aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4

Analysis

max time kernel
165s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
Size

320KB
MD5

8595e2ca3dc56d16c38d4f140c039748
SHA1

db425e51f9ea205dd6a58ec6e40b498ffec32b88
SHA256

aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4
SHA512

95dd167479694ea8e54e30d9a87098190ba727e8341b14d7a34a3d9d67ec75b1a424a8bfefae66968cb86e90c2faeaa51116be30ffdc9b477b11dd45a039b63d
SSDEEP

6144:hmd9Vmi7m+pbKbvP4uqHkEjWbjcSbcY+CA:hmdKwpbq1IkFbzs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DVXY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	MOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	YUB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JRD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	YGVSP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	DYWUB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	VEBLS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	RVTWXUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	APDIADM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	MYB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	XFLJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	NOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	VRWOHWI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TFFDS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	IED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	GFLHNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ANFJCW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	XHGBAZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	BAOKZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	WZOEV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	VNVWWN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	VGIIRU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TTQMTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	PKCAL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	HRRHRF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ITIJLKX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	MRHQN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TNQAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JNQTUXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	RQNWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TLYMYUA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	EVLDAFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	UAP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	LEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	NFOU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	IHYQUPS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	XAVHE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ZFUPCR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	OZZYP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	PJFMKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	LSEPTGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	UQLJOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	LASXIK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	SDVAV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	QJXRFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	YRULS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JYWRO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JSJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	LMHQZXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TTGQRJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	MOAZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ERS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	NDGFWMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	FRUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	FEOUG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	BGJUFL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JNJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	SEQDK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	JFBRK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ICBSG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	GZQRHOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	HHKQNOE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	QAREA.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	FWCWG.exe
4344	DVXY.exe
1620	DYWUB.exe
4924	FRUQ.exe
1668	WZOEV.exe
2884	MPBNLJ.exe
672	VNVWWN.exe
2028	GFLHNG.exe
1636	VGIIRU.exe
1080	FEOUG.exe
672	MRHQN.exe
1540	ANFJCW.exe
1872	ODZH.exe
456	BGJUFL.exe
1132	LEX.exe
2884	QJXRFB.exe
1596	JNJ.exe
2396	XAVHE.exe
2584	SOAQORU.exe
2108	LMHQZXF.exe
400	YWYON.exe
1872	RVTWXUL.exe
2168	OAL.exe
1612	MEK.exe
848	ICBSG.exe
3600	YIAY.exe
4648	TTGQRJN.exe
1636	DPIIN.exe
4568	GZQRHOO.exe
992	TNQAE.exe
4888	VMPD.exe
404	HHKQNOE.exe
1036	ZFUPCR.exe
2508	APDIADM.exe
1368	QAREA.exe
3056	MYB.exe
3684	EBHM.exe
3308	OZZYP.exe
3500	NFOU.exe
4360	FCGGLKJ.exe
2976	JNQTUXM.exe
2140	RQNWE.exe
5044	MOI.exe
2028	YUB.exe
448	XFLJN.exe
1396	TLYMYUA.exe
5040	NOV.exe
1568	GBGIWNK.exe
3104	VRWOHWI.exe
5032	UPXEWNR.exe
4436	FYELON.exe
4796	TTQMTB.exe
872	JRD.exe
4336	SXGHL.exe
1048	IILCX.exe
3776	XEJVMU.exe
1936	EVLDAFK.exe
812	PJFMKI.exe
1984	XHGBAZR.exe
1396	UAP.exe
4656	BEOHVVE.exe
2884	IPD.exe
2548	MOAZ.exe
3008	YGVSP.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\VRWOHWI.exe	GBGIWNK.exe
File created	C:\windows\SysWOW64\IILCX.exe.bat	SXGHL.exe
File opened for modification	C:\windows\SysWOW64\SOAQORU.exe	XAVHE.exe
File opened for modification	C:\windows\SysWOW64\OAL.exe	RVTWXUL.exe
File opened for modification	C:\windows\SysWOW64\YRULS.exe	UQLJOV.exe
File created	C:\windows\SysWOW64\MPBNLJ.exe	WZOEV.exe
File created	C:\windows\SysWOW64\VGIIRU.exe	GFLHNG.exe
File created	C:\windows\SysWOW64\VRWOHWI.exe.bat	GBGIWNK.exe
File opened for modification	C:\windows\SysWOW64\EVLDAFK.exe	XEJVMU.exe
File opened for modification	C:\windows\SysWOW64\JYWRO.exe	XQD.exe
File created	C:\windows\SysWOW64\OAL.exe.bat	RVTWXUL.exe
File created	C:\windows\SysWOW64\JJQLFO.exe	YRULS.exe
File opened for modification	C:\windows\SysWOW64\JFBRK.exe	BAOKZ.exe
File created	C:\windows\SysWOW64\FRUQ.exe	DYWUB.exe
File opened for modification	C:\windows\SysWOW64\XFLJN.exe	YUB.exe
File created	C:\windows\SysWOW64\XFLJN.exe.bat	YUB.exe
File created	C:\windows\SysWOW64\YRULS.exe	UQLJOV.exe
File created	C:\windows\SysWOW64\FRUQ.exe.bat	DYWUB.exe
File created	C:\windows\SysWOW64\LMHQZXF.exe	SOAQORU.exe
File opened for modification	C:\windows\SysWOW64\UQLJOV.exe	LSEPTGY.exe
File created	C:\windows\SysWOW64\ICBSG.exe.bat	MEK.exe
File opened for modification	C:\windows\SysWOW64\UPXEWNR.exe	VRWOHWI.exe
File created	C:\windows\SysWOW64\ANFJCW.exe.bat	MRHQN.exe
File created	C:\windows\SysWOW64\GZQRHOO.exe	DPIIN.exe
File created	C:\windows\SysWOW64\GZQRHOO.exe.bat	DPIIN.exe
File opened for modification	C:\windows\SysWOW64\IILCX.exe	SXGHL.exe
File opened for modification	C:\windows\SysWOW64\LMHQZXF.exe	SOAQORU.exe
File created	C:\windows\SysWOW64\SEQDK.exe	IHYQUPS.exe
File opened for modification	C:\windows\SysWOW64\SDVAV.exe	JFBRK.exe
File created	C:\windows\SysWOW64\MPBNLJ.exe.bat	WZOEV.exe
File opened for modification	C:\windows\SysWOW64\ANFJCW.exe	MRHQN.exe
File opened for modification	C:\windows\SysWOW64\TFFDS.exe	LASXIK.exe
File created	C:\windows\SysWOW64\TFFDS.exe.bat	LASXIK.exe
File opened for modification	C:\windows\SysWOW64\VRWOHWI.exe	GBGIWNK.exe
File created	C:\windows\SysWOW64\WZOEV.exe.bat	FRUQ.exe
File opened for modification	C:\windows\SysWOW64\VGIIRU.exe	GFLHNG.exe
File created	C:\windows\SysWOW64\JYWRO.exe.bat	XQD.exe
File created	C:\windows\SysWOW64\EVLDAFK.exe	XEJVMU.exe
File created	C:\windows\SysWOW64\VEBLS.exe	KYLVQZN.exe
File created	C:\windows\SysWOW64\VEBLS.exe.bat	KYLVQZN.exe
File created	C:\windows\SysWOW64\UQLJOV.exe	LSEPTGY.exe
File opened for modification	C:\windows\SysWOW64\FRUQ.exe	DYWUB.exe
File created	C:\windows\SysWOW64\FEOUG.exe.bat	VGIIRU.exe
File opened for modification	C:\windows\SysWOW64\GZQRHOO.exe	DPIIN.exe
File opened for modification	C:\windows\SysWOW64\RCNPDGV.exe	VEBLS.exe
File created	C:\windows\SysWOW64\UPXEWNR.exe	VRWOHWI.exe
File created	C:\windows\SysWOW64\YRULS.exe.bat	UQLJOV.exe
File created	C:\windows\SysWOW64\MOAZ.exe.bat	IPD.exe
File created	C:\windows\SysWOW64\RCNPDGV.exe.bat	VEBLS.exe
File created	C:\windows\SysWOW64\JYWRO.exe	XQD.exe
File created	C:\windows\SysWOW64\FEOUG.exe	VGIIRU.exe
File created	C:\windows\SysWOW64\XEJVMU.exe.bat	IILCX.exe
File created	C:\windows\SysWOW64\TFFDS.exe	LASXIK.exe
File created	C:\windows\SysWOW64\YIAY.exe.bat	ICBSG.exe
File created	C:\windows\SysWOW64\IILCX.exe	SXGHL.exe
File opened for modification	C:\windows\SysWOW64\VEBLS.exe	KYLVQZN.exe
File opened for modification	C:\windows\SysWOW64\JJQLFO.exe	YRULS.exe
File created	C:\windows\SysWOW64\WZOEV.exe	FRUQ.exe
File opened for modification	C:\windows\SysWOW64\FEOUG.exe	VGIIRU.exe
File created	C:\windows\SysWOW64\HUTBO.exe.bat	JJQLFO.exe
File created	C:\windows\SysWOW64\SDVAV.exe.bat	JFBRK.exe
File opened for modification	C:\windows\SysWOW64\WZOEV.exe	FRUQ.exe
File opened for modification	C:\windows\SysWOW64\SEQDK.exe	IHYQUPS.exe
File created	C:\windows\SysWOW64\UAP.exe.bat	XHGBAZR.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\FCGGLKJ.exe.bat	NFOU.exe
File created	C:\windows\TLYMYUA.exe	XFLJN.exe
File opened for modification	C:\windows\system\KYLVQZN.exe	PKCAL.exe
File created	C:\windows\IHYQUPS.exe.bat	HRRHRF.exe
File opened for modification	C:\windows\system\GQTC.exe	RCNPDGV.exe
File created	C:\windows\system\HRRHRF.exe.bat	FBV.exe
File created	C:\windows\system\VNVWWN.exe.bat	MPBNLJ.exe
File created	C:\windows\QAREA.exe	APDIADM.exe
File created	C:\windows\MYB.exe.bat	QAREA.exe
File created	C:\windows\SXGHL.exe.bat	JRD.exe
File created	C:\windows\JRD.exe	TTQMTB.exe
File created	C:\windows\QJXRFB.exe.bat	LEX.exe
File opened for modification	C:\windows\APDIADM.exe	ZFUPCR.exe
File created	C:\windows\QAREA.exe.bat	APDIADM.exe
File created	C:\windows\system\RQNWE.exe.bat	JNQTUXM.exe
File created	C:\windows\system\PJFMKI.exe	EVLDAFK.exe
File created	C:\windows\system\ERS.exe.bat	YGVSP.exe
File created	C:\windows\system\BAOKZ.exe	IED.exe
File created	C:\windows\ITIJLKX.exe	SDVAV.exe
File created	C:\windows\APDIADM.exe.bat	ZFUPCR.exe
File opened for modification	C:\windows\MYB.exe	QAREA.exe
File opened for modification	C:\windows\GBGIWNK.exe	NOV.exe
File created	C:\windows\system\TTQMTB.exe	FYELON.exe
File opened for modification	C:\windows\system\LEX.exe	BGJUFL.exe
File created	C:\windows\system\MEK.exe	OAL.exe
File created	C:\windows\DPIIN.exe.bat	TTGQRJN.exe
File created	C:\windows\ZFUPCR.exe.bat	HHKQNOE.exe
File opened for modification	C:\windows\PKCAL.exe	ERS.exe
File opened for modification	C:\windows\IHYQUPS.exe	HRRHRF.exe
File opened for modification	C:\windows\system\TTQMTB.exe	FYELON.exe
File opened for modification	C:\windows\XAVHE.exe	JNJ.exe
File opened for modification	C:\windows\HHKQNOE.exe	VMPD.exe
File created	C:\windows\HHKQNOE.exe.bat	VMPD.exe
File created	C:\windows\TLYMYUA.exe.bat	XFLJN.exe
File created	C:\windows\system\FYELON.exe	UPXEWNR.exe
File created	C:\windows\PKCAL.exe.bat	ERS.exe
File opened for modification	C:\windows\LSEPTGY.exe	SEQDK.exe
File created	C:\windows\MRHQN.exe	FEOUG.exe
File created	C:\windows\system\ODZH.exe.bat	ANFJCW.exe
File created	C:\windows\VMPD.exe.bat	TNQAE.exe
File opened for modification	C:\windows\QAREA.exe	APDIADM.exe
File created	C:\windows\YUB.exe.bat	MOI.exe
File created	C:\windows\BEOHVVE.exe.bat	UAP.exe
File created	C:\windows\system\JSJ.exe.bat	NDGFWMR.exe
File created	C:\windows\DVXY.exe	FWCWG.exe
File created	C:\windows\system\VNVWWN.exe	MPBNLJ.exe
File opened for modification	C:\windows\BGJUFL.exe	ODZH.exe
File opened for modification	C:\windows\EBHM.exe	MYB.exe
File opened for modification	C:\windows\QJXRFB.exe	LEX.exe
File created	C:\windows\BEOHVVE.exe	UAP.exe
File created	C:\windows\system\BAOKZ.exe.bat	IED.exe
File created	C:\windows\system\KYLVQZN.exe.bat	PKCAL.exe
File opened for modification	C:\windows\NDGFWMR.exe	SROET.exe
File created	C:\windows\TNQAE.exe	GZQRHOO.exe
File created	C:\windows\APDIADM.exe	ZFUPCR.exe
File created	C:\windows\system\TTQMTB.exe.bat	FYELON.exe
File created	C:\windows\system\ERS.exe	YGVSP.exe
File created	C:\windows\SROET.exe	ITIJLKX.exe
File created	C:\windows\system\FWCWG.exe.bat	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
File created	C:\windows\XAVHE.exe.bat	JNJ.exe
File opened for modification	C:\windows\TNQAE.exe	GZQRHOO.exe
File opened for modification	C:\windows\XHGBAZR.exe	PJFMKI.exe
File created	C:\windows\EBHM.exe	MYB.exe
File created	C:\windows\system\FCGGLKJ.exe	NFOU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5048	3644	WerFault.exe	94
3092	2924	WerFault.exe	101
3480	4344	WerFault.exe	108
3764	1620	WerFault.exe	113
1208	4924	WerFault.exe	118
4240	1668	WerFault.exe	124
3772	2884	WerFault.exe	129
5076	672	WerFault.exe	134
3640	2028	WerFault.exe	139
824	1636	WerFault.exe	146
3028	1080	WerFault.exe	153
3680	672	WerFault.exe	159
1636	1540	WerFault.exe	164
364	1872	WerFault.exe	169
1044	456	WerFault.exe	174
4024	1132	WerFault.exe	180
372	2884	WerFault.exe	185
3600	1596	WerFault.exe	192
1132	2396	WerFault.exe	196
1612	2584	WerFault.exe	202
1132	2108	WerFault.exe	207
2868	400	WerFault.exe	212
1120	1872	WerFault.exe	217
404	2168	WerFault.exe	222
1956	1612	WerFault.exe	226
3384	1636	WerFault.exe	245
876	4568	WerFault.exe	251
676	992	WerFault.exe	256
3856	4888	WerFault.exe	261
3776	404	WerFault.exe	266
5008	1036	WerFault.exe	271
3500	2508	WerFault.exe	276
2640	1368	WerFault.exe	281
4104	3056	WerFault.exe	286
1960	3684	WerFault.exe	291
992	3308	WerFault.exe	296
2548	3500	WerFault.exe	301
400	4360	WerFault.exe	306
5032	2976	WerFault.exe	311
1604	2140	WerFault.exe	316
1036	5044	WerFault.exe	321
2736	2028	WerFault.exe	326
2616	448	WerFault.exe	331
2544	1396	WerFault.exe	336
3696	5040	WerFault.exe	341
2792	1568	WerFault.exe	346
4404	3104	WerFault.exe	351
1608	5032	WerFault.exe	356
1232	4436	WerFault.exe	361
2868	4796	WerFault.exe	366
448	872	WerFault.exe	372
3768	4336	WerFault.exe	377
660	1048	WerFault.exe	382
1384	3776	WerFault.exe	387
224	1936	WerFault.exe	393
2028	812	WerFault.exe	398
4880	1984	WerFault.exe	403
2508	1396	WerFault.exe	408
1188	4656	WerFault.exe	413
4392	2884	WerFault.exe	418
1048	2548	WerFault.exe	422
4316	3008	WerFault.exe	428
2180	4124	WerFault.exe	433
3744	2428	WerFault.exe	438

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
2924	FWCWG.exe
2924	FWCWG.exe
4344	DVXY.exe
4344	DVXY.exe
1620	DYWUB.exe
1620	DYWUB.exe
4924	FRUQ.exe
4924	FRUQ.exe
1668	WZOEV.exe
1668	WZOEV.exe
2884	MPBNLJ.exe
2884	MPBNLJ.exe
672	VNVWWN.exe
672	VNVWWN.exe
2028	GFLHNG.exe
2028	GFLHNG.exe
1636	VGIIRU.exe
1636	VGIIRU.exe
1080	FEOUG.exe
1080	FEOUG.exe
672	MRHQN.exe
672	MRHQN.exe
1540	ANFJCW.exe
1540	ANFJCW.exe
1872	ODZH.exe
1872	ODZH.exe
456	BGJUFL.exe
456	BGJUFL.exe
1132	LEX.exe
1132	LEX.exe
2884	QJXRFB.exe
2884	QJXRFB.exe
1596	JNJ.exe
1596	JNJ.exe
2396	XAVHE.exe
2396	XAVHE.exe
2584	SOAQORU.exe
2584	SOAQORU.exe
2108	LMHQZXF.exe
2108	LMHQZXF.exe
400	YWYON.exe
400	YWYON.exe
1872	RVTWXUL.exe
1872	RVTWXUL.exe
2168	OAL.exe
2168	OAL.exe
1612	MEK.exe
1612	MEK.exe
848	ICBSG.exe
848	ICBSG.exe
3600	YIAY.exe
3600	YIAY.exe
4648	TTGQRJN.exe
4648	TTGQRJN.exe
1636	DPIIN.exe
1636	DPIIN.exe
4568	GZQRHOO.exe
4568	GZQRHOO.exe
992	TNQAE.exe
992	TNQAE.exe
4888	VMPD.exe
4888	VMPD.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
2924	FWCWG.exe
2924	FWCWG.exe
4344	DVXY.exe
4344	DVXY.exe
1620	DYWUB.exe
1620	DYWUB.exe
4924	FRUQ.exe
4924	FRUQ.exe
1668	WZOEV.exe
1668	WZOEV.exe
2884	MPBNLJ.exe
2884	MPBNLJ.exe
672	VNVWWN.exe
672	VNVWWN.exe
2028	GFLHNG.exe
2028	GFLHNG.exe
1636	VGIIRU.exe
1636	VGIIRU.exe
1080	FEOUG.exe
1080	FEOUG.exe
672	MRHQN.exe
672	MRHQN.exe
1540	ANFJCW.exe
1540	ANFJCW.exe
1872	ODZH.exe
1872	ODZH.exe
456	BGJUFL.exe
456	BGJUFL.exe
1132	LEX.exe
1132	LEX.exe
2884	QJXRFB.exe
2884	QJXRFB.exe
1596	JNJ.exe
1596	JNJ.exe
2396	XAVHE.exe
2396	XAVHE.exe
2584	SOAQORU.exe
2584	SOAQORU.exe
2108	LMHQZXF.exe
2108	LMHQZXF.exe
400	YWYON.exe
400	YWYON.exe
1872	RVTWXUL.exe
1872	RVTWXUL.exe
2168	OAL.exe
2168	OAL.exe
1612	MEK.exe
1612	MEK.exe
848	ICBSG.exe
848	ICBSG.exe
3600	YIAY.exe
3600	YIAY.exe
4648	TTGQRJN.exe
4648	TTGQRJN.exe
1636	DPIIN.exe
1636	DPIIN.exe
4568	GZQRHOO.exe
4568	GZQRHOO.exe
992	TNQAE.exe
992	TNQAE.exe
4888	VMPD.exe
4888	VMPD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 1796	3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe	98
PID 3644 wrote to memory of 1796	3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe	98
PID 3644 wrote to memory of 1796	3644	aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe	98
PID 1796 wrote to memory of 2924	1796	cmd.exe	101
PID 1796 wrote to memory of 2924	1796	cmd.exe	101
PID 1796 wrote to memory of 2924	1796	cmd.exe	101
PID 2924 wrote to memory of 3500	2924	FWCWG.exe	104
PID 2924 wrote to memory of 3500	2924	FWCWG.exe	104
PID 2924 wrote to memory of 3500	2924	FWCWG.exe	104
PID 3500 wrote to memory of 4344	3500	cmd.exe	108
PID 3500 wrote to memory of 4344	3500	cmd.exe	108
PID 3500 wrote to memory of 4344	3500	cmd.exe	108
PID 4344 wrote to memory of 824	4344	DVXY.exe	109
PID 4344 wrote to memory of 824	4344	DVXY.exe	109
PID 4344 wrote to memory of 824	4344	DVXY.exe	109
PID 824 wrote to memory of 1620	824	cmd.exe	113
PID 824 wrote to memory of 1620	824	cmd.exe	113
PID 824 wrote to memory of 1620	824	cmd.exe	113
PID 1620 wrote to memory of 3680	1620	DYWUB.exe	114
PID 1620 wrote to memory of 3680	1620	DYWUB.exe	114
PID 1620 wrote to memory of 3680	1620	DYWUB.exe	114
PID 3680 wrote to memory of 4924	3680	cmd.exe	118
PID 3680 wrote to memory of 4924	3680	cmd.exe	118
PID 3680 wrote to memory of 4924	3680	cmd.exe	118
PID 4924 wrote to memory of 4976	4924	FRUQ.exe	137
PID 4924 wrote to memory of 4976	4924	FRUQ.exe	137
PID 4924 wrote to memory of 4976	4924	FRUQ.exe	137
PID 4976 wrote to memory of 1668	4976	cmd.exe	124
PID 4976 wrote to memory of 1668	4976	cmd.exe	124
PID 4976 wrote to memory of 1668	4976	cmd.exe	124
PID 1668 wrote to memory of 2952	1668	WZOEV.exe	125
PID 1668 wrote to memory of 2952	1668	WZOEV.exe	125
PID 1668 wrote to memory of 2952	1668	WZOEV.exe	125
PID 2952 wrote to memory of 2884	2952	cmd.exe	129
PID 2952 wrote to memory of 2884	2952	cmd.exe	129
PID 2952 wrote to memory of 2884	2952	cmd.exe	129
PID 2884 wrote to memory of 4876	2884	MPBNLJ.exe	130
PID 2884 wrote to memory of 4876	2884	MPBNLJ.exe	130
PID 2884 wrote to memory of 4876	2884	MPBNLJ.exe	130
PID 4876 wrote to memory of 672	4876	cmd.exe	159
PID 4876 wrote to memory of 672	4876	cmd.exe	159
PID 4876 wrote to memory of 672	4876	cmd.exe	159
PID 672 wrote to memory of 1080	672	VNVWWN.exe	153
PID 672 wrote to memory of 1080	672	VNVWWN.exe	153
PID 672 wrote to memory of 1080	672	VNVWWN.exe	153
PID 1080 wrote to memory of 2028	1080	cmd.exe	139
PID 1080 wrote to memory of 2028	1080	cmd.exe	139
PID 1080 wrote to memory of 2028	1080	cmd.exe	139
PID 2028 wrote to memory of 1208	2028	GFLHNG.exe	155
PID 2028 wrote to memory of 1208	2028	GFLHNG.exe	155
PID 2028 wrote to memory of 1208	2028	GFLHNG.exe	155
PID 1208 wrote to memory of 1636	1208	cmd.exe	168
PID 1208 wrote to memory of 1636	1208	cmd.exe	168
PID 1208 wrote to memory of 1636	1208	cmd.exe	168
PID 1636 wrote to memory of 4532	1636	VGIIRU.exe	149
PID 1636 wrote to memory of 4532	1636	VGIIRU.exe	149
PID 1636 wrote to memory of 4532	1636	VGIIRU.exe	149
PID 4532 wrote to memory of 1080	4532	cmd.exe	153
PID 4532 wrote to memory of 1080	4532	cmd.exe	153
PID 4532 wrote to memory of 1080	4532	cmd.exe	153
PID 1080 wrote to memory of 4344	1080	FEOUG.exe	154
PID 1080 wrote to memory of 4344	1080	FEOUG.exe	154
PID 1080 wrote to memory of 4344	1080	FEOUG.exe	154
PID 4344 wrote to memory of 672	4344	cmd.exe	159

C:\Users\Admin\AppData\Local\Temp\aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe
"C:\Users\Admin\AppData\Local\Temp\aebcd4f236369977e1c6fd9307eca7beff9f405d788f6a158ffe4a4a8870d8c4.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\FWCWG.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\windows\system\FWCWG.exe
    C:\windows\system\FWCWG.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\DVXY.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\windows\DVXY.exe
        
        C:\windows\DVXY.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYWUB.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\windows\system\DYWUB.exe
        
        C:\windows\system\DYWUB.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRUQ.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\windows\SysWOW64\FRUQ.exe
        
        C:\windows\system32\FRUQ.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WZOEV.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\windows\SysWOW64\WZOEV.exe
        
        C:\windows\system32\WZOEV.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MPBNLJ.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\windows\SysWOW64\MPBNLJ.exe
        
        C:\windows\system32\MPBNLJ.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VNVWWN.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\windows\system\VNVWWN.exe
        
        C:\windows\system\VNVWWN.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFLHNG.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4976
        
        C:\windows\system\GFLHNG.exe
        
        C:\windows\system\GFLHNG.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGIIRU.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\windows\SysWOW64\VGIIRU.exe
        
        C:\windows\system32\VGIIRU.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEOUG.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\windows\SysWOW64\FEOUG.exe
        
        C:\windows\system32\FEOUG.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MRHQN.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\windows\MRHQN.exe
        
        C:\windows\MRHQN.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANFJCW.exe.bat" "
        24⤵
        
        PID:2884
        
        C:\windows\SysWOW64\ANFJCW.exe
        
        C:\windows\system32\ANFJCW.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ODZH.exe.bat" "
        26⤵
        
        PID:1232
        
        C:\windows\system\ODZH.exe
        
        C:\windows\system\ODZH.exe
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BGJUFL.exe.bat" "
        28⤵
        
        PID:1132
        
        C:\windows\BGJUFL.exe
        
        C:\windows\BGJUFL.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LEX.exe.bat" "
        30⤵
        
        PID:4988
        
        C:\windows\system\LEX.exe
        
        C:\windows\system\LEX.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QJXRFB.exe.bat" "
        32⤵
        
        PID:2924
        
        C:\windows\QJXRFB.exe
        
        C:\windows\QJXRFB.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNJ.exe.bat" "
        34⤵
        
        PID:3140
        
        C:\windows\SysWOW64\JNJ.exe
        
        C:\windows\system32\JNJ.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XAVHE.exe.bat" "
        36⤵
        
        PID:4024
        
        C:\windows\XAVHE.exe
        
        C:\windows\XAVHE.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOAQORU.exe.bat" "
        38⤵
        
        PID:364
        
        C:\windows\SysWOW64\SOAQORU.exe
        
        C:\windows\system32\SOAQORU.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMHQZXF.exe.bat" "
        40⤵
        
        PID:992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2924
        
        C:\windows\SysWOW64\LMHQZXF.exe
        
        C:\windows\system32\LMHQZXF.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YWYON.exe.bat" "
        42⤵
        
        PID:5076
        
        C:\windows\system\YWYON.exe
        
        C:\windows\system\YWYON.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "
        44⤵
        
        PID:1248
        
        C:\windows\RVTWXUL.exe
        
        C:\windows\RVTWXUL.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OAL.exe.bat" "
        46⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1596
        
        C:\windows\SysWOW64\OAL.exe
        
        C:\windows\system32\OAL.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEK.exe.bat" "
        48⤵
        
        PID:2236
        
        C:\windows\system\MEK.exe
        
        C:\windows\system\MEK.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICBSG.exe.bat" "
        50⤵
        
        PID:4860
        
        C:\windows\SysWOW64\ICBSG.exe
        
        C:\windows\system32\ICBSG.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIAY.exe.bat" "
        52⤵
        
        PID:1604
        
        C:\windows\SysWOW64\YIAY.exe
        
        C:\windows\system32\YIAY.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTGQRJN.exe.bat" "
        54⤵
        
        PID:1788
        
        C:\windows\system\TTGQRJN.exe
        
        C:\windows\system\TTGQRJN.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DPIIN.exe.bat" "
        56⤵
        
        PID:4104
        
        C:\windows\DPIIN.exe
        
        C:\windows\DPIIN.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZQRHOO.exe.bat" "
        58⤵
        
        PID:4048
        
        C:\windows\SysWOW64\GZQRHOO.exe
        
        C:\windows\system32\GZQRHOO.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TNQAE.exe.bat" "
        60⤵
        
        PID:1788
        
        C:\windows\TNQAE.exe
        
        C:\windows\TNQAE.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VMPD.exe.bat" "
        62⤵
        
        PID:2616
        
        C:\windows\VMPD.exe
        
        C:\windows\VMPD.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHKQNOE.exe.bat" "
        64⤵
        
        PID:4632
        
        C:\windows\HHKQNOE.exe
        
        C:\windows\HHKQNOE.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "
        66⤵
        
        PID:4124
        
        C:\windows\ZFUPCR.exe
        
        C:\windows\ZFUPCR.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\APDIADM.exe.bat" "
        68⤵
        
        PID:1260
        
        C:\windows\APDIADM.exe
        
        C:\windows\APDIADM.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QAREA.exe.bat" "
        70⤵
        
        PID:3028
        
        C:\windows\QAREA.exe
        
        C:\windows\QAREA.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MYB.exe.bat" "
        72⤵
        
        PID:3768
        
        C:\windows\MYB.exe
        
        C:\windows\MYB.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EBHM.exe.bat" "
        74⤵
        
        PID:1788
        
        C:\windows\EBHM.exe
        
        C:\windows\EBHM.exe
        75⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OZZYP.exe.bat" "
        76⤵
        
        PID:1544
        
        C:\windows\OZZYP.exe
        
        C:\windows\OZZYP.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFOU.exe.bat" "
        78⤵
        
        PID:1080
        
        C:\windows\system\NFOU.exe
        
        C:\windows\system\NFOU.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCGGLKJ.exe.bat" "
        80⤵
        
        PID:404
        
        C:\windows\system\FCGGLKJ.exe
        
        C:\windows\system\FCGGLKJ.exe
        81⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNQTUXM.exe.bat" "
        82⤵
        
        PID:2992
        
        C:\windows\SysWOW64\JNQTUXM.exe
        
        C:\windows\system32\JNQTUXM.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQNWE.exe.bat" "
        84⤵
        
        PID:4964
        
        C:\windows\system\RQNWE.exe
        
        C:\windows\system\RQNWE.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MOI.exe.bat" "
        86⤵
        
        PID:3300
        
        C:\windows\MOI.exe
        
        C:\windows\MOI.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUB.exe.bat" "
        88⤵
        
        PID:4568
        
        C:\windows\YUB.exe
        
        C:\windows\YUB.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XFLJN.exe.bat" "
        90⤵
        
        PID:1372
        
        C:\windows\SysWOW64\XFLJN.exe
        
        C:\windows\system32\XFLJN.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TLYMYUA.exe.bat" "
        92⤵
        
        PID:4544
        
        C:\windows\TLYMYUA.exe
        
        C:\windows\TLYMYUA.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NOV.exe.bat" "
        94⤵
        
        PID:1960
        
        C:\windows\NOV.exe
        
        C:\windows\NOV.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GBGIWNK.exe.bat" "
        96⤵
        
        PID:3028
        
        C:\windows\GBGIWNK.exe
        
        C:\windows\GBGIWNK.exe
        97⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VRWOHWI.exe.bat" "
        98⤵
        
        PID:3856
        
        C:\windows\SysWOW64\VRWOHWI.exe
        
        C:\windows\system32\VRWOHWI.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPXEWNR.exe.bat" "
        100⤵
        
        PID:2416
        
        C:\windows\SysWOW64\UPXEWNR.exe
        
        C:\windows\system32\UPXEWNR.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FYELON.exe.bat" "
        102⤵
        
        PID:2244
        
        C:\windows\system\FYELON.exe
        
        C:\windows\system\FYELON.exe
        103⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTQMTB.exe.bat" "
        104⤵
        
        PID:3652
        
        C:\windows\system\TTQMTB.exe
        
        C:\windows\system\TTQMTB.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JRD.exe.bat" "
        106⤵
        
        PID:2612
        
        C:\windows\JRD.exe
        
        C:\windows\JRD.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SXGHL.exe.bat" "
        108⤵
        
        PID:544
        
        C:\windows\SXGHL.exe
        
        C:\windows\SXGHL.exe
        109⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IILCX.exe.bat" "
        110⤵
        
        PID:1536
        
        C:\windows\SysWOW64\IILCX.exe
        
        C:\windows\system32\IILCX.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XEJVMU.exe.bat" "
        112⤵
        
        PID:4476
        
        C:\windows\SysWOW64\XEJVMU.exe
        
        C:\windows\system32\XEJVMU.exe
        113⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVLDAFK.exe.bat" "
        114⤵
        
        PID:3008
        
        C:\windows\SysWOW64\EVLDAFK.exe
        
        C:\windows\system32\EVLDAFK.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJFMKI.exe.bat" "
        116⤵
        
        PID:5008
        
        C:\windows\system\PJFMKI.exe
        
        C:\windows\system\PJFMKI.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XHGBAZR.exe.bat" "
        118⤵
        
        PID:956
        
        C:\windows\XHGBAZR.exe
        
        C:\windows\XHGBAZR.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAP.exe.bat" "
        120⤵
        
        PID:3344
        
        C:\windows\SysWOW64\UAP.exe
        
        C:\windows\system32\UAP.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BEOHVVE.exe.bat" "
        122⤵
        
        PID:1568
        
        C:\windows\BEOHVVE.exe
        
        C:\windows\BEOHVVE.exe
        123⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IPD.exe.bat" "
        124⤵
        
        PID:4988
        
        C:\windows\IPD.exe
        
        C:\windows\IPD.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOAZ.exe.bat" "
        126⤵
        
        PID:544
        
        C:\windows\SysWOW64\MOAZ.exe
        
        C:\windows\system32\MOAZ.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YGVSP.exe.bat" "
        128⤵
        
        PID:5032
        
        C:\windows\YGVSP.exe
        
        C:\windows\YGVSP.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERS.exe.bat" "
        130⤵
        
        PID:2244
        
        C:\windows\system\ERS.exe
        
        C:\windows\system\ERS.exe
        131⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PKCAL.exe.bat" "
        132⤵
        
        PID:2668
        
        C:\windows\PKCAL.exe
        
        C:\windows\PKCAL.exe
        133⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYLVQZN.exe.bat" "
        134⤵
        
        PID:1060
        
        C:\windows\system\KYLVQZN.exe
        
        C:\windows\system\KYLVQZN.exe
        135⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEBLS.exe.bat" "
        136⤵
        
        PID:2168
        
        C:\windows\SysWOW64\VEBLS.exe
        
        C:\windows\system32\VEBLS.exe
        137⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCNPDGV.exe.bat" "
        138⤵
        
        PID:1804
        
        C:\windows\SysWOW64\RCNPDGV.exe
        
        C:\windows\system32\RCNPDGV.exe
        139⤵
        Drops file in Windows directory
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GQTC.exe.bat" "
        140⤵
        
        PID:4440
        
        C:\windows\system\GQTC.exe
        
        C:\windows\system\GQTC.exe
        141⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBV.exe.bat" "
        142⤵
        
        PID:1636
        
        C:\windows\system\FBV.exe
        
        C:\windows\system\FBV.exe
        143⤵
        Drops file in Windows directory
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HRRHRF.exe.bat" "
        144⤵
        
        PID:3096
        
        C:\windows\system\HRRHRF.exe
        
        C:\windows\system\HRRHRF.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IHYQUPS.exe.bat" "
        146⤵
        
        PID:1808
        
        C:\windows\IHYQUPS.exe
        
        C:\windows\IHYQUPS.exe
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEQDK.exe.bat" "
        148⤵
        
        PID:2044
        
        C:\windows\SysWOW64\SEQDK.exe
        
        C:\windows\system32\SEQDK.exe
        149⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LSEPTGY.exe.bat" "
        150⤵
        
        PID:1776
        
        C:\windows\LSEPTGY.exe
        
        C:\windows\LSEPTGY.exe
        151⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UQLJOV.exe.bat" "
        152⤵
        
        PID:3212
        
        C:\windows\SysWOW64\UQLJOV.exe
        
        C:\windows\system32\UQLJOV.exe
        153⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRULS.exe.bat" "
        154⤵
        
        PID:636
        
        C:\windows\SysWOW64\YRULS.exe
        
        C:\windows\system32\YRULS.exe
        155⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JJQLFO.exe.bat" "
        156⤵
        
        PID:2044
        
        C:\windows\SysWOW64\JJQLFO.exe
        
        C:\windows\system32\JJQLFO.exe
        157⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HUTBO.exe.bat" "
        158⤵
        
        PID:3856
        
        C:\windows\SysWOW64\HUTBO.exe
        
        C:\windows\system32\HUTBO.exe
        159⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LASXIK.exe.bat" "
        160⤵
        
        PID:860
        
        C:\windows\system\LASXIK.exe
        
        C:\windows\system\LASXIK.exe
        161⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFFDS.exe.bat" "
        162⤵
        
        PID:1880
        
        C:\windows\SysWOW64\TFFDS.exe
        
        C:\windows\system32\TFFDS.exe
        163⤵
        Checks computer location settings
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQD.exe.bat" "
        164⤵
        
        PID:224
        
        C:\windows\system\XQD.exe
        
        C:\windows\system\XQD.exe
        165⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JYWRO.exe.bat" "
        166⤵
        
        PID:2964
        
        C:\windows\SysWOW64\JYWRO.exe
        
        C:\windows\system32\JYWRO.exe
        167⤵
        Checks computer location settings
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IED.exe.bat" "
        168⤵
        
        PID:1232
        
        C:\windows\IED.exe
        
        C:\windows\IED.exe
        169⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BAOKZ.exe.bat" "
        170⤵
        
        PID:4868
        
        C:\windows\system\BAOKZ.exe
        
        C:\windows\system\BAOKZ.exe
        171⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFBRK.exe.bat" "
        172⤵
        
        PID:3372
        
        C:\windows\SysWOW64\JFBRK.exe
        
        C:\windows\system32\JFBRK.exe
        173⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SDVAV.exe.bat" "
        174⤵
        
        PID:4448
        
        C:\windows\SysWOW64\SDVAV.exe
        
        C:\windows\system32\SDVAV.exe
        175⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ITIJLKX.exe.bat" "
        176⤵
        
        PID:3380
        
        C:\windows\ITIJLKX.exe
        
        C:\windows\ITIJLKX.exe
        177⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SROET.exe.bat" "
        178⤵
        
        PID:3104
        
        C:\windows\SROET.exe
        
        C:\windows\SROET.exe
        179⤵
        Drops file in Windows directory
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NDGFWMR.exe.bat" "
        180⤵
        
        PID:1640
        
        C:\windows\NDGFWMR.exe
        
        C:\windows\NDGFWMR.exe
        181⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JSJ.exe.bat" "
        182⤵
        
        PID:1620
        
        C:\windows\system\JSJ.exe
        
        C:\windows\system\JSJ.exe
        183⤵
        Checks computer location settings
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LOB.exe.bat" "
        184⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1312
        184⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1336
        182⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1296
        180⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1304
        178⤵
        
        PID:184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1252
        176⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 960
        174⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 960
        172⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1308
        170⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1008
        168⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1328
        166⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1304
        164⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 988
        162⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
        160⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1328
        158⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 960
        156⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1328
        154⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1004
        152⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1324
        150⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1308
        148⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1004
        146⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1272
        144⤵
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1312
        142⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 960
        140⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1332
        138⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 988
        136⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1264
        134⤵
        Program crash
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 968
        132⤵
        Program crash
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1316
        130⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 960
        128⤵
        Program crash
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 960
        126⤵
        Program crash
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 960
        124⤵
        Program crash
        
        PID:1188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 976
        122⤵
        Program crash
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1328
        120⤵
        Program crash
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1352
        118⤵
        Program crash
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 960
        116⤵
        Program crash
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 968
        114⤵
        Program crash
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1328
        112⤵
        Program crash
        
        PID:660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 992
        110⤵
        Program crash
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1004
        108⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1264
        106⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 960
        104⤵
        Program crash
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1248
        102⤵
        Program crash
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1328
        100⤵
        Program crash
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1300
        98⤵
        Program crash
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1352
        96⤵
        Program crash
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1296
        94⤵
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 980
        92⤵
        Program crash
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 960
        90⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1296
        88⤵
        Program crash
        
        PID:1036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 960
        86⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1308
        84⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1328
        82⤵
        Program crash
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1308
        80⤵
        Program crash
        
        PID:2548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1280
        78⤵
        Program crash
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1324
        76⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1316
        74⤵
        Program crash
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1324
        72⤵
        Program crash
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 960
        70⤵
        Program crash
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1264
        68⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1324
        66⤵
        Program crash
        
        PID:3776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 960
        64⤵
        Program crash
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 968
        62⤵
        Program crash
        
        PID:676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 960
        60⤵
        Program crash
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1296
        58⤵
        Program crash
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 960
        50⤵
        Program crash
        
        PID:1956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 988
        48⤵
        Program crash
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1004
        46⤵
        Program crash
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 960
        44⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1312
        42⤵
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1312
        40⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 988
        38⤵
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1252
        36⤵
        Program crash
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1240
        34⤵
        Program crash
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 980
        32⤵
        Program crash
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1336
        30⤵
        Program crash
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 960
        28⤵
        Program crash
        
        PID:364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1008
        26⤵
        Program crash
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 960
        24⤵
        Program crash
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1008
        22⤵
        Program crash
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1328
        20⤵
        Program crash
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 996
        18⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 1308
        16⤵
        Program crash
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1316
        14⤵
        Program crash
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1356
        12⤵
        Program crash
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1300
        10⤵
        Program crash
        
        PID:1208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 960
        8⤵
        Program crash
        
        PID:3764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1308
        6⤵
        Program crash
        
        PID:3480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 960
      4⤵
      Program crash
      PID:3092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1324
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3644 -ip 3644
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2924 -ip 2924
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4344 -ip 4344
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1620 -ip 1620
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4924 -ip 4924
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1668 -ip 1668
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2884 -ip 2884
1⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 672 -ip 672
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2028 -ip 2028
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1636 -ip 1636
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1080 -ip 1080
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 672 -ip 672
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1540 -ip 1540
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1872 -ip 1872
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 456 -ip 456
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1132 -ip 1132
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 2884
1⤵
PID:1080

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1596 -ip 1596
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2396 -ip 2396
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2584 -ip 2584
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2108 -ip 2108
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 400 -ip 400
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1872 -ip 1872
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2168 -ip 2168
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1612 -ip 1612
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 848 -ip 848
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3600 -ip 3600
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4648 -ip 4648
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1636 -ip 1636
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4568 -ip 4568
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4888 -ip 4888
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 404 -ip 404
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1036 -ip 1036
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2508 -ip 2508
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1368 -ip 1368
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3056 -ip 3056
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3684 -ip 3684
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3308 -ip 3308
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3500 -ip 3500
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4360 -ip 4360
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2976 -ip 2976
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2140 -ip 2140
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5044 -ip 5044
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2028 -ip 2028
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 448 -ip 448
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1396 -ip 1396
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5040 -ip 5040
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1568 -ip 1568
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5032 -ip 5032
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4436 -ip 4436
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4796 -ip 4796
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 872 -ip 872
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4336 -ip 4336
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1048 -ip 1048
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3776 -ip 3776
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1936 -ip 1936
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 812 -ip 812
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1984 -ip 1984
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1396 -ip 1396
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4656 -ip 4656
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 2884
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2548 -ip 2548
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3008 -ip 3008
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4124 -ip 4124
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2428 -ip 2428
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2736 -ip 2736
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2692 -ip 2692
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3644 -ip 3644
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2508 -ip 2508
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4448 -ip 4448
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3744 -ip 3744
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 116 -ip 116
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4476 -ip 4476
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4612 -ip 4612
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4456 -ip 4456
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4908 -ip 4908
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 812 -ip 812
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4336 -ip 4336
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1620 -ip 1620
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3008 -ip 3008
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4104 -ip 4104
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3856 -ip 3856
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3980 -ip 3980
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2004 -ip 2004
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4572 -ip 4572
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2964 -ip 2964
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4796 -ip 4796
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1128 -ip 1128
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1000 -ip 1000
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2004 -ip 2004
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DVXY.exe

Filesize
320KB

MD5
3c744fff0291049940693e06b7521a99

SHA1
844349f048693e7e573c018211a2f5480d3f8ab4

SHA256
f6f9e39a1a04d6fcef42c0fa8fdb52625008a7da7844b87469d8cb1c169ab541

SHA512
8451dab271ef6706135ba309a88fb1587bffe60e9242deb3edfd84807d6a04020a80659c8e44888da4379eb3cd56a67176edf6c2fd8269b15161a17ff142c973

Download Submit
C:\Windows\MRHQN.exe

Filesize
320KB

MD5
f7b6faae2da66802f4cd21a9c0d3fe8d

SHA1
60200fec793511a087b8d8474252264bab82431c

SHA256
f6a65c4721dc9c781fc8221a11e62994615863cc2c6b18b647c51a435d290f33

SHA512
ca6be3d733f67ce3756ceb52276dd7de230ccbadd52821c93882ff6196aad7b5f2e8c4c76855f183ff0e8e68e9358e187b0e5015d4ab31e5e5d475ed750c5dbd

Download Submit
C:\Windows\QJXRFB.exe

Filesize
320KB

MD5
22635036402e5e8ccb1f3bc2daa19fe0

SHA1
5eab182de17da7639dc94ed5a799dfb3fe748a19

SHA256
d790e7a60a1a1ff6665cb28876a3804246a0fdaf823c13d5b5b20cf7a0473576

SHA512
ad24b902e8ba67f96d6a9ba78da12bbb7881b264a01ae569c4840e64a8c54ff3fc69ffda46865b08ace13dce91ad930f6efbebe1d7e12bf33798ab1526bc14da

Download Submit
C:\Windows\SysWOW64\ANFJCW.exe

Filesize
320KB

MD5
0a3589f3f8560149bc40962afe0731d6

SHA1
b4449f8c9f42d28092047b89d3de14205ac4b6ee

SHA256
e688f9f86adcb484cbf19205fa3238b0b5bdfdaa348a2dae40a98914b8672710

SHA512
570ccde7fd7dab441695810ea063c49868beae6397c9c034d754063e5877fe087371b27ca27a64a87812c7ea6b8749d296c788213ccb5ee6997b7e302ba9cfda

Download Submit
C:\Windows\SysWOW64\FEOUG.exe

Filesize
320KB

MD5
3681cc7549d4481987cd590e39a3bf9a

SHA1
e3ef15e284d57a563a269f28566ff953c33c4168

SHA256
1bf55da6c4bc3d092c1fc7d180700c1abb91284064b226f7b689e061d4d97d8c

SHA512
4dea2ef21a569faefacf4168c9503c116072ec7243cca251c1e9566d0a4f9bc7705e24461141cf1d687e849764856f6762c9d8e664c016e40d9be13b77d7ed1e

Download Submit
C:\Windows\SysWOW64\FRUQ.exe

Filesize
320KB

MD5
19e876bc26bce67bc51d93d815acdcb6

SHA1
53347d47e2a310fc5bbbbe0d16f02b16781f5e07

SHA256
be14abdea2c3502eaf31d5f468d920df793365797f032b08df338ff069e10cfa

SHA512
566f4b3d08533e0e068f158cc2c59f66b2acf1562f8b3076f14a4428dc306cc9ee4ff4764b265d914b49fd65dc55abc946ea01fbb2f13cf40a065585180c1ae8

Download Submit
C:\Windows\SysWOW64\LMHQZXF.exe

Filesize
320KB

MD5
edafbb43a93b6c059582d4b3e58e8fcc

SHA1
bbbd4017e2408767777ccc8f2f6237fcb66763ba

SHA256
acb5b7e88a801712abb76998f7b539aacaf0d36bfd416ebdfeab7359ee003b09

SHA512
84e1792ff831eec183be5cbc4a18a336f8fd9caa19969e41d93d100f1154d86e704e44d0ba3dd41f873c4b710f533e8a849dcf9f20ce9d6f2f6bc5b3fcbf7652

Download Submit
C:\Windows\SysWOW64\MPBNLJ.exe

Filesize
320KB

MD5
36a010da24b45f5fb8c166790650cb98

SHA1
ef6e553475ab76c51ea49098b82014baec54a530

SHA256
9c495574b980331bf55470d5f9c41e0321d85867a4c39fd98e48ea03a38b2ceb

SHA512
029166d062df0dbcea3fbb3ed2397c70d83f2815139f70354bdc3a28806759e213e14e2d813b5f608995f1097591f9e18ff070e8d3f4a9968959bd483dc51bc9

Download Submit
C:\Windows\SysWOW64\SOAQORU.exe

Filesize
320KB

MD5
0f4eb9ff57075469d45c824c115cd675

SHA1
d5a44e196b667d6ae938f59ae9ff009f4a9539e3

SHA256
2c18befe510a44e80959241b7a221c4e98b485f7f72532f4f1e3aa36607e77a4

SHA512
00a98ccc81ec3fea52fbc10fc03cb8b59266244cee65c4a4d31c7b033ca42325dade1973c9bfc8af7238231a623f26bf55f5b2f60fd03e042368b869d757ba62

Download Submit
C:\Windows\SysWOW64\VGIIRU.exe

Filesize
320KB

MD5
c7bb89d9a37ce97e44b52831295c19c8

SHA1
f046bbb054b3b904c23c0b3614a2473736b420f3

SHA256
e4e2dc71042e3bfc885e291401dbcc43f139b317bc85e12e7d3aa4eaab9ed244

SHA512
845680440770756276ff85fdcd1e9e2cf608ec4023d278fa61edaba4f1942cb5effc27f29ad3a44ab45114d46cdde068842e1a488f0aec156fd4c2bcb9b0d766

Download Submit
C:\Windows\System\DYWUB.exe

Filesize
320KB

MD5
f222f26fc5317ef889a197423d530b8a

SHA1
ffb9f729d52e3f8b5bd6fd1957d0a68b44558387

SHA256
f7a4a9f59a13e6acc3d00f9d2a2acb7d6f18f1ead897636acb486f1fb2dfb4bd

SHA512
a9bc4ccc17bf395cb6efc2bedc66b8bf38c855d0d2b504054293e45004b375ad9599ecd6b41dffab5fa1fda15d62ca2f2954cdace6838cbb2f1ca6ea194f3616

Download Submit
C:\Windows\System\FWCWG.exe

Filesize
320KB

MD5
921793e57e0c8ce35e58492202f9e5dc

SHA1
7e64e896a97a372f58887c2a55c69090001459b8

SHA256
8395f9e2e594e90570f329a91aa5c9e15382deb652de8a2a05236a097e4d5872

SHA512
50ceb078d71a2ff6df7de99871ba345cd66b8ebfb42535c9bde239096ed08a68908969315f6e8aa690dc67b4a2e7795a247dac9c2a2ce187a8c10e8e5e4c9f9f

Download Submit
C:\Windows\XAVHE.exe

Filesize
320KB

MD5
10051fcf72c6049ffb006d5cbcd9e0f6

SHA1
69cc5129e1ea06e3771c1f530240f1df76a973e1

SHA256
afa505010812782711e5949a55c0faa293ad0c78cd2393c5bdd7e097bff4485b

SHA512
24446449a0b643e1f69371d5553c74fd78ff8c3be9d5edb36149df112dd34e9331520a1c3622bea3ff67baf98759ea305615b7f75097febda14b8b2ffc4e26df

Download Submit
C:\windows\BGJUFL.exe

Filesize
320KB

MD5
ec1de2fa999d635cba0890342ea438d3

SHA1
13a6c76afcb72166c159eb965edb972e75171f1b

SHA256
d55a799a7b67e940819d59082afa5810d865dfe92a7d91277d6e0dd9a23ddf02

SHA512
21c9ae8f13f6d9b05eedf3b1b2947734a04d1fcc06d8357ebce1129ff390e9b51368c0670788bc5f95ce0ec4aed6e8598fd668e2d96d06ef0572780c67f3d76e

Download Submit
C:\windows\BGJUFL.exe.bat

Filesize
58B

MD5
1d95876ce599d7414fa8dd7baf4a421c

SHA1
5ba0d77a0ff54b31d681a1aaca11ea6ab3adab40

SHA256
4e714d6606543425f069a8f402f4bf18b7bc9d559faada478440797027385152

SHA512
16c2cabcb2b00fa2f48f03cd93eacac7edfc374494fe420c4ab66aa666f79ddceeb8e9fcef7b32691311e3a5be7dc931a6c3fec9d7654a3d0b84851438f053e6

Download Submit
C:\windows\DVXY.exe.bat

Filesize
54B

MD5
5e3dacf8cce11b930144108354d645e3

SHA1
5076ba2d9b4687b10ddf21bd09f97cb37267837a

SHA256
82aa3c3c52661d723f65d91fbac32489f96327f60ba2dadc5201261aea543a71

SHA512
73fc38ec4244e665ed4049561ca93d996b36578f604794d90dc77e2d25946cbcada1a701376189c9f5e584dea2edb632d3a908d8ebc4d0bb06124e74df7d758c

Download Submit
C:\windows\MRHQN.exe.bat

Filesize
56B

MD5
976fca7364def23d3ca2c37cd9c78123

SHA1
aa3ff5dfce6c4060800d51988b1a6c1712d1e5bc

SHA256
041f493c4b4dbc96b7040df640c3dda125a5e5e58d749457bca52c2996bf63d0

SHA512
3e9d75d3eea29e8d8bece4294f022982af5e88111b76f281b87a9e56034b6126e4c8548a93a4382ad22a5f3bda20fe90349073b39a65e2ffd7108973adba2693

Download Submit
C:\windows\QJXRFB.exe.bat

Filesize
58B

MD5
ebb81f7ad18df82311a74f7f97d14e71

SHA1
77165fa0849f0adb643b2cf93658f3e3ed9e7ccb

SHA256
a7dda4555d5ac1d701bfe82861fdcfb72d072b34920a8091e56655e9afea9f17

SHA512
7b1151160829950ae7c8d948c06fa2338829472576c1d8acb82c1d9c09106433df0085d4106bfdaa4598f590a10fef0938588fa8e1aafe0d37d596a42b21b05a

Download Submit
C:\windows\RVTWXUL.exe.bat

Filesize
60B

MD5
2681f1901c112d8ef63e4367d18b3366

SHA1
2c2e8967966fe80d1462e612dbaca14526922aff

SHA256
35b8a8b9a0f3a0f795d5752fc3250546296178b3ece41f65e8c8606f0eb38b06

SHA512
d4316d1f0ec679299590f36010c67500c93194969e9937c4a34befbe7c9da7993fee0d35468e27cfb8693714a4ec0e83d7b753c4c24c1401ff6eb40208a3dabb

Download Submit
C:\windows\SysWOW64\ANFJCW.exe.bat

Filesize
76B

MD5
767131f5df0f55de02cca7eece201ff3

SHA1
54dc40d25a909c0dc9d3590220bf154d43789cc3

SHA256
8ac11c9abdc1b2002784d49b680a182be17b981f49689e495492c8a58bf64947

SHA512
cb8925cb40a17b4dcb3a60ce750506c60006c90b3cfd03132267c7b2c81838f99ace4a4f7989c32e61a83bef1214d2c0a24d91133722d76e9f6d8ce1bbed1a0e

Download Submit
C:\windows\SysWOW64\FEOUG.exe.bat

Filesize
74B

MD5
c5a693b26a8d29e7af084ab5c5bed4e8

SHA1
8cc8d628b0c20bde31d5187f194c7a503b085c8e

SHA256
bd03d07fba05725a80499d86fc4a30c592f11ed7716bc819857bbcdc32505fe5

SHA512
67005cb167896bd557dbb7d7ce96a6aebd8815e73cf3a14cd32b3d78c93f11bb9acb1cec3fa878ec95685adbeccdd83d00dd1dadd4edae39da81948169062104

Download Submit
C:\windows\SysWOW64\FRUQ.exe.bat

Filesize
72B

MD5
e7824f756c29dc1fb882a3402dd92e10

SHA1
440c3d5f699670739c22601c7087b448a4c6add1

SHA256
e136e4eedfeea390b0b82abcd13addec7c71bfe8ae8c6a56dfe5ff30c1c1960c

SHA512
c960728e01212965f78081320ae041f8e3f23c1ce455a733b2c894faf9f9542672cf5c2bc7c1c7bd1afb8313bc5407e306779bf79bc674f4740109c52f011f75

Download Submit
C:\windows\SysWOW64\JNJ.exe

Filesize
320KB

MD5
06f943b698421a7de653cb0d812e7d18

SHA1
176f3ff1d026f266ece23249b08ea5d505b8df6f

SHA256
d11ad426625547239e418c61e6170ff1e300a216dbbb169e5b0a2dba4ff3cf2d

SHA512
9ee8f15ea04b010ac8e4070281adeaa204c2fd0f98a591933784e2769c3a27c9498645c06088e83aaaedb2a018761c51a3a6c1d905ea28c45950af89cb61a989

Download Submit
C:\windows\SysWOW64\JNJ.exe.bat

Filesize
70B

MD5
e0847cf7c68fe54e82aff967e61dacdc

SHA1
9ee2bce8a4fbbb7869f392fd422dd60a8cf70274

SHA256
d6595c38e1391a78544ec6378416133ad5f9696d698f5d54b46052e55c589a6f

SHA512
7ba3ac5515e2a0a5477b0247af8d43a25092018f46f8f959aff00db49b72e8ebf66a2a02f3aa0965658b21fd96f84211ee18e94321cf1f6cea45f4d987a952fe

Download Submit
C:\windows\SysWOW64\LMHQZXF.exe.bat

Filesize
78B

MD5
00d6725dbfddf022bb039a24a378aa13

SHA1
81a9f7bfa2939682b5b923bfc581fe6344fe46d0

SHA256
efbf9e127ed22fb8ca1518c236186f5a1a70313a095b914df7bcf0d5fbeafbf6

SHA512
f5d921ef770767b430cd404d9d868a3bd759a60a649c3db348713c7989f43a34b9ec5c600faf910ee771365df0a7f046656df478f94a331439281cc9a0a3b578

Download Submit
C:\windows\SysWOW64\MPBNLJ.exe.bat

Filesize
76B

MD5
db49ed72b9f206950623945c01ee87a0

SHA1
66fe572b248056e47eb9cadb8fc6394e915af27c

SHA256
fa2745c403ae37763e23bf687d93f9592fe74b8108735b81f291efbe814306ca

SHA512
ed52041dedcb719e987edfed911d6e710ef4b89d7b1eb55c5b70923126c09c96652286faec64ab13e8db7e1386f5af566b02f70e45d7a7f651ad74a0153045a1

Download Submit
C:\windows\SysWOW64\SOAQORU.exe.bat

Filesize
78B

MD5
f0cb2ed9a98bef1e19d77f15e68f5f1b

SHA1
95c3e4228ccb6041946171e57987a4a686f32b77

SHA256
9e342147e2c7dcb88f5ce07d3506e8cbddf37ca0498174fe2d4e6496ede2216d

SHA512
368d309f1dc94761eb18bf810c36f5183cf3f073558ed284fb68fa0afecd3136d381a5dbf30271a43b82f1a66e3aa1d4bc6af0c65216077153c310677337aff8

Download Submit
C:\windows\SysWOW64\VGIIRU.exe.bat

Filesize
76B

MD5
eed476fa8df635a49b57f0db866e6082

SHA1
257dd09d9d482a6566fda255c9a9e119527da9a4

SHA256
765fdc206a461f169e22753508e81f0e3f42d547ce045d4b05054476c80d257e

SHA512
a1eae898cfa97d85682b2a6f1553d6ecbc9f117916a366dc54857143035637cd482999c8ffc74575da37a462456e5f5ab79e38edde3601fffb380aec7b08d918

Download Submit
C:\windows\SysWOW64\WZOEV.exe

Filesize
320KB

MD5
9ac199a172817e5cc17ca50ab44f9129

SHA1
b46921a41b461f72ae47e61be19618d9823b2050

SHA256
d64255cee6cfa5f15346d0e03bd143f389bfa24cfa9914ad6936d5072de8517d

SHA512
30b6d9333829bf2dbc51e586555a559bb77623724d29ef7e2c8aaaa26ce1cb6fbcb281ab5ee8a149c7965787c28c5711f0f874f752e12bb500c0a98102b6f428

Download Submit
C:\windows\SysWOW64\WZOEV.exe.bat

Filesize
74B

MD5
3a206d90cf2aabbc1e535e5cace59955

SHA1
46e45c2281477580c89eed1a0f0d16ecc66160fd

SHA256
8898164bc50a403aec00afd5a016d96ec68df5ffdbe9124cfbb7bda0019b758f

SHA512
4729dd4b5ef4ea78bdcb07e8ef48f8bcb3a41ac4810b5f9648d12771c286f318fff9fdf5aa5c376aad446165e1cfd521cd07b1e899758d977ca74412df711a55

Download Submit
C:\windows\XAVHE.exe.bat

Filesize
56B

MD5
5a3c47e4378c630296f7f55f726c9b21

SHA1
48855251acd327e97211368adcec7c941a474c12

SHA256
1d8ef3e169fffd0931a908c7066ca53943daf70dc6427604c2acf5869eb0457b

SHA512
44f88443f74e2d7523b3132f75e87d558de7e8490cdc8d4d71af58405dc4366b1d63bdd96101d081920b0fc99995390fbd8a5f973bf1a3f7ca576264a6640dfb

Download Submit
C:\windows\system\DYWUB.exe.bat

Filesize
70B

MD5
cfcba5ebb8678b94b37e8741485ca961

SHA1
89481e8d594cfc4735cb520edca5607ed2868b25

SHA256
1ac74b0d4393a601734d78c2566827ea9022fb696283c2dcb18c5a6dd7dcfe87

SHA512
d796914c490ffef42e175af2204394836aaf61ca9fb806100e534b636a4904da9e146272f36ba76f2c8bbd2f90629250e46e0b426dd3bd61c3339de3e9122fa7

Download Submit
C:\windows\system\FWCWG.exe.bat

Filesize
70B

MD5
c7dc79e1aa97ea44f8a6ef3d26489c83

SHA1
18fa2c7ee5d459822e83191a2d8987520a62ed21

SHA256
713f866b5fd7a6eb7b8d37e8f78305d3ded7f30c72cbd087da9f6f6821e820e9

SHA512
e42afc2eb6f1340e44858ff7b995f3e18e0adf4e5001bae002e4438a476a3988f9943721f22b658f695c2fad41b4b5a967b79ab5901b7115a37501745c1cfbbe

Download Submit
C:\windows\system\GFLHNG.exe

Filesize
320KB

MD5
45c0bcc85eef8c7ac268b95379168511

SHA1
144bba106699f650deff4c054188445d0098ecb6

SHA256
40abdaa48f758a006692af4e3d79a992f8e4700a2fd903d71bae3b094ab49ca0

SHA512
2ad06bef1db9a4bf50b4fe629982492b661732aa1feb1a6373535a15c41f5b092e6e2b826e27578fb59795af2263d8d8f2e5dc1365355c5e74e51c457f6390af

Download Submit
C:\windows\system\GFLHNG.exe.bat

Filesize
72B

MD5
15c628bb418eb88ae92a0f521b3f5cb3

SHA1
30d5161c78f6a57809aa295af0c2556c8fa9a84c

SHA256
81d67ab70cf2375051d9026ee6bfd3810dac116934e17365dae9f4e878718971

SHA512
9bd247fe51df3b2ac483f69d0a6e94b2dba7bf03b0bc84547de55545c439acdadae36538e3bbb47d08e7ba71ccd8f3ac18c4f7d46434702e455b50a0288bba34

Download Submit
C:\windows\system\LEX.exe.bat

Filesize
66B

MD5
02ba81f0f49566fe494525f4d3bad8b8

SHA1
a077cf1c4f35bed019d52492b372a84f0879ef84

SHA256
1faf9a4357b5d1a01c9adeefba1d34eb417d759e26108259bc2e07faefe00dfe

SHA512
63691879e92d3abbf72f4779b2acc33d19539c1d77f9bb49e8522c3d6d97184f4e4380d7cda3be02aaad7a7d878324578778293ccc250af63a5a5002c8087400

Download Submit
C:\windows\system\ODZH.exe

Filesize
320KB

MD5
8145d3c98ef2c81743f75a3a0e383f9b

SHA1
4ca80d855ee61ef3090d0c4072a97db96cf50987

SHA256
2299fe9eef1d31165292d428af2ed8a05479fa7fb0d2022cd70a83042bd00d8d

SHA512
317cfa9010eeaa35c8d74f021cb586efed8607b4eecc4bfb717b8f6bce7bc68c0d078eaac933eeba7179297d3334adceed43e77422ec321266eb5191d9627075

Download Submit
C:\windows\system\ODZH.exe.bat

Filesize
68B

MD5
8bc81415d507950d5b17aa28c50fc047

SHA1
f01039930b3a59110001d22e3a01a9dade07a2ac

SHA256
468366cde5a521d12fb223b570c490cf588a9b4baf954692d1b5a2e8a466fd46

SHA512
47621b8f58cc95adf1c3d98aaa45c136a7ae1ed69d09264cf58a7c5a99969d172be5eb8f453ca02b92dd997f5190642417fd3363b1358fc86086aace2269e04f

Download Submit
C:\windows\system\VNVWWN.exe

Filesize
320KB

MD5
0f60a96917a8ceb348764375571a8a06

SHA1
a7c4237b159b4612c51802dea56efc9e1fdfe971

SHA256
4c1813f193e1d66610dfa004d7a616587d459989705c0982f8a7c345dd4be74b

SHA512
e84a46c219b5fe858088db976a830754fe6062149c3047f6173bfa81b8b90544aa480f76da2494cbbeb0c398af7318201d0007ed053b8175d57ea8bfa9f15290

Download Submit
C:\windows\system\VNVWWN.exe.bat

Filesize
72B

MD5
6b61304a73f27decd6528b2a0ad4dd8f

SHA1
615ad112602edfc6b9233c2e68f6a8b3abab50a5

SHA256
2eaf3e0be97cc00d0c85c05a9b67652e1ba4ccf6944d05de1c44da6869f4b3db

SHA512
8b29aade4bc9b52c24baec0d7a1b2ce3e27cce330e046f422fde3ff3af5ceabc26b55924ce9e11c29bccd74aeaedb3a1393448993969fd796cba61ee044a69be

Download Submit
C:\windows\system\YWYON.exe

Filesize
320KB

MD5
2832d8a4d8accdfe6851b6f01ac67fba

SHA1
b30e56e1a9b93a7dbe7fb3d0b60f2cdbef1acc4f

SHA256
901d33bac668fc9c7b769a7cce20c9438e4243e4b576a786a27cf2e2f6cb6664

SHA512
6a5e9b6d9e2344ff7180d5bb3d75821901c2326916a276a565de946046a07dd251d506a412ecf53093a29aa4abc01ce62e1340216fe350ff71379a946ce0c664

Download Submit
C:\windows\system\YWYON.exe.bat

Filesize
70B

MD5
0a5ae2da63991557e9f185103e6016d2

SHA1
338b3d914d66e4d922b5161c87c2d8e22f7fa9c1

SHA256
6c90120caa245b185db7f711df34dcfef3b513bc5885b6ed05972426b6123ee3

SHA512
3bc58e76b23b18f119335f0072b069b89d193dce73b4a29aafe2bd7c754b6dc971a46ec790c301e7591386d3a929ed9d17867c622a6630afe7120042d0f2a6d8

Download Submit
memory/400-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/400-312-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/456-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/456-186-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/672-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/672-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/672-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/672-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/848-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/848-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/992-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1080-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1596-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1596-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1612-329-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1612-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-175-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2028-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2028-125-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2396-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2396-234-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2584-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2584-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2924-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2924-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-302-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3644-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4344-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4344-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4568-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4568-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-303-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4888-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download