1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7

Analysis

max time kernel
149s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
Size

448KB
MD5

411c8fa7d7b71729231ec23e62e023f9
SHA1

233eb141b5b030a4512962ad8ed6ef2bd458f0af
SHA256

1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7
SHA512

5b61f8132560162e7660d9cb1e04c3481489927916d16cd03879f1b4781d2b7dd3270864bb0a9cecc36cb8f5bbffbc725d04037c1954077eece21e446510ec5d
SSDEEP

6144:n+GxFNcONazpuImOeqwsMV0f2ukEjWbjcSbcY+CaQdaFOY4iGFYtR:nbFwilukFbz+xt4vF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	XDBVLEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	USUTUPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	YDRLS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	EEHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	MDHWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JLZVTAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	NOIZMQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	KUWGR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	AIUJS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TUTDUHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	QZN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	OQD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JMTLMVD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	FPQDQO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	RJQFHN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	MYEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	LCFY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JAXQFX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	YCFZYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DTEH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JYHUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	HNNEZY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	MDCDVHA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	SKPHE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	FMUCWDU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	LTZH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	NBQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	NJH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	NNNR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ZGHI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	YVMCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JOYUUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	OIHRYCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	JXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DEXER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	IEYG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	BRNSTQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DQU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	FSSHPU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	YKWQJSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	OCBGS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TSERVT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	FPIOYC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	BDEH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	FAJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	EUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	VHTQYCW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	LYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	HHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	KXR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	QXASNF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WWTVWNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	PKABPVA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	VWXIXL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	AND.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ODW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	MKU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ADP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	RHJJG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	YYSI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	XONMRLN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	PLDRCC.exe

Executes dropped EXE 64 IoCs

pid	Process
1352	DTEH.exe
4660	VWXIXL.exe
1744	HHH.exe
4940	BFVGWBW.exe
2936	MYEG.exe
2108	UBUBX.exe
4884	FPIOYC.exe
4056	JXP.exe
3832	AND.exe
2792	XONMRLN.exe
2996	LTZH.exe
3164	NRAJR.exe
3136	QZN.exe
2272	PKYGIVL.exe
4244	MDCDVHA.exe
2188	PLDRCC.exe
5096	LCFY.exe
4960	XUMJG.exe
1288	OCBGS.exe
3340	WSK.exe
1516	NBQ.exe
3420	MEX.exe
2360	GRUUK.exe
928	OQD.exe
3684	UQK.exe
4704	ODW.exe
3764	ZGHI.exe
1968	FMUCWDU.exe
692	JMTLMVD.exe
1272	JAXQFX.exe
4832	JOYUUM.exe
2992	EUL.exe
4852	FSSHPU.exe
864	VHTQYCW.exe
2676	EASUC.exe
4940	JRXZFHW.exe
1216	OIHRYCP.exe
3052	WGIHN.exe
1224	YKWQJSN.exe
928	DEXER.exe
2300	OWPE.exe
3496	KXR.exe
4968	WNKG.exe
3860	YVMCP.exe
4696	ATNWNP.exe
964	HOYNK.exe
5112	QXASNF.exe
4628	YCFZYD.exe
2252	TIZ.exe
3712	YDRLS.exe
3296	BRJUMD.exe
4396	SZXSYU.exe
1224	RKAIH.exe
2188	AIUJS.exe
2572	HNNEZY.exe
4040	LYY.exe
2444	FBV.exe
1564	IKWL.exe
1620	SCALV.exe
3252	MDHWM.exe
4968	UIUDP.exe
4244	JYHUE.exe
2408	EEHG.exe
3196	MKU.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\AIUJS.exe.bat	RKAIH.exe
File created	C:\windows\SysWOW64\IKWL.exe.bat	FBV.exe
File created	C:\windows\SysWOW64\JYHUE.exe	UIUDP.exe
File created	C:\windows\SysWOW64\NJH.exe	WJFSGWY.exe
File created	C:\windows\SysWOW64\WWTVWNT.exe	SVR.exe
File created	C:\windows\SysWOW64\TUTDUHS.exe.bat	BRNSTQB.exe
File opened for modification	C:\windows\SysWOW64\ODW.exe	UQK.exe
File opened for modification	C:\windows\SysWOW64\YVMCP.exe	WNKG.exe
File opened for modification	C:\windows\SysWOW64\TSERVT.exe	MWHPDWL.exe
File created	C:\windows\SysWOW64\HOYNK.exe	ATNWNP.exe
File created	C:\windows\SysWOW64\HOYNK.exe.bat	ATNWNP.exe
File opened for modification	C:\windows\SysWOW64\MKU.exe	EEHG.exe
File created	C:\windows\SysWOW64\HHH.exe.bat	VWXIXL.exe
File created	C:\windows\SysWOW64\ODW.exe.bat	UQK.exe
File opened for modification	C:\windows\SysWOW64\IKWL.exe	FBV.exe
File opened for modification	C:\windows\SysWOW64\KXXD.exe	RJQFHN.exe
File opened for modification	C:\windows\SysWOW64\NBQ.exe	WSK.exe
File created	C:\windows\SysWOW64\DEXER.exe.bat	YKWQJSN.exe
File opened for modification	C:\windows\SysWOW64\FPQDQO.exe	IEYG.exe
File opened for modification	C:\windows\SysWOW64\TUTDUHS.exe	BRNSTQB.exe
File created	C:\windows\SysWOW64\YYSI.exe.bat	SKPHE.exe
File created	C:\windows\SysWOW64\XONMRLN.exe	AND.exe
File opened for modification	C:\windows\SysWOW64\UIUDP.exe	MDHWM.exe
File opened for modification	C:\windows\SysWOW64\NOIZMQJ.exe	DQU.exe
File created	C:\windows\SysWOW64\EUYVBHG.exe	KXXD.exe
File created	C:\windows\SysWOW64\NOIZMQJ.exe	DQU.exe
File opened for modification	C:\windows\SysWOW64\JYHUE.exe	UIUDP.exe
File created	C:\windows\SysWOW64\MWHPDWL.exe.bat	PWX.exe
File created	C:\windows\SysWOW64\TSERVT.exe.bat	MWHPDWL.exe
File opened for modification	C:\windows\SysWOW64\AIUJS.exe	RKAIH.exe
File created	C:\windows\SysWOW64\UIUDP.exe	MDHWM.exe
File created	C:\windows\SysWOW64\KXXD.exe.bat	RJQFHN.exe
File created	C:\windows\SysWOW64\TUTDUHS.exe	BRNSTQB.exe
File created	C:\windows\SysWOW64\MWHPDWL.exe	PWX.exe
File opened for modification	C:\windows\SysWOW64\BFVGWBW.exe	HHH.exe
File created	C:\windows\SysWOW64\NJH.exe.bat	WJFSGWY.exe
File created	C:\windows\SysWOW64\XONMRLN.exe.bat	AND.exe
File created	C:\windows\SysWOW64\ODW.exe	UQK.exe
File opened for modification	C:\windows\SysWOW64\WWTVWNT.exe	SVR.exe
File opened for modification	C:\windows\SysWOW64\HHH.exe	VWXIXL.exe
File opened for modification	C:\windows\SysWOW64\XONMRLN.exe	AND.exe
File created	C:\windows\SysWOW64\MKU.exe	EEHG.exe
File opened for modification	C:\windows\SysWOW64\EUYVBHG.exe	KXXD.exe
File created	C:\windows\SysWOW64\NBQ.exe.bat	WSK.exe
File created	C:\windows\SysWOW64\IKWL.exe	FBV.exe
File created	C:\windows\SysWOW64\AIUJS.exe	RKAIH.exe
File opened for modification	C:\windows\SysWOW64\DEXER.exe	YKWQJSN.exe
File opened for modification	C:\windows\SysWOW64\HOYNK.exe	ATNWNP.exe
File created	C:\windows\SysWOW64\DEXER.exe	YKWQJSN.exe
File created	C:\windows\SysWOW64\JYHUE.exe.bat	UIUDP.exe
File created	C:\windows\SysWOW64\USUTUPT.exe	GJDWHS.exe
File opened for modification	C:\windows\SysWOW64\MWHPDWL.exe	PWX.exe
File opened for modification	C:\windows\SysWOW64\YYSI.exe	SKPHE.exe
File created	C:\windows\SysWOW64\HHH.exe	VWXIXL.exe
File opened for modification	C:\windows\SysWOW64\YKWQJSN.exe	WGIHN.exe
File created	C:\windows\SysWOW64\NBQ.exe	WSK.exe
File created	C:\windows\SysWOW64\MKU.exe.bat	EEHG.exe
File created	C:\windows\SysWOW64\YYSI.exe	SKPHE.exe
File created	C:\windows\SysWOW64\BFVGWBW.exe	HHH.exe
File created	C:\windows\SysWOW64\BFVGWBW.exe.bat	HHH.exe
File created	C:\windows\SysWOW64\EUYVBHG.exe.bat	KXXD.exe
File created	C:\windows\SysWOW64\YKWQJSN.exe.bat	WGIHN.exe
File created	C:\windows\SysWOW64\UIUDP.exe.bat	MDHWM.exe
File created	C:\windows\SysWOW64\FPQDQO.exe.bat	IEYG.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\TIZ.exe.bat	YCFZYD.exe
File created	C:\windows\WJFSGWY.exe	BDEH.exe
File created	C:\windows\system\KUWGR.exe	CPSSGP.exe
File created	C:\windows\PWX.exe.bat	XDBVLEU.exe
File created	C:\windows\PKYGIVL.exe	QZN.exe
File opened for modification	C:\windows\FMUCWDU.exe	SUG.exe
File opened for modification	C:\windows\RKAIH.exe	SZXSYU.exe
File created	C:\windows\system\UBUBX.exe	MYEG.exe
File created	C:\windows\FMUCWDU.exe.bat	SUG.exe
File created	C:\windows\system\OIHRYCP.exe	JRXZFHW.exe
File created	C:\windows\BDEH.exe.bat	WCWTIJM.exe
File created	C:\windows\EQW.exe.bat	YYSI.exe
File created	C:\windows\system\OQD.exe.bat	GRUUK.exe
File opened for modification	C:\windows\QXASNF.exe	HOYNK.exe
File created	C:\windows\MDHWM.exe	SCALV.exe
File opened for modification	C:\windows\RTC.exe	PKABPVA.exe
File opened for modification	C:\windows\system\LTZH.exe	XONMRLN.exe
File created	C:\windows\NRAJR.exe	LTZH.exe
File opened for modification	C:\windows\system\JRXZFHW.exe	EASUC.exe
File created	C:\windows\FKANZ.exe	FPQDQO.exe
File created	C:\windows\system\QZN.exe	NRAJR.exe
File created	C:\windows\system\JAXQFX.exe.bat	JMTLMVD.exe
File created	C:\windows\LYY.exe	HNNEZY.exe
File created	C:\windows\system\SKPHE.exe	TSERVT.exe
File opened for modification	C:\windows\BRJUMD.exe	YDRLS.exe
File opened for modification	C:\windows\system\PULTRFY.exe	JLZVTAS.exe
File opened for modification	C:\windows\SCALV.exe	IKWL.exe
File created	C:\windows\system\FAJ.exe.bat	KUWGR.exe
File opened for modification	C:\windows\EQW.exe	YYSI.exe
File created	C:\windows\system\DTEH.exe	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
File created	C:\windows\PLDRCC.exe	MDCDVHA.exe
File created	C:\windows\QXASNF.exe	HOYNK.exe
File created	C:\windows\system\SZXSYU.exe.bat	BRJUMD.exe
File opened for modification	C:\windows\system\VWXIXL.exe	DTEH.exe
File created	C:\windows\system\VHTQYCW.exe.bat	FSSHPU.exe
File created	C:\windows\WCWTIJM.exe.bat	MKU.exe
File created	C:\windows\system\NNNR.exe	USUTUPT.exe
File created	C:\windows\MDCDVHA.exe	PKYGIVL.exe
File opened for modification	C:\windows\LCFY.exe	PLDRCC.exe
File opened for modification	C:\windows\system\JOYUUM.exe	JAXQFX.exe
File created	C:\windows\system\VHTQYCW.exe	FSSHPU.exe
File created	C:\windows\MDCDVHA.exe.bat	PKYGIVL.exe
File created	C:\windows\system\ZGHI.exe.bat	ODW.exe
File created	C:\windows\system\WGIHN.exe.bat	OIHRYCP.exe
File opened for modification	C:\windows\LYY.exe	HNNEZY.exe
File opened for modification	C:\windows\system\WSK.exe	OCBGS.exe
File created	C:\windows\FMUCWDU.exe	SUG.exe
File opened for modification	C:\windows\GJDWHS.exe	RTC.exe
File created	C:\windows\JLZVTAS.exe	NNNR.exe
File created	C:\windows\GJDWHS.exe.bat	RTC.exe
File created	C:\windows\JLZVTAS.exe.bat	NNNR.exe
File opened for modification	C:\windows\system\MEX.exe	NBQ.exe
File created	C:\windows\system\OQD.exe	GRUUK.exe
File created	C:\windows\system\OIHRYCP.exe.bat	JRXZFHW.exe
File created	C:\windows\GJDWHS.exe	RTC.exe
File created	C:\windows\AND.exe	JXP.exe
File created	C:\windows\PKYGIVL.exe.bat	QZN.exe
File opened for modification	C:\windows\system\YCFZYD.exe	QXASNF.exe
File created	C:\windows\RHJJG.exe.bat	PULTRFY.exe
File opened for modification	C:\windows\MDCDVHA.exe	PKYGIVL.exe
File created	C:\windows\ATNWNP.exe.bat	YVMCP.exe
File created	C:\windows\WCWTIJM.exe	MKU.exe
File created	C:\windows\SVR.exe.bat	FKANZ.exe
File created	C:\windows\system\XUMJG.exe	LCFY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1448	2304	WerFault.exe	87
1584	1352	WerFault.exe	95
4704	4660	WerFault.exe	101
4464	1744	WerFault.exe	106
4064	4940	WerFault.exe	111
4788	2936	WerFault.exe	116
3216	2108	WerFault.exe	121
2476	4884	WerFault.exe	126
4872	4056	WerFault.exe	131
1516	3832	WerFault.exe	137
2100	2792	WerFault.exe	146
2308	2996	WerFault.exe	151
4600	3164	WerFault.exe	157
4952	3136	WerFault.exe	162
2236	2272	WerFault.exe	168
3684	4244	WerFault.exe	173
4868	2188	WerFault.exe	178
2304	5096	WerFault.exe	184
3392	4960	WerFault.exe	189
4524	1288	WerFault.exe	194
3252	3340	WerFault.exe	200
1448	1516	WerFault.exe	205
4612	3420	WerFault.exe	210
2536	2360	WerFault.exe	215
4452	928	WerFault.exe	220
3196	3684	WerFault.exe	225
1408	4704	WerFault.exe	230
3068	3764	WerFault.exe	235
1224	2188	WerFault.exe	240
1720	1968	WerFault.exe	244
3372	692	WerFault.exe	250
2252	1272	WerFault.exe	255
1656	4832	WerFault.exe	260
3256	2992	WerFault.exe	265
4976	4852	WerFault.exe	270
4556	864	WerFault.exe	274
3372	2676	WerFault.exe	280
4728	4940	WerFault.exe	285
4960	1216	WerFault.exe	290
2424	3052	WerFault.exe	296
672	1224	WerFault.exe	301
2876	928	WerFault.exe	306
4552	2300	WerFault.exe	311
2572	3496	WerFault.exe	316
952	4968	WerFault.exe	321
992	3860	WerFault.exe	325
2444	4696	WerFault.exe	331
1724	964	WerFault.exe	336
2188	5112	WerFault.exe	341
2572	4628	WerFault.exe	346
2248	2252	WerFault.exe	351
2236	3712	WerFault.exe	356
1376	3296	WerFault.exe	361
3212	4396	WerFault.exe	366
3252	1224	WerFault.exe	371
4856	2188	WerFault.exe	376
3256	2572	WerFault.exe	381
4120	4040	WerFault.exe	386
2056	2444	WerFault.exe	391
4728	1564	WerFault.exe	396
4420	1620	WerFault.exe	401
3388	3252	WerFault.exe	406
764	4968	WerFault.exe	411
2308	4244	WerFault.exe	416

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
1352	DTEH.exe
1352	DTEH.exe
4660	VWXIXL.exe
4660	VWXIXL.exe
1744	HHH.exe
1744	HHH.exe
4940	BFVGWBW.exe
4940	BFVGWBW.exe
2936	MYEG.exe
2936	MYEG.exe
2108	UBUBX.exe
2108	UBUBX.exe
4884	FPIOYC.exe
4884	FPIOYC.exe
4056	JXP.exe
4056	JXP.exe
3832	AND.exe
3832	AND.exe
2792	XONMRLN.exe
2792	XONMRLN.exe
2996	LTZH.exe
2996	LTZH.exe
3164	NRAJR.exe
3164	NRAJR.exe
3136	QZN.exe
3136	QZN.exe
2272	PKYGIVL.exe
2272	PKYGIVL.exe
4244	MDCDVHA.exe
4244	MDCDVHA.exe
2188	PLDRCC.exe
2188	PLDRCC.exe
5096	LCFY.exe
5096	LCFY.exe
4960	XUMJG.exe
4960	XUMJG.exe
1288	OCBGS.exe
1288	OCBGS.exe
3340	WSK.exe
3340	WSK.exe
1516	NBQ.exe
1516	NBQ.exe
3420	MEX.exe
3420	MEX.exe
2360	GRUUK.exe
2360	GRUUK.exe
928	OQD.exe
928	OQD.exe
3684	UQK.exe
3684	UQK.exe
4704	ODW.exe
4704	ODW.exe
2188	SUG.exe
2188	SUG.exe
1968	FMUCWDU.exe
1968	FMUCWDU.exe
692	JMTLMVD.exe
692	JMTLMVD.exe
1272	JAXQFX.exe
1272	JAXQFX.exe
4832	JOYUUM.exe
4832	JOYUUM.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
1352	DTEH.exe
1352	DTEH.exe
4660	VWXIXL.exe
4660	VWXIXL.exe
1744	HHH.exe
1744	HHH.exe
4940	BFVGWBW.exe
4940	BFVGWBW.exe
2936	MYEG.exe
2936	MYEG.exe
2108	UBUBX.exe
2108	UBUBX.exe
4884	FPIOYC.exe
4884	FPIOYC.exe
4056	JXP.exe
4056	JXP.exe
3832	AND.exe
3832	AND.exe
2792	XONMRLN.exe
2792	XONMRLN.exe
2996	LTZH.exe
2996	LTZH.exe
3164	NRAJR.exe
3164	NRAJR.exe
3136	QZN.exe
3136	QZN.exe
2272	PKYGIVL.exe
2272	PKYGIVL.exe
4244	MDCDVHA.exe
4244	MDCDVHA.exe
2188	PLDRCC.exe
2188	PLDRCC.exe
5096	LCFY.exe
5096	LCFY.exe
4960	XUMJG.exe
4960	XUMJG.exe
1288	OCBGS.exe
1288	OCBGS.exe
3340	WSK.exe
3340	WSK.exe
1516	NBQ.exe
1516	NBQ.exe
3420	MEX.exe
3420	MEX.exe
2360	GRUUK.exe
2360	GRUUK.exe
928	OQD.exe
928	OQD.exe
3684	UQK.exe
3684	UQK.exe
4704	ODW.exe
4704	ODW.exe
2188	SUG.exe
2188	SUG.exe
1968	FMUCWDU.exe
1968	FMUCWDU.exe
692	JMTLMVD.exe
692	JMTLMVD.exe
1272	JAXQFX.exe
1272	JAXQFX.exe
4832	JOYUUM.exe
4832	JOYUUM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3420	2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe	91
PID 2304 wrote to memory of 3420	2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe	91
PID 2304 wrote to memory of 3420	2304	1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe	91
PID 3420 wrote to memory of 1352	3420	cmd.exe	95
PID 3420 wrote to memory of 1352	3420	cmd.exe	95
PID 3420 wrote to memory of 1352	3420	cmd.exe	95
PID 1352 wrote to memory of 3136	1352	DTEH.exe	97
PID 1352 wrote to memory of 3136	1352	DTEH.exe	97
PID 1352 wrote to memory of 3136	1352	DTEH.exe	97
PID 3136 wrote to memory of 4660	3136	cmd.exe	101
PID 3136 wrote to memory of 4660	3136	cmd.exe	101
PID 3136 wrote to memory of 4660	3136	cmd.exe	101
PID 4660 wrote to memory of 5012	4660	VWXIXL.exe	102
PID 4660 wrote to memory of 5012	4660	VWXIXL.exe	102
PID 4660 wrote to memory of 5012	4660	VWXIXL.exe	102
PID 5012 wrote to memory of 1744	5012	cmd.exe	106
PID 5012 wrote to memory of 1744	5012	cmd.exe	106
PID 5012 wrote to memory of 1744	5012	cmd.exe	106
PID 1744 wrote to memory of 992	1744	HHH.exe	107
PID 1744 wrote to memory of 992	1744	HHH.exe	107
PID 1744 wrote to memory of 992	1744	HHH.exe	107
PID 992 wrote to memory of 4940	992	cmd.exe	111
PID 992 wrote to memory of 4940	992	cmd.exe	111
PID 992 wrote to memory of 4940	992	cmd.exe	111
PID 4940 wrote to memory of 3308	4940	BFVGWBW.exe	112
PID 4940 wrote to memory of 3308	4940	BFVGWBW.exe	112
PID 4940 wrote to memory of 3308	4940	BFVGWBW.exe	112
PID 3308 wrote to memory of 2936	3308	cmd.exe	116
PID 3308 wrote to memory of 2936	3308	cmd.exe	116
PID 3308 wrote to memory of 2936	3308	cmd.exe	116
PID 2936 wrote to memory of 4208	2936	MYEG.exe	148
PID 2936 wrote to memory of 4208	2936	MYEG.exe	148
PID 2936 wrote to memory of 4208	2936	MYEG.exe	148
PID 4208 wrote to memory of 2108	4208	cmd.exe	121
PID 4208 wrote to memory of 2108	4208	cmd.exe	121
PID 4208 wrote to memory of 2108	4208	cmd.exe	121
PID 2108 wrote to memory of 836	2108	UBUBX.exe	153
PID 2108 wrote to memory of 836	2108	UBUBX.exe	153
PID 2108 wrote to memory of 836	2108	UBUBX.exe	153
PID 836 wrote to memory of 4884	836	cmd.exe	126
PID 836 wrote to memory of 4884	836	cmd.exe	126
PID 836 wrote to memory of 4884	836	cmd.exe	126
PID 4884 wrote to memory of 4120	4884	FPIOYC.exe	127
PID 4884 wrote to memory of 4120	4884	FPIOYC.exe	127
PID 4884 wrote to memory of 4120	4884	FPIOYC.exe	127
PID 4120 wrote to memory of 4056	4120	cmd.exe	131
PID 4120 wrote to memory of 4056	4120	cmd.exe	131
PID 4120 wrote to memory of 4056	4120	cmd.exe	131
PID 4056 wrote to memory of 4700	4056	JXP.exe	165
PID 4056 wrote to memory of 4700	4056	JXP.exe	165
PID 4056 wrote to memory of 4700	4056	JXP.exe	165
PID 4700 wrote to memory of 3832	4700	cmd.exe	137
PID 4700 wrote to memory of 3832	4700	cmd.exe	137
PID 4700 wrote to memory of 3832	4700	cmd.exe	137
PID 3832 wrote to memory of 5104	3832	AND.exe	141
PID 3832 wrote to memory of 5104	3832	AND.exe	141
PID 3832 wrote to memory of 5104	3832	AND.exe	141
PID 5104 wrote to memory of 2792	5104	cmd.exe	146
PID 5104 wrote to memory of 2792	5104	cmd.exe	146
PID 5104 wrote to memory of 2792	5104	cmd.exe	146
PID 2792 wrote to memory of 4208	2792	XONMRLN.exe	148
PID 2792 wrote to memory of 4208	2792	XONMRLN.exe	148
PID 2792 wrote to memory of 4208	2792	XONMRLN.exe	148
PID 4208 wrote to memory of 2996	4208	cmd.exe	187

C:\Users\Admin\AppData\Local\Temp\1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe
"C:\Users\Admin\AppData\Local\Temp\1aa76587588dc3a0643733b8930176eedd9732ed31dafafdf545ead4741200e7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\DTEH.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\windows\system\DTEH.exe
    C:\windows\system\DTEH.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\VWXIXL.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\windows\system\VWXIXL.exe
        
        C:\windows\system\VWXIXL.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HHH.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\windows\SysWOW64\HHH.exe
        
        C:\windows\system32\HHH.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFVGWBW.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\windows\SysWOW64\BFVGWBW.exe
        
        C:\windows\system32\BFVGWBW.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYEG.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\windows\system\MYEG.exe
        
        C:\windows\system\MYEG.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UBUBX.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\windows\system\UBUBX.exe
        
        C:\windows\system\UBUBX.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPIOYC.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\windows\system\FPIOYC.exe
        
        C:\windows\system\FPIOYC.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JXP.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\windows\JXP.exe
        
        C:\windows\JXP.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AND.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\windows\AND.exe
        
        C:\windows\AND.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XONMRLN.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\windows\SysWOW64\XONMRLN.exe
        
        C:\windows\system32\XONMRLN.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LTZH.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\windows\system\LTZH.exe
        
        C:\windows\system\LTZH.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NRAJR.exe.bat" "
        24⤵
        
        PID:836
        
        C:\windows\NRAJR.exe
        
        C:\windows\NRAJR.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QZN.exe.bat" "
        26⤵
        
        PID:3480
        
        C:\windows\system\QZN.exe
        
        C:\windows\system\QZN.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PKYGIVL.exe.bat" "
        28⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4700
        
        C:\windows\PKYGIVL.exe
        
        C:\windows\PKYGIVL.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MDCDVHA.exe.bat" "
        30⤵
        
        PID:2580
        
        C:\windows\MDCDVHA.exe
        
        C:\windows\MDCDVHA.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PLDRCC.exe.bat" "
        32⤵
        
        PID:3320
        
        C:\windows\PLDRCC.exe
        
        C:\windows\PLDRCC.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LCFY.exe.bat" "
        34⤵
        
        PID:4984
        
        C:\windows\LCFY.exe
        
        C:\windows\LCFY.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XUMJG.exe.bat" "
        36⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2996
        
        C:\windows\system\XUMJG.exe
        
        C:\windows\system\XUMJG.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OCBGS.exe.bat" "
        38⤵
        
        PID:1168
        
        C:\windows\system\OCBGS.exe
        
        C:\windows\system\OCBGS.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSK.exe.bat" "
        40⤵
        
        PID:1968
        
        C:\windows\system\WSK.exe
        
        C:\windows\system\WSK.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "
        42⤵
        
        PID:4004
        
        C:\windows\SysWOW64\NBQ.exe
        
        C:\windows\system32\NBQ.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEX.exe.bat" "
        44⤵
        
        PID:4820
        
        C:\windows\system\MEX.exe
        
        C:\windows\system\MEX.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRUUK.exe.bat" "
        46⤵
        
        PID:3644
        
        C:\windows\system\GRUUK.exe
        
        C:\windows\system\GRUUK.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQD.exe.bat" "
        48⤵
        
        PID:3740
        
        C:\windows\system\OQD.exe
        
        C:\windows\system\OQD.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UQK.exe.bat" "
        50⤵
        
        PID:4960
        
        C:\windows\UQK.exe
        
        C:\windows\UQK.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ODW.exe.bat" "
        52⤵
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4984
        
        C:\windows\SysWOW64\ODW.exe
        
        C:\windows\system32\ODW.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGHI.exe.bat" "
        54⤵
        
        PID:1208
        
        C:\windows\system\ZGHI.exe
        
        C:\windows\system\ZGHI.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SUG.exe.bat" "
        56⤵
        
        PID:2724
        
        C:\windows\SUG.exe
        
        C:\windows\SUG.exe
        57⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMUCWDU.exe.bat" "
        58⤵
        
        PID:672
        
        C:\windows\FMUCWDU.exe
        
        C:\windows\FMUCWDU.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JMTLMVD.exe.bat" "
        60⤵
        
        PID:3552
        
        C:\windows\JMTLMVD.exe
        
        C:\windows\JMTLMVD.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JAXQFX.exe.bat" "
        62⤵
        
        PID:2572
        
        C:\windows\system\JAXQFX.exe
        
        C:\windows\system\JAXQFX.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JOYUUM.exe.bat" "
        64⤵
        
        PID:4536
        
        C:\windows\system\JOYUUM.exe
        
        C:\windows\system\JOYUUM.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EUL.exe.bat" "
        66⤵
        
        PID:4476
        
        C:\windows\system\EUL.exe
        
        C:\windows\system\EUL.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FSSHPU.exe.bat" "
        68⤵
        
        PID:1724
        
        C:\windows\FSSHPU.exe
        
        C:\windows\FSSHPU.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHTQYCW.exe.bat" "
        70⤵
        
        PID:3252
        
        C:\windows\system\VHTQYCW.exe
        
        C:\windows\system\VHTQYCW.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EASUC.exe.bat" "
        72⤵
        
        PID:624
        
        C:\windows\SysWOW64\EASUC.exe
        
        C:\windows\system32\EASUC.exe
        73⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRXZFHW.exe.bat" "
        74⤵
        
        PID:4244
        
        C:\windows\system\JRXZFHW.exe
        
        C:\windows\system\JRXZFHW.exe
        75⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OIHRYCP.exe.bat" "
        76⤵
        
        PID:3460
        
        C:\windows\system\OIHRYCP.exe
        
        C:\windows\system\OIHRYCP.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WGIHN.exe.bat" "
        78⤵
        
        PID:4024
        
        C:\windows\system\WGIHN.exe
        
        C:\windows\system\WGIHN.exe
        79⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKWQJSN.exe.bat" "
        80⤵
        
        PID:3764
        
        C:\windows\SysWOW64\YKWQJSN.exe
        
        C:\windows\system32\YKWQJSN.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEXER.exe.bat" "
        82⤵
        
        PID:1208
        
        C:\windows\SysWOW64\DEXER.exe
        
        C:\windows\system32\DEXER.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OWPE.exe.bat" "
        84⤵
        
        PID:3212
        
        C:\windows\OWPE.exe
        
        C:\windows\OWPE.exe
        85⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXR.exe.bat" "
        86⤵
        
        PID:4208
        
        C:\windows\system\KXR.exe
        
        C:\windows\system\KXR.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WNKG.exe.bat" "
        88⤵
        
        PID:3384
        
        C:\windows\WNKG.exe
        
        C:\windows\WNKG.exe
        89⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YVMCP.exe.bat" "
        90⤵
        
        PID:2676
        
        C:\windows\SysWOW64\YVMCP.exe
        
        C:\windows\system32\YVMCP.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATNWNP.exe.bat" "
        92⤵
        
        PID:4268
        
        C:\windows\ATNWNP.exe
        
        C:\windows\ATNWNP.exe
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HOYNK.exe.bat" "
        94⤵
        
        PID:4904
        
        C:\windows\SysWOW64\HOYNK.exe
        
        C:\windows\system32\HOYNK.exe
        95⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QXASNF.exe.bat" "
        96⤵
        
        PID:1728
        
        C:\windows\QXASNF.exe
        
        C:\windows\QXASNF.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "
        98⤵
        
        PID:4600
        
        C:\windows\system\YCFZYD.exe
        
        C:\windows\system\YCFZYD.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TIZ.exe.bat" "
        100⤵
        
        PID:3120
        
        C:\windows\TIZ.exe
        
        C:\windows\TIZ.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDRLS.exe.bat" "
        102⤵
        
        PID:3244
        
        C:\windows\system\YDRLS.exe
        
        C:\windows\system\YDRLS.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BRJUMD.exe.bat" "
        104⤵
        
        PID:3388
        
        C:\windows\BRJUMD.exe
        
        C:\windows\BRJUMD.exe
        105⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZXSYU.exe.bat" "
        106⤵
        
        PID:4120
        
        C:\windows\system\SZXSYU.exe
        
        C:\windows\system\SZXSYU.exe
        107⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKAIH.exe.bat" "
        108⤵
        
        PID:3384
        
        C:\windows\RKAIH.exe
        
        C:\windows\RKAIH.exe
        109⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AIUJS.exe.bat" "
        110⤵
        
        PID:4016
        
        C:\windows\SysWOW64\AIUJS.exe
        
        C:\windows\system32\AIUJS.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HNNEZY.exe.bat" "
        112⤵
        
        PID:4688
        
        C:\windows\HNNEZY.exe
        
        C:\windows\HNNEZY.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LYY.exe.bat" "
        114⤵
        
        PID:992
        
        C:\windows\LYY.exe
        
        C:\windows\LYY.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBV.exe.bat" "
        116⤵
        
        PID:4948
        
        C:\windows\system\FBV.exe
        
        C:\windows\system\FBV.exe
        117⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKWL.exe.bat" "
        118⤵
        
        PID:4380
        
        C:\windows\SysWOW64\IKWL.exe
        
        C:\windows\system32\IKWL.exe
        119⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SCALV.exe.bat" "
        120⤵
        
        PID:3304
        
        C:\windows\SCALV.exe
        
        C:\windows\SCALV.exe
        121⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MDHWM.exe.bat" "
        122⤵
        
        PID:3340
        
        C:\windows\MDHWM.exe
        
        C:\windows\MDHWM.exe
        123⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIUDP.exe.bat" "
        124⤵
        
        PID:2992
        
        C:\windows\SysWOW64\UIUDP.exe
        
        C:\windows\system32\UIUDP.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JYHUE.exe.bat" "
        126⤵
        
        PID:2292
        
        C:\windows\SysWOW64\JYHUE.exe
        
        C:\windows\system32\JYHUE.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EEHG.exe.bat" "
        128⤵
        
        PID:2476
        
        C:\windows\EEHG.exe
        
        C:\windows\EEHG.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MKU.exe.bat" "
        130⤵
        
        PID:4576
        
        C:\windows\SysWOW64\MKU.exe
        
        C:\windows\system32\MKU.exe
        131⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCWTIJM.exe.bat" "
        132⤵
        
        PID:4020
        
        C:\windows\WCWTIJM.exe
        
        C:\windows\WCWTIJM.exe
        133⤵
        Drops file in Windows directory
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BDEH.exe.bat" "
        134⤵
        
        PID:948
        
        C:\windows\BDEH.exe
        
        C:\windows\BDEH.exe
        135⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJFSGWY.exe.bat" "
        136⤵
        
        PID:3696
        
        C:\windows\WJFSGWY.exe
        
        C:\windows\WJFSGWY.exe
        137⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJH.exe.bat" "
        138⤵
        
        PID:1772
        
        C:\windows\SysWOW64\NJH.exe
        
        C:\windows\system32\NJH.exe
        139⤵
        Checks computer location settings
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IEYG.exe.bat" "
        140⤵
        
        PID:1656
        
        C:\windows\system\IEYG.exe
        
        C:\windows\system\IEYG.exe
        141⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPQDQO.exe.bat" "
        142⤵
        
        PID:4020
        
        C:\windows\SysWOW64\FPQDQO.exe
        
        C:\windows\system32\FPQDQO.exe
        143⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FKANZ.exe.bat" "
        144⤵
        
        PID:2728
        
        C:\windows\FKANZ.exe
        
        C:\windows\FKANZ.exe
        145⤵
        Drops file in Windows directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "
        146⤵
        
        PID:4948
        
        C:\windows\SVR.exe
        
        C:\windows\SVR.exe
        147⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWTVWNT.exe.bat" "
        148⤵
        
        PID:2624
        
        C:\windows\SysWOW64\WWTVWNT.exe
        
        C:\windows\system32\WWTVWNT.exe
        149⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJQFHN.exe.bat" "
        150⤵
        
        PID:4144
        
        C:\windows\RJQFHN.exe
        
        C:\windows\RJQFHN.exe
        151⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KXXD.exe.bat" "
        152⤵
        
        PID:1944
        
        C:\windows\SysWOW64\KXXD.exe
        
        C:\windows\system32\KXXD.exe
        153⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUYVBHG.exe.bat" "
        154⤵
        
        PID:4984
        
        C:\windows\SysWOW64\EUYVBHG.exe
        
        C:\windows\system32\EUYVBHG.exe
        155⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ADP.exe.bat" "
        156⤵
        
        PID:1620
        
        C:\windows\system\ADP.exe
        
        C:\windows\system\ADP.exe
        157⤵
        Checks computer location settings
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BRNSTQB.exe.bat" "
        158⤵
        
        PID:1552
        
        C:\windows\system\BRNSTQB.exe
        
        C:\windows\system\BRNSTQB.exe
        159⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUTDUHS.exe.bat" "
        160⤵
        
        PID:4816
        
        C:\windows\SysWOW64\TUTDUHS.exe
        
        C:\windows\system32\TUTDUHS.exe
        161⤵
        Checks computer location settings
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKABPVA.exe.bat" "
        162⤵
        
        PID:4008
        
        C:\windows\system\PKABPVA.exe
        
        C:\windows\system\PKABPVA.exe
        163⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RTC.exe.bat" "
        164⤵
        
        PID:1136
        
        C:\windows\RTC.exe
        
        C:\windows\RTC.exe
        165⤵
        Drops file in Windows directory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GJDWHS.exe.bat" "
        166⤵
        
        PID:3428
        
        C:\windows\GJDWHS.exe
        
        C:\windows\GJDWHS.exe
        167⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\USUTUPT.exe.bat" "
        168⤵
        
        PID:5016
        
        C:\windows\SysWOW64\USUTUPT.exe
        
        C:\windows\system32\USUTUPT.exe
        169⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NNNR.exe.bat" "
        170⤵
        
        PID:4208
        
        C:\windows\system\NNNR.exe
        
        C:\windows\system\NNNR.exe
        171⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JLZVTAS.exe.bat" "
        172⤵
        
        PID:1076
        
        C:\windows\JLZVTAS.exe
        
        C:\windows\JLZVTAS.exe
        173⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PULTRFY.exe.bat" "
        174⤵
        
        PID:4948
        
        C:\windows\system\PULTRFY.exe
        
        C:\windows\system\PULTRFY.exe
        175⤵
        Drops file in Windows directory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RHJJG.exe.bat" "
        176⤵
        
        PID:5000
        
        C:\windows\RHJJG.exe
        
        C:\windows\RHJJG.exe
        177⤵
        Checks computer location settings
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQU.exe.bat" "
        178⤵
        
        PID:1216
        
        C:\windows\system\DQU.exe
        
        C:\windows\system\DQU.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOIZMQJ.exe.bat" "
        180⤵
        
        PID:1844
        
        C:\windows\SysWOW64\NOIZMQJ.exe
        
        C:\windows\system32\NOIZMQJ.exe
        181⤵
        Checks computer location settings
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CPSSGP.exe.bat" "
        182⤵
        
        PID:5068
        
        C:\windows\CPSSGP.exe
        
        C:\windows\CPSSGP.exe
        183⤵
        Drops file in Windows directory
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KUWGR.exe.bat" "
        184⤵
        
        PID:1204
        
        C:\windows\system\KUWGR.exe
        
        C:\windows\system\KUWGR.exe
        185⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FAJ.exe.bat" "
        186⤵
        
        PID:4816
        
        C:\windows\system\FAJ.exe
        
        C:\windows\system\FAJ.exe
        187⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XDBVLEU.exe.bat" "
        188⤵
        
        PID:4396
        
        C:\windows\XDBVLEU.exe
        
        C:\windows\XDBVLEU.exe
        189⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PWX.exe.bat" "
        190⤵
        
        PID:4948
        
        C:\windows\PWX.exe
        
        C:\windows\PWX.exe
        191⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWHPDWL.exe.bat" "
        192⤵
        
        PID:4832
        
        C:\windows\SysWOW64\MWHPDWL.exe
        
        C:\windows\system32\MWHPDWL.exe
        193⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSERVT.exe.bat" "
        194⤵
        
        PID:1596
        
        C:\windows\SysWOW64\TSERVT.exe
        
        C:\windows\system32\TSERVT.exe
        195⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKPHE.exe.bat" "
        196⤵
        
        PID:1720
        
        C:\windows\system\SKPHE.exe
        
        C:\windows\system\SKPHE.exe
        197⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YYSI.exe.bat" "
        198⤵
        
        PID:4392
        
        C:\windows\SysWOW64\YYSI.exe
        
        C:\windows\system32\YYSI.exe
        199⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EQW.exe.bat" "
        200⤵
        
        PID:4820
        
        C:\windows\EQW.exe
        
        C:\windows\EQW.exe
        201⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PJL.exe.bat" "
        202⤵
        
        PID:468
        
        C:\windows\PJL.exe
        
        C:\windows\PJL.exe
        203⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DHLURV.exe.bat" "
        204⤵
        
        PID:4852
        
        C:\windows\DHLURV.exe
        
        C:\windows\DHLURV.exe
        205⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAPRM.exe.bat" "
        206⤵
        
        PID:760
        
        C:\windows\SysWOW64\IAPRM.exe
        
        C:\windows\system32\IAPRM.exe
        207⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JVTN.exe.bat" "
        208⤵
        
        PID:3944
        
        C:\windows\JVTN.exe
        
        C:\windows\JVTN.exe
        209⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIGT.exe.bat" "
        210⤵
        
        PID:1064
        
        C:\windows\system\RIGT.exe
        
        C:\windows\system\RIGT.exe
        211⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VLQHM.exe.bat" "
        212⤵
        
        PID:3748
        
        C:\windows\VLQHM.exe
        
        C:\windows\VLQHM.exe
        213⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CEFPVI.exe.bat" "
        214⤵
        
        PID:5068
        
        C:\windows\CEFPVI.exe
        
        C:\windows\CEFPVI.exe
        215⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VWNINJ.exe.bat" "
        216⤵
        
        PID:4208
        
        C:\windows\VWNINJ.exe
        
        C:\windows\VWNINJ.exe
        217⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WUV.exe.bat" "
        218⤵
        
        PID:4160
        
        C:\windows\WUV.exe
        
        C:\windows\WUV.exe
        219⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LVEJJT.exe.bat" "
        220⤵
        
        PID:2108
        
        C:\windows\LVEJJT.exe
        
        C:\windows\LVEJJT.exe
        221⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYVX.exe.bat" "
        222⤵
        
        PID:3048
        
        C:\windows\SysWOW64\MYVX.exe
        
        C:\windows\system32\MYVX.exe
        223⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBFL.exe.bat" "
        224⤵
        
        PID:3068
        
        C:\windows\system\YBFL.exe
        
        C:\windows\system\YBFL.exe
        225⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PJUQUY.exe.bat" "
        226⤵
        
        PID:4160
        
        C:\windows\PJUQUY.exe
        
        C:\windows\PJUQUY.exe
        227⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JXN.exe.bat" "
        228⤵
        
        PID:4004
        
        C:\windows\SysWOW64\JXN.exe
        
        C:\windows\system32\JXN.exe
        229⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OIJDOGH.exe.bat" "
        230⤵
        
        PID:3428
        
        C:\windows\system\OIJDOGH.exe
        
        C:\windows\system\OIJDOGH.exe
        231⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PGR.exe.bat" "
        232⤵
        
        PID:1200
        
        C:\windows\system\PGR.exe
        
        C:\windows\system\PGR.exe
        233⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBCFE.exe.bat" "
        234⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1316
        234⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 960
        232⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1316
        230⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1328
        228⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1324
        226⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1336
        224⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1328
        222⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 964
        220⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1324
        218⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 964
        216⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1324
        214⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 988
        212⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1336
        210⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1256
        208⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1260
        206⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1292
        204⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1324
        202⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 988
        200⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 968
        198⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 988
        196⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1232
        194⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 960
        192⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 976
        190⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 968
        188⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 960
        186⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1336
        184⤵
        
        PID:184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1324
        182⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 992
        180⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1336
        178⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1312
        176⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1340
        174⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1324
        172⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1336
        170⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 976
        168⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1324
        166⤵
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 988
        164⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1004
        162⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1328
        160⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 988
        158⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1336
        156⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1308
        154⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1328
        152⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 960
        150⤵
        
        PID:948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1308
        148⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1256
        146⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1300
        144⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1328
        142⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1272
        140⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 988
        138⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1324
        136⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1324
        134⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 960
        132⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1264
        130⤵
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1256
        128⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1328
        126⤵
        Program crash
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1328
        124⤵
        Program crash
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1008
        122⤵
        Program crash
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1324
        120⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1304
        118⤵
        Program crash
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 988
        116⤵
        Program crash
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1324
        114⤵
        Program crash
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1256
        112⤵
        Program crash
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 960
        110⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 976
        108⤵
        Program crash
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 964
        106⤵
        Program crash
        
        PID:1376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 960
        104⤵
        Program crash
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 960
        102⤵
        Program crash
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1008
        100⤵
        Program crash
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 988
        98⤵
        Program crash
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1260
        96⤵
        Program crash
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 960
        94⤵
        Program crash
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 988
        92⤵
        Program crash
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 988
        90⤵
        Program crash
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1324
        88⤵
        Program crash
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1336
        86⤵
        Program crash
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 960
        84⤵
        Program crash
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1308
        82⤵
        Program crash
        
        PID:672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1328
        80⤵
        Program crash
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 960
        78⤵
        Program crash
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1336
        76⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1364
        74⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1328
        72⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1336
        70⤵
        Program crash
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 984
        68⤵
        Program crash
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1336
        66⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 872
        64⤵
        Program crash
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 988
        62⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 960
        60⤵
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1252
        58⤵
        Program crash
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1324
        56⤵
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1312
        54⤵
        Program crash
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 960
        52⤵
        Program crash
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 960
        50⤵
        Program crash
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1336
        48⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 960
        46⤵
        Program crash
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1336
        44⤵
        Program crash
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1260
        42⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 988
        40⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 960
        38⤵
        Program crash
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 960
        36⤵
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1292
        34⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1304
        32⤵
        Program crash
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1004
        30⤵
        Program crash
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 960
        28⤵
        Program crash
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 960
        26⤵
        Program crash
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1324
        24⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 960
        22⤵
        Program crash
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1328
        20⤵
        Program crash
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 960
        18⤵
        Program crash
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1324
        16⤵
        Program crash
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1336
        14⤵
        Program crash
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1004
        12⤵
        Program crash
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1336
        10⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 976
        8⤵
        Program crash
        
        PID:4464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1004
        6⤵
        Program crash
        
        PID:4704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 960
      4⤵
      Program crash
      PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 980
  2⤵
  - Program crash
  PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2304 -ip 2304
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1352 -ip 1352
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4660 -ip 4660
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1744 -ip 1744
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4940 -ip 4940
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2936 -ip 2936
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2108 -ip 2108
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4884 -ip 4884
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4056 -ip 4056
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3832 -ip 3832
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2792 -ip 2792
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2996 -ip 2996
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3164 -ip 3164
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3136 -ip 3136
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2272 -ip 2272
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4244 -ip 4244
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2188 -ip 2188
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5096 -ip 5096
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4960 -ip 4960
1⤵
PID:1772

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1288 -ip 1288
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3340 -ip 3340
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1516 -ip 1516
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3420 -ip 3420
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2360 -ip 2360
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 928 -ip 928
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3684 -ip 3684
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3764 -ip 3764
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2188 -ip 2188
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1968 -ip 1968
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 692 -ip 692
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1272 -ip 1272
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4832 -ip 4832
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2992 -ip 2992
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4852 -ip 4852
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 864 -ip 864
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2676 -ip 2676
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4940 -ip 4940
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1216 -ip 1216
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3052 -ip 3052
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1224 -ip 1224
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 928 -ip 928
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2300 -ip 2300
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3496 -ip 3496
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4968 -ip 4968
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3860 -ip 3860
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4696 -ip 4696
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5112 -ip 5112
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4628 -ip 4628
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2252 -ip 2252
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3712 -ip 3712
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3296 -ip 3296
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4396 -ip 4396
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1224 -ip 1224
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2188 -ip 2188
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2572 -ip 2572
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4040 -ip 4040
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2444 -ip 2444
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1564 -ip 1564
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1620 -ip 1620
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3252 -ip 3252
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4968 -ip 4968
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4244 -ip 4244
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2408 -ip 2408
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3196 -ip 3196
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3044 -ip 3044
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2724 -ip 2724
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3168 -ip 3168
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2676 -ip 2676
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4208 -ip 4208
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4696 -ip 4696
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1720 -ip 1720
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3212 -ip 3212
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4552 -ip 4552
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2936 -ip 2936
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1160 -ip 1160
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2300 -ip 2300
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3244 -ip 3244
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4024 -ip 4024
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2564 -ip 2564
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2704 -ip 2704
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4920 -ip 4920
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4968 -ip 4968
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 816 -ip 816
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 444 -ip 444
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4728 -ip 4728
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2476 -ip 2476
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1728 -ip 1728
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4356 -ip 4356
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3824 -ip 3824
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 744 -ip 744
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2360 -ip 2360
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4852 -ip 4852
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3296 -ip 3296
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3428 -ip 3428
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2724 -ip 2724
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3196 -ip 3196
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3824 -ip 3824
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3388 -ip 3388
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3748 -ip 3748
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5072 -ip 5072
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2236 -ip 2236
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1216 -ip 1216
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4004 -ip 4004
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4360 -ip 4360
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1860 -ip 1860
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1320 -ip 1320
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4728 -ip 4728
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 316 -ip 316
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1936 -ip 1936
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 812 -ip 812
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4168 -ip 4168
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 1320 -ip 1320
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3240 -ip 3240
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4380 -ip 4380
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 1620 -ip 1620
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MDCDVHA.exe

Filesize
448KB

MD5
eb496b6bc7c574454c010e0064272590

SHA1
da2c74d0823b2ffcdec44c897a1ab93e06fc7755

SHA256
86f788beeb1fec7b24a0c1e14c1a4759b3194f0fcf1f4c155d7551b793e7166b

SHA512
ef6cefca69dd15e009c504f3514fe83781da949d47983f8c3fbb946017f57b0fada7f07255341b70ae01dbbb3b86405605d0e6bba073ee36c8f97fc57fd7c4b7

Download Submit
C:\Windows\NRAJR.exe

Filesize
448KB

MD5
56e3000b7c71f68dd4711b0137dc1b44

SHA1
362ab3ccebda67353aec9564e2f5b7950e6f81b2

SHA256
1d143bcdfd839bdae33a23de578593faa4337abe6b9b3d2dce9f37ed876fb7b2

SHA512
96e1f3a754785af33f8793595c7aafcbe6c2f4efc4ffd859ce09a257cab8aa933fe9a42b5e7b4b5456cb13db7519cec0419afa1b4d4449cba6d9b570e78310d3

Download Submit
C:\Windows\PKYGIVL.exe

Filesize
448KB

MD5
562ef314fa8d80c2b78e50d70ad5c88b

SHA1
0000690d6d72dc604586b24c5b9199dcc7e33849

SHA256
938da16376c53a117ff3469eaf588777b22d9b9b8c152b5eb315d52abf976bcb

SHA512
d93d8841defba6bc77b001a25ce2c3eb1c43a3df3836e091821eb66e66f41ab3dffa5b051d2ae6e452d1db58a28e5b2e08f1b3337c09b2c9fdaabd8b32cf67a7

Download Submit
C:\Windows\PLDRCC.exe

Filesize
448KB

MD5
f143eaaffafaecc09a4f7071e2e76096

SHA1
50c1a66a1f5fffb9ac9a9f33f6bab583ab7096ca

SHA256
b595c9a9e255063c304f656a1361c81e43ac55859a2be4dc54ae8d0525a6dded

SHA512
493c004b8ba873971df223af2c2039a23ea801a69a5cb8b973f40e53040881b30e361852e2c6cecfc247e422b2d5fa01031fcba78e260939d19b22662b2d9e4f

Download Submit
C:\Windows\SysWOW64\HHH.exe

Filesize
448KB

MD5
f3e24d5a95a520a7d152ccced75f50f2

SHA1
202eb2179eed283dc5424abee9076eb7fe8f65d9

SHA256
09e98421ec5fc252d66a4354599c6e3c830daaa89608ff397bbbd4d4bf7076fe

SHA512
66b1970723b8854493bc8905e9d8bd41f991c453b73bed09605198b70fd513bf7fd2130f660440c77901724236268557a4471c9796cdaabadebec4075f2a4dba

Download Submit
C:\Windows\System\FPIOYC.exe

Filesize
448KB

MD5
202ecb45c0800c2d99f0785ff3ed3fbd

SHA1
c34ff166572e1932c5c2b658d3634b71fce75e2d

SHA256
e354bc779cbcf413bd178106f1cf6e52ed7474d0b4af5ea20faa6d5b16b1b71a

SHA512
55388827ef9090c21d1f5b452e452f023e369ddc7e0575a533ccd226a04ec1a8ed118429c11ba37d18383ffd5a938a5b31557d8f1253ce3523c2501c568bfb7d

Download Submit
C:\Windows\System\LTZH.exe

Filesize
448KB

MD5
5247b9349f98801a0effe1bd2b701793

SHA1
697e04b1cdff21ad0d198afedc445584e5ab3067

SHA256
6263f65b3abd355a1f61d59c2d9e72f36d5937c4e09ee05035a1475d044d424a

SHA512
f332b39b0a3fb951b0048a06d0ce6b8b561eb08e726595f4fc876fa2eb4cd407c8bcd4135b873a4b471259c8e62b224fb72a8a1f8eb7a264fbd30ca79f4ed465

Download Submit
C:\Windows\System\MYEG.exe

Filesize
448KB

MD5
5ca4a34c335b5d613bb3778dfa239cc6

SHA1
713391ab75283cd47b2e72d1496552f539bcdeaa

SHA256
33689dabc40860baa1683277839887aff998a5b6b946c1a20d1f4a301e80cc48

SHA512
58cfd9ffcc20e64e2fad2d84d3f82f034f49199d6d7552d528e5e538ca0920c408ff8a2af7d767f31089c9df36352c4b85bdce92b27b1c00871baa838bef3da3

Download Submit
C:\Windows\System\OCBGS.exe

Filesize
448KB

MD5
04578393cf1012a39d5081accc9585a8

SHA1
822b6415c98d65faaa45f424979b78ed6191ffb3

SHA256
8d9467126f58811dffdf91007187168c28741e22804e7b74ced27fd7fb4c5f1c

SHA512
58f59cd258c26567daf40e1487c8b41201b6b992a1c1d11a845889b2ffb8a6ed47d4c367a9bb272af29e4174d234039cfef356ad8bd571c9da06ba5b9adf3eb6

Download Submit
C:\Windows\System\QZN.exe

Filesize
320KB

MD5
a5056c113d1338edfeceb737874cbfb5

SHA1
2db5b21744d6e2075162a87964ef42fb0187e40f

SHA256
95978ee7a9aae99b4872b7abc49e386ed6879637f3389a44a44c6ad9d68bdf46

SHA512
e1fbb907a944dcf3bcd4de45f14e59cece7e24226ced995ae100e67d6518e55dbe9c8397bc8718a96fcec8492094ad48197990dc2b238fe84d31e5d9bf776bf1

Download Submit
C:\Windows\System\UBUBX.exe

Filesize
448KB

MD5
96518b4b3083abfa6555393b87beefcf

SHA1
3c9af4e9c412732aecc0f40dfbbb49c9c5272ddc

SHA256
a16fee735458080213d06c136537ac497335332520736b66b8fceda0279d1532

SHA512
312e7eb98fff2fb8087f65b1d1eb6c7ffe3467d81599efeb6067f6b975d2e6b26b4bae1c2053b2696638fa8ac5dd1709261c69ec487ec51dc686269de98de567

Download Submit
C:\Windows\System\VWXIXL.exe

Filesize
448KB

MD5
13704a82ce4fb5bea24e4f233d8175c4

SHA1
4086ab59b2ce12b2e4d4a3d9a781b0cef58a51b5

SHA256
bd15d0a9d911219f05221deade086ade623ef2b8c00d42fb8108e235c9aca964

SHA512
96abfabc37e36732dbee3eb7a082c5b52113d0635be712e92d1240dcc6e6f518d68144bf24fe33e75c654a61f97e6124b6771a3b35ba7743173babaf62452b4b

Download Submit
C:\Windows\System\XUMJG.exe

Filesize
448KB

MD5
6d6857275be9c3860dfcf0518aba0cc7

SHA1
33ea9b31897425d6ed8c622218fbf08c4ad9d2ca

SHA256
b3bbcc57ef7c8eaa34d5540ae7592ebcda3de7886cf3e56570af7227477c1cd1

SHA512
269e6ee17fccc7efd113be18f9ad002651733cd0585bf2b1e9602cf0c5727bb7726f4811f559024b9f8ed2209c1297f51cd2dbc7072885d7dd583435946ed186

Download Submit
C:\windows\AND.exe

Filesize
448KB

MD5
699a50b1f71a4aeb66daa1370b4c68a8

SHA1
e0ed9358ff64f3594c97c0f6e5bdb14b50615104

SHA256
999ff5ed17a59f8627385d93d21150a0cb30dd55ed2768ab3240423e66074d70

SHA512
3d0b7aa312d698ff8104905aac08c05fc27bbd5eba3a18803d2a91e0e44dedf65bfbb86ec8b38cbc054f9bdb71b069fdbbc4b8a3db3b5d8dbe1d3b4fae113aad

Download Submit
C:\windows\AND.exe.bat

Filesize
52B

MD5
fa6eb10d01f3bc90fcdc9ecb1a81d648

SHA1
fb36aa8b9ea0ee323b2fba51f5decf2e5ec1fe47

SHA256
532473fdb569418adf9a7499fd024f03100bea5a323a44bfd66afd838eb3ea8f

SHA512
ade435a4d63a42ca1a03254e4f23d1f14545d760ab74208d4625de82be4d251fbb05c88fb785323fe6af4f4c832038926914c771b0d58b178734ecc3c9055e80

Download Submit
C:\windows\JXP.exe.bat

Filesize
52B

MD5
f24af5f56a52cbd53ff574307e265085

SHA1
6e5584b0ec2b7254843ee6b303dc5fb6e11cf3d3

SHA256
89f3ac1134d377913b96b9ad20e843a201c2aa973c8a9d72cd8c390ac6ac6010

SHA512
9852f8201f3bbf325456bacc6c97149bbcf5b5b3f32b8016ce00697b56addbe3e8c8b63334a2f90fe4d4838159525ef8aa6bee583562de96884259db9182a421

Download Submit
C:\windows\LCFY.exe

Filesize
448KB

MD5
2a03935b97abae088ee787c8a593b661

SHA1
a27f3f0c797e6cb8e87d27f8a91a4b59379cc5ca

SHA256
76f3e8eb23b84f63e53c98a41cb9c421998bc149ee37b20295041c16e3f83181

SHA512
70ce99fb4c621ecaeca3bde3b7472760a2882075e356c66c83c25ffd4780266523c220a0cc69469c3338c291335c24e8d12b7b289628a7a26e9207c16dc45afe

Download Submit
C:\windows\LCFY.exe.bat

Filesize
54B

MD5
014c97280ec9363f35c8a5826ce69662

SHA1
e4f2321ec310fa4c561786316d9f0cceb13fd79f

SHA256
bf4964125e033f8f38a50fe9952b8be80a6cc7a7ae4d61a3f056b4c582072b46

SHA512
ea6700a5c5e0cc5a250d5fc006364e46c3d8206668864daf91cfdcbcbb744ffb11c89be45d055b29c7aebcd4f1926c8e4b20bd4da0f2e922cc9e6c3f15832b6e

Download Submit
C:\windows\MDCDVHA.exe.bat

Filesize
60B

MD5
b4935945f066ca28640d22965f137c80

SHA1
9601a3c2d05ee80f6641449c7b57f16fbdce719c

SHA256
c95c49b5689c92d4242ceb0fb2654ec79bf23336489be755f4ef7b186b65fe14

SHA512
aba4a052d1d55511e795aeacb4c82d4fe0df38670df9a0798a71d49fb0eb1080e2ae5a08df6c9f52b1137ff307bcb147fb96535da775366604fd2880d5bbfa40

Download Submit
C:\windows\NRAJR.exe.bat

Filesize
56B

MD5
e2da64307ff63ac1a61cf9d688e6cc92

SHA1
e0cf021561554f544eaf6eaffb85a0de99d63497

SHA256
474e260af7e4f7828ff65ddef6f877942345a88517d488c1bdf6d81a859b0670

SHA512
09f795b1ded489d23ce6c053d8262013b4feb0aa9dfe86615b42b666d152ae94668937ea33d7ae943e4775996a57d484c435c0cdfe7a0c97a8f268731d305071

Download Submit
C:\windows\PKYGIVL.exe.bat

Filesize
60B

MD5
abf0d64ea30e7fda6d0c9dc738389597

SHA1
31abfa085e283e3aeb25fba149315343c181b5cf

SHA256
44957440b8495b2aea1c71dd747af4bf69eec41817ccb20fa451bb56431b77d3

SHA512
89c1172abfb9a2cf6a66f34a4ec21a729fa40813b6238b155629be1407659fa7303cea34ef9a3c5c8c7ea73be66c8fa60d842e91becc4ead619bd5638a572db5

Download Submit
C:\windows\PLDRCC.exe.bat

Filesize
58B

MD5
57686714d1a37f1023b6d047285f1e68

SHA1
aae2fd31c0a01781408961eb9fda25dcd77cbe61

SHA256
2a98939ca63daac0ce7e842ea59d74ed0d30a48eb98a7e1042ab7e2ff857f759

SHA512
dde48f5bc1616332a0a06d72fd69ad2de1d553539e0750b5905dea60adbf11331b363be30aeec73502b5c2fe0d35c8188ce3170b08f6d9f317798cd245721670

Download Submit
C:\windows\SysWOW64\BFVGWBW.exe

Filesize
448KB

MD5
a140983d9d63c59ed9d24807d52a0119

SHA1
7e22e5c0fff9c74a0816cfe9c35ac054ef641870

SHA256
2d1a62379fec5617b1b18aeda9eb94339611d7c20989f62846812d77a3a44915

SHA512
e76a33c21851fa8f3e415130b58579b44c92138ddcc180c76c8544bbdc610ea764c1a9818c4a770352cff49968dfdb4eaf0bdabea22b3ec68e7000710c3bf3f0

Download Submit
C:\windows\SysWOW64\BFVGWBW.exe.bat

Filesize
78B

MD5
ed31c0758764cf5b9ab4833643980851

SHA1
c1a23996773871e9be2a938eb1570298c7f54596

SHA256
a25a8bc2c908b4cb7fc013fee3d351431da8cba569089e7a54ffcb6027d24e1d

SHA512
c7b4c5e52870c17ed30f4c8a176796e1ab3cc7725b00299bbff524e676d45420c6fef49c844f54dd427226f9c46f8cb44ab618dd947e35a9e9db974bbd0d7da2

Download Submit
C:\windows\SysWOW64\HHH.exe.bat

Filesize
70B

MD5
f19dc499dc033423027469fa7ec526e2

SHA1
92871520e620cb9aeb91b042242031595938d464

SHA256
109a43c6df2da7e86db1b55ca4742c8830d728bef787fd28c075842d8f020efe

SHA512
f5933a6b61a9edb668439ca8899e3a0df8d97828c2a8312e588c6886c5fdd7fc7cfae74a868e2512b4e5364cbbc2853061486ec85b082558603ca97965419038

Download Submit
C:\windows\SysWOW64\NBQ.exe

Filesize
448KB

MD5
31814350b1d95b41746ec38844dad401

SHA1
cd4fa47b67916211721bd006b87fd0000b2f43f5

SHA256
01d2712f2e52a3a4a8fae909ac11166a4154fc3e431c72aead865adfaa3c61b6

SHA512
1e576648f8e72137868f794924380ad040ae350f0c1c4693c4d3339991dc87f22d0b6de4ae1bc098d7213ea49e1386040235e894e46e45e7b9e0cef261eb777a

Download Submit
C:\windows\SysWOW64\NBQ.exe.bat

Filesize
70B

MD5
d6e7b97d217556dddfb82cc8a60cd944

SHA1
3960a6f2b41e91f1ec1329bc11d8bfec8dff15cb

SHA256
2a1d0c42c7e693bef7a73f4800fc42b5b88b5da82203c1a088ad4c83c7e0cd2f

SHA512
ae234e7b26d8d7f1cf4fbb4f856e2eb6f3114684dc555b551aaa2408a9ad1bee86f26baf8e139fed94b608126e0ef314355bea99ee52083ef7908faaa77f1998

Download Submit
C:\windows\SysWOW64\XONMRLN.exe

Filesize
448KB

MD5
41d468c55b3d4ddfc51eb6969c803ade

SHA1
f3a66de1c3527f585f9c5b6e38d48aa287fe41a2

SHA256
d72bed3639425b0d4a65ebfb39fb5fd466594ee1a10a3fd6413433dc63f57e47

SHA512
f069f0e9230d6fcc94d42d20db3505ac950becf71095bdad3bfa2b07bfcaf6e7f73af9d30fdf35477f0243ac7e091201844ad1936c2aef4afdeb33861a1c8371

Download Submit
C:\windows\SysWOW64\XONMRLN.exe.bat

Filesize
78B

MD5
04ca492c7f4722a0a4d33e4b68fa00e4

SHA1
ed0828b41a5751aa80ab026e850bccd73b2fd311

SHA256
7dd4024a2e0968a0ff2f93316a6100227ac79dc0b469733433d997efae43ba13

SHA512
b7c1b8dec5efe19dca5b970cb22c412f955bc0b1e2e13a3c195eeb4f038746d9dc18e70b242a4230210f567b08e299fccb7ddd26253ea2d80776bd65230f983d

Download Submit
C:\windows\system\DTEH.exe

Filesize
448KB

MD5
4ab607293f9959f852b5a475d347deac

SHA1
0a26bf34c3b4737058daee5a562124b1dcadec3c

SHA256
d296d5b9d4cbbbc9451ac14b11a995ffd671e09dc744e609d7dc265d727591d4

SHA512
e03753471dd43cb89f3b912b4df434733411885e323bcb7dbd98ad64c1bea85fdce62e2ab50218a8fd5059a59948c5b3360fafb72d04d6d8c9466599eccf1625

Download Submit
C:\windows\system\DTEH.exe.bat

Filesize
68B

MD5
96846b621c17c7d56fdd604d46b2f757

SHA1
abf2d93d8a2e117fa7ad2d081bba75f3b1ae7f5f

SHA256
1c34bd579e33e0aa660b68c3daff0fb562e941040e968590733f51bab0e91178

SHA512
e3b1557a1245ae622df88d3602182016a0d37ae5e70a0fbfa35ea71841e0fbfaab285e12f1bdd86cdfbd1ebe80005d998adf6354768bde33040030cd589c42b1

Download Submit
C:\windows\system\FPIOYC.exe.bat

Filesize
72B

MD5
4d5eea3e2517f637ef576bc14819a507

SHA1
cbec168192c9a3ca5f7204f9632336aefc054577

SHA256
e483e326251ec23507a6b05d806fede4fcad5e249eb96ab3abef9d4d33d996df

SHA512
e0e9e1cee11b552c1246ebc6522f3558f90c4563eb4a671aefdf2c3fdeacac4c6c63ac35aa62cdd3e7de46bbf35d85f825ee2a64850c5bde2fc133bd4492edd0

Download Submit
C:\windows\system\LTZH.exe.bat

Filesize
68B

MD5
afb875cf9111ccec935999eeda0936c6

SHA1
264a5f647b003ba31a2fd1b2b7c90bf3be38d9ee

SHA256
5518bed86f46ad0ffdb0cc230447c7472b7b7d63a79a923052df647d9dd29fcd

SHA512
e112de9ccd00f7bdd3313f032ca19fff9c109374c1c7ecc50d83d1c33f61f090cf7c3cffd155325be7e14e2c263f3be7204c363e9e080e24d88d741951cdf4f2

Download Submit
C:\windows\system\MEX.exe.bat

Filesize
66B

MD5
3cbf07568891cd1db72b412608cae467

SHA1
50820b908631266d2bb49ef63eb31faf7bbd8e6c

SHA256
8da1540be55b361ea8098175d317f32cfb1161f9d3f9e37fa8ad7c1af595c3ef

SHA512
bcba15b739b5dd9066818a181b3101353eaaa8553bdc7fca735efdb4cd043678db70585884105158e4142addf05a91f7eabcc8a20150c967f81fb4556f85b07a

Download Submit
C:\windows\system\MYEG.exe.bat

Filesize
68B

MD5
83b9c79282be222954309365a24de61c

SHA1
8e9faef3a49df52151051123714157ad537543f4

SHA256
96a963ae1b7de4456ffa0d5b87429536902f1842a270d8c15863de0b878926ff

SHA512
3bd4f3a40158e2cd695fdc2bb10ddb37269b4e9b8c9945602c223f7294e80671abb586644e7ef7d984094b5e058f859e3e6184ba26f0e508bde78f4d54f58ffb

Download Submit
C:\windows\system\OCBGS.exe.bat

Filesize
70B

MD5
eaf290e1c9d06c77a9fc0194ed9f2bbd

SHA1
84fa7636555331128c4b2ee682f2a5ae54c3dd41

SHA256
f458c5366ac1c552e7c9afb0040cad11b3b6ed691afdc5fef47d6fa20ba236d8

SHA512
66dc357bba81c95dc0102b4c697085ff3748d6022860afe4944825719bc720db093e5011b700c90de5a9aea21153954bdd83e09f81351086d94faeaa622e671d

Download Submit
C:\windows\system\QZN.exe

Filesize
448KB

MD5
520bb09bd8aadd5889ef617f3391a46c

SHA1
dc84ecf2b9c2d27ffda39e038c0e69ff4fb91248

SHA256
c5df6e7baa9aa87c35745cb36955ff4c1e88f7348d39ace33ce574cee1ecb9bb

SHA512
61a5aaf06501c144237137ee51801ef629f9b292b68f4536b4e008fd2b96aa53af9f2e32910e73874a16bd1783c46d07fb470fb7c26e608916d986da1ad024b1

Download Submit
C:\windows\system\QZN.exe.bat

Filesize
66B

MD5
c64b41e1ad502f511507176b598f7174

SHA1
9d9aabd913f1f6784879be66b91477f4a93f418b

SHA256
a914d2fc1a1a50c35143e9c715bd72f14915e9829bcb508b4f3dd67a509b8079

SHA512
cd7064792bdb10eb8c5fd9270e593f2e33001b3dd7a7a38c08e6dbdb0908b91090ce43e40abe8b0548cdb706a8f9c322e62d17080a288e986581f20de11d02dc

Download Submit
C:\windows\system\UBUBX.exe.bat

Filesize
70B

MD5
e48e1280372c3664932d6aa6acd77cf9

SHA1
a3fdd0d3cd49dcfbb0ef6b0c102be6f37be55856

SHA256
87fec1c158ab54498c56bbbb2c21d01d144f91455ff9a8dceaa0580638fa9d2e

SHA512
e400002a3c35be82a87b01fcf4d36b4a34aa6a59524d19426972c7e1c55acffe8f661530e11c9176e8cf1ef6f3b0a3488e2ba06f59e5e3c4c2984599fd66f91d

Download Submit
C:\windows\system\VWXIXL.exe.bat

Filesize
72B

MD5
cf13e7233bd48d23f221269338a34edb

SHA1
99b69fd671254da57583dddae55b5acd447431d8

SHA256
9775119693cfd94f3541dd24c106f4a62694c50f6af0452331809e7cb50120da

SHA512
02a034f5ed24b893db215be6aaed5d1aed22cf98ac2daee618918e18d1a75ef609b74d9a79a1365a938c1ca71351b4e18a7116ecec0e93578bdeec0d6d05d249

Download Submit
C:\windows\system\WSK.exe

Filesize
448KB

MD5
79433de33b2ea35734d3988eb164744c

SHA1
4a9a8c4cbeaa6002fc7fac62996baf875018cab3

SHA256
b65994e6d052365875546232f52de77b98c50ac75539921c38ea5b61e51de17b

SHA512
adb2a4d8ca62ca0eeddbfcd53859bbb3942af9ea54f524cc4358c2eb1baedf5f9e4771d9ca842ea0567a754620dcbca06e56098427c230126e2c4a1327c8ee19

Download Submit
C:\windows\system\WSK.exe.bat

Filesize
66B

MD5
d744332741e6475a7a5c9328983a4151

SHA1
9c017c1f6d250b7e8fcb4d601c5c3ae6cc93d85d

SHA256
6f0d718f85d570aa1f64071414db289cb4bc47d9bc2ddaf9659d20685889d0af

SHA512
053454c4e0c1dc29cd72acb3ec484e92e31b546d79348e59f669cabc5798998e3c19c37bf4defa553723fbf59246837cc34f07dd3d1f363dc00e22947a14044d

Download Submit
C:\windows\system\XUMJG.exe.bat

Filesize
70B

MD5
0a730a05de70ac05c493d8c25ae4c163

SHA1
b1082c8bf57f3339ea7c431386f5b1833eb7ef5c

SHA256
82ba44b988466df7cacf03634d90104c7d092f4b976afd1d493a4337f9c1657c

SHA512
090b7c221cfb02d1cfdd23cc349aba5ddc7ea30fbff56a4158d584e47e4aaa022f347c5d9cd14ac3eb1e07383e8acf6489599aca27a81af69e918805c76329f3

Download Submit
memory/692-345-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/692-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1272-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1288-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1288-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1744-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1744-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-335-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2272-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2272-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2360-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2360-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2936-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2936-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2996-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2996-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3136-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3136-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3420-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3420-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3764-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3764-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4056-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4056-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-344-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5096-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5096-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download