3045f7c4bf544280294fb200e7dc37559ed9ddf850201c032cc320d2e71c48cd75ea16541dc

Download Submit
C:\windows\system\JLSCWXP.exe

Filesize
289KB

MD5
7d94ce9965245726ca1b2be9a0d3117b

SHA1
284f312535f82ea7f4443e9a6b2156b600415005

SHA256
c011c2867f11c22a7884c5150783e930dfc4a9011bf51d835f33d285e8c7a043

SHA512
b664479b4929bdbcb2f0a0f20cc2fe1e56045d062bedd8d6e2f55355af8b6459366e3d4a7562278287d3b2cd7142cdfc85b93c0957e0576db6f5dcf316e217f3

Download Submit
C:\windows\system\JLSCWXP.exe.bat

Filesize
74B

MD5
8df965e296fc81cd42d345f2490f9f9f

SHA1
be7b4e9d1912a79c6ddf4aeee4942528e7d34abf

SHA256
89cbcf5fea88dd603c1c14452e333dafe34776e5eb158e6d9b7f2ac82a5e8540

SHA512
1910ff5fad5df54bee48fbd3afbb05992465f6db8a3f41f0f08d8fff374afe079b749ec095418d8dc254f79ba89da97040133f6452e627ba9ee6a399d25c66ce

Download Submit
C:\windows\system\QXUWJ.exe

Filesize
289KB

MD5
8f1831e91ba081652d8954e0f98af11b

SHA1
e821e2021ddc8136d46fe293745af1b729795b80

SHA256
c7e43e3067598d85a76f636dff008f7bf2a61f8ee2098559ec354f30bce14640

SHA512
5228edcf04b729c296bc84c21491d3b8b8fdbd0457c6cd57b4a19b1a331a7aa997f32a0dd5c280bbe13dadcb86f21145db17c3e2829157d7e3c65636a08f370c

Download Submit
C:\windows\system\QXUWJ.exe.bat

Filesize
70B

MD5
23ec28b96268595c6ef3532a74627e86

SHA1
570701efdd06e3bdd4512a7247fcabf8810a67ec

SHA256
b620090f5a9737883b171207abcc5b29edb25a4984539fa188acf3bd2508dc87

SHA512
1ac3b7552fe69eb6edc3bae84677bdea51cbdf405465e9479a0a4944269fc3d22ef7462d4646daec46628c8f82bfa87e18bfeac62860dc2e3f8a2a212d07bde3

Download Submit
C:\windows\system\TUWXW.exe

Filesize
289KB

MD5
5b122eaf48cd79e8bc2985614bc6a66f

SHA1
fe97a188aa03880217a3cc84506898fc59660cb4

SHA256
33e6ebd7348fcf7c27dadd87f70f2137fc5ae990a6601acad548828e96cfb7c3

SHA512
93206bdfe5497f066786d7dedcf76dc38944058a4b4cca8f80a627a7179b30e02ce48016c29b5042598c0677aa687e974fd0ad4c9a29cd3d5918eb2a30ad887c

Download Submit
C:\windows\system\TUWXW.exe.bat

Filesize
70B

MD5
67856ef3aa4d5120d46ba6df78447be6

SHA1
f4689e023fb06923ab37fcea39ca8ecbefacc393

SHA256
4fbdb1a506b45d1e34c528464535812a634c808b8422e8beaef17da55d070563

SHA512
4be7340c1933cad8b99a592154aa3d59c33edcb7b8216e58dbfae494d59866ce8fb763e71c0206ff479300d6f3f439754065f71fcc64aad15f91b6459217319f

Download Submit
C:\windows\system\XJXWF.exe

Filesize
289KB

MD5
86b18c5d267cf4bc5d7727a07916e52b

SHA1
8c44c76bae67c38341f718be79fa66d196b65fb5

SHA256
d03c9fb6ae180f9e6ec766571db8743d7431919d1f977e08ba008f6e70c32838

SHA512
5a74d5067518a65dcf6dc06914e0e214222d63642ea2985a6a1e53395c3428dd71bab0f6f6a6455db9a13627e2c117f7ac74fa3ff84956387537b00ee4d07602

Download Submit
C:\windows\system\XJXWF.exe.bat

Filesize
70B

MD5
2c5ff98648d4ded510de02c9534c6e57

SHA1
d9520122ad11666ae8ed4d1fa1b9b9f5cf46f2d0

SHA256
3e389cd2bb4dd610323d73f55df19556bdba3be52ef23fdb8d4b7c5490ea41c6

SHA512
c0d5bdfe40d55b2ffc5e1cf8b329fed83fd2f5f745cacdf840e8d0df86b8ca0fe9e06793fd65eb063779101626f9424ef589b943e1a055f37028fd0652a7d4dc

Download Submit
C:\windows\system\YREA.exe

Filesize
289KB

MD5
7d8da5a57f45825203628462aa43d786

SHA1
b947acc54726a9a958d569a1fcd64dbe2547ef1f

SHA256
e5e99efe346947c233553bb6af1c1d1d98e9bc13fdbb2000e756755ca71d085f

SHA512
15db60bc5a6994e1a9306a3dfb0033042048140e997a26580c4abfac0accf3a556a77a3499e98a53f0d14e69b319e1aad75bbaa957afad2280224106b08594a7

Download Submit
C:\windows\system\YREA.exe.bat

Filesize
68B

MD5
abe344917fef7bc1843f930ee6c1be40

SHA1
800002464fa56591dd20fa304c721bef22344393

SHA256
d9819600537e59c0d33d04159becf579bb66e9a54d1f6f788a5c563c1dc6589b

SHA512
4b0f8a094ae69f893d7af5c079eff733007ac3b0af567e74438b746f0b279812043543f2d8464de332a604dc06f012ae7c2893d31e9b98a2a8ee2d1ef7655ed2

Download Submit
memory/312-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/312-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1736-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1736-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3244-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3244-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-51-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download