9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f

Analysis

max time kernel
176s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
Size

208KB
MD5

96be24c78b46fb1c735fab37950ae109
SHA1

378b2afd43259a1ef9e05368e185170dd11a6f3d
SHA256

9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f
SHA512

646feaa796cd3d658b652b814a563d2c97046f6d610a6d0aebe6926b8e94af90fab771064d4a3badaab21adf3d76c9091a76c41e5c2e344a70b58217b0a5d623
SSDEEP

6144:DpXQJEnuOGjMTfKgVjGxSdK/BZPJ7q/AgKfCVrJK27ofZpaXFQEj:DpXQJEnu0TigVjGxS0N27ofZpaXFQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	XJCM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ZYZJKY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	BDQAOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	MDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	JIJDSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DRZH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ZCIYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ZCPUWUK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	AGQRJFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	GOQOFSV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	PPRQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DQU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	VVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SDAYDI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	FPKCMLJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	QYWAX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	TPQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	KQILLX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DRFEP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOEOVWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	QQFEIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ZCWUXBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	YTLNX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	UFRZBBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	HDBJTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ENEYEM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	XTMXXS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WEJGPRU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	OYEPJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	VTG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	HACV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ZRCRPXU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	BTVOUR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	JYXB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	GGLMWEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	LULTCN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	DED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	KQHIVPI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	RMZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	NTSWRC.exe

Executes dropped EXE 42 IoCs

pid	Process
1660	DED.exe
4132	KQHIVPI.exe
452	BDQAOA.exe
2468	RMZK.exe
4520	ENEYEM.exe
4244	XTMXXS.exe
228	WEJGPRU.exe
2016	AGQRJFK.exe
1536	SOEOVWM.exe
3696	GOQOFSV.exe
3224	DIT.exe
676	ZCWUXBD.exe
3144	ZRCRPXU.exe
3504	QQFEIM.exe
4068	XJCM.exe
3120	PPRQ.exe
4504	MDX.exe
4552	YTLNX.exe
4796	BTVOUR.exe
3916	UFRZBBD.exe
996	JYXB.exe
232	OYEPJV.exe
1140	GGLMWEY.exe
3400	FPKCMLJ.exe
4596	DRZH.exe
1072	JIJDSH.exe
4000	ZCIYA.exe
4964	QYWAX.exe
3292	KQILLX.exe
1100	LULTCN.exe
1480	NTSWRC.exe
4756	DRFEP.exe
4780	TPQ.exe
4640	DQU.exe
1804	HDBJTS.exe
3764	VVG.exe
4988	VTG.exe
2948	SDAYDI.exe
1844	ZCPUWUK.exe
2968	HACV.exe
2752	ZYZJKY.exe
3588	LTS.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ZYZJKY.exe.bat	HACV.exe
File created	C:\windows\SysWOW64\BDQAOA.exe	KQHIVPI.exe
File opened for modification	C:\windows\SysWOW64\SOEOVWM.exe	AGQRJFK.exe
File created	C:\windows\SysWOW64\ZCWUXBD.exe.bat	DIT.exe
File opened for modification	C:\windows\SysWOW64\MDX.exe	PPRQ.exe
File created	C:\windows\SysWOW64\ZCPUWUK.exe	SDAYDI.exe
File created	C:\windows\SysWOW64\ZCPUWUK.exe.bat	SDAYDI.exe
File created	C:\windows\SysWOW64\XTMXXS.exe.bat	ENEYEM.exe
File opened for modification	C:\windows\SysWOW64\XJCM.exe	QQFEIM.exe
File created	C:\windows\SysWOW64\JIJDSH.exe.bat	DRZH.exe
File created	C:\windows\SysWOW64\TPQ.exe.bat	DRFEP.exe
File created	C:\windows\SysWOW64\DQU.exe.bat	TPQ.exe
File created	C:\windows\SysWOW64\BDQAOA.exe.bat	KQHIVPI.exe
File created	C:\windows\SysWOW64\MDX.exe	PPRQ.exe
File opened for modification	C:\windows\SysWOW64\UFRZBBD.exe	BTVOUR.exe
File opened for modification	C:\windows\SysWOW64\DQU.exe	TPQ.exe
File opened for modification	C:\windows\SysWOW64\ZCWUXBD.exe	DIT.exe
File created	C:\windows\SysWOW64\TPQ.exe	DRFEP.exe
File opened for modification	C:\windows\SysWOW64\ZCPUWUK.exe	SDAYDI.exe
File opened for modification	C:\windows\SysWOW64\BDQAOA.exe	KQHIVPI.exe
File created	C:\windows\SysWOW64\SOEOVWM.exe	AGQRJFK.exe
File created	C:\windows\SysWOW64\ZCWUXBD.exe	DIT.exe
File created	C:\windows\SysWOW64\UFRZBBD.exe.bat	BTVOUR.exe
File created	C:\windows\SysWOW64\DQU.exe	TPQ.exe
File opened for modification	C:\windows\SysWOW64\HACV.exe	ZCPUWUK.exe
File opened for modification	C:\windows\SysWOW64\XTMXXS.exe	ENEYEM.exe
File created	C:\windows\SysWOW64\XJCM.exe	QQFEIM.exe
File created	C:\windows\SysWOW64\XJCM.exe.bat	QQFEIM.exe
File created	C:\windows\SysWOW64\MDX.exe.bat	PPRQ.exe
File created	C:\windows\SysWOW64\UFRZBBD.exe	BTVOUR.exe
File created	C:\windows\SysWOW64\JIJDSH.exe	DRZH.exe
File opened for modification	C:\windows\SysWOW64\TPQ.exe	DRFEP.exe
File created	C:\windows\SysWOW64\HACV.exe	ZCPUWUK.exe
File created	C:\windows\SysWOW64\HACV.exe.bat	ZCPUWUK.exe
File created	C:\windows\SysWOW64\XTMXXS.exe	ENEYEM.exe
File created	C:\windows\SysWOW64\SOEOVWM.exe.bat	AGQRJFK.exe
File opened for modification	C:\windows\SysWOW64\JIJDSH.exe	DRZH.exe
File created	C:\windows\SysWOW64\ZYZJKY.exe	HACV.exe
File opened for modification	C:\windows\SysWOW64\ZYZJKY.exe	HACV.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\BTVOUR.exe.bat	YTLNX.exe
File opened for modification	C:\windows\system\VVG.exe	HDBJTS.exe
File created	C:\windows\VTG.exe	VVG.exe
File created	C:\windows\SDAYDI.exe.bat	VTG.exe
File opened for modification	C:\windows\LTS.exe	ZYZJKY.exe
File created	C:\windows\LTS.exe.bat	ZYZJKY.exe
File opened for modification	C:\windows\DED.exe	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
File opened for modification	C:\windows\system\KQILLX.exe	QYWAX.exe
File created	C:\windows\system\DRFEP.exe.bat	NTSWRC.exe
File created	C:\windows\system\PPRQ.exe	XJCM.exe
File created	C:\windows\YTLNX.exe.bat	MDX.exe
File opened for modification	C:\windows\system\KQHIVPI.exe	DED.exe
File created	C:\windows\system\PPRQ.exe.bat	XJCM.exe
File opened for modification	C:\windows\BTVOUR.exe	YTLNX.exe
File opened for modification	C:\windows\VTG.exe	VVG.exe
File created	C:\windows\system\RMZK.exe	BDQAOA.exe
File created	C:\windows\ENEYEM.exe.bat	RMZK.exe
File created	C:\windows\system\GGLMWEY.exe	OYEPJV.exe
File created	C:\windows\LULTCN.exe.bat	KQILLX.exe
File created	C:\windows\system\AGQRJFK.exe	WEJGPRU.exe
File created	C:\windows\GOQOFSV.exe	SOEOVWM.exe
File created	C:\windows\JYXB.exe	UFRZBBD.exe
File created	C:\windows\DRZH.exe	FPKCMLJ.exe
File opened for modification	C:\windows\system\NTSWRC.exe	LULTCN.exe
File created	C:\windows\system\HDBJTS.exe	DQU.exe
File created	C:\windows\DED.exe.bat	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
File created	C:\windows\system\ZRCRPXU.exe	ZCWUXBD.exe
File opened for modification	C:\windows\system\GGLMWEY.exe	OYEPJV.exe
File created	C:\windows\FPKCMLJ.exe	GGLMWEY.exe
File created	C:\windows\DRZH.exe.bat	FPKCMLJ.exe
File opened for modification	C:\windows\LULTCN.exe	KQILLX.exe
File created	C:\windows\DIT.exe.bat	GOQOFSV.exe
File created	C:\windows\YTLNX.exe	MDX.exe
File opened for modification	C:\windows\JYXB.exe	UFRZBBD.exe
File opened for modification	C:\windows\FPKCMLJ.exe	GGLMWEY.exe
File created	C:\windows\ZCIYA.exe.bat	JIJDSH.exe
File created	C:\windows\system\DRFEP.exe	NTSWRC.exe
File created	C:\windows\system\KQHIVPI.exe	DED.exe
File created	C:\windows\ENEYEM.exe	RMZK.exe
File created	C:\windows\DIT.exe	GOQOFSV.exe
File created	C:\windows\system\ZRCRPXU.exe.bat	ZCWUXBD.exe
File opened for modification	C:\windows\YTLNX.exe	MDX.exe
File created	C:\windows\OYEPJV.exe.bat	JYXB.exe
File opened for modification	C:\windows\system\RMZK.exe	BDQAOA.exe
File created	C:\windows\system\WEJGPRU.exe.bat	XTMXXS.exe
File opened for modification	C:\windows\system\QQFEIM.exe	ZRCRPXU.exe
File created	C:\windows\system\QQFEIM.exe.bat	ZRCRPXU.exe
File opened for modification	C:\windows\system\PPRQ.exe	XJCM.exe
File created	C:\windows\BTVOUR.exe	YTLNX.exe
File created	C:\windows\FPKCMLJ.exe.bat	GGLMWEY.exe
File created	C:\windows\system\KQILLX.exe	QYWAX.exe
File created	C:\windows\system\NTSWRC.exe.bat	LULTCN.exe
File created	C:\windows\DED.exe	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
File opened for modification	C:\windows\ENEYEM.exe	RMZK.exe
File created	C:\windows\system\WEJGPRU.exe	XTMXXS.exe
File opened for modification	C:\windows\DIT.exe	GOQOFSV.exe
File opened for modification	C:\windows\system\ZRCRPXU.exe	ZCWUXBD.exe
File created	C:\windows\ZCIYA.exe	JIJDSH.exe
File created	C:\windows\system\KQILLX.exe.bat	QYWAX.exe
File created	C:\windows\GOQOFSV.exe.bat	SOEOVWM.exe
File created	C:\windows\JYXB.exe.bat	UFRZBBD.exe
File opened for modification	C:\windows\DRZH.exe	FPKCMLJ.exe
File created	C:\windows\QYWAX.exe.bat	ZCIYA.exe
File opened for modification	C:\windows\system\DRFEP.exe	NTSWRC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
5108	2856	WerFault.exe	86
3820	1660	WerFault.exe	96
2532	4132	WerFault.exe	101
4860	452	WerFault.exe	106
704	4244	WerFault.exe	121
3988	228	WerFault.exe	126
4392	2016	WerFault.exe	133
4736	1536	WerFault.exe	139
4196	3696	WerFault.exe	144
2772	3224	WerFault.exe	149
5080	676	WerFault.exe	154
4796	3144	WerFault.exe	159
2856	3504	WerFault.exe	165
4500	4068	WerFault.exe	169
1136	3120	WerFault.exe	177
1052	4504	WerFault.exe	181
3440	4552	WerFault.exe	186
3652	4796	WerFault.exe	193
2440	3916	WerFault.exe	199
4732	996	WerFault.exe	205
3996	232	WerFault.exe	211
4304	1140	WerFault.exe	216
3328	3400	WerFault.exe	221
4048	4596	WerFault.exe	225
2948	1072	WerFault.exe	231
2516	4000	WerFault.exe	236
3528	4964	WerFault.exe	242
1304	3292	WerFault.exe	247
3932	1100	WerFault.exe	252
2064	1480	WerFault.exe	256
4704	4640	WerFault.exe	271
2484	1804	WerFault.exe	278
532	3764	WerFault.exe	284
3196	4988	WerFault.exe	291
4040	2948	WerFault.exe	296
1684	1844	WerFault.exe	301
1824	2968	WerFault.exe	306
2628	2752	WerFault.exe	311

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
1660	DED.exe
1660	DED.exe
4132	KQHIVPI.exe
4132	KQHIVPI.exe
452	BDQAOA.exe
452	BDQAOA.exe
2468	RMZK.exe
2468	RMZK.exe
4520	ENEYEM.exe
4520	ENEYEM.exe
4244	XTMXXS.exe
4244	XTMXXS.exe
228	WEJGPRU.exe
228	WEJGPRU.exe
2016	AGQRJFK.exe
2016	AGQRJFK.exe
1536	SOEOVWM.exe
1536	SOEOVWM.exe
3696	GOQOFSV.exe
3696	GOQOFSV.exe
3224	DIT.exe
3224	DIT.exe
676	ZCWUXBD.exe
676	ZCWUXBD.exe
3144	ZRCRPXU.exe
3144	ZRCRPXU.exe
3504	QQFEIM.exe
3504	QQFEIM.exe
4068	XJCM.exe
4068	XJCM.exe
3120	PPRQ.exe
3120	PPRQ.exe
4504	MDX.exe
4504	MDX.exe
4552	YTLNX.exe
4552	YTLNX.exe
4796	BTVOUR.exe
4796	BTVOUR.exe
3916	UFRZBBD.exe
3916	UFRZBBD.exe
996	JYXB.exe
996	JYXB.exe
232	OYEPJV.exe
232	OYEPJV.exe
1140	GGLMWEY.exe
1140	GGLMWEY.exe
3400	FPKCMLJ.exe
3400	FPKCMLJ.exe
4596	DRZH.exe
4596	DRZH.exe
1072	JIJDSH.exe
1072	JIJDSH.exe
4000	ZCIYA.exe
4000	ZCIYA.exe
4964	QYWAX.exe
4964	QYWAX.exe
3292	KQILLX.exe
3292	KQILLX.exe
1100	LULTCN.exe
1100	LULTCN.exe
1480	NTSWRC.exe
1480	NTSWRC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
1660	DED.exe
1660	DED.exe
4132	KQHIVPI.exe
4132	KQHIVPI.exe
452	BDQAOA.exe
452	BDQAOA.exe
2468	RMZK.exe
2468	RMZK.exe
4520	ENEYEM.exe
4520	ENEYEM.exe
4244	XTMXXS.exe
4244	XTMXXS.exe
228	WEJGPRU.exe
228	WEJGPRU.exe
2016	AGQRJFK.exe
2016	AGQRJFK.exe
1536	SOEOVWM.exe
1536	SOEOVWM.exe
3696	GOQOFSV.exe
3696	GOQOFSV.exe
3224	DIT.exe
3224	DIT.exe
676	ZCWUXBD.exe
676	ZCWUXBD.exe
3144	ZRCRPXU.exe
3144	ZRCRPXU.exe
3504	QQFEIM.exe
3504	QQFEIM.exe
4068	XJCM.exe
4068	XJCM.exe
3120	PPRQ.exe
3120	PPRQ.exe
4504	MDX.exe
4504	MDX.exe
4552	YTLNX.exe
4552	YTLNX.exe
4796	BTVOUR.exe
4796	BTVOUR.exe
3916	UFRZBBD.exe
3916	UFRZBBD.exe
996	JYXB.exe
996	JYXB.exe
232	OYEPJV.exe
232	OYEPJV.exe
1140	GGLMWEY.exe
1140	GGLMWEY.exe
3400	FPKCMLJ.exe
3400	FPKCMLJ.exe
4596	DRZH.exe
4596	DRZH.exe
1072	JIJDSH.exe
1072	JIJDSH.exe
4000	ZCIYA.exe
4000	ZCIYA.exe
4964	QYWAX.exe
4964	QYWAX.exe
3292	KQILLX.exe
3292	KQILLX.exe
1100	LULTCN.exe
1100	LULTCN.exe
1480	NTSWRC.exe
1480	NTSWRC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1792	2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe	92
PID 2856 wrote to memory of 1792	2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe	92
PID 2856 wrote to memory of 1792	2856	9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe	92
PID 1792 wrote to memory of 1660	1792	cmd.exe	96
PID 1792 wrote to memory of 1660	1792	cmd.exe	96
PID 1792 wrote to memory of 1660	1792	cmd.exe	96
PID 1660 wrote to memory of 368	1660	DED.exe	98
PID 1660 wrote to memory of 368	1660	DED.exe	98
PID 1660 wrote to memory of 368	1660	DED.exe	98
PID 368 wrote to memory of 4132	368	cmd.exe	101
PID 368 wrote to memory of 4132	368	cmd.exe	101
PID 368 wrote to memory of 4132	368	cmd.exe	101
PID 4132 wrote to memory of 4780	4132	KQHIVPI.exe	103
PID 4132 wrote to memory of 4780	4132	KQHIVPI.exe	103
PID 4132 wrote to memory of 4780	4132	KQHIVPI.exe	103
PID 4780 wrote to memory of 452	4780	cmd.exe	106
PID 4780 wrote to memory of 452	4780	cmd.exe	106
PID 4780 wrote to memory of 452	4780	cmd.exe	106
PID 452 wrote to memory of 4792	452	BDQAOA.exe	108
PID 452 wrote to memory of 4792	452	BDQAOA.exe	108
PID 452 wrote to memory of 4792	452	BDQAOA.exe	108
PID 4792 wrote to memory of 2468	4792	cmd.exe	113
PID 4792 wrote to memory of 2468	4792	cmd.exe	113
PID 4792 wrote to memory of 2468	4792	cmd.exe	113
PID 2468 wrote to memory of 1468	2468	RMZK.exe	114
PID 2468 wrote to memory of 1468	2468	RMZK.exe	114
PID 2468 wrote to memory of 1468	2468	RMZK.exe	114
PID 1468 wrote to memory of 4520	1468	cmd.exe	117
PID 1468 wrote to memory of 4520	1468	cmd.exe	117
PID 1468 wrote to memory of 4520	1468	cmd.exe	117
PID 4520 wrote to memory of 2240	4520	ENEYEM.exe	118
PID 4520 wrote to memory of 2240	4520	ENEYEM.exe	118
PID 4520 wrote to memory of 2240	4520	ENEYEM.exe	118
PID 2240 wrote to memory of 4244	2240	cmd.exe	121
PID 2240 wrote to memory of 4244	2240	cmd.exe	121
PID 2240 wrote to memory of 4244	2240	cmd.exe	121
PID 4244 wrote to memory of 3040	4244	XTMXXS.exe	122
PID 4244 wrote to memory of 3040	4244	XTMXXS.exe	122
PID 4244 wrote to memory of 3040	4244	XTMXXS.exe	122
PID 3040 wrote to memory of 228	3040	cmd.exe	126
PID 3040 wrote to memory of 228	3040	cmd.exe	126
PID 3040 wrote to memory of 228	3040	cmd.exe	126
PID 228 wrote to memory of 4792	228	WEJGPRU.exe	129
PID 228 wrote to memory of 4792	228	WEJGPRU.exe	129
PID 228 wrote to memory of 4792	228	WEJGPRU.exe	129
PID 4792 wrote to memory of 2016	4792	cmd.exe	133
PID 4792 wrote to memory of 2016	4792	cmd.exe	133
PID 4792 wrote to memory of 2016	4792	cmd.exe	133
PID 2016 wrote to memory of 4880	2016	AGQRJFK.exe	135
PID 2016 wrote to memory of 4880	2016	AGQRJFK.exe	135
PID 2016 wrote to memory of 4880	2016	AGQRJFK.exe	135
PID 4880 wrote to memory of 1536	4880	cmd.exe	139
PID 4880 wrote to memory of 1536	4880	cmd.exe	139
PID 4880 wrote to memory of 1536	4880	cmd.exe	139
PID 1536 wrote to memory of 4964	1536	SOEOVWM.exe	140
PID 1536 wrote to memory of 4964	1536	SOEOVWM.exe	140
PID 1536 wrote to memory of 4964	1536	SOEOVWM.exe	140
PID 4964 wrote to memory of 3696	4964	cmd.exe	144
PID 4964 wrote to memory of 3696	4964	cmd.exe	144
PID 4964 wrote to memory of 3696	4964	cmd.exe	144
PID 3696 wrote to memory of 1352	3696	GOQOFSV.exe	145
PID 3696 wrote to memory of 1352	3696	GOQOFSV.exe	145
PID 3696 wrote to memory of 1352	3696	GOQOFSV.exe	145
PID 1352 wrote to memory of 3224	1352	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe
"C:\Users\Admin\AppData\Local\Temp\9e38eb223c5530419c5919ab31ba4ef31491a53a6de84fa525d27eec5272976f.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\DED.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\windows\DED.exe
    C:\windows\DED.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\KQHIVPI.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\windows\system\KQHIVPI.exe
        
        C:\windows\system\KQHIVPI.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BDQAOA.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\windows\SysWOW64\BDQAOA.exe
        
        C:\windows\system32\BDQAOA.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMZK.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\windows\system\RMZK.exe
        
        C:\windows\system\RMZK.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ENEYEM.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\windows\ENEYEM.exe
        
        C:\windows\ENEYEM.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTMXXS.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\windows\SysWOW64\XTMXXS.exe
        
        C:\windows\system32\XTMXXS.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WEJGPRU.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\windows\system\WEJGPRU.exe
        
        C:\windows\system\WEJGPRU.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AGQRJFK.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\windows\system\AGQRJFK.exe
        
        C:\windows\system\AGQRJFK.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOEOVWM.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\windows\SysWOW64\SOEOVWM.exe
        
        C:\windows\system32\SOEOVWM.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GOQOFSV.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\windows\GOQOFSV.exe
        
        C:\windows\GOQOFSV.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DIT.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\windows\DIT.exe
        
        C:\windows\DIT.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZCWUXBD.exe.bat" "
        24⤵
        
        PID:972
        
        C:\windows\SysWOW64\ZCWUXBD.exe
        
        C:\windows\system32\ZCWUXBD.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRCRPXU.exe.bat" "
        26⤵
        
        PID:3552
        
        C:\windows\system\ZRCRPXU.exe
        
        C:\windows\system\ZRCRPXU.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQFEIM.exe.bat" "
        28⤵
        
        PID:1504
        
        C:\windows\system\QQFEIM.exe
        
        C:\windows\system\QQFEIM.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJCM.exe.bat" "
        30⤵
        
        PID:3012
        
        C:\windows\SysWOW64\XJCM.exe
        
        C:\windows\system32\XJCM.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPRQ.exe.bat" "
        32⤵
        
        PID:1340
        
        C:\windows\system\PPRQ.exe
        
        C:\windows\system\PPRQ.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDX.exe.bat" "
        34⤵
        
        PID:4736
        
        C:\windows\SysWOW64\MDX.exe
        
        C:\windows\system32\MDX.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTLNX.exe.bat" "
        36⤵
        
        PID:704
        
        C:\windows\YTLNX.exe
        
        C:\windows\YTLNX.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BTVOUR.exe.bat" "
        38⤵
        
        PID:912
        
        C:\windows\BTVOUR.exe
        
        C:\windows\BTVOUR.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFRZBBD.exe.bat" "
        40⤵
        
        PID:4964
        
        C:\windows\SysWOW64\UFRZBBD.exe
        
        C:\windows\system32\UFRZBBD.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JYXB.exe.bat" "
        42⤵
        
        PID:532
        
        C:\windows\JYXB.exe
        
        C:\windows\JYXB.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OYEPJV.exe.bat" "
        44⤵
        
        PID:2424
        
        C:\windows\OYEPJV.exe
        
        C:\windows\OYEPJV.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "
        46⤵
        
        PID:1132
        
        C:\windows\system\GGLMWEY.exe
        
        C:\windows\system\GGLMWEY.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FPKCMLJ.exe.bat" "
        48⤵
        
        PID:3740
        
        C:\windows\FPKCMLJ.exe
        
        C:\windows\FPKCMLJ.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DRZH.exe.bat" "
        50⤵
        
        PID:4220
        
        C:\windows\DRZH.exe
        
        C:\windows\DRZH.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JIJDSH.exe.bat" "
        52⤵
        
        PID:468
        
        C:\windows\SysWOW64\JIJDSH.exe
        
        C:\windows\system32\JIJDSH.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZCIYA.exe.bat" "
        54⤵
        
        PID:4804
        
        C:\windows\ZCIYA.exe
        
        C:\windows\ZCIYA.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QYWAX.exe.bat" "
        56⤵
        
        PID:1000
        
        C:\windows\QYWAX.exe
        
        C:\windows\QYWAX.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KQILLX.exe.bat" "
        58⤵
        
        PID:972
        
        C:\windows\system\KQILLX.exe
        
        C:\windows\system\KQILLX.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LULTCN.exe.bat" "
        60⤵
        
        PID:2296
        
        C:\windows\LULTCN.exe
        
        C:\windows\LULTCN.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NTSWRC.exe.bat" "
        62⤵
        
        PID:1708
        
        C:\windows\system\NTSWRC.exe
        
        C:\windows\system\NTSWRC.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRFEP.exe.bat" "
        64⤵
        
        PID:4188
        
        C:\windows\system\DRFEP.exe
        
        C:\windows\system\DRFEP.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPQ.exe.bat" "
        66⤵
        
        PID:4904
        
        C:\windows\SysWOW64\TPQ.exe
        
        C:\windows\system32\TPQ.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DQU.exe.bat" "
        68⤵
        
        PID:2948
        
        C:\windows\SysWOW64\DQU.exe
        
        C:\windows\system32\DQU.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HDBJTS.exe.bat" "
        70⤵
        
        PID:4736
        
        C:\windows\system\HDBJTS.exe
        
        C:\windows\system\HDBJTS.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVG.exe.bat" "
        72⤵
        
        PID:3400
        
        C:\windows\system\VVG.exe
        
        C:\windows\system\VVG.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VTG.exe.bat" "
        74⤵
        
        PID:3268
        
        C:\windows\VTG.exe
        
        C:\windows\VTG.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SDAYDI.exe.bat" "
        76⤵
        
        PID:1208
        
        C:\windows\SDAYDI.exe
        
        C:\windows\SDAYDI.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZCPUWUK.exe.bat" "
        78⤵
        
        PID:5068
        
        C:\windows\SysWOW64\ZCPUWUK.exe
        
        C:\windows\system32\ZCPUWUK.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HACV.exe.bat" "
        80⤵
        
        PID:1708
        
        C:\windows\SysWOW64\HACV.exe
        
        C:\windows\system32\HACV.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYZJKY.exe.bat" "
        82⤵
        
        PID:348
        
        C:\windows\SysWOW64\ZYZJKY.exe
        
        C:\windows\system32\ZYZJKY.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LTS.exe.bat" "
        84⤵
        
        PID:4640
        
        C:\windows\LTS.exe
        
        C:\windows\LTS.exe
        85⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 964
        84⤵
        Program crash
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 960
        82⤵
        Program crash
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960
        80⤵
        Program crash
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1328
        78⤵
        Program crash
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1296
        76⤵
        Program crash
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1324
        74⤵
        Program crash
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 964
        72⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 964
        70⤵
        Program crash
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 968
        64⤵
        Program crash
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 960
        62⤵
        Program crash
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1324
        60⤵
        Program crash
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1336
        58⤵
        Program crash
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1004
        56⤵
        Program crash
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1292
        54⤵
        Program crash
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1296
        52⤵
        Program crash
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1320
        50⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 964
        48⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1276
        46⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1288
        44⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1236
        42⤵
        Program crash
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1328
        40⤵
        Program crash
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1324
        38⤵
        Program crash
        
        PID:3440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1328
        36⤵
        Program crash
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1316
        34⤵
        Program crash
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 960
        32⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1328
        30⤵
        Program crash
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 960
        28⤵
        Program crash
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 960
        26⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1008
        24⤵
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1348
        22⤵
        Program crash
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 960
        20⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 972
        18⤵
        Program crash
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1328
        16⤵
        Program crash
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 988
        14⤵
        Program crash
        
        PID:704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 960
        8⤵
        Program crash
        
        PID:4860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1300
        6⤵
        Program crash
        
        PID:2532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 960
      4⤵
      Program crash
      PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 992
  2⤵
  - Program crash
  PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2856 -ip 2856
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1660 -ip 1660
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4132 -ip 4132
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 452 -ip 452
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2468 -ip 2468
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4520 -ip 4520
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4244 -ip 4244
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 228 -ip 228
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2016 -ip 2016
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1536 -ip 1536
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3696 -ip 3696
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3224 -ip 3224
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 676 -ip 676
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3144 -ip 3144
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3504 -ip 3504
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4068 -ip 4068
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3120 -ip 3120
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4504 -ip 4504
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4552 -ip 4552
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4796 -ip 4796
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3916 -ip 3916
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 996 -ip 996
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 232 -ip 232
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1140 -ip 1140
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3400 -ip 3400
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4596 -ip 4596
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1072 -ip 1072
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4000 -ip 4000
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4964 -ip 4964
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3292 -ip 3292
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1100 -ip 1100
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4756 -ip 4756
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4780 -ip 4780
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4640 -ip 4640
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1804 -ip 1804
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3764 -ip 3764
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4988 -ip 4988
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2948 -ip 2948
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1844 -ip 1844
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2968 -ip 2968
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2752 -ip 2752
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DIT.exe

Filesize
208KB

MD5
4d67854c0c9044dbdbaf3152ff993764

SHA1
56499a8159aac538d900a3d35dabcd8d8eab1c55

SHA256
a5caa0885ddc7153d224cca70ddab310f8efe1ff67f62ef268c4745d80aa545f

SHA512
eeb12609238f9c40944452333f225bef9e14b43fd28b44138a3785f94419f6159f0064fa91f5b60bc68fc8a2b1b0a9a9807e8e9929b673ab68e61ed14be1be71

Download Submit
C:\Windows\ENEYEM.exe

Filesize
208KB

MD5
65242cb2a83960f2604e6f2377efee42

SHA1
b259be30e6f51565dea0c6c4230515cbf618fc06

SHA256
b229660af139e016579eb925deaf54afcd41a22064aff4f5f001fbba443f2a12

SHA512
f1b3852cb26e1db5b2a4c479e5f81294c710c65b176404636359e862aaddf8e60be8bd5529f35575737af5e55414d25ccb2c52ba0610b30cfaa903b0d342bf65

Download Submit
C:\Windows\GOQOFSV.exe

Filesize
208KB

MD5
98455a5c9f2cf05eb8ec83bcdc7c1b0f

SHA1
561b351c6645302e25e1a4a724b3980240743847

SHA256
1831da34c6b526eca89982edb1526694fe349a445b26d0df3c1a45c3630d637b

SHA512
24697b2c1341e6755c0d743c8d46dde4f8eb971ca15fbea0bc87bf4cc2e96f06479689fc25f3d36e49ec1bbb75f701686e21270629a537fdeb0b22722fbcbdf0

Download Submit
C:\Windows\JYXB.exe

Filesize
208KB

MD5
38b228171da92feef9df6c7a1a865500

SHA1
ab5a874995ae107c2e7d25efce7fb729d077d5ad

SHA256
8055d7b51a6abb3f18e4f6fb454103b5ea7fdb68f8b45213db1b330a05b8a257

SHA512
e88bbe00398cde730ce39da0718dcc085b94c5614d5020fb8c4207f34a1c6554b429958933faaa0312c237ef3a12238f4e23a9864f6f198c088deaab9f0f7737

Download Submit
C:\Windows\SysWOW64\MDX.exe

Filesize
121KB

MD5
3cc1dfbba6c10569a43048ab0aae5cbc

SHA1
45e0c449f1be66f831424075cc5e17cbcaa6be16

SHA256
bb7399ae9dab74c0ed0c8e890826d4f3ac3b8a20a1b8957e90b2141619ea3376

SHA512
ab802a0137680aa354da7c48a0493881fc01998a3b59119726bcd869f0745889fd08be00b9dbd4a1dfa0feb5c329be02bb0dfd3b9914da05aafe42bd83489f41

Download Submit
C:\Windows\SysWOW64\XJCM.exe

Filesize
208KB

MD5
5a61010eaf40b824522b65ebecbbd4a2

SHA1
5cb3a06f35a16e7f91e3dd00b4fa1cac2e113fbe

SHA256
6ce9c001517192ccf5fb78b55903afa8ea3a4815933ee922aeddecc3674c6a74

SHA512
b4562a37adef3310111fd789edbe992db6bd4aa6f86d0739e315330b65661f404d39629fbc8f9b2d416e3b59023ab5488add8d6be1518726c25dd442982500e1

Download Submit
C:\Windows\SysWOW64\XTMXXS.exe

Filesize
208KB

MD5
cc01c71c565d01b477bb8a794e8532d1

SHA1
c06488e503d39ca48308e844b2b50bf7fa143f84

SHA256
7157eed39342dd999bb4967cf786b36b01f48f6fe4b582535bcc03f3911f9f02

SHA512
6031af7f22433dabd2ce9d819b0a20681023b504a5996c23c65d5c65fbebf12978479af5372164fd60c804a08e3147c0751a84a80ecab47e8c47663295d90e1c

Download Submit
C:\Windows\System\AGQRJFK.exe

Filesize
208KB

MD5
df19dd9b629acc295d5ee996eb2b02fb

SHA1
b7dd2771db2b591c6496596ba3e0e65d9dc5bb49

SHA256
37268c526d8909cf8f717df5a7f94a930b5dd32eb671a00c7b7e0609da1d9eb9

SHA512
2846ada158fabd37e378f647f8f15bf15d463186f9404f38033a8df7d9a58e70616da085ab9ae76d41ba1125ee55289e54dba17454395e2cb0e5100ab3e30a4c

Download Submit
C:\Windows\System\KQHIVPI.exe

Filesize
208KB

MD5
53191ee32d1cc79a872d17a0654448d2

SHA1
1d79b9eb4e09ddc7479f45ed0cdc1b5fd7d8b6b2

SHA256
0c7f8de305646f91c58b0ad12c4d52ec2ba8b8c85f59a4f524f386550e06a3b3

SHA512
da1c340ab0edc7af973b1dae016bb1d792aa5b4c1ec1d1a5d0976ec987cc5a7480c5206dd53cc17e0b4d3fa3f05a038a48bc89385f0ded27eb029b5434e82b08

Download Submit
C:\Windows\System\KQHIVPI.exe

Filesize
208KB

MD5
e8f105719c64685123b47b4fcd34255d

SHA1
f868530a72b659752212f7115070cf2b6369dd86

SHA256
c6b3b8a1486027196ac2e4691d33b435f25ce51d3ab441a3c355e4bf2aa0252b

SHA512
b36d750e20f478c6a9f626db5259844cb339338dad86b9a057d21e4e0bc01366cade71b99088cf6f7e03533e08ad4c6f6e8d29cd01d806f8dc57fbb3f17bf6e0

Download Submit
C:\Windows\System\QQFEIM.exe

Filesize
208KB

MD5
d0c123cc2eaf4a6e15351d2d65a99752

SHA1
9d55bd9d02348be43daed28eb16b2390e12e6c63

SHA256
00e6d0f87dde7435972b245eb5d5bffcf8c04d77c0d564e51184d18053d4ea20

SHA512
54bd2b97eab6ac407d4ab747da1e1e89874b7e59451d4c6894482f905b12145f1108f6125acc7a629e27d726b6eacfec7add9a2f4bd02702f44cb3d4c2654617

Download Submit
C:\Windows\System\RMZK.exe

Filesize
208KB

MD5
56a7261b79359b10a61ea3be3dab1bc5

SHA1
5473046cd970e2c72201f62b403aac895abebd1b

SHA256
b813ab382e9aa38f67febf30eb4c613fbdd81eecae3cea0f46b8b80a5effd765

SHA512
1ec299fb4738eb8857e8b6deb0ab765dc7855901e1539de312997197d00c46c5f86ff49386b993491df65a3eae921814d29e521cd05f470dc3006321abd3b780

Download Submit
C:\Windows\System\WEJGPRU.exe

Filesize
208KB

MD5
f7b30949fdc86684d9f3536b43dc7edd

SHA1
9ca157dddf2a2808ca20757099b14db952dedfdb

SHA256
5f552d6ddab492290379a47f5f9e16c130cf2fed2ffb75b90e2036743a553823

SHA512
f5add8f7c10fa3b8f0bd9e6ee0c31afe9774a00cc442f87d6ae5efea9bc09eadffd09f5717bc78dded32d3523201db054f682709bb4e97e18c3b8956dcdd88f8

Download Submit
C:\windows\BTVOUR.exe

Filesize
208KB

MD5
3a18a1eb8fe0e01af4a993c0a4dd1560

SHA1
7a7173b3ba52c091d641acd6a971ea4fcf2a2746

SHA256
09691674b7a62c5d18a84c71d5c1305e6f3279db80fe57407a46d23ddc835869

SHA512
03a78b6668acb3c9e32b8e3073ba06eb9f843ace49a31ca03267f161b3823537a44e39ce729748a3f81af3d7bcb8d3e9444859e85778d1bd156a6d24618a0892

Download Submit
C:\windows\BTVOUR.exe.bat

Filesize
58B

MD5
ad55e79d3e2cf67283a819f41d509aff

SHA1
c11cb44d3379ea41aa9f787d08f0805129a62fad

SHA256
2c707019d95f312cd924aa33712c0f1eb0baa82384c008b04f1e8e7dce7b01f5

SHA512
7bb43584468e14974f71e1a7f66b65e4e2cf3e0d78ce30f7178f01cdceb4e726a9dfcf4af6cb458ad42f8818e938f56f58352df77a3484f7875c9e02026926d4

Download Submit
C:\windows\DED.exe

Filesize
208KB

MD5
ab89efff04ee6e30618862b23e9330d2

SHA1
74f3a280b63f85793f7e142d78f2955b294905cc

SHA256
997ce207f2791195b1c3377f51343141ac1afb1103cdbbe30ca86c935f54dacf

SHA512
303fc77aaad753ab6331bd8cb54e1e72498da1b3cab95cd249e58460dcf5f33c95b2a8ddf7d661926b5fb8a62c2953095e4b955d191909f3705781f0ba1d308f

Download Submit
C:\windows\DED.exe.bat

Filesize
52B

MD5
7ebb841e7b41a06caae0eed364e57afa

SHA1
cfcc8c96919bdc455db89c4d07253d5a24439e7e

SHA256
5b1e4c265e20ce6c599b24e57465792fa11c706f0a4a691065c639c9785ce3fa

SHA512
bf0918b32d792bef25fd8a9ee1d97f1e73b30b6b7e71ec90cdcc92c108078f1451803adb6e0d8fb5b466c8a385427f13ad200b056c11921a5e74df7d65c7597c

Download Submit
C:\windows\DIT.exe.bat

Filesize
52B

MD5
1b83d72e12323bd73dac0a19d5e78668

SHA1
1f4f2c1bb51aa4161951783cbc3ad604692be365

SHA256
0cf22e698074b5b32037a7d9e252b5f4814b1d4d49feba335cf3e40f631ee93b

SHA512
b7eedbed6ca6f54874639e258df711e9f21f1ffdb7c65a7a079aa34975814125504072eed2c9c20d49205c4f171a90dc797a9d41a597504eb7ef227cefabdf57

Download Submit
C:\windows\ENEYEM.exe.bat

Filesize
58B

MD5
559752dec25f4a0e87da6bb8dc17aa28

SHA1
75491a8629ce2aebf8eec6726ea3923c5b262804

SHA256
3ac18ec00901d997eb747f2e05e9d027bbfea8d6776a345474a2891a52ca1594

SHA512
5fce95d9fbfd3dc752742fe21f723edb177f800ddd32cb159cde6956890b2e777a3e976c2115a2e4a0b945a6ccf89c52cd5dfe5dd6989233f14da98287ddfbcc

Download Submit
C:\windows\GOQOFSV.exe.bat

Filesize
60B

MD5
2556790a4866947db0b456d05347e3a1

SHA1
92e3c29ee2c1ab27271c14acc5c4f8b0ca1987d9

SHA256
0e2e731848a9342c65c0d6771e11573f810b63d9c115a299a630f0c538668cb9

SHA512
7f285c77b0734b84367e22ff407955de5b1d3c9bff2ce977ad1940742deff8ca485bf784d3b05a29660b6da427f8f5dc88bf169e18a53da073956103cabfcabb

Download Submit
C:\windows\JYXB.exe.bat

Filesize
54B

MD5
1a24437d5fcf58ae898a11989949000d

SHA1
ce2e2463fc16042a935d98006b51d59f514c41c8

SHA256
086858eb1a65d845ba6443a29a31af6cd44c206e5a0e09f088e54dcfe46b2297

SHA512
223e16f3ca1c1f8e6cdd84c705f29d1cc3bb920d2ca89e3b8d31dd1c83ccc823d8e671e29f22e5bc16f8b99294382131ca70439be794734791311b77ecfcd9ab

Download Submit
C:\windows\OYEPJV.exe.bat

Filesize
58B

MD5
4182ebc79a0f01c904b8f3b496bd111a

SHA1
1ddc01569e23957ccac0777db077f6948806911a

SHA256
e49122ebb021893df5deb5559373fa75ec38f5f3b4c307a5da40310174b4993a

SHA512
f1a088ceeae25b96c40b64872bae83866b3cc98025a07ce12a910f8f2635686760b48c14a2f2bb0c181c1c7e21f23eb56cddfef047e0560f6b6a125096669027

Download Submit
C:\windows\SysWOW64\BDQAOA.exe

Filesize
208KB

MD5
249d06a90fb6462fc83a44f6ac467ea5

SHA1
5d08411ce31ba3c4eaf35d90b7eb37c91db2413d

SHA256
ceb0710b6923c6e93cc2a2bbf2d888b84e87ea2b1f00a6f97e83078b3ec10e7d

SHA512
ae8e4d5eefab1ed5a8d305b63bd3b50a61512821e849b9788dd553d8bb15e9d3bef6ae8640a9a86616246e495f459868f843c9bc25a501b824580d889f8de4e0

Download Submit
C:\windows\SysWOW64\BDQAOA.exe.bat

Filesize
76B

MD5
9b707dcd1552e0e53ecdbe7f6fd346dc

SHA1
3ffe96cd5d385208c5691d815c3f5a03dc4fb2f5

SHA256
93c8406a99dae631c6ecf15d0fecbf5e8cd41ad361d1f203428bda3745422a8f

SHA512
08a1fba0fe09dbeb9d080300572ab5f3fe7c968620ed85f2438c0bba328be1e7d28443147fa5103931763e71144d0d42c999846164195a2be154472f67de8a6c

Download Submit
C:\windows\SysWOW64\MDX.exe

Filesize
208KB

MD5
98b980ec082543954ebe0f0079b9665a

SHA1
d4ffdcbfd7576ca7c3dbccaf07c0f83d44a21b45

SHA256
7a2414726bf1fef7d4dd7356f0dece2f672e674a762fbb6ca47c399bcb220fae

SHA512
0e417e2cc10bd67a1a9330cacf335b7cda6fcbf42a09a6fe6f16f94efdc7eea9eb5cd31c9dbce7184fb6d372153cda051116ce4e0000c3aecc01cd3da9b25f08

Download Submit
C:\windows\SysWOW64\MDX.exe.bat

Filesize
70B

MD5
ce5aa70e51b0fe0811f734443aee1c7c

SHA1
9c91c8aa3a32888344d893ca0ba9e1bc0f230022

SHA256
ae942f07011fe42fdbebd35fab489b62d144d46b4ab68a9e90e10139160d0ffc

SHA512
2dc977f1b4706ce1e261c72e4103c77fa1a5e6862943d3cabc6ae00bf76007deec84d01b68960bb115fbc55415d198a017a7d7d43b6b82bb72a4f5ac817a04e0

Download Submit
C:\windows\SysWOW64\SOEOVWM.exe

Filesize
208KB

MD5
ab7f034c6c519d625c8a0e2fa6f84ecf

SHA1
097619bbb0c219fd9e579e1e4f54f224cd8103d9

SHA256
1b6c6257f07e6858015af50337c73e62f6d133e70ece03a22b2060e3ee8e8df6

SHA512
d0d2c482368fd013b534b17a8ad19497b77eed914d6c739f903b1de485c68a9c839793370d3406cacf991a3b8173e2bc0548c841ea2d05eabff633270ba5fa21

Download Submit
C:\windows\SysWOW64\SOEOVWM.exe.bat

Filesize
78B

MD5
7bf6139886f84f1cb1e6e4254c9c12de

SHA1
4d3146c9d06b3791c21c8f649d81a4b650471c71

SHA256
9233de7d981f7d1891acb9b9a3a0dadcab5ee625e56b3d9fd96982156e9b03bf

SHA512
866727c1af4b6d81ee1dd71be13f1712a7d879446fe4325700405f514796062ac5f65beb2032964be0be4310a78a2769690b42d8208db903153937f022fc2c9e

Download Submit
C:\windows\SysWOW64\UFRZBBD.exe

Filesize
208KB

MD5
20f62a5738ad0675cb3c217a96bbeba6

SHA1
71a6aeb19e6dc583266c4b9af54e7541af82d0f4

SHA256
0893d663a14af696faf444cd036bab7ba1ec81980bb916106fd9d2effa67f5ed

SHA512
fc22a9001bda01809a36cd6bc49eae3e9f76ddf3bb9d7e9f23e92bb0364a969ff950bda1db78164c1c616a8256d705120531ad84e947471beeb73a1a94e6a503

Download Submit
C:\windows\SysWOW64\UFRZBBD.exe.bat

Filesize
78B

MD5
abd975e8ee366d6087b26a08407fd072

SHA1
dc4a7f163ba7e964ba22891ac099e3bc072c834d

SHA256
7e3d28fab936bd35c373753d7ffd0f57c7d356f5f09253e7c41cfce88bf28833

SHA512
f1cd0017b9a21d38402ad915988b771b41eb06f6a1dc29150742e10bce9fcc28847ff0eedb10eec4599bd0408dad95ffa1d8611816a9e3cda55f98cfe1eb6fff

Download Submit
C:\windows\SysWOW64\XJCM.exe.bat

Filesize
72B

MD5
550598731e6fc72a0bdf8e2bf7df714c

SHA1
bb6189595d0182437f35e64aec1dfaf7eb22a8c1

SHA256
3437083519ae1d0e3db0e14ccbde1efe4da2a8d58c0fec972d90151f94ae2974

SHA512
218ae98a27209fe750ff4f3eb2015bb0f181b612f0994e83eafd754deb7abd01fc2917fe6b28d634e177ed7ff2fa3b8c668675088b0f5adf63a7bd88bb1331da

Download Submit
C:\windows\SysWOW64\XTMXXS.exe.bat

Filesize
76B

MD5
0f6835e0ddfa2e41c6f014d4174d0a39

SHA1
e03145e0fb8443984c6f130c1dc3dfeccccaa1bb

SHA256
5a3056a1bc0008e9d5120484a9f08b92e1175a3e8f4b8f594e3f81fe17813df3

SHA512
dfd32ffbe67d4771137c175e9da7820e14a5e0d374e3e648e52096362cb250e4e9118c3b1b7cf4ad0889898b6cb6000a1fb41f39eb8fd123a5e5ae0cb829df6f

Download Submit
C:\windows\SysWOW64\ZCWUXBD.exe

Filesize
208KB

MD5
1ea75f8d76c8c063d0802c533f73bfdb

SHA1
f961ad1ddc1d684dfdf31a4ddd2ae62be9ff6857

SHA256
72bf363b87b43c5c3cd3014266d399a799f86fd832f406f0fe933d0960905bd6

SHA512
bf7f920a8ccd935df3652a88e0c575d1a7f13f53cc51c1c6856b189b60bd1f1221b69dc69d44a9605b8c2fe07852edbf8dc578c846f3c45831d7fd87a9c8757c

Download Submit
C:\windows\SysWOW64\ZCWUXBD.exe.bat

Filesize
78B

MD5
d180f3f097d7fe3a19a1fd0b5783ae4f

SHA1
c1b822ef7ccca6109e5bda2fb2232b307f9ce53d

SHA256
7192f0b74f87ca19e51ef46064eac704ee28686625a62a57199a734bb8b76e6f

SHA512
2b8e36d23a9383b169f98ce08ce27f8583fe21bb3e5a2b51d5f65843fbb7e23d3200ea297a80c477342f25133fec178888e84aba31a2caa6a68809726db4c4b8

Download Submit
C:\windows\YTLNX.exe

Filesize
208KB

MD5
0b5e301f1eb84c3e13ade81270bebf6b

SHA1
5e75db05f82919b6fe5c07621b06af2ddd5df115

SHA256
88ee2ddb9459a8ed300a6b7b303ef846ed6d0cece247593fe3245e0f874196f7

SHA512
802fbe58800fbcee5c8464c5362f54d2b16bc38b59cec11914935ad3851884fd6a42a6730521e9cd67b7a0e369492faf41da362e09eb7e4058f919b4d5a5ea3a

Download Submit
C:\windows\YTLNX.exe.bat

Filesize
56B

MD5
a333feebde3180479393472f353694c0

SHA1
0d0e3a9c2a198d4045b1bbe4df01686723e9338a

SHA256
6bbba4e1b6a0564f86636a4ba02610ada494543c134321c3e99443d625b2b776

SHA512
40d529fd46ceb0b8de60547b7935ebb305bdd603f33a75538476cae5df631eeeed0d3f7fb8861861e0e007bcb426f4e57c9dc56546ccc31b2759e5fab2983a1b

Download Submit
C:\windows\system\AGQRJFK.exe.bat

Filesize
74B

MD5
5e4249312f95bde8dc9f8fc6cc743855

SHA1
64fd46e502c38f604b4b15effc6d90d1ae50755b

SHA256
c6fca9d26918ad29369416e07685d7aae0959bd3287ee5d6c783d3554b7e7e90

SHA512
84c2107098e580f63cee86a4a8dc4a1ccf4d6c0f1b254c7d1f8192110b3c1229d826e1ebea207500eadd193c636468f713a94c2b3a106108357724bbad742475

Download Submit
C:\windows\system\KQHIVPI.exe.bat

Filesize
74B

MD5
4286f36b4b9a0c757e0b138e3418f7a4

SHA1
83ec1debff5d976c6918f415eb17c8c7edfc5cef

SHA256
04c0e1564d34c61296c808b24893430146ed3d6298fdf06c2ff8c0b770a82b62

SHA512
e8acae7d401e0f3ea3b5600ae2b5761ec9f632b4b0e7cbde2dc68fd092c6dd5e6e54663bc5d7e0fb0a155dbaebba7d442869428c78b99b5127338f8f89494a38

Download Submit
C:\windows\system\PPRQ.exe

Filesize
208KB

MD5
6b1b853de46f42d3cebc276faeeac6e0

SHA1
1dbd6af27b8fbac7030065584a10bfb05f682183

SHA256
574455849d7e3c538ca187756886121bd590626e81c15de83665eeb8fcaad883

SHA512
35d66e0227eef0ae47ac936b846d3df20f80fafc6dc957b03044a0e68dfd55476f544d4f502c1941f37aec448b3c5762d3bcdac4958b7640abb7a789710ed738

Download Submit
C:\windows\system\PPRQ.exe.bat

Filesize
68B

MD5
5052b5900b1e47c97d21a27e55beb4e4

SHA1
a24c5b722312c907ddc4d252adefa29131fcabe6

SHA256
14c2209fd7c11f3855e3f0384589ac0cb2daaed75a191b0d623e3c1f4f747e91

SHA512
4d70b3788c4dae511d4250ed0ac0417dd6c2e4fb5e9088861b9c77aeeac5b21a9bb1887e66dd89fe09b316d1db8347d491b2624bf111614060c3a3048cb8b94a

Download Submit
C:\windows\system\QQFEIM.exe.bat

Filesize
72B

MD5
7645eda1169fc8fe10b0920d536cf3df

SHA1
2c8f1e157f514db7289337dd26cd1adec62ba38c

SHA256
e8092c187b3e3e66241683163d8441d14713587d3994d973eae2b3f8ac921e25

SHA512
69176312e83d63073614d707acb8a018a394feb47b173045b6910d90188d2b2fe47d4e4aff326f1abcacf4b9533a1d33b6f48e124c359d74d7da4f3831e2e6e6

Download Submit
C:\windows\system\RMZK.exe.bat

Filesize
68B

MD5
9419c959e597181905e01da1d0f15fa6

SHA1
df14156fc144db2d5d8972f84097f6afb152a2db

SHA256
e32ceac2aa488cf7f1d32d6e0a0840fbb8903b995f6ee391d25cf45cf3974721

SHA512
99d4fcd60a6ee61530fdacd6ca367248ea3ba705c1792374d0d1452dbf7a2a1fdca3c7208c066fd27efb8e45b1ea1618115d3386a67f61e86ce9a4988cd1af69

Download Submit
C:\windows\system\WEJGPRU.exe.bat

Filesize
74B

MD5
badabba7b4158c61bd899443e110fdb8

SHA1
885ec4ecb8206111dcc65290d55a7c8b682f2c33

SHA256
b91eef4f67804641224144e5afc6f481362ea58b4baef8a79a0cf984a98c0d75

SHA512
41dc02e91dd071b272882da0d285a54c24154d89bcbd902d95fbbc1572d260fce5c5ce6e36f47cfacfb04ee49fecd274d54d25d89b61320c89c43eb7df9bc77d

Download Submit
C:\windows\system\ZRCRPXU.exe

Filesize
208KB

MD5
2df5ad3596849c0e8a9978a2ff533e35

SHA1
2951f1ec38089eaffa4e9a84f86ba8ffadb7a777

SHA256
7fbd55f89cf2a81759cde2e90a0ce3505d089b1ed6768ed8a75a9fcdeb1de01c

SHA512
d4f0a16601917bdb71fd6326d863dbcb8a0ed6e656bfb11248e82c8f53a200c301291cc993ff65f5d826dcf62d7ced55c68aaac01f7083f3c39e662a61fc8ced

Download Submit
C:\windows\system\ZRCRPXU.exe.bat

Filesize
74B

MD5
be09c0039bc5cf8485c6cbee3723c3fe

SHA1
5c7b3d9b276abe769c3aa5e12a6a76b1f2f23895

SHA256
76e042258a7f1c3eadbbb24c136a46282ac72cd8ef057626716d07365a03d287

SHA512
ddf2fe560981e4048debe51fd2660b5aafac4f9318663ee1410cc45fa1a3da3ede9f51866ea59a82b29efd3157e5326e761df99654969ec66f9641699c22bfa6

Download Submit
memory/228-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/228-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/232-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/232-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/452-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/452-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/676-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/676-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-321-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1100-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1140-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1140-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1480-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1536-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1536-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2856-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2856-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3120-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3120-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3144-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3144-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3224-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3224-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3292-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3400-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3400-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3916-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3916-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4000-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4000-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4068-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4068-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4132-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4132-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4520-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4520-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4552-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4552-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4596-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4596-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4756-355-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4756-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4780-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4780-364-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4964-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download