cbc97c82ea12518215510a3cb3982880eedda1232d52c1f204f23c98bd7998fc

Analysis

max time kernel
45s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.213cfd32e2da38286425cc9d36e9389f.exe
Size

208KB
MD5

213cfd32e2da38286425cc9d36e9389f
SHA1

faa3ea563aa19c5897c6116805db42a272e1adf2
SHA256

cbc97c82ea12518215510a3cb3982880eedda1232d52c1f204f23c98bd7998fc
SHA512

77313ccec5cd367ef3da45a48f9d4a431ef1c223ef0cfa2bbbdf247543c9ee06b123f97e881979915f1a4b5a1da17648e83ef241819a16e1a1118dc02be24d57
SSDEEP

3072:z4D0ZbTVnmUU8UYBGFLivSaWMEVm7LxX4NLthEjQT6j:zFVVnG8HGFLivSQ1QEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 35 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	JJWK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	JRKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	EIF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	KKCL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	CURX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	UNIEDL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	AND.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	VMOIPUZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	GTD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	CEXE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	RNZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	AOQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	SJC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	FSRTQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	DYULRDL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	TIMGF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	BPDG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NFBRZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	XUJZIUX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	KWV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	FDEH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	KQC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	RVGEEBO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	CQTRYGC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	BUO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	HOPRU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	ISRPMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	KVLRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	QNCTP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	FKHKDBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WPKEBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	FFKGWVS.exe

Executes dropped EXE 54 IoCs

pid	Process
5012	CURX.exe
2400	WPKEBT.exe
3828	TIMGF.exe
4780	GTD.exe
1424	BPDG.exe
436	FFKGWVS.exe
3692	RNZO.exe
484	KQC.exe
928	UNIEDL.exe
3976	AOQ.exe
1660	JJWK.exe
4836	JRKI.exe
5004	BUO.exe
1076	EIF.exe
5080	AND.exe
4960	ISRPMV.exe
4940	HOPRU.exe
4884	KWV.exe
680	CEXE.exe
4140	KKCL.exe
1284	WerFault.exe
4960	WerFault.exe
4564	WerFault.exe
5004	FDEH.exe
2344	SJC.exe
1424	KVLRR.exe
2304	WerFault.exe
2084	QNCTP.exe
3468	WerFault.exe
4600	RVGEEBO.exe
2348	WerFault.exe
3520	NFBRZ.exe
1500	WerFault.exe
1964	WerFault.exe
2088	WerFault.exe
2620	FSRTQM.exe
1128	FKHKDBD.exe
488	CQTRYGC.exe
3840	cmd.exe
4740	backgroundTaskHost.exe
4336	DYULRDL.exe
1964	WerFault.exe
3468	WerFault.exe
3684	VMOIPUZ.exe
1304	backgroundTaskHost.exe
2516	WerFault.exe
4396	WerFault.exe
1664	Conhost.exe
4268	XUJZIUX.exe
1284	WerFault.exe
4408	cmd.exe
2280	Conhost.exe
1128	FKHKDBD.exe
3136	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\YQZO.exe	Conhost.exe
File created	C:\windows\SysWOW64\FJIIED.exe	FKHKDBD.exe
File created	C:\windows\SysWOW64\FDDLWT.exe.bat	QNCTP.exe
File created	C:\windows\SysWOW64\FJIIED.exe.bat	FKHKDBD.exe
File created	C:\windows\SysWOW64\RVGEEBO.exe.bat	WerFault.exe
File created	C:\windows\SysWOW64\FDDLWT.exe	QNCTP.exe
File opened for modification	C:\windows\SysWOW64\FDDLWT.exe	QNCTP.exe
File opened for modification	C:\windows\SysWOW64\QSGP.exe	WerFault.exe
File created	C:\windows\SysWOW64\RIHR.exe	WerFault.exe
File opened for modification	C:\windows\SysWOW64\KKCL.exe	CEXE.exe
File opened for modification	C:\windows\SysWOW64\RVGEEBO.exe	WerFault.exe
File created	C:\windows\SysWOW64\RAIT.exe.bat	VMOIPUZ.exe
File created	C:\windows\SysWOW64\BFPLZ.exe.bat	WerFault.exe
File created	C:\windows\SysWOW64\KKCL.exe.bat	CEXE.exe
File opened for modification	C:\windows\SysWOW64\SJC.exe	FDEH.exe
File created	C:\windows\SysWOW64\FAJ.exe	XUJZIUX.exe
File created	C:\windows\SysWOW64\HDUF.exe	WerFault.exe
File created	C:\windows\SysWOW64\QSGP.exe	WerFault.exe
File created	C:\windows\SysWOW64\SJC.exe	FDEH.exe
File opened for modification	C:\windows\SysWOW64\BPDG.exe	GTD.exe
File created	C:\windows\SysWOW64\SJC.exe.bat	FDEH.exe
File created	C:\windows\SysWOW64\QSGP.exe.bat	WerFault.exe
File opened for modification	C:\windows\SysWOW64\RAIT.exe	VMOIPUZ.exe
File opened for modification	C:\windows\SysWOW64\BFPLZ.exe	WerFault.exe
File created	C:\windows\SysWOW64\BPDG.exe	GTD.exe
File created	C:\windows\SysWOW64\CRGZXFG.exe	WerFault.exe
File created	C:\windows\SysWOW64\EIF.exe	BUO.exe
File created	C:\windows\SysWOW64\CEXE.exe.bat	KWV.exe
File created	C:\windows\SysWOW64\RIHR.exe.bat	WerFault.exe
File opened for modification	C:\windows\SysWOW64\YQZO.exe	Conhost.exe
File opened for modification	C:\windows\SysWOW64\RNZO.exe	FFKGWVS.exe
File opened for modification	C:\windows\SysWOW64\KQC.exe	RNZO.exe
File created	C:\windows\SysWOW64\KKCL.exe	CEXE.exe
File created	C:\windows\SysWOW64\YQZO.exe.bat	Conhost.exe
File created	C:\windows\SysWOW64\BPDG.exe.bat	GTD.exe
File opened for modification	C:\windows\SysWOW64\CRGZXFG.exe	WerFault.exe
File opened for modification	C:\windows\SysWOW64\RIHR.exe	WerFault.exe
File opened for modification	C:\windows\SysWOW64\KCLFJJ.exe	KKCL.exe
File opened for modification	C:\windows\SysWOW64\CEXE.exe	KWV.exe
File created	C:\windows\SysWOW64\CRGZXFG.exe.bat	WerFault.exe
File opened for modification	C:\windows\SysWOW64\FJIIED.exe	FKHKDBD.exe
File opened for modification	C:\windows\SysWOW64\EIF.exe	BUO.exe
File created	C:\windows\SysWOW64\RAIT.exe	VMOIPUZ.exe
File created	C:\windows\SysWOW64\BFPLZ.exe	WerFault.exe
File created	C:\windows\SysWOW64\KCLFJJ.exe	KKCL.exe
File created	C:\windows\SysWOW64\KQC.exe	RNZO.exe
File created	C:\windows\SysWOW64\KQC.exe.bat	RNZO.exe
File created	C:\windows\SysWOW64\RNZO.exe	FFKGWVS.exe
File created	C:\windows\SysWOW64\CEXE.exe	KWV.exe
File created	C:\windows\SysWOW64\KCLFJJ.exe.bat	KKCL.exe
File opened for modification	C:\windows\SysWOW64\HDUF.exe	WerFault.exe
File created	C:\windows\SysWOW64\HDUF.exe.bat	WerFault.exe
File opened for modification	C:\windows\SysWOW64\FAJ.exe	XUJZIUX.exe
File created	C:\windows\SysWOW64\RNZO.exe.bat	FFKGWVS.exe
File created	C:\windows\SysWOW64\RVGEEBO.exe	WerFault.exe
File created	C:\windows\SysWOW64\FAJ.exe.bat	XUJZIUX.exe
File created	C:\windows\SysWOW64\EIF.exe.bat	BUO.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\BRCYI.exe	WerFault.exe
File created	C:\windows\WPKEBT.exe.bat	CURX.exe
File created	C:\windows\UNIEDL.exe	KQC.exe
File created	C:\windows\BUO.exe	JRKI.exe
File created	C:\windows\BUO.exe.bat	JRKI.exe
File created	C:\windows\system\PMX.exe.bat	cmd.exe
File created	C:\windows\AND.exe.bat	EIF.exe
File created	C:\windows\ISRPMV.exe	WerFault.exe
File opened for modification	C:\windows\YXLWMOI.exe	NFBRZ.exe
File created	C:\windows\USSBIP.exe	WerFault.exe
File opened for modification	C:\windows\system\QNCTP.exe	WerFault.exe
File opened for modification	C:\windows\system\ZUHN.exe	DYULRDL.exe
File created	C:\windows\WPKEBT.exe	CURX.exe
File created	C:\windows\AND.exe	EIF.exe
File opened for modification	C:\windows\KWV.exe	HOPRU.exe
File opened for modification	C:\windows\system\HELJZJ.exe	SJC.exe
File created	C:\windows\system\QNCTP.exe	WerFault.exe
File opened for modification	C:\windows\RYYYPZ.exe	FSRTQM.exe
File created	C:\windows\system\POVMO.exe	RVGEEBO.exe
File created	C:\windows\system\PTXQDY.exe	CQTRYGC.exe
File opened for modification	C:\windows\system\CURX.exe	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
File created	C:\windows\system\JRKI.exe	JJWK.exe
File opened for modification	C:\windows\system\POVMO.exe	RVGEEBO.exe
File created	C:\windows\YXLWMOI.exe.bat	NFBRZ.exe
File created	C:\windows\system\CQTRYGC.exe.bat	FKHKDBD.exe
File opened for modification	C:\windows\system\SWXY.exe	WerFault.exe
File created	C:\windows\system\HELJZJ.exe	SJC.exe
File created	C:\windows\JJWK.exe.bat	AOQ.exe
File created	C:\windows\system\SWXY.exe.bat	WerFault.exe
File opened for modification	C:\windows\system\PMX.exe	cmd.exe
File created	C:\windows\system\ZUHN.exe	DYULRDL.exe
File opened for modification	C:\windows\XUJZIUX.exe	Conhost.exe
File created	C:\windows\XUJZIUX.exe.bat	Conhost.exe
File created	C:\windows\TIMGF.exe	WPKEBT.exe
File created	C:\windows\system\CQTRYGC.exe	FKHKDBD.exe
File opened for modification	C:\windows\system\CQTRYGC.exe	FKHKDBD.exe
File created	C:\windows\RRN.exe.bat	WerFault.exe
File created	C:\windows\XUJZIUX.exe	Conhost.exe
File opened for modification	C:\windows\HLVON.exe	WerFault.exe
File created	C:\windows\ISRPMV.exe.bat	WerFault.exe
File created	C:\windows\system\SWXY.exe	WerFault.exe
File created	C:\windows\EXTK.exe	WerFault.exe
File created	C:\windows\system\ZUHN.exe.bat	DYULRDL.exe
File created	C:\windows\system\QLT.exe.bat	backgroundTaskHost.exe
File created	C:\windows\SQSB.exe	cmd.exe
File created	C:\windows\system\FFKGWVS.exe	BPDG.exe
File opened for modification	C:\windows\system\FFKGWVS.exe	BPDG.exe
File created	C:\windows\RYYYPZ.exe	FSRTQM.exe
File created	C:\windows\system\HOPRU.exe	ISRPMV.exe
File opened for modification	C:\windows\system\GNME.exe	WerFault.exe
File created	C:\windows\system\QLT.exe	backgroundTaskHost.exe
File opened for modification	C:\windows\TIMGF.exe	WPKEBT.exe
File created	C:\windows\UNIEDL.exe.bat	KQC.exe
File created	C:\windows\KWV.exe.bat	HOPRU.exe
File created	C:\windows\USSBIP.exe.bat	WerFault.exe
File opened for modification	C:\windows\AND.exe	EIF.exe
File created	C:\windows\system\HELJZJ.exe.bat	SJC.exe
File opened for modification	C:\windows\EXTK.exe	WerFault.exe
File opened for modification	C:\windows\USSBIP.exe	WerFault.exe
File opened for modification	C:\windows\RKZLPZC.exe	backgroundTaskHost.exe
File created	C:\windows\system\CURX.exe	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
File created	C:\windows\RKZLPZC.exe.bat	backgroundTaskHost.exe
File opened for modification	C:\windows\GTD.exe	TIMGF.exe
File opened for modification	C:\windows\system\JRKI.exe	JJWK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4820	3712	WerFault.exe	25
540	5012	WerFault.exe	93
928	2400	WerFault.exe	100
4600	3828	WerFault.exe	105
4872	4780	WerFault.exe	110
2620	1424	WerFault.exe	115
2988	436	WerFault.exe	122
4372	3692	WerFault.exe	128
3280	484	WerFault.exe	134
3664	928	WerFault.exe	138
2672	3976	WerFault.exe	144
3672	1660	WerFault.exe	149
2412	4836	WerFault.exe	155
4160	5004	WerFault.exe	159
4436	1076	WerFault.exe	165
1184	5080	WerFault.exe	172
3020	4960	WerFault.exe	176
388	4940	WerFault.exe	182
3468	4884	WerFault.exe	187
3208	680	WerFault.exe	192
2592	4140	WerFault.exe	196
492	1284	WerFault.exe	199
1876	4960	WerFault.exe	207
2412	4564	WerFault.exe	212
4360	5004	WerFault.exe	217
4288	2344	WerFault.exe	221
760	1424	WerFault.exe	227
404	2304	WerFault.exe	231
884	2084	WerFault.exe	237
5020	3468	WerFault.exe	242
764	4600	WerFault.exe	247
1372	2348	WerFault.exe	251
4960	3520	WerFault.exe	258
4572	1500	WerFault.exe	264
4912	1964	WerFault.exe	267
4412	2088	WerFault.exe	274
4832	2620	WerFault.exe	279
3616	1128	WerFault.exe	284
3116	488	WerFault.exe	287
5116	3840	WerFault.exe	293
3828	4740	WerFault.exe	298
1120	4336	WerFault.exe	304
3780	1964	WerFault.exe	310
4376	3468	WerFault.exe	313
2436	3684	WerFault.exe	318
3496	1304	WerFault.exe	325
2068	2516	WerFault.exe	327
4652	4396	WerFault.exe	335
1120	1664	WerFault.exe	340
3172	4268	WerFault.exe	344
1604	1284	WerFault.exe	348
1248	4408	WerFault.exe	355
1680	2280	WerFault.exe	358
2824	1128	WerFault.exe	366
4692	3136	WerFault.exe	369
4396	4372	WerFault.exe	374
3004	4916	WerFault.exe	379
2404	4560	WerFault.exe	385
4956	4376	WerFault.exe	389
4420	2904	WerFault.exe	395
3116	3344	WerFault.exe	400
4228	3684	WerFault.exe	405
1604	4740	WerFault.exe	409
1700	1284	WerFault.exe	415

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
5012	CURX.exe
5012	CURX.exe
2400	WPKEBT.exe
2400	WPKEBT.exe
3828	TIMGF.exe
3828	TIMGF.exe
4780	GTD.exe
4780	GTD.exe
1424	BPDG.exe
1424	BPDG.exe
436	FFKGWVS.exe
436	FFKGWVS.exe
3692	RNZO.exe
3692	RNZO.exe
484	KQC.exe
484	KQC.exe
928	UNIEDL.exe
928	UNIEDL.exe
3976	AOQ.exe
3976	AOQ.exe
1660	JJWK.exe
1660	JJWK.exe
4836	JRKI.exe
4836	JRKI.exe
5004	BUO.exe
5004	BUO.exe
1076	EIF.exe
1076	EIF.exe
5080	AND.exe
5080	AND.exe
4960	ISRPMV.exe
4960	ISRPMV.exe
4940	HOPRU.exe
4940	HOPRU.exe
4884	KWV.exe
4884	KWV.exe
680	CEXE.exe
680	CEXE.exe
4140	KKCL.exe
4140	KKCL.exe
1284	WerFault.exe
1284	WerFault.exe
4960	WerFault.exe
4960	WerFault.exe
4564	WerFault.exe
4564	WerFault.exe
5004	FDEH.exe
5004	FDEH.exe
2344	SJC.exe
2344	SJC.exe
1424	KVLRR.exe
1424	KVLRR.exe
2304	WerFault.exe
2304	WerFault.exe
2084	QNCTP.exe
2084	QNCTP.exe
3468	WerFault.exe
3468	WerFault.exe
4600	RVGEEBO.exe
4600	RVGEEBO.exe
2348	WerFault.exe
2348	WerFault.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
5012	CURX.exe
5012	CURX.exe
2400	WPKEBT.exe
2400	WPKEBT.exe
3828	TIMGF.exe
3828	TIMGF.exe
4780	GTD.exe
4780	GTD.exe
1424	BPDG.exe
1424	BPDG.exe
436	FFKGWVS.exe
436	FFKGWVS.exe
3692	RNZO.exe
3692	RNZO.exe
484	KQC.exe
484	KQC.exe
928	UNIEDL.exe
928	UNIEDL.exe
3976	AOQ.exe
3976	AOQ.exe
1660	JJWK.exe
1660	JJWK.exe
4836	JRKI.exe
4836	JRKI.exe
5004	BUO.exe
5004	BUO.exe
1076	EIF.exe
1076	EIF.exe
5080	AND.exe
5080	AND.exe
4960	ISRPMV.exe
4960	ISRPMV.exe
4940	HOPRU.exe
4940	HOPRU.exe
4884	KWV.exe
4884	KWV.exe
680	CEXE.exe
680	CEXE.exe
4140	KKCL.exe
4140	KKCL.exe
1284	WerFault.exe
1284	WerFault.exe
4960	WerFault.exe
4960	WerFault.exe
4564	WerFault.exe
4564	WerFault.exe
5004	FDEH.exe
5004	FDEH.exe
2344	SJC.exe
2344	SJC.exe
1424	KVLRR.exe
1424	KVLRR.exe
2304	WerFault.exe
2304	WerFault.exe
2084	QNCTP.exe
2084	QNCTP.exe
3468	WerFault.exe
3468	WerFault.exe
4600	RVGEEBO.exe
4600	RVGEEBO.exe
2348	WerFault.exe
2348	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 336	3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	89
PID 3712 wrote to memory of 336	3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	89
PID 3712 wrote to memory of 336	3712	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	89
PID 336 wrote to memory of 5012	336	cmd.exe	93
PID 336 wrote to memory of 5012	336	cmd.exe	93
PID 336 wrote to memory of 5012	336	cmd.exe	93
PID 5012 wrote to memory of 4772	5012	CURX.exe	96
PID 5012 wrote to memory of 4772	5012	CURX.exe	96
PID 5012 wrote to memory of 4772	5012	CURX.exe	96
PID 4772 wrote to memory of 2400	4772	cmd.exe	100
PID 4772 wrote to memory of 2400	4772	cmd.exe	100
PID 4772 wrote to memory of 2400	4772	cmd.exe	100
PID 2400 wrote to memory of 4864	2400	WPKEBT.exe	103
PID 2400 wrote to memory of 4864	2400	WPKEBT.exe	103
PID 2400 wrote to memory of 4864	2400	WPKEBT.exe	103
PID 4864 wrote to memory of 3828	4864	cmd.exe	105
PID 4864 wrote to memory of 3828	4864	cmd.exe	105
PID 4864 wrote to memory of 3828	4864	cmd.exe	105
PID 3828 wrote to memory of 3064	3828	TIMGF.exe	106
PID 3828 wrote to memory of 3064	3828	TIMGF.exe	106
PID 3828 wrote to memory of 3064	3828	TIMGF.exe	106
PID 3064 wrote to memory of 4780	3064	cmd.exe	110
PID 3064 wrote to memory of 4780	3064	cmd.exe	110
PID 3064 wrote to memory of 4780	3064	cmd.exe	110
PID 4780 wrote to memory of 4360	4780	GTD.exe	113
PID 4780 wrote to memory of 4360	4780	GTD.exe	113
PID 4780 wrote to memory of 4360	4780	GTD.exe	113
PID 4360 wrote to memory of 1424	4360	cmd.exe	115
PID 4360 wrote to memory of 1424	4360	cmd.exe	115
PID 4360 wrote to memory of 1424	4360	cmd.exe	115
PID 1424 wrote to memory of 4232	1424	BPDG.exe	118
PID 1424 wrote to memory of 4232	1424	BPDG.exe	118
PID 1424 wrote to memory of 4232	1424	BPDG.exe	118
PID 4232 wrote to memory of 436	4232	cmd.exe	122
PID 4232 wrote to memory of 436	4232	cmd.exe	122
PID 4232 wrote to memory of 436	4232	cmd.exe	122
PID 436 wrote to memory of 336	436	FFKGWVS.exe	124
PID 436 wrote to memory of 336	436	FFKGWVS.exe	124
PID 436 wrote to memory of 336	436	FFKGWVS.exe	124
PID 336 wrote to memory of 3692	336	cmd.exe	128
PID 336 wrote to memory of 3692	336	cmd.exe	128
PID 336 wrote to memory of 3692	336	cmd.exe	128
PID 3692 wrote to memory of 5004	3692	RNZO.exe	130
PID 3692 wrote to memory of 5004	3692	RNZO.exe	130
PID 3692 wrote to memory of 5004	3692	RNZO.exe	130
PID 5004 wrote to memory of 484	5004	cmd.exe	134
PID 5004 wrote to memory of 484	5004	cmd.exe	134
PID 5004 wrote to memory of 484	5004	cmd.exe	134
PID 484 wrote to memory of 1280	484	KQC.exe	135
PID 484 wrote to memory of 1280	484	KQC.exe	135
PID 484 wrote to memory of 1280	484	KQC.exe	135
PID 1280 wrote to memory of 928	1280	cmd.exe	138
PID 1280 wrote to memory of 928	1280	cmd.exe	138
PID 1280 wrote to memory of 928	1280	cmd.exe	138
PID 928 wrote to memory of 4572	928	UNIEDL.exe	140
PID 928 wrote to memory of 4572	928	UNIEDL.exe	140
PID 928 wrote to memory of 4572	928	UNIEDL.exe	140
PID 4572 wrote to memory of 3976	4572	cmd.exe	144
PID 4572 wrote to memory of 3976	4572	cmd.exe	144
PID 4572 wrote to memory of 3976	4572	cmd.exe	144
PID 3976 wrote to memory of 824	3976	AOQ.exe	146
PID 3976 wrote to memory of 824	3976	AOQ.exe	146
PID 3976 wrote to memory of 824	3976	AOQ.exe	146
PID 824 wrote to memory of 1660	824	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\NEAS.213cfd32e2da38286425cc9d36e9389f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.213cfd32e2da38286425cc9d36e9389f.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\CURX.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\windows\system\CURX.exe
    C:\windows\system\CURX.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\WPKEBT.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\windows\WPKEBT.exe
        
        C:\windows\WPKEBT.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TIMGF.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\windows\TIMGF.exe
        
        C:\windows\TIMGF.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GTD.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\windows\GTD.exe
        
        C:\windows\GTD.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BPDG.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\windows\SysWOW64\BPDG.exe
        
        C:\windows\system32\BPDG.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFKGWVS.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\windows\system\FFKGWVS.exe
        
        C:\windows\system\FFKGWVS.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\windows\SysWOW64\RNZO.exe
        
        C:\windows\system32\RNZO.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQC.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\windows\SysWOW64\KQC.exe
        
        C:\windows\system32\KQC.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UNIEDL.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\windows\UNIEDL.exe
        
        C:\windows\UNIEDL.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AOQ.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\windows\AOQ.exe
        
        C:\windows\AOQ.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JJWK.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\windows\JJWK.exe
        
        C:\windows\JJWK.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRKI.exe.bat" "
        24⤵
        
        PID:1424
        
        C:\windows\system\JRKI.exe
        
        C:\windows\system\JRKI.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BUO.exe.bat" "
        26⤵
        
        PID:3544
        
        C:\windows\BUO.exe
        
        C:\windows\BUO.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EIF.exe.bat" "
        28⤵
        
        PID:4972
        
        C:\windows\SysWOW64\EIF.exe
        
        C:\windows\system32\EIF.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1004
        30⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AND.exe.bat" "
        30⤵
        
        PID:4624
        
        C:\windows\AND.exe
        
        C:\windows\AND.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATDQ.exe.bat" "
        32⤵
        
        PID:4236
        
        C:\windows\ATDQ.exe
        
        C:\windows\ATDQ.exe
        33⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOPRU.exe.bat" "
        34⤵
        
        PID:4064
        
        C:\windows\system\HOPRU.exe
        
        C:\windows\system\HOPRU.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KWV.exe.bat" "
        36⤵
        
        PID:3172
        
        C:\windows\KWV.exe
        
        C:\windows\KWV.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEXE.exe.bat" "
        38⤵
        
        PID:3964
        
        C:\windows\SysWOW64\CEXE.exe
        
        C:\windows\system32\CEXE.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 960
        40⤵
        Program crash
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKCL.exe.bat" "
        40⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 960
        38⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 976
        36⤵
        Program crash
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1340
        34⤵
        Program crash
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1324
        32⤵
        Program crash
        
        PID:1184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1012
        28⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1324
        26⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1268
        24⤵
        Program crash
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1304
        22⤵
        Program crash
        
        PID:2672
        
        C:\windows\SysWOW64\KCLFJJ.exe
        
        C:\windows\system32\KCLFJJ.exe
        22⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISRPMV.exe.bat" "
        23⤵
        
        PID:4792
        
        C:\windows\ISRPMV.exe
        
        C:\windows\ISRPMV.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDUF.exe.bat" "
        25⤵
        
        PID:1924
        
        C:\windows\SysWOW64\HDUF.exe
        
        C:\windows\system32\HDUF.exe
        26⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SWXY.exe.bat" "
        27⤵
        
        PID:1240
        
        C:\windows\system\SWXY.exe
        
        C:\windows\system\SWXY.exe
        28⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJC.exe.bat" "
        29⤵
        
        PID:4600
        
        C:\windows\SysWOW64\SJC.exe
        
        C:\windows\system32\SJC.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HELJZJ.exe.bat" "
        31⤵
        
        PID:1520
        
        C:\windows\system\HELJZJ.exe
        
        C:\windows\system\HELJZJ.exe
        32⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMUGGVI.exe.bat" "
        33⤵
        
        PID:1760
        
        C:\windows\system\KMUGGVI.exe
        
        C:\windows\system\KMUGGVI.exe
        34⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNCTP.exe.bat" "
        35⤵
        
        PID:2620
        
        C:\windows\system\QNCTP.exe
        
        C:\windows\system\QNCTP.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDDLWT.exe.bat" "
        37⤵
        
        PID:1304
        
        C:\windows\SysWOW64\FDDLWT.exe
        
        C:\windows\system32\FDDLWT.exe
        38⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVGEEBO.exe.bat" "
        39⤵
        
        PID:1964
        
        C:\windows\SysWOW64\RVGEEBO.exe
        
        C:\windows\system32\RVGEEBO.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\POVMO.exe.bat" "
        41⤵
        
        PID:4240
        
        C:\windows\system\POVMO.exe
        
        C:\windows\system\POVMO.exe
        42⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "
        43⤵
        
        PID:1424
        
        C:\windows\SysWOW64\CRGZXFG.exe
        
        C:\windows\system32\CRGZXFG.exe
        44⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YXLWMOI.exe.bat" "
        45⤵
        
        PID:2436
        
        C:\windows\YXLWMOI.exe
        
        C:\windows\YXLWMOI.exe
        46⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1008
        47⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "
        47⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 976
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1328
        43⤵
        Program crash
        
        PID:1372
        
        C:\windows\SysWOW64\FKHKDBD.exe
        
        C:\windows\system32\FKHKDBD.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1304
        45⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EDPMJFR.exe.bat" "
        45⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 960
        41⤵
        Program crash
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1296
        39⤵
        Program crash
        
        PID:5020
        
        C:\windows\YWIN.exe
        
        C:\windows\YWIN.exe
        40⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEOV.exe.bat" "
        41⤵
        
        PID:4236
        
        C:\windows\SysWOW64\CEOV.exe
        
        C:\windows\system32\CEOV.exe
        42⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1336
        43⤵
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TPFL.exe.bat" "
        43⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1300
        41⤵
        Program crash
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960
        37⤵
        Program crash
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 960
        35⤵
        Program crash
        
        PID:404
        
        C:\windows\system\BEEBOA.exe
        
        C:\windows\system\BEEBOA.exe
        35⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 976
        36⤵
        Program crash
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BXF.exe.bat" "
        36⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1336
        33⤵
        Program crash
        
        PID:760
        
        C:\windows\SysWOW64\QSGP.exe
        
        C:\windows\system32\QSGP.exe
        34⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 960
        35⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RIHR.exe.bat" "
        35⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1004
        31⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 960
        29⤵
        Program crash
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1336
        27⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1300
        25⤵
        Program crash
        
        PID:1876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 960
        23⤵
        Program crash
        
        PID:492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1248
        20⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 988
        18⤵
        Program crash
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960
        16⤵
        Program crash
        
        PID:4372
        
        C:\windows\SysWOW64\FAJ.exe
        
        C:\windows\system32\FAJ.exe
        16⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFPLZ.exe.bat" "
        17⤵
        
        PID:2516
        
        C:\windows\SysWOW64\BFPLZ.exe
        
        C:\windows\system32\BFPLZ.exe
        18⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1308
        19⤵
        Program crash
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SQSB.exe.bat" "
        19⤵
        
        PID:2592
        
        C:\windows\IQMC.exe
        
        C:\windows\IQMC.exe
        19⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HBVDLG.exe.bat" "
        20⤵
        
        PID:1932
        
        C:\windows\SysWOW64\HBVDLG.exe
        
        C:\windows\system32\HBVDLG.exe
        21⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1008
        22⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HONSUTU.exe.bat" "
        22⤵
        
        PID:5008
        
        C:\windows\SysWOW64\OGIX.exe
        
        C:\windows\system32\OGIX.exe
        23⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJUTJF.exe.bat" "
        24⤵
        
        PID:3444
        
        C:\windows\system\PJUTJF.exe
        
        C:\windows\system\PJUTJF.exe
        25⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KPGX.exe.bat" "
        26⤵
        
        PID:2180
        
        C:\windows\KPGX.exe
        
        C:\windows\KPGX.exe
        27⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 988
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSC.exe.bat" "
        28⤵
        
        PID:4692
        
        C:\windows\SysWOW64\PSC.exe
        
        C:\windows\system32\PSC.exe
        29⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1000
        30⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TVY.exe.bat" "
        30⤵
        
        PID:1164
        
        C:\windows\SysWOW64\IZLTFW.exe
        
        C:\windows\system32\IZLTFW.exe
        31⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 960
        32⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QKTULIA.exe.bat" "
        32⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 840
        26⤵
        
        PID:2712
        
        C:\windows\SysWOW64\QDVH.exe
        
        C:\windows\system32\QDVH.exe
        26⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1304
        27⤵
        
        PID:1384
        
        C:\windows\system\XZT.exe
        
        C:\windows\system\XZT.exe
        28⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZCDQ.exe.bat" "
        29⤵
        
        PID:3340
        
        C:\windows\SysWOW64\ZCDQ.exe
        
        C:\windows\system32\ZCDQ.exe
        30⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1244
        31⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BAWT.exe.bat" "
        31⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 996
        29⤵
        
        PID:544
        
        C:\windows\SysWOW64\QGDJY.exe
        
        C:\windows\system32\QGDJY.exe
        30⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PRTYF.exe.bat" "
        31⤵
        
        PID:3520
        
        C:\windows\SysWOW64\PRTYF.exe
        
        C:\windows\system32\PRTYF.exe
        32⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1344
        33⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JNYIIGG.exe.bat" "
        33⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1336
        31⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RGZCI.exe.bat" "
        27⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 960
        24⤵
        
        PID:2304
        
        C:\windows\SysWOW64\GJS.exe
        
        C:\windows\system32\GJS.exe
        22⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 960
        23⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YRVV.exe.bat" "
        23⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 960
        20⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 960
        17⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1008
        14⤵
        Program crash
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1304
        12⤵
        Program crash
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 968
        10⤵
        Program crash
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1324
        8⤵
        Program crash
        
        PID:4600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1324
        6⤵
        Program crash
        
        PID:928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1292
      4⤵
      Program crash
      PID:540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1312
  2⤵
  - Program crash
  PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5012 -ip 5012
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2400 -ip 2400
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3828 -ip 3828
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4780 -ip 4780
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1424 -ip 1424
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 436 -ip 436
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3692 -ip 3692
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 484 -ip 484
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 928 -ip 928
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3976 -ip 3976
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1660 -ip 1660
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4836 -ip 4836
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5004 -ip 5004
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1076 -ip 1076
1⤵
PID:2516
- C:\windows\EXTK.exe
  C:\windows\EXTK.exe
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 988
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\GNME.exe.bat" "
    3⤵
    PID:4560
  - - C:\windows\XUJZIUX.exe
      C:\windows\XUJZIUX.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      PID:4268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960
        5⤵
        Program crash
        
        PID:3172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FAJ.exe.bat" "
        5⤵
        
        PID:3692
      - C:\windows\system\ARZ.exe
        
        C:\windows\system\ARZ.exe
        6⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1316
        7⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RHY.exe.bat" "
        7⤵
        
        PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5080 -ip 5080
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4960 -ip 4960
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 4940
1⤵
PID:5104
- C:\windows\BOPBEQE.exe
  C:\windows\BOPBEQE.exe
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\LHY.exe.bat" "
    3⤵
    PID:4908
  - - C:\windows\LHY.exe
      C:\windows\LHY.exe
      4⤵
      PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDEH.exe.bat" "
        5⤵
        
        PID:1248
      - C:\windows\SysWOW64\FDEH.exe
        
        C:\windows\system32\FDEH.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EWH.exe.bat" "
        7⤵
        
        PID:2068
        
        C:\windows\system\EWH.exe
        
        C:\windows\system\EWH.exe
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 960
        9⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQRER.exe.bat" "
        9⤵
        
        PID:1912
        
        C:\windows\system\YQRER.exe
        
        C:\windows\system\YQRER.exe
        10⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGA.exe.bat" "
        11⤵
        
        PID:4696
        
        C:\windows\SysWOW64\UGA.exe
        
        C:\windows\system32\UGA.exe
        12⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1008
        13⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UCMHAXM.exe.bat" "
        13⤵
        
        PID:4376
        
        C:\windows\UCMHAXM.exe
        
        C:\windows\UCMHAXM.exe
        14⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1320
        15⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPRQ.exe.bat" "
        15⤵
        
        PID:4216
        
        C:\windows\SysWOW64\KJDWTA.exe
        
        C:\windows\system32\KJDWTA.exe
        15⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1272
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJK.exe.bat" "
        16⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 960
        11⤵
        
        PID:2612
        
        C:\windows\GNU.exe
        
        C:\windows\GNU.exe
        12⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 988
        13⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGXEL.exe.bat" "
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1000
        7⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 964
        5⤵
        
        PID:3892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1004
    3⤵
    PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4884 -ip 4884
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 680 -ip 680
1⤵
PID:1664

C:\windows\SysWOW64\KKCL.exe
C:\windows\system32\KKCL.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 976
  2⤵
  - Program crash
  PID:2592
- - C:\windows\SQSB.exe
    C:\windows\SQSB.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YQZO.exe.bat" "
      4⤵
      PID:2972
    - - C:\windows\SysWOW64\YQZO.exe
        
        C:\windows\system32\YQZO.exe
        5⤵
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 988
        6⤵
        Program crash
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJIIED.exe.bat" "
        6⤵
        
        PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1008
      4⤵
      Program crash
      PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KCLFJJ.exe.bat" "
  2⤵
  PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4140 -ip 4140
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1284 -ip 1284
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4960 -ip 4960
1⤵
PID:2080
- C:\windows\SysWOW64\QQLBUNV.exe
  C:\windows\system32\QQLBUNV.exe
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 988
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\YIUCAZJ.exe.bat" "
    3⤵
    PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4564 -ip 4564
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5004 -ip 5004
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2344 -ip 2344
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1424 -ip 1424
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2304 -ip 2304
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2084 -ip 2084
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3468 -ip 3468
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4600 -ip 4600
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2348 -ip 2348
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3520 -ip 3520
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1500 -ip 1500
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1964 -ip 1964
1⤵
PID:3808

C:\windows\system\GNME.exe
C:\windows\system\GNME.exe
1⤵
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\USSBIP.exe.bat" "
  2⤵
  PID:4848
- - C:\windows\USSBIP.exe
    C:\windows\USSBIP.exe
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\RYYYPZ.exe.bat" "
      4⤵
      PID:4740
    - - C:\windows\RYYYPZ.exe
        
        C:\windows\RYYYPZ.exe
        5⤵
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 988
        6⤵
        Program crash
        
        PID:3616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "
        6⤵
        
        PID:3724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 976
      4⤵
      Program crash
      PID:4832
  - - C:\windows\SysWOW64\RGXEL.exe
      C:\windows\system32\RGXEL.exe
      4⤵
      PID:3804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1288
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GBGIWNK.exe.bat" "
        5⤵
        
        PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 964
  2⤵
  - Program crash
  PID:4412
- - C:\windows\system\TYENN.exe
    C:\windows\system\TYENN.exe
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1008
      4⤵
      Program crash
      PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEEBOA.exe.bat" "
      4⤵
      PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2088 -ip 2088
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2620 -ip 2620
1⤵
PID:640

C:\windows\system\CQTRYGC.exe
C:\windows\system\CQTRYGC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTXQDY.exe.bat" "
  2⤵
  PID:4228
- - C:\windows\system\PTXQDY.exe
    C:\windows\system\PTXQDY.exe
    3⤵
    PID:3840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\PMX.exe.bat" "
      4⤵
      PID:4904
    - - C:\windows\system\PMX.exe
        
        C:\windows\system\PMX.exe
        5⤵
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKZLPZC.exe.bat" "
        6⤵
        
        PID:4572
        
        C:\windows\RKZLPZC.exe
        
        C:\windows\RKZLPZC.exe
        7⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUHN.exe.bat" "
        8⤵
        
        PID:4760
        
        C:\windows\system\ZUHN.exe
        
        C:\windows\system\ZUHN.exe
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1264
        10⤵
        Program crash
        
        PID:3780
        
        C:\windows\SysWOW64\FJIIED.exe
        
        C:\windows\system32\FJIIED.exe
        11⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 988
        12⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BRCYI.exe.bat" "
        12⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSGP.exe.bat" "
        10⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4572
        
        C:\windows\YIL.exe
        
        C:\windows\YIL.exe
        11⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 960
        12⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UFIDA.exe.bat" "
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
        8⤵
        Program crash
        
        PID:1120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 988
        6⤵
        Program crash
        
        PID:3828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 988
      4⤵
      Program crash
      PID:5116
    - - C:\windows\system\SEZMCL.exe
        
        C:\windows\system\SEZMCL.exe
        5⤵
        
        PID:2820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 960
        6⤵
        
        PID:388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCLKOS.exe.bat" "
        6⤵
        
        PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1008
  2⤵
  - Program crash
  PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1128 -ip 1128
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 488 -ip 488
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3840 -ip 3840
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4740 -ip 4740
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4336 -ip 4336
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1964 -ip 1964
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3468 -ip 3468
1⤵
PID:1424

C:\windows\SysWOW64\RIHR.exe
C:\windows\system32\RIHR.exe
1⤵
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAIT.exe.bat" "
  2⤵
  PID:3724
- - C:\windows\SysWOW64\RAIT.exe
    C:\windows\system32\RAIT.exe
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1336
      4⤵
      Program crash
      PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLT.exe.bat" "
      4⤵
      PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 960
  2⤵
  - Program crash
  PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3684 -ip 3684
1⤵
PID:4572

C:\windows\system\QLT.exe
C:\windows\system\QLT.exe
1⤵
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\HLVON.exe.bat" "
  2⤵
  PID:3028
- - C:\windows\HLVON.exe
    C:\windows\HLVON.exe
    3⤵
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\RRN.exe.bat" "
      4⤵
      PID:4436
    - - C:\windows\RRN.exe
        
        C:\windows\RRN.exe
        5⤵
        
        PID:1664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960
        6⤵
        Program crash
        
        PID:1120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XUJZIUX.exe.bat" "
        6⤵
        
        PID:4560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 960
      4⤵
      Program crash
      PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 960
  2⤵
  - Program crash
  PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1304 -ip 1304
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2516 -ip 2516
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4396 -ip 4396
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1664 -ip 1664
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4268 -ip 4268
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1284 -ip 1284
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4408 -ip 4408
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2280 -ip 2280
1⤵
PID:3292
- C:\windows\ZTIHAS.exe
  C:\windows\ZTIHAS.exe
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 968
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\NROEH.exe.bat" "
    3⤵
    PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1128 -ip 1128
1⤵
PID:2348
- C:\windows\SysWOW64\BCF.exe
  C:\windows\system32\BCF.exe
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1008
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\YIL.exe.bat" "
    3⤵
    PID:760

C:\windows\BRCYI.exe
C:\windows\BRCYI.exe
1⤵
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 960
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\YWIN.exe.bat" "
  2⤵
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3136 -ip 3136
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4372 -ip 4372
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4916 -ip 4916
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4560 -ip 4560
1⤵
PID:2844

C:\windows\TPFL.exe
C:\windows\TPFL.exe
1⤵
PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\VLKCLR.exe.bat" "
  2⤵
  PID:3828
- - C:\windows\VLKCLR.exe
    C:\windows\VLKCLR.exe
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\QYOLNQQ.exe.bat" "
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      PID:3840
    - - C:\windows\QYOLNQQ.exe
        
        C:\windows\QYOLNQQ.exe
        5⤵
        
        PID:3344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1268
        6⤵
        Program crash
        
        PID:3116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLZ.exe.bat" "
        6⤵
        
        PID:3080
        
        C:\windows\system\LIJJKMN.exe
        
        C:\windows\system\LIJJKMN.exe
        7⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 976
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RIRX.exe.bat" "
        8⤵
        
        PID:3356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 988
      4⤵
      Program crash
      PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 960
  2⤵
  - Program crash
  PID:4956
- - C:\windows\SysWOW64\TFZ.exe
    C:\windows\system32\TFZ.exe
    3⤵
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\KSJB.exe.bat" "
      4⤵
      PID:4436
    - - C:\windows\KSJB.exe
        
        C:\windows\KSJB.exe
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 988
        6⤵
        
        PID:4480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGGKTR.exe.bat" "
        6⤵
        
        PID:2404
      - C:\windows\QKTULIA.exe
        
        C:\windows\QKTULIA.exe
        6⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1336
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQLBUNV.exe.bat" "
        7⤵
        
        PID:2080
    - - C:\windows\system\GCJRZH.exe
        
        C:\windows\system\GCJRZH.exe
        5⤵
        
        PID:3468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 960
        6⤵
        
        PID:4584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IZLTFW.exe.bat" "
        6⤵
        
        PID:1164
        
        C:\windows\system\JNYIIGG.exe
        
        C:\windows\system\JNYIIGG.exe
        7⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 988
        8⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JXGJWKU.exe.bat" "
        8⤵
        
        PID:3764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1008
      4⤵
      PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4376 -ip 4376
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2904 -ip 2904
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3344 -ip 3344
1⤵
PID:4016

C:\windows\system\ZLZ.exe
C:\windows\system\ZLZ.exe
1⤵
PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 996
  2⤵
  - Program crash
  PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\TYENN.exe.bat" "
  2⤵
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3684 -ip 3684
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4740 -ip 4740
1⤵
PID:1880
- C:\windows\system\RHY.exe
  C:\windows\system\RHY.exe
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1004
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFZ.exe.bat" "
    3⤵
    PID:4956

C:\windows\SysWOW64\BXF.exe
C:\windows\system32\BXF.exe
1⤵
PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1296
  2⤵
  PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCF.exe.bat" "
  2⤵
  PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1284 -ip 1284
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2020 -ip 2020
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3344 -ip 3344
1⤵
PID:1876

C:\windows\system\UFIDA.exe
C:\windows\system\UFIDA.exe
1⤵
PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1296
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\IQMC.exe.bat" "
  2⤵
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3932 -ip 3932
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3048 -ip 3048
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4288 -ip 4288
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1844 -ip 1844
1⤵
PID:2276
- C:\windows\system\YDQ.exe
  C:\windows\system\YDQ.exe
  2⤵
  PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1300
    3⤵
    PID:5000
  - - C:\windows\MHYQ.exe
      C:\windows\MHYQ.exe
      4⤵
      PID:1248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1344
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XZT.exe.bat" "
        5⤵
        
        PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVLRR.exe.bat" "
    3⤵
    PID:3800

C:\windows\SysWOW64\HONSUTU.exe
C:\windows\system32\HONSUTU.exe
1⤵
PID:4376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 960
  2⤵
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\PZWTAXJ.exe.bat" "
  2⤵
  PID:3352

C:\windows\PZWTAXJ.exe
C:\windows\PZWTAXJ.exe
1⤵
PID:1184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1008
  2⤵
  PID:2404
- - C:\windows\SysWOW64\FGGKTR.exe
    C:\windows\system32\FGGKTR.exe
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 996
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGIX.exe.bat" "
      4⤵
      PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARZ.exe.bat" "
  2⤵
  PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4376 -ip 4376
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1184 -ip 1184
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 336 -ip 336
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4196 -ip 4196
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2412 -ip 2412
1⤵
PID:4372
- C:\windows\system\YRVV.exe
  C:\windows\system\YRVV.exe
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1268
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEZMCL.exe.bat" "
    3⤵
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2348 -ip 2348
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3000 -ip 3000
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 336 -ip 336
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4408 -ip 4408
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4908 -ip 4908
1⤵
PID:1392

C:\windows\TVY.exe
C:\windows\TVY.exe
1⤵
PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\HBD.exe.bat" "
  2⤵
  PID:2680
- - C:\windows\HBD.exe
    C:\windows\HBD.exe
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KON.exe.bat" "
      4⤵
      PID:3116
    - - C:\windows\SysWOW64\KON.exe
        
        C:\windows\system32\KON.exe
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1000
        6⤵
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BOPBEQE.exe.bat" "
        6⤵
        
        PID:5104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1332
      4⤵
      PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 960
  2⤵
  PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5060 -ip 5060
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4420 -ip 4420
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4916 -ip 4916
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3172 -ip 3172
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4320 -ip 4320
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3424 -ip 3424
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5004 -ip 5004
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3116 -ip 3116
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 336 -ip 336
1⤵
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1184 -ip 1184
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3892 -ip 3892
1⤵
PID:4260

C:\windows\system\PPRQ.exe
C:\windows\system\PPRQ.exe
1⤵
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\PVREM.exe.bat" "
  2⤵
  PID:1588
- - C:\windows\PVREM.exe
    C:\windows\PVREM.exe
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 960
      4⤵
      PID:212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKQPY.exe.bat" "
      4⤵
      PID:4188
- - C:\windows\system\GLA.exe
    C:\windows\system\GLA.exe
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 996
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOC.exe.bat" "
      4⤵
      PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1324
  2⤵
  PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4588 -ip 4588
1⤵
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4728 -ip 4728
1⤵
PID:2256

C:\windows\system\FKQPY.exe
C:\windows\system\FKQPY.exe
1⤵
PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 988
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\GNU.exe.bat" "
  2⤵
  PID:2612
- - C:\windows\system\DCLKOS.exe
    C:\windows\system\DCLKOS.exe
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 976
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\LHLZ.exe.bat" "
      4⤵
      PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3792 -ip 3792
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1660 -ip 1660
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3804 -ip 3804
1⤵
PID:2608

C:\windows\GBGIWNK.exe
C:\windows\GBGIWNK.exe
1⤵
PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\BWLZ.exe.bat" "
  2⤵
  PID:232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2592
- - C:\windows\system\BWLZ.exe
    C:\windows\system\BWLZ.exe
    3⤵
    PID:3316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 960
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\URPVMD.exe.bat" "
      4⤵
      PID:544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 960
  2⤵
  PID:4188
- C:\windows\SysWOW64\QTYLKGV.exe
  C:\windows\system32\QTYLKGV.exe
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMHM.exe.bat" "
    3⤵
    PID:568
  - - C:\windows\system\QMHM.exe
      C:\windows\system\QMHM.exe
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 960
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOD.exe.bat" "
        5⤵
        
        PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1344
    3⤵
    PID:3800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 404 -ip 404
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3316 -ip 3316
1⤵
PID:224

C:\windows\system\URPVMD.exe
C:\windows\system\URPVMD.exe
1⤵
PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 960
  2⤵
  PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\CFPKNID.exe.bat" "
  2⤵
  PID:4256

C:\windows\CFPKNID.exe
C:\windows\CFPKNID.exe
1⤵
PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 960
  2⤵
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDVH.exe.bat" "
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4388 -ip 4388
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1120 -ip 1120
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2608 -ip 2608
1⤵
PID:2544

C:\windows\RGZCI.exe
C:\windows\RGZCI.exe
1⤵
PID:1680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1004
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\ITJ.exe.bat" "
  2⤵
  PID:3380

C:\windows\ITJ.exe
C:\windows\ITJ.exe
1⤵
PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1008
  2⤵
  PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\WQH.exe.bat" "
  2⤵
  PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1680 -ip 1680
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4648 -ip 4648
1⤵
PID:3800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1664
- C:\windows\SysWOW64\KVLRR.exe
  C:\windows\system32\KVLRR.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\YBQOYR.exe.bat" "
    3⤵
    PID:2668
  - - C:\windows\YBQOYR.exe
      C:\windows\YBQOYR.exe
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BOV.exe.bat" "
        5⤵
        
        PID:5116
      - C:\windows\BOV.exe
        
        C:\windows\BOV.exe
        6⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 988
        7⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MHYQ.exe.bat" "
        7⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 960
        5⤵
        
        PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1264
    3⤵
    PID:2824

C:\windows\WQH.exe
C:\windows\WQH.exe
1⤵
PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1008
  2⤵
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\DMGSKR.exe.bat" "
  2⤵
  PID:2668
- - C:\windows\DMGSKR.exe
    C:\windows\DMGSKR.exe
    3⤵
    PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GCN.exe.bat" "
      4⤵
      PID:2712
    - - C:\windows\SysWOW64\GCN.exe
        
        C:\windows\system32\GCN.exe
        5⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNYIWPE.exe.bat" "
        6⤵
        
        PID:4804
        
        C:\windows\SysWOW64\FNYIWPE.exe
        
        C:\windows\system32\FNYIWPE.exe
        7⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1276
        8⤵
        
        PID:4280
        
        C:\windows\SysWOW64\DLMZQG.exe
        
        C:\windows\system32\DLMZQG.exe
        9⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWLXPA.exe.bat" "
        10⤵
        
        PID:4376
        
        C:\windows\SysWOW64\CWLXPA.exe
        
        C:\windows\system32\CWLXPA.exe
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HWSL.exe.bat" "
        12⤵
        
        PID:416
        
        C:\windows\system\HWSL.exe
        
        C:\windows\system\HWSL.exe
        13⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EWU.exe.bat" "
        14⤵
        
        PID:2244
        
        C:\windows\EWU.exe
        
        C:\windows\EWU.exe
        15⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KXCBT.exe.bat" "
        16⤵
        
        PID:224
        
        C:\windows\SysWOW64\KXCBT.exe
        
        C:\windows\system32\KXCBT.exe
        17⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1248
        18⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FKHKDBD.exe.bat" "
        18⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1268
        16⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 1244
        14⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 980
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 960
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LIJJKMN.exe.bat" "
        8⤵
        
        PID:3080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1000
        6⤵
        
        PID:4588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1304
      4⤵
      PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4832 -ip 4832
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3808 -ip 3808
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2688 -ip 2688
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3804 -ip 3804
1⤵
PID:1168

C:\windows\RIRX.exe
C:\windows\RIRX.exe
1⤵
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBMQC.exe.bat" "
  2⤵
  PID:2396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2280
- - C:\windows\SysWOW64\CBMQC.exe
    C:\windows\system32\CBMQC.exe
    3⤵
    PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 960
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GJS.exe.bat" "
      4⤵
      PID:1844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 988
  2⤵
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3344 -ip 3344
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2812 -ip 2812
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4388 -ip 4388
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1120 -ip 1120
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2924 -ip 2924
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2820 -ip 2820
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1880 -ip 1880
1⤵
PID:416

C:\windows\LHLZ.exe
C:\windows\LHLZ.exe
1⤵
PID:1348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1332
  2⤵
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\RSH.exe.bat" "
  2⤵
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1348 -ip 1348
1⤵
PID:636

C:\windows\RSH.exe
C:\windows\RSH.exe
1⤵
PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 988
  2⤵
  PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDQ.exe.bat" "
  2⤵
  PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4388 -ip 4388
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 232 -ip 232
1⤵
PID:3764
- C:\windows\SysWOW64\JXGJWKU.exe
  C:\windows\system32\JXGJWKU.exe
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFBRZ.exe.bat" "
    3⤵
    PID:416
  - - C:\windows\system\NFBRZ.exe
      C:\windows\system\NFBRZ.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PDGLO.exe.bat" "
        5⤵
        
        PID:2680
      - C:\windows\PDGLO.exe
        
        C:\windows\PDGLO.exe
        6⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDOZXUZ.exe.bat" "
        7⤵
        
        PID:2868
        
        C:\windows\SysWOW64\VDOZXUZ.exe
        
        C:\windows\system32\VDOZXUZ.exe
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZTIHAS.exe.bat" "
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1332
        9⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 976
        7⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1008
        5⤵
        
        PID:3124
  - - C:\windows\QPIZX.exe
      C:\windows\QPIZX.exe
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 960
        5⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DAMGCC.exe.bat" "
        5⤵
        
        PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1004
    3⤵
    PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1424 -ip 1424
1⤵
PID:416

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2252 -ip 2252
1⤵
PID:1328
- C:\windows\system\IOC.exe
  C:\windows\system\IOC.exe
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\VRGF.exe.bat" "
    3⤵
    PID:388
  - - C:\windows\VRGF.exe
      C:\windows\VRGF.exe
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XOZZJ.exe.bat" "
        5⤵
        
        PID:368
      - C:\windows\system\XOZZJ.exe
        
        C:\windows\system\XOZZJ.exe
        6⤵
        
        PID:652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1344
        7⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCJRZH.exe.bat" "
        7⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 960
        5⤵
        
        PID:4912
      - C:\windows\system\IXPXW.exe
        
        C:\windows\system\IXPXW.exe
        6⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ECVMD.exe.bat" "
        7⤵
        
        PID:1960
        
        C:\windows\SysWOW64\ECVMD.exe
        
        C:\windows\system32\ECVMD.exe
        8⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MNVNRJQ.exe.bat" "
        9⤵
        
        PID:3616
        
        C:\windows\system\MNVNRJQ.exe
        
        C:\windows\system\MNVNRJQ.exe
        10⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DYULRDL.exe.bat" "
        11⤵
        
        PID:4604
        
        C:\windows\DYULRDL.exe
        
        C:\windows\DYULRDL.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1340
        13⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOTOCXT.exe.bat" "
        13⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1324
        11⤵
        
        PID:4380
        
        C:\windows\system\DAMGCC.exe
        
        C:\windows\system\DAMGCC.exe
        12⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 960
        13⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLMZQG.exe.bat" "
        13⤵
        
        PID:4280
        
        C:\windows\SysWOW64\VMOIPUZ.exe
        
        C:\windows\system32\VMOIPUZ.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPYUA.exe.bat" "
        12⤵
        
        PID:2896
        
        C:\windows\system\LPYUA.exe
        
        C:\windows\system\LPYUA.exe
        13⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UAWBI.exe.bat" "
        14⤵
        
        PID:4088
        
        C:\windows\UAWBI.exe
        
        C:\windows\UAWBI.exe
        15⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FSRTQM.exe.bat" "
        16⤵
        
        PID:4280
        
        C:\windows\SysWOW64\FSRTQM.exe
        
        C:\windows\system32\FSRTQM.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LSZHZG.exe.bat" "
        18⤵
        
        PID:5008
        
        C:\windows\LSZHZG.exe
        
        C:\windows\LSZHZG.exe
        19⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HYE.exe.bat" "
        20⤵
        
        PID:3760
        
        C:\windows\HYE.exe
        
        C:\windows\HYE.exe
        21⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EEKBV.exe.bat" "
        22⤵
        
        PID:3372
        
        C:\windows\system\EEKBV.exe
        
        C:\windows\system\EEKBV.exe
        23⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TUYLD.exe.bat" "
        24⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4560
        
        C:\windows\system\TUYLD.exe
        
        C:\windows\system\TUYLD.exe
        25⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KEOJD.exe.bat" "
        26⤵
        
        PID:4160
        
        C:\windows\system\KEOJD.exe
        
        C:\windows\system\KEOJD.exe
        27⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUHM.exe.bat" "
        28⤵
        
        PID:3424
        
        C:\windows\SysWOW64\JUHM.exe
        
        C:\windows\system32\JUHM.exe
        29⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HNYB.exe.bat" "
        30⤵
        
        PID:384
        
        C:\windows\HNYB.exe
        
        C:\windows\HNYB.exe
        31⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WIHOIOH.exe.bat" "
        32⤵
        
        PID:3888
        
        C:\windows\WIHOIOH.exe
        
        C:\windows\WIHOIOH.exe
        33⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LGN.exe.bat" "
        34⤵
        
        PID:2672
        
        C:\windows\SysWOW64\LGN.exe
        
        C:\windows\system32\LGN.exe
        35⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TTNR.exe.bat" "
        36⤵
        
        PID:3156
        
        C:\windows\SysWOW64\TTNR.exe
        
        C:\windows\system32\TTNR.exe
        37⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BZSY.exe.bat" "
        38⤵
        
        PID:4956
        
        C:\windows\BZSY.exe
        
        C:\windows\BZSY.exe
        39⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZZM.exe.bat" "
        40⤵
        
        PID:1680
        
        C:\windows\SysWOW64\ZZZM.exe
        
        C:\windows\system32\ZZZM.exe
        41⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFFJZN.exe.bat" "
        42⤵
        
        PID:4708
        
        C:\windows\SysWOW64\VFFJZN.exe
        
        C:\windows\system32\VFFJZN.exe
        43⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WIJNFDM.exe.bat" "
        44⤵
        
        PID:4472
        
        C:\windows\SysWOW64\WIJNFDM.exe
        
        C:\windows\system32\WIJNFDM.exe
        45⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYKEMY.exe.bat" "
        46⤵
        
        PID:1424
        
        C:\windows\system\DYKEMY.exe
        
        C:\windows\system\DYKEMY.exe
        47⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AVQ.exe.bat" "
        48⤵
        
        PID:4672
        
        C:\windows\system\AVQ.exe
        
        C:\windows\system\AVQ.exe
        49⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1000
        48⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 960
        46⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1248
        44⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 916
        42⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1008
        40⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1332
        38⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1304
        36⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 960
        34⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 872
        32⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 960
        30⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1316
        28⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 960
        26⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1276
        24⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 888
        22⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 968
        20⤵
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 976
        18⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1216
        16⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1348
        14⤵
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1344
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1000
        9⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1336
        7⤵
        
        PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1004
    3⤵
    PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1248 -ip 1248
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1284 -ip 1284
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2612 -ip 2612
1⤵
PID:4240

C:\windows\BAWT.exe
C:\windows\BAWT.exe
1⤵
PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 976
  2⤵
  PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\GLA.exe.bat" "
  2⤵
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2412 -ip 2412
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4412 -ip 4412
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1960 -ip 1960
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1680 -ip 1680
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 652 -ip 652
1⤵
PID:1700
- C:\windows\YIUCAZJ.exe
  C:\windows\YIUCAZJ.exe
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\windows\system\AGN.exe.bat" "
    3⤵
    PID:3996
  - - C:\windows\system\AGN.exe
      C:\windows\system\AGN.exe
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1268
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FJRD.exe.bat" "
        5⤵
        
        PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 960
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3468 -ip 3468
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2404 -ip 2404
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4948 -ip 4948
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3748 -ip 3748
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4288 -ip 4288
1⤵
PID:956

C:\windows\FJRD.exe
C:\windows\FJRD.exe
1⤵
PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 988
  2⤵
  PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGDJY.exe.bat" "
  2⤵
  PID:544
- - C:\windows\system\QJK.exe
    C:\windows\system\QJK.exe
    3⤵
    PID:3828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1272
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMOIPUZ.exe.bat" "
      4⤵
      PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4412 -ip 4412
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3844 -ip 3844
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2080 -ip 2080
1⤵
PID:1520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5116 -ip 5116
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2752 -ip 2752
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1604 -ip 1604
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3520 -ip 3520
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 384 -ip 384
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2252 -ip 2252
1⤵
PID:1280

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4740

C:\windows\system\NROEH.exe
C:\windows\system\NROEH.exe
1⤵
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\RHIMKB.exe.bat" "
  2⤵
  PID:2612
- - C:\windows\RHIMKB.exe
    C:\windows\RHIMKB.exe
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 960
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXPXW.exe.bat" "
      4⤵
      PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1276
  2⤵
  PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4848 -ip 4848
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2256 -ip 2256
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1128 -ip 1128
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3208 -ip 3208
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1284 -ip 1284
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5116 -ip 5116
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304

C:\windows\system\TOTOCXT.exe
C:\windows\system\TOTOCXT.exe
1⤵
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1332
  2⤵
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QTYLKGV.exe.bat" "
  2⤵
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4336 -ip 4336
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2980 -ip 2980
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3468 -ip 3468
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3764 -ip 3764
1⤵
PID:4584

C:\windows\system\DOD.exe
C:\windows\system\DOD.exe
1⤵
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSU.exe.bat" "
  2⤵
  PID:956
- - C:\windows\system\VSU.exe
    C:\windows\system\VSU.exe
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSCCQ.exe.bat" "
      4⤵
      PID:4376
    - - C:\windows\SysWOW64\BSCCQ.exe
        
        C:\windows\system32\BSCCQ.exe
        5⤵
        
        PID:788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 1008
        6⤵
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QPIZX.exe.bat" "
        6⤵
        
        PID:416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 960
      4⤵
      PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 960
  2⤵
  PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1240 -ip 1240
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1128 -ip 1128
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 788 -ip 788
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3800 -ip 3800
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1084 -ip 1084
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4240 -ip 4240
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3048 -ip 3048
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 788 -ip 788
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1520 -ip 1520
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4948 -ip 4948
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1128 -ip 1128
1⤵
PID:3968

C:\windows\EDPMJFR.exe
C:\windows\EDPMJFR.exe
1⤵
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\XYHPO.exe.bat" "
  2⤵
  PID:1508
- - C:\windows\XYHPO.exe
    C:\windows\XYHPO.exe
    3⤵
    PID:4696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 960
      4⤵
      PID:3292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KJDWTA.exe.bat" "
      4⤵
      PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1304
  2⤵
  PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2904 -ip 2904
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2928 -ip 2928
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3828 -ip 3828
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3684 -ip 3684
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3532 -ip 3532
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2292 -ip 2292
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2620 -ip 2620
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2248 -ip 2248
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1424 -ip 1424
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1280 -ip 1280
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1960 -ip 1960
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4772 -ip 4772
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2928 -ip 2928
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2412 -ip 2412
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4584 -ip 4584
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4896 -ip 4896
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4376 -ip 4376
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3268 -ip 3268
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3976 -ip 3976
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2896 -ip 2896
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3892 -ip 3892
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3512 -ip 3512
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AND.exe

Filesize
208KB

MD5
6e59409a1a04ae246ff20dca42745f14

SHA1
484f308ca26a649518fc40618127d069ccc802af

SHA256
d3a34d8d7fb096c779789c834335095975e97aac46edd5c0c9e808d66ab0810a

SHA512
048a34046b87f85c4c911c7f609cb12df2f1342454589b8a1ab9790ce9f26a5e812bd07a9b80c6e94d8b29458575f3f89fdbfc11cda2f3920d0a73daf80be9f8

Download Submit
C:\Windows\AOQ.exe

Filesize
208KB

MD5
fe739f0a100458db686e095bb051d43a

SHA1
3f57d52f8f3cbef0bd5a32acb16c5ee85d255303

SHA256
d702dfa9efdf3595de03a1a3a16b6ed16365307f35fae5f52e78f919f0bfa81c

SHA512
1911b9c62f1cda04ce402ac65e01faae105e91ffa2a4cecf0afaace49640c21b267167a516ae437baa6eabc51bc2196ddb0fb2b89c4a5a476a69e56ef43648b2

Download Submit
C:\Windows\ATDQ.exe

Filesize
208KB

MD5
2b74e3fd6287b760492b269cad63cbad

SHA1
79c29b32f0b84d64b8ca25d4f6d8a47e8433d984

SHA256
f5a9da3f1911a16723f66fccd00c90afe9b872e4b43bbfdc076088df9d1d2177

SHA512
89cd34afd05c32352df5c844a0951cde96cfae33de77c7770ca0c2996de894ff4c0e9d2b5484b28ea3bb616ceb04e626d34ac96f89afbb207357c62f454f0926

Download Submit
C:\Windows\BUO.exe

Filesize
208KB

MD5
50923cc89cd471c96795fcf1536baaa7

SHA1
47ee4e8f21f37a469e1ba2b448c1da9e2d47db23

SHA256
b718f6e71428ea3b4f4f168cf491bc086569eb3eeda103d60f28357aea944f3e

SHA512
ef49098609a9793768289e2463434e537651202ef78458135b1b5905cce8e69a7ae6ed75f09cdfd1ea433124fd718c3189192d0c1e2fb7f5b8dff2347d7d58b9

Download Submit
C:\Windows\GTD.exe

Filesize
208KB

MD5
9834fcd5ca0c5ef89084295817fcd949

SHA1
ee5c90ec6c2938c50cbbb6a70d405ecd16057c55

SHA256
546ff3238d88f019be17e21a360261609e2ee45064d062994e55cde186452ed2

SHA512
b3623f8ff2f1584c5da63c1b4615d871654262f2f84a09b9352004274a41e1317717e5bbbf256345bfb1d81664bfda01e2357edaf4132c5a6a73d7785ec37838

Download Submit
C:\Windows\JJWK.exe

Filesize
208KB

MD5
344e3b8556c4aaa32ef6049d56c6b1e4

SHA1
6d9526110c1c5fbc9594acba34cf0a6a83f554f2

SHA256
3cc560122e6524e71d1ab0f48d06396fe6b1fc86ed9d06f630f0cbaa9eee2f6e

SHA512
adfe7687e19fcbeebafc1d02f1ee85227d344ddc763a5ba4fb0d2ae7a1815aff1b3172fabb521be4eda2f712180bd4fec8713047666316b908b6ea5ba60741ce

Download Submit
C:\Windows\KWV.exe

Filesize
208KB

MD5
c8d5058fa4671735e22a717db899cdc8

SHA1
79d7b190efcf268773e62331a0778eea8529a273

SHA256
60edc28dc41841c21b1ffc0382da91dd98254590d60cbb43ad6353706e8d76fb

SHA512
cda5ebbf458920e60082bdf745c597ead48219e1b9efa8ef8e82a56259406f9ef6aae5d1e9a066dc4b30cd692a59dfa30bbe8f3b50de7ca5aca45aa40869e264

Download Submit
C:\Windows\SysWOW64\BPDG.exe

Filesize
208KB

MD5
a4912bc4d2a80c30318069c4900ac8f7

SHA1
75d082520959aa541664a9858ce01fa80a0c38b0

SHA256
3afe17a1fbae6b99faedde1f039f7a34d32bdcc8a279cb62018caff265b7b98c

SHA512
17a9cc59938f4c82cdd2c002de03a87edc5345482f0c494e68460bcdd5bdf9351fccca535293da97741c5a3e852609d6a52e3a789313a772993eb062a689f159

Download Submit
C:\Windows\SysWOW64\CEXE.exe

Filesize
208KB

MD5
c8d5058fa4671735e22a717db899cdc8

SHA1
79d7b190efcf268773e62331a0778eea8529a273

SHA256
60edc28dc41841c21b1ffc0382da91dd98254590d60cbb43ad6353706e8d76fb

SHA512
cda5ebbf458920e60082bdf745c597ead48219e1b9efa8ef8e82a56259406f9ef6aae5d1e9a066dc4b30cd692a59dfa30bbe8f3b50de7ca5aca45aa40869e264

Download Submit
C:\Windows\SysWOW64\EIF.exe

Filesize
208KB

MD5
50923cc89cd471c96795fcf1536baaa7

SHA1
47ee4e8f21f37a469e1ba2b448c1da9e2d47db23

SHA256
b718f6e71428ea3b4f4f168cf491bc086569eb3eeda103d60f28357aea944f3e

SHA512
ef49098609a9793768289e2463434e537651202ef78458135b1b5905cce8e69a7ae6ed75f09cdfd1ea433124fd718c3189192d0c1e2fb7f5b8dff2347d7d58b9

Download Submit
C:\Windows\SysWOW64\KCLFJJ.exe

Filesize
208KB

MD5
619a37fb3489a4478d9b0ede7fe55165

SHA1
fbc3e2f37387a6c303ba5807d70b81c7cbb8deda

SHA256
e7afbc3116357cf82604755aed9c4d8bd3213444395d82de6f31f397bb8c60d0

SHA512
5849bd0912bf197a2a75a270b597fb02eb9a9e0ed5a1133dc3600f7320c6a989986ef33a2813c1f8e609fa0db8eba6a2105b95317867e50b5074f4af466d750c

Download Submit
C:\Windows\SysWOW64\KKCL.exe

Filesize
208KB

MD5
8217ecf787d28ae24fcb4ee8024e81be

SHA1
5febcaf607d90c678025a2efc01b50c8cb2925bf

SHA256
ff9d7d5031a0e976fb5368dc1f882dee801ba1df0aa3d20655c165c85233b760

SHA512
7df1637cfd6b371b0f19937237ab995df545a32d3ce53064aadb94eb35712f9ec3b35c5f25e3c60be760fa9f52312c6096b2657327e0d7fc89f1901135f6e041

Download Submit
C:\Windows\SysWOW64\KQC.exe

Filesize
208KB

MD5
61292c4ade46810101e0f1e896372617

SHA1
f7d25d36d407d2d240d14513969f81758a2e6af1

SHA256
5c1686939a6641cf6505a412e34a6d3ff8c74a11dc5459d4ae0f8c95507ca81e

SHA512
427d03c1848db4fc145d296682da5e582928a003668b2978bca8a923db47f7bd05b9e7c55dd2c5bdb7001fe716b75b06847611f2b0feb29fa23748ec62704841

Download Submit
C:\Windows\SysWOW64\RNZO.exe

Filesize
208KB

MD5
61292c4ade46810101e0f1e896372617

SHA1
f7d25d36d407d2d240d14513969f81758a2e6af1

SHA256
5c1686939a6641cf6505a412e34a6d3ff8c74a11dc5459d4ae0f8c95507ca81e

SHA512
427d03c1848db4fc145d296682da5e582928a003668b2978bca8a923db47f7bd05b9e7c55dd2c5bdb7001fe716b75b06847611f2b0feb29fa23748ec62704841

Download Submit
C:\Windows\System\CURX.exe

Filesize
208KB

MD5
db80a10627cda6dd678a9a05bed73318

SHA1
98501cba2f1dd767a82e0a08da47cea4a0ac1d36

SHA256
9e96abb2ddcb0e7506b9ad3b55a2deabdff3f815aa349b5684d86bddd648ea48

SHA512
2b40df8d1fd1ecb535c43b93e473825e8d35f35a0b2587b656b7bfd192caa2797367cd7cab52fd2929765305d28446bd174f1da90325721b332fcfc92b7c2b82

Download Submit
C:\Windows\System\FFKGWVS.exe

Filesize
208KB

MD5
e81c9884f1b5049b2bebb500ed64cabf

SHA1
21ede7a602a885736e6d9bbd1090754a2f19c7cf

SHA256
7a5ddba5cdfd49eb886dbcb7b369680cab7df32e436eb2e78d89369d50fa76b1

SHA512
2053d64adb94ab87880c7cd6e1a6944660de372e1ec539f1d090fa95f92bd50174332cfccdacc350b48e991ad2c037e22500f22aa57c7485f712355ac4286083

Download Submit
C:\Windows\System\HOPRU.exe

Filesize
208KB

MD5
4befb9a8540a63eb20227fb6147d015a

SHA1
b4550aae6f50202fb37022104add4442d17b77b1

SHA256
9a1e48929864562466305619268d5dcf80e996561bdd3597b09a3b9098939f16

SHA512
7693dbbb784e5805145307205e13d6afd9680a49b10c4aa45cda9a1848111cadaee54113873f64f9519ecc145bfe127711d55cfa6e5a76b7c9568d62da5cb9ea

Download Submit
C:\Windows\System\JRKI.exe

Filesize
208KB

MD5
41f3290ef1a30f40537602310dd3ae13

SHA1
2b88f5d9da93d651d8db1d6f94fdcac71343508c

SHA256
cbbe1c503153fd7e83288f032b0c3f4dd9f8882ae01b4551a17f76a939b8407c

SHA512
776b1718315be63d51de7cabea5b823986d969616b1e6f111a66221cacd777a68ff672fa6adbbd8b4f8647eaa066ddad551b13a56b2007d1bcde374073770054

Download Submit
C:\Windows\TIMGF.exe

Filesize
208KB

MD5
9b74d4103f9dd4c11cbdbd50928198cc

SHA1
0b154d6933012c3f55456b986fe247b67be44481

SHA256
93987c13686eccb4f525e9761fbdca1dff30e6fb17bce6b3d8984e877022225a

SHA512
7edd9ffaa82e37f46e013dd61692e7ef26d55632a670ca90b651d0688aee3062ff833daa0cb556f917b696bdf1e724020fd383214de3e9b712a32a16c8188667

Download Submit
C:\Windows\UNIEDL.exe

Filesize
208KB

MD5
7d3f009a36c7813aa64ae0260a1202fa

SHA1
c3efca2b41e85352aff85abbbc0106d8b76666b0

SHA256
b56987dcc38ca83968591a55fbd0ce306728af99423000fa9ef09c0ae289e4b4

SHA512
aba5481822252d8de227c77a0e14488ae04dd82c7a2acca3ca829ea5fb952ee710b6ed1f0307e7d538836e04e9dafb77bed6faeb26858faaefb72ebcf2065995

Download Submit
C:\Windows\WPKEBT.exe

Filesize
208KB

MD5
473ee58c9c8901225121762e5d40e745

SHA1
35677650ab2713f5033202b6fbfe0a80b56a2b40

SHA256
73b0fbaf19c29f518ed3f23a9c7028c2ff2fe4c5164e3374dc970bce4ade4f22

SHA512
67b5ed9ff56d1df13c6b9090ab8bb0340de18445337e623a79668bff4c824be4a1e1fe77ceaadd4fc2c2dea2b10fb62ad95ce769f6b5db944d8a49f0383b7e33

Download Submit
C:\Windows\WPKEBT.exe

Filesize
208KB

MD5
473ee58c9c8901225121762e5d40e745

SHA1
35677650ab2713f5033202b6fbfe0a80b56a2b40

SHA256
73b0fbaf19c29f518ed3f23a9c7028c2ff2fe4c5164e3374dc970bce4ade4f22

SHA512
67b5ed9ff56d1df13c6b9090ab8bb0340de18445337e623a79668bff4c824be4a1e1fe77ceaadd4fc2c2dea2b10fb62ad95ce769f6b5db944d8a49f0383b7e33

Download Submit
C:\windows\AND.exe

Filesize
208KB

MD5
6e59409a1a04ae246ff20dca42745f14

SHA1
484f308ca26a649518fc40618127d069ccc802af

SHA256
d3a34d8d7fb096c779789c834335095975e97aac46edd5c0c9e808d66ab0810a

SHA512
048a34046b87f85c4c911c7f609cb12df2f1342454589b8a1ab9790ce9f26a5e812bd07a9b80c6e94d8b29458575f3f89fdbfc11cda2f3920d0a73daf80be9f8

Download Submit
C:\windows\AND.exe.bat

Filesize
52B

MD5
fa6eb10d01f3bc90fcdc9ecb1a81d648

SHA1
fb36aa8b9ea0ee323b2fba51f5decf2e5ec1fe47

SHA256
532473fdb569418adf9a7499fd024f03100bea5a323a44bfd66afd838eb3ea8f

SHA512
ade435a4d63a42ca1a03254e4f23d1f14545d760ab74208d4625de82be4d251fbb05c88fb785323fe6af4f4c832038926914c771b0d58b178734ecc3c9055e80

Download Submit
C:\windows\AOQ.exe

Filesize
208KB

MD5
fe739f0a100458db686e095bb051d43a

SHA1
3f57d52f8f3cbef0bd5a32acb16c5ee85d255303

SHA256
d702dfa9efdf3595de03a1a3a16b6ed16365307f35fae5f52e78f919f0bfa81c

SHA512
1911b9c62f1cda04ce402ac65e01faae105e91ffa2a4cecf0afaace49640c21b267167a516ae437baa6eabc51bc2196ddb0fb2b89c4a5a476a69e56ef43648b2

Download Submit
C:\windows\AOQ.exe.bat

Filesize
52B

MD5
a208fe332e5c4a05983e252af4909b9b

SHA1
71a3333d7bcd6556d234d9d68ef0f774ac0008ea

SHA256
33ecf536d1a3cae4981ff0655bd36abd1b706065ad9bb1cc6e5b1c2240a35d69

SHA512
16fcfba8af1029b4639f43ad91402b7b1398e30056c90698b6c00aa4ba815ac9f1e9f3aff6092005994c178f1d4fa95058a5281411c9d9a973a7db115b556498

Download Submit
C:\windows\ATDQ.exe

Filesize
208KB

MD5
2b74e3fd6287b760492b269cad63cbad

SHA1
79c29b32f0b84d64b8ca25d4f6d8a47e8433d984

SHA256
f5a9da3f1911a16723f66fccd00c90afe9b872e4b43bbfdc076088df9d1d2177

SHA512
89cd34afd05c32352df5c844a0951cde96cfae33de77c7770ca0c2996de894ff4c0e9d2b5484b28ea3bb616ceb04e626d34ac96f89afbb207357c62f454f0926

Download Submit
C:\windows\ATDQ.exe.bat

Filesize
54B

MD5
1eea184bcf1dfd88b0ae3e5fd622e167

SHA1
4c00924f6cc1af82a70c533fa231a1c3a2039bfb

SHA256
45bea1ecc409fbf38c6bb0657b2b0d897abfc11c6da69a73b7dd108069ac0662

SHA512
4f2292bd6c1c5355e91fdbd95680ae1db9842ac32026aaabd3792d8e4e42a3b41daac31c7ba068013f3d3658e2ecce6a7cf7cc2154bffe2f2d5dff9c1dacdd4d

Download Submit
C:\windows\BUO.exe

Filesize
208KB

MD5
50923cc89cd471c96795fcf1536baaa7

SHA1
47ee4e8f21f37a469e1ba2b448c1da9e2d47db23

SHA256
b718f6e71428ea3b4f4f168cf491bc086569eb3eeda103d60f28357aea944f3e

SHA512
ef49098609a9793768289e2463434e537651202ef78458135b1b5905cce8e69a7ae6ed75f09cdfd1ea433124fd718c3189192d0c1e2fb7f5b8dff2347d7d58b9

Download Submit
C:\windows\BUO.exe.bat

Filesize
52B

MD5
2c1f87dbdc61b9319d5a4deea2932ba4

SHA1
2ac9a2f0d7ac34b953a65d9572264346cdba0cf9

SHA256
9d2467af537cf77a63aba1f7fe656c8715d407eeca789f2bfdc187221349847a

SHA512
c65293958977a7774fec1ecbebba8d844bde25fd0ae842a9193c50ad00aab8b6765820f7c9b518dc5f257a0e8d726e62b1b4b35143024f391c49ad1644a77f1f

Download Submit
C:\windows\GTD.exe

Filesize
208KB

MD5
9834fcd5ca0c5ef89084295817fcd949

SHA1
ee5c90ec6c2938c50cbbb6a70d405ecd16057c55

SHA256
546ff3238d88f019be17e21a360261609e2ee45064d062994e55cde186452ed2

SHA512
b3623f8ff2f1584c5da63c1b4615d871654262f2f84a09b9352004274a41e1317717e5bbbf256345bfb1d81664bfda01e2357edaf4132c5a6a73d7785ec37838

Download Submit
C:\windows\GTD.exe.bat

Filesize
52B

MD5
ebf9a4c64343f4dc71094493776d133d

SHA1
9f3c90e53930926eae64de30d422f962247b526e

SHA256
97d4e7f331c3e2846e099659e898829c22fd5c288d6a7236658c506217aa3a74

SHA512
fdaed665d7116c42072ab99924a72d31e8cc9e27a667793ea5e4227b729ff77e6a2f31fa84a632b9ec0e9591cfb809c11718102446f7d31313c584273f083345

Download Submit
C:\windows\ISRPMV.exe.bat

Filesize
58B

MD5
29517c7082e2a27f19f235a3a3b52486

SHA1
90951788fa627d66df4f1d386b1afd08c2cfccca

SHA256
de85d2e172b886d66df816e8b74185938bc5e1b2971f3a337cf6c9ef0f886580

SHA512
55751aff7cc934c3cf3ea7236d99120f553de6a14de8195f0f216c0607ad4fbe0f4f9f5b44a9981a2f6e7838c60fa6ca98a70c0a95a46250efebbe3075b0ac3f

Download Submit
C:\windows\JJWK.exe

Filesize
208KB

MD5
344e3b8556c4aaa32ef6049d56c6b1e4

SHA1
6d9526110c1c5fbc9594acba34cf0a6a83f554f2

SHA256
3cc560122e6524e71d1ab0f48d06396fe6b1fc86ed9d06f630f0cbaa9eee2f6e

SHA512
adfe7687e19fcbeebafc1d02f1ee85227d344ddc763a5ba4fb0d2ae7a1815aff1b3172fabb521be4eda2f712180bd4fec8713047666316b908b6ea5ba60741ce

Download Submit
C:\windows\JJWK.exe.bat

Filesize
54B

MD5
c39ec70d0914fe6e75b13e875c0e8c36

SHA1
5a68b24ee5ceefabe7515ab8db6730c596f0e804

SHA256
bb0d338b4dd3586c0e376546ae26922c0abfc31708d775390d33a2808af2a108

SHA512
2b7ea48f064d4c67866d06c825afd100c5a04ba960e8ea2335a428192cd7339db7279f68348fd06fa91b541236aa3748173c3463614ab06c17cf03fdb125bd47

Download Submit
C:\windows\KWV.exe

Filesize
208KB

MD5
c8d5058fa4671735e22a717db899cdc8

SHA1
79d7b190efcf268773e62331a0778eea8529a273

SHA256
60edc28dc41841c21b1ffc0382da91dd98254590d60cbb43ad6353706e8d76fb

SHA512
cda5ebbf458920e60082bdf745c597ead48219e1b9efa8ef8e82a56259406f9ef6aae5d1e9a066dc4b30cd692a59dfa30bbe8f3b50de7ca5aca45aa40869e264

Download Submit
C:\windows\KWV.exe.bat

Filesize
52B

MD5
b3fa691043bab6276cb90d17707267c8

SHA1
0add66024e40ad3b97f155fce697dd3a93c20871

SHA256
e11d5aa465d862dc48c5e90b709bc226bc9b51fb1ef0396df7c9018fe3db6b98

SHA512
8df9a752c5345b9429b072a18d18c777f72952bd138f7ce991157c83a798ca4654372cae00b54405505eba764365689d1a1264203e17496e272f2708ce3b62dc

Download Submit
C:\windows\SysWOW64\BPDG.exe

Filesize
208KB

MD5
a4912bc4d2a80c30318069c4900ac8f7

SHA1
75d082520959aa541664a9858ce01fa80a0c38b0

SHA256
3afe17a1fbae6b99faedde1f039f7a34d32bdcc8a279cb62018caff265b7b98c

SHA512
17a9cc59938f4c82cdd2c002de03a87edc5345482f0c494e68460bcdd5bdf9351fccca535293da97741c5a3e852609d6a52e3a789313a772993eb062a689f159

Download Submit
C:\windows\SysWOW64\BPDG.exe.bat

Filesize
72B

MD5
4cd616b0c8e886912588eed65fe17c3c

SHA1
b813c3b75d31650b826b1f6fddfe41745835e09b

SHA256
5cfa182f7f6cccee6574628e09999e2dc777d72d422252f1199a953506166c15

SHA512
e6b81d86f3ce236c9d4fb2f35640c63f0ae8dddf9b362d9982f86e63c1799b69723195a25166c601fbe71de1e5d323c8d31cbcdaa818e5014e5a7a64a5deca16

Download Submit
C:\windows\SysWOW64\CEXE.exe

Filesize
208KB

MD5
c8d5058fa4671735e22a717db899cdc8

SHA1
79d7b190efcf268773e62331a0778eea8529a273

SHA256
60edc28dc41841c21b1ffc0382da91dd98254590d60cbb43ad6353706e8d76fb

SHA512
cda5ebbf458920e60082bdf745c597ead48219e1b9efa8ef8e82a56259406f9ef6aae5d1e9a066dc4b30cd692a59dfa30bbe8f3b50de7ca5aca45aa40869e264

Download Submit
C:\windows\SysWOW64\CEXE.exe.bat

Filesize
72B

MD5
da91b010c58d1da9982b999cbc431ae8

SHA1
7cc8fd5c8f10221f03bd5b43ac324ff2f1915a51

SHA256
fc2defc3eb8790adc86fb464d6037d379b283f42d5aff9581725fa31e075713f

SHA512
cfd69dbe75c5ef78efc2fc1263d6caa0d2dfa7c20b169dc55e0de5260e7333b60dac8eb95751c977d94e8744193fc7571355442601135d0549617c8e70cbaee4

Download Submit
C:\windows\SysWOW64\EIF.exe

Filesize
208KB

MD5
50923cc89cd471c96795fcf1536baaa7

SHA1
47ee4e8f21f37a469e1ba2b448c1da9e2d47db23

SHA256
b718f6e71428ea3b4f4f168cf491bc086569eb3eeda103d60f28357aea944f3e

SHA512
ef49098609a9793768289e2463434e537651202ef78458135b1b5905cce8e69a7ae6ed75f09cdfd1ea433124fd718c3189192d0c1e2fb7f5b8dff2347d7d58b9

Download Submit
C:\windows\SysWOW64\EIF.exe.bat

Filesize
70B

MD5
884550483c23cce56007a5d4d0ccc01a

SHA1
da29ead5e9c57b1e89247c8ba0b26a66649db3f0

SHA256
6681e78c45fc3ee34a88c35614dcda0e7bbaa6cefce4db3a4a188d594cac94a5

SHA512
85750424fe90ac5723cf70b98ae23600bac050430378ff8ed4189cf7d81d00e3ee2508790f5e814a4aafda1cf7ec215362e93d99d12d6b7d9f2468161d34fafd

Download Submit
C:\windows\SysWOW64\KCLFJJ.exe

Filesize
208KB

MD5
619a37fb3489a4478d9b0ede7fe55165

SHA1
fbc3e2f37387a6c303ba5807d70b81c7cbb8deda

SHA256
e7afbc3116357cf82604755aed9c4d8bd3213444395d82de6f31f397bb8c60d0

SHA512
5849bd0912bf197a2a75a270b597fb02eb9a9e0ed5a1133dc3600f7320c6a989986ef33a2813c1f8e609fa0db8eba6a2105b95317867e50b5074f4af466d750c

Download Submit
C:\windows\SysWOW64\KCLFJJ.exe.bat

Filesize
76B

MD5
3e5759231429f40200e771f9dba75e6c

SHA1
229fcb1ffb1233f5be9994c4c4d68a1681d7c1be

SHA256
40a0382f5b8b9a6a16cf6e3e527578cab746c4e5b0e923a14c7dcd049afcf2bf

SHA512
d9c4327b218a5c423efed361aff59166225566d2823102399e21362b9fb1cb9572eeda86625e3c082fa44ef8a4b36bd6d02a1c721a1dc47b0aeb25d5e6b7d35d

Download Submit
C:\windows\SysWOW64\KKCL.exe

Filesize
208KB

MD5
8217ecf787d28ae24fcb4ee8024e81be

SHA1
5febcaf607d90c678025a2efc01b50c8cb2925bf

SHA256
ff9d7d5031a0e976fb5368dc1f882dee801ba1df0aa3d20655c165c85233b760

SHA512
7df1637cfd6b371b0f19937237ab995df545a32d3ce53064aadb94eb35712f9ec3b35c5f25e3c60be760fa9f52312c6096b2657327e0d7fc89f1901135f6e041

Download Submit
C:\windows\SysWOW64\KKCL.exe.bat

Filesize
72B

MD5
30d99e7d7bb421ecaa0793c5828c8533

SHA1
775968c26be27281df9ccd50a2b0aebe989bf707

SHA256
db0392b633b8ec57b6fb3f939b8f065c95163ce884d1907ee4b5c0c76c1e3b6a

SHA512
379d9b163d77828ebd2a35012cdaaef33d391ef90b8f076be27f8e1f5617045e9f5dcd0245e0cc12e5db1495e32491eb87fd53c5af740efb8f7eb13f1df45d1a

Download Submit
C:\windows\SysWOW64\KQC.exe

Filesize
208KB

MD5
61292c4ade46810101e0f1e896372617

SHA1
f7d25d36d407d2d240d14513969f81758a2e6af1

SHA256
5c1686939a6641cf6505a412e34a6d3ff8c74a11dc5459d4ae0f8c95507ca81e

SHA512
427d03c1848db4fc145d296682da5e582928a003668b2978bca8a923db47f7bd05b9e7c55dd2c5bdb7001fe716b75b06847611f2b0feb29fa23748ec62704841

Download Submit
C:\windows\SysWOW64\KQC.exe.bat

Filesize
70B

MD5
782cdf4aac9c8a93a10f04b67e1387d1

SHA1
82e5bf1fef4811d7255c56b7830d1d7f18dc1a53

SHA256
de61de18ee39592c6203d16d5c3a31df152b632474db8bb82a6a91e2a3a5396b

SHA512
841b9592d5583133d0712713422dc863a795aaf11e3e392207e4b97c314e65250ed6a5e3768612c12bb78878bd59698d06cd95128b75eab4c8d89774e51ff570

Download Submit
C:\windows\SysWOW64\RNZO.exe

Filesize
208KB

MD5
61292c4ade46810101e0f1e896372617

SHA1
f7d25d36d407d2d240d14513969f81758a2e6af1

SHA256
5c1686939a6641cf6505a412e34a6d3ff8c74a11dc5459d4ae0f8c95507ca81e

SHA512
427d03c1848db4fc145d296682da5e582928a003668b2978bca8a923db47f7bd05b9e7c55dd2c5bdb7001fe716b75b06847611f2b0feb29fa23748ec62704841

Download Submit
C:\windows\SysWOW64\RNZO.exe.bat

Filesize
72B

MD5
5c0de56c0850818b9e05ee7d6fbf0f62

SHA1
710a8252a86fc7f6d7f55c80b4c03d09b76a6724

SHA256
120625de9bddbfa8c2bb0c7b5808c23dbbb35e334bd804bf98057e3237880808

SHA512
864ea317074c4e8e78463da0bbfcbe265e2f5f082113a247dd2db6000ca7e5c7ba749c005f0badb56d42b7416dc90416ac859d315aefe1b360639147f6530adc

Download Submit
C:\windows\TIMGF.exe

Filesize
208KB

MD5
9b74d4103f9dd4c11cbdbd50928198cc

SHA1
0b154d6933012c3f55456b986fe247b67be44481

SHA256
93987c13686eccb4f525e9761fbdca1dff30e6fb17bce6b3d8984e877022225a

SHA512
7edd9ffaa82e37f46e013dd61692e7ef26d55632a670ca90b651d0688aee3062ff833daa0cb556f917b696bdf1e724020fd383214de3e9b712a32a16c8188667

Download Submit
C:\windows\TIMGF.exe.bat

Filesize
56B

MD5
01fc3e8b7498496343cb38989ce9947f

SHA1
30b45d4ee4187d484d01913b03ec52f8e1658f36

SHA256
b2ca2f9e2fdd995f1060548cd6379e24f3cb05f349857fa3e8d209918fdf1763

SHA512
487dba56fcb3dd7eb5d692c4d36913742514ce5bbc0dc5304aeb05d5bb7dd47b651be4dd6b1f5fe590cf89d7caf8f44a7199bb535b83e64d9fd5c96407671750

Download Submit
C:\windows\UNIEDL.exe

Filesize
208KB

MD5
7d3f009a36c7813aa64ae0260a1202fa

SHA1
c3efca2b41e85352aff85abbbc0106d8b76666b0

SHA256
b56987dcc38ca83968591a55fbd0ce306728af99423000fa9ef09c0ae289e4b4

SHA512
aba5481822252d8de227c77a0e14488ae04dd82c7a2acca3ca829ea5fb952ee710b6ed1f0307e7d538836e04e9dafb77bed6faeb26858faaefb72ebcf2065995

Download Submit
C:\windows\UNIEDL.exe.bat

Filesize
58B

MD5
1e571d0c7fb26636bd4c62768758c5f1

SHA1
6992d5a9c1e0aea12b32a1beba2e92318c735d52

SHA256
fe4d0d8556d804e0606be521ab2c8890bfe9522ef0de2cadc996020e310ba001

SHA512
b339f1a0443fc15e64a13afefd8becc396511668ec2affd8541959fe742c956b81b3f0c64c572e29ec9ce0d05a567e39d64789e81e2b4c932d1f84dad856f2e2

Download Submit
C:\windows\WPKEBT.exe

Filesize
208KB

MD5
473ee58c9c8901225121762e5d40e745

SHA1
35677650ab2713f5033202b6fbfe0a80b56a2b40

SHA256
73b0fbaf19c29f518ed3f23a9c7028c2ff2fe4c5164e3374dc970bce4ade4f22

SHA512
67b5ed9ff56d1df13c6b9090ab8bb0340de18445337e623a79668bff4c824be4a1e1fe77ceaadd4fc2c2dea2b10fb62ad95ce769f6b5db944d8a49f0383b7e33

Download Submit
C:\windows\WPKEBT.exe.bat

Filesize
58B

MD5
88bfae80f3053eafeb004a16f614df53

SHA1
18d9b8772fae7053acc1385607bddf3c1a99b5bf

SHA256
9ec8f5d79f3764c0b3b11b6684ef8103f8560d8b7d820031dc5e6acc646503f0

SHA512
97cd6ffaca9dde83a810dd65d6c58ec3ea8759e4735c9ff2c4f19f6bf3122c9822ce4a81a15499ced8f38892928f24679f6b7732afabe834a1873605ee121725

Download Submit
C:\windows\system\CURX.exe

Filesize
208KB

MD5
db80a10627cda6dd678a9a05bed73318

SHA1
98501cba2f1dd767a82e0a08da47cea4a0ac1d36

SHA256
9e96abb2ddcb0e7506b9ad3b55a2deabdff3f815aa349b5684d86bddd648ea48

SHA512
2b40df8d1fd1ecb535c43b93e473825e8d35f35a0b2587b656b7bfd192caa2797367cd7cab52fd2929765305d28446bd174f1da90325721b332fcfc92b7c2b82

Download Submit
C:\windows\system\CURX.exe.bat

Filesize
68B

MD5
de8a2aada8d2e63d6710c0fc3a3a83e1

SHA1
41e0c454542110234595c3aba87f78127d0fd035

SHA256
e8a10a097be585a6580ac7bc9c22a17fb63aa4ea479611f6884ac0f7571a064a

SHA512
30eae6511cd0bb5ac2449251aa87387b271a557b5445279dd5fee083d8b5351ece7ef0837712f4aaf029c503fd0ae621db8076f9b7f0c71b3b58e717f26309b6

Download Submit
C:\windows\system\FFKGWVS.exe

Filesize
208KB

MD5
e81c9884f1b5049b2bebb500ed64cabf

SHA1
21ede7a602a885736e6d9bbd1090754a2f19c7cf

SHA256
7a5ddba5cdfd49eb886dbcb7b369680cab7df32e436eb2e78d89369d50fa76b1

SHA512
2053d64adb94ab87880c7cd6e1a6944660de372e1ec539f1d090fa95f92bd50174332cfccdacc350b48e991ad2c037e22500f22aa57c7485f712355ac4286083

Download Submit
C:\windows\system\FFKGWVS.exe.bat

Filesize
74B

MD5
9ddafdcad2766754da2eb9bcacfc741b

SHA1
438c411b8ac5739f4ef54c0bd56c38b45206cd3c

SHA256
f8324fd23705d6b25db6bb1c925df7e2f2e364d7f6294da116c0a109775b4389

SHA512
cee622eeb9bd927124dda731f66d592b8aa965c0021d8fb1a00ac7097329daa3b07486af0dd0de22d8e4c36ff24cb64d71d6d17ad1a43a807f310db4b5423e1d

Download Submit
C:\windows\system\HOPRU.exe

Filesize
208KB

MD5
4befb9a8540a63eb20227fb6147d015a

SHA1
b4550aae6f50202fb37022104add4442d17b77b1

SHA256
9a1e48929864562466305619268d5dcf80e996561bdd3597b09a3b9098939f16

SHA512
7693dbbb784e5805145307205e13d6afd9680a49b10c4aa45cda9a1848111cadaee54113873f64f9519ecc145bfe127711d55cfa6e5a76b7c9568d62da5cb9ea

Download Submit
C:\windows\system\HOPRU.exe.bat

Filesize
70B

MD5
a80bc01f2b420e26d2d147f81448a6bc

SHA1
77294e5c0c57e14862a927a478af2be4fa654e51

SHA256
1b730c3a60d2e3887aa2a639a96e8ced161788ffa6b8699eac00554732f90f46

SHA512
0d936296abcc10a0169bf079f8f052cf9ac829977329fb3bf5cc549522c10abb686ac595a139f14b440e21ca019d4f4c3328d6eecee64b25eb78f66c4f1d8d92

Download Submit
C:\windows\system\JRKI.exe

Filesize
208KB

MD5
41f3290ef1a30f40537602310dd3ae13

SHA1
2b88f5d9da93d651d8db1d6f94fdcac71343508c

SHA256
cbbe1c503153fd7e83288f032b0c3f4dd9f8882ae01b4551a17f76a939b8407c

SHA512
776b1718315be63d51de7cabea5b823986d969616b1e6f111a66221cacd777a68ff672fa6adbbd8b4f8647eaa066ddad551b13a56b2007d1bcde374073770054

Download Submit
C:\windows\system\JRKI.exe.bat

Filesize
68B

MD5
5c15222997527e4c64172ab3389890a2

SHA1
705b7fe942a438586c6e2bf50f84fbec89dfa965

SHA256
f641bc4f8d696f8ef5d0d8a73e8f9526aa01861f7997bd22439649e8ea5e61ea

SHA512
1a92fe69931751ee82d36d82cbe4ea56147b601429a9b81c141ccdadfdff84db890cf17f987ae37598120428dca5c7e97d8da1d071d0dfd0f3eafbb629ac5ec4

Download Submit
memory/436-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/436-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/484-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/484-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/680-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/680-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-124-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-266-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1424-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1424-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1424-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1424-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2084-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2084-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-320-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-302-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2348-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3520-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-1165-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1176-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1187-0x0000029DFCB20000-0x0000029DFCB21000-memory.dmp

Filesize
4KB

Download
memory/3640-1195-0x0000029DFCA50000-0x0000029DFCA51000-memory.dmp

Filesize
4KB

Download
memory/3640-1209-0x0000029DFCC60000-0x0000029DFCC61000-memory.dmp

Filesize
4KB

Download
memory/3640-1192-0x0000029DFCB10000-0x0000029DFCB11000-memory.dmp

Filesize
4KB

Download
memory/3640-1182-0x0000029DFCB20000-0x0000029DFCB21000-memory.dmp

Filesize
4KB

Download
memory/3640-1162-0x0000029DFCED0000-0x0000029DFCED1000-memory.dmp

Filesize
4KB

Download
memory/3640-1210-0x0000029DFCC60000-0x0000029DFCC61000-memory.dmp

Filesize
4KB

Download
memory/3640-1174-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1175-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1207-0x0000029DFCC50000-0x0000029DFCC51000-memory.dmp

Filesize
4KB

Download
memory/3640-1173-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1172-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1171-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1170-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1169-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1167-0x0000029DFCEF0000-0x0000029DFCEF1000-memory.dmp

Filesize
4KB

Download
memory/3640-1142-0x0000029DF8940000-0x0000029DF8950000-memory.dmp

Filesize
64KB

Download
memory/3640-1126-0x0000029DF8840000-0x0000029DF8850000-memory.dmp

Filesize
64KB

Download
memory/3640-1211-0x0000029DFCD70000-0x0000029DFCD71000-memory.dmp

Filesize
4KB

Download
memory/3640-1183-0x0000029DFCB10000-0x0000029DFCB11000-memory.dmp

Filesize
4KB

Download
memory/3692-100-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3692-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3712-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3712-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3828-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3828-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4600-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4600-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4780-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4780-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-293-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5012-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5012-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5080-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5080-196-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download