3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496

Analysis

max time kernel
104s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
Size

289KB
MD5

d8d438c89fce6e7114c3e8ec9c12872b
SHA1

7ef91106136756d91b9f74ff8ad04379bdb31842
SHA256

3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496
SHA512

6d152c2dc6c79543f21331a4916f754c9ea7c0c5cda70102736bac5386b6674d4522e7d320c36fa6abc49e8626432e268bc17eab34f508d297ae20e88448176d
SSDEEP

6144:80W6tQl9eaRjb9kdhqZSqCqtsgdKaxkECzJLaQVbU5:80WYQLeaReDqN/KaxklJLJbU5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 61 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YHOWO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PCJVXR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PUFWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PWBOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CGJY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KMBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XTIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NHIMZS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NLDW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	AWKZBV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WERFL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MLDHOYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ARAABOE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FSKF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QNTZAHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZEQMW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KAQIGS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KQMFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KHQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GZUHOMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RBYSFMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VBXIIUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RWWK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PZY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GBI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	UGGKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SKEJCV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QLT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HJMJKTR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SUOZMHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TFZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QADWJMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CNR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	LCOTQLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XUUX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	LCJW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GRGZIVH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CJOQQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QJG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BOKDWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BEKSUIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MTCNWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DSPZIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PEBBSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	STS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	LKNJCT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HKFSRRF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MIDCLFC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	APNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FFLDO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZPQYHJI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TBXB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	JLN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FNECZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RZRGT.exe

Executes dropped EXE 61 IoCs

pid	Process
3104	CGJY.exe
5428	AWKZBV.exe
1448	YHOWO.exe
5980	PZY.exe
5544	MKQ.exe
5800	QLT.exe
3784	BOKDWE.exe
3564	GZUHOMR.exe
5176	ZFK.exe
648	LCJW.exe
2232	RBYSFMR.exe
2220	GRGZIVH.exe
3128	FFLDO.exe
5472	FNECZ.exe
5764	BEKSUIT.exe
116	KMBD.exe
5032	TFZ.exe
1720	STS.exe
5760	WERFL.exe
1416	ZPQYHJI.exe
4512	XTIW.exe
5204	CZW.exe
4404	PCJVXR.exe
2188	QADWJMS.exe
1940	ZEQMW.exe
2160	CJOQQM.exe
4816	FSKF.exe
3968	MLDHOYU.exe
2344	VBXIIUD.exe
3940	RZRGT.exe
2036	CNR.exe
4412	KAQIGS.exe
5084	MTCNWS.exe
4056	PUFWM.exe
3576	LKNJCT.exe
2420	GBI.exe
5900	RWWK.exe
6032	DSPZIM.exe
2200	QNTZAHH.exe
4036	HJMJKTR.exe
3376	NHIMZS.exe
2884	HKFSRRF.exe
1924	TAC.exe
1640	YZJ.exe
5372	ARAABOE.exe
5208	MIDCLFC.exe
4680	QJG.exe
4672	TBXB.exe
116	XUUX.exe
1480	KQMFA.exe
3324	PWBOO.exe
3384	SUOZMHK.exe
4320	SKEJCV.exe
4584	JLN.exe
4956	UGGKH.exe
4224	KHQ.exe
5748	LCOTQLC.exe
5336	NLDW.exe
2548	PEBBSM.exe
2588	APNN.exe
5172	FVNPZ.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\NLDW.exe	LCOTQLC.exe
File created	C:\windows\SysWOW64\APNN.exe	PEBBSM.exe
File created	C:\windows\SysWOW64\APNN.exe.bat	PEBBSM.exe
File created	C:\windows\SysWOW64\MLDHOYU.exe.bat	FSKF.exe
File created	C:\windows\SysWOW64\RZRGT.exe.bat	VBXIIUD.exe
File created	C:\windows\SysWOW64\TBXB.exe	QJG.exe
File opened for modification	C:\windows\SysWOW64\HJMJKTR.exe	QNTZAHH.exe
File created	C:\windows\SysWOW64\HJMJKTR.exe.bat	QNTZAHH.exe
File created	C:\windows\SysWOW64\HKFSRRF.exe	NHIMZS.exe
File created	C:\windows\SysWOW64\KQMFA.exe.bat	XUUX.exe
File created	C:\windows\SysWOW64\KHQ.exe	UGGKH.exe
File created	C:\windows\SysWOW64\KMBD.exe.bat	BEKSUIT.exe
File created	C:\windows\SysWOW64\WERFL.exe.bat	STS.exe
File opened for modification	C:\windows\SysWOW64\CJOQQM.exe	ZEQMW.exe
File created	C:\windows\SysWOW64\AWKZBV.exe.bat	CGJY.exe
File created	C:\windows\SysWOW64\HKFSRRF.exe.bat	NHIMZS.exe
File created	C:\windows\SysWOW64\TBXB.exe.bat	QJG.exe
File created	C:\windows\SysWOW64\LCOTQLC.exe	KHQ.exe
File created	C:\windows\SysWOW64\LCOTQLC.exe.bat	KHQ.exe
File opened for modification	C:\windows\SysWOW64\FVNPZ.exe	APNN.exe
File created	C:\windows\SysWOW64\MKQ.exe.bat	PZY.exe
File created	C:\windows\SysWOW64\PUFWM.exe.bat	MTCNWS.exe
File opened for modification	C:\windows\SysWOW64\KHQ.exe	UGGKH.exe
File created	C:\windows\SysWOW64\XTIW.exe.bat	ZPQYHJI.exe
File created	C:\windows\SysWOW64\ARAABOE.exe	YZJ.exe
File opened for modification	C:\windows\SysWOW64\LCOTQLC.exe	KHQ.exe
File opened for modification	C:\windows\SysWOW64\NLDW.exe	LCOTQLC.exe
File created	C:\windows\SysWOW64\FVNPZ.exe	APNN.exe
File created	C:\windows\SysWOW64\ZFK.exe.bat	GZUHOMR.exe
File created	C:\windows\SysWOW64\KMBD.exe	BEKSUIT.exe
File created	C:\windows\SysWOW64\ZPQYHJI.exe.bat	WERFL.exe
File created	C:\windows\SysWOW64\HJMJKTR.exe	QNTZAHH.exe
File opened for modification	C:\windows\SysWOW64\TAC.exe	HKFSRRF.exe
File created	C:\windows\SysWOW64\KHQ.exe.bat	UGGKH.exe
File opened for modification	C:\windows\SysWOW64\YHOWO.exe	AWKZBV.exe
File opened for modification	C:\windows\SysWOW64\MLDHOYU.exe	FSKF.exe
File opened for modification	C:\windows\SysWOW64\PUFWM.exe	MTCNWS.exe
File created	C:\windows\SysWOW64\CJOQQM.exe	ZEQMW.exe
File created	C:\windows\SysWOW64\RZRGT.exe	VBXIIUD.exe
File opened for modification	C:\windows\SysWOW64\RZRGT.exe	VBXIIUD.exe
File created	C:\windows\SysWOW64\KQMFA.exe	XUUX.exe
File created	C:\windows\SysWOW64\YHOWO.exe.bat	AWKZBV.exe
File created	C:\windows\SysWOW64\TFZ.exe	KMBD.exe
File opened for modification	C:\windows\SysWOW64\TFZ.exe	KMBD.exe
File opened for modification	C:\windows\SysWOW64\XTIW.exe	ZPQYHJI.exe
File created	C:\windows\SysWOW64\MLDHOYU.exe	FSKF.exe
File opened for modification	C:\windows\SysWOW64\YZJ.exe	TAC.exe
File opened for modification	C:\windows\SysWOW64\KQMFA.exe	XUUX.exe
File created	C:\windows\SysWOW64\FVNPZ.exe.bat	APNN.exe
File opened for modification	C:\windows\SysWOW64\GZUHOMR.exe	BOKDWE.exe
File opened for modification	C:\windows\SysWOW64\KMBD.exe	BEKSUIT.exe
File created	C:\windows\SysWOW64\TFZ.exe.bat	KMBD.exe
File opened for modification	C:\windows\SysWOW64\AWKZBV.exe	CGJY.exe
File created	C:\windows\SysWOW64\ZFK.exe	GZUHOMR.exe
File opened for modification	C:\windows\SysWOW64\ZFK.exe	GZUHOMR.exe
File opened for modification	C:\windows\SysWOW64\APNN.exe	PEBBSM.exe
File opened for modification	C:\windows\SysWOW64\HKFSRRF.exe	NHIMZS.exe
File created	C:\windows\SysWOW64\YZJ.exe	TAC.exe
File created	C:\windows\SysWOW64\YZJ.exe.bat	TAC.exe
File opened for modification	C:\windows\SysWOW64\WERFL.exe	STS.exe
File created	C:\windows\SysWOW64\ZPQYHJI.exe	WERFL.exe
File created	C:\windows\SysWOW64\TAC.exe	HKFSRRF.exe
File created	C:\windows\SysWOW64\ARAABOE.exe.bat	YZJ.exe
File created	C:\windows\SysWOW64\GZUHOMR.exe.bat	BOKDWE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\CGJY.exe	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
File created	C:\windows\system\BOKDWE.exe	QLT.exe
File created	C:\windows\system\BEKSUIT.exe	FNECZ.exe
File created	C:\windows\LKNJCT.exe	PUFWM.exe
File created	C:\windows\system\SQZPSJ.exe.bat	FVNPZ.exe
File created	C:\windows\system\MTCNWS.exe.bat	KAQIGS.exe
File created	C:\windows\MIDCLFC.exe.bat	ARAABOE.exe
File created	C:\windows\JLN.exe	SKEJCV.exe
File opened for modification	C:\windows\JLN.exe	SKEJCV.exe
File opened for modification	C:\windows\system\SQZPSJ.exe	FVNPZ.exe
File opened for modification	C:\windows\system\PCJVXR.exe	CZW.exe
File created	C:\windows\system\MTCNWS.exe	KAQIGS.exe
File created	C:\windows\ZEQMW.exe	QADWJMS.exe
File opened for modification	C:\windows\system\BEKSUIT.exe	FNECZ.exe
File created	C:\windows\system\SKEJCV.exe	SUOZMHK.exe
File created	C:\windows\system\PCJVXR.exe.bat	CZW.exe
File created	C:\windows\system\VBXIIUD.exe.bat	MLDHOYU.exe
File opened for modification	C:\windows\MIDCLFC.exe	ARAABOE.exe
File opened for modification	C:\windows\system\DSPZIM.exe	RWWK.exe
File opened for modification	C:\windows\NHIMZS.exe	HJMJKTR.exe
File created	C:\windows\system\XUUX.exe	TBXB.exe
File opened for modification	C:\windows\system\FFLDO.exe	GRGZIVH.exe
File opened for modification	C:\windows\CZW.exe	XTIW.exe
File opened for modification	C:\windows\ZEQMW.exe	QADWJMS.exe
File opened for modification	C:\windows\system\KAQIGS.exe	CNR.exe
File created	C:\windows\system\RWWK.exe.bat	GBI.exe
File created	C:\windows\SUOZMHK.exe	PWBOO.exe
File created	C:\windows\system\CGJY.exe.bat	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
File created	C:\windows\QJG.exe.bat	MIDCLFC.exe
File opened for modification	C:\windows\SUOZMHK.exe	PWBOO.exe
File created	C:\windows\system\BOKDWE.exe.bat	QLT.exe
File created	C:\windows\FNECZ.exe	FFLDO.exe
File opened for modification	C:\windows\system\FSKF.exe	CJOQQM.exe
File opened for modification	C:\windows\system\VBXIIUD.exe	MLDHOYU.exe
File opened for modification	C:\windows\system\QLT.exe	MKQ.exe
File created	C:\windows\system\PEBBSM.exe.bat	NLDW.exe
File created	C:\windows\QADWJMS.exe.bat	PCJVXR.exe
File created	C:\windows\QNTZAHH.exe.bat	DSPZIM.exe
File created	C:\windows\CZW.exe.bat	XTIW.exe
File opened for modification	C:\windows\system\PWBOO.exe	KQMFA.exe
File created	C:\windows\system\SQZPSJ.exe	FVNPZ.exe
File created	C:\windows\system\PWBOO.exe	KQMFA.exe
File opened for modification	C:\windows\system\PEBBSM.exe	NLDW.exe
File opened for modification	C:\windows\LCJW.exe	ZFK.exe
File created	C:\windows\system\FFLDO.exe.bat	GRGZIVH.exe
File created	C:\windows\system\BEKSUIT.exe.bat	FNECZ.exe
File created	C:\windows\STS.exe	TFZ.exe
File opened for modification	C:\windows\QNTZAHH.exe	DSPZIM.exe
File created	C:\windows\system\XUUX.exe.bat	TBXB.exe
File created	C:\windows\system\QLT.exe.bat	MKQ.exe
File created	C:\windows\RBYSFMR.exe	LCJW.exe
File created	C:\windows\RBYSFMR.exe.bat	LCJW.exe
File opened for modification	C:\windows\system\GBI.exe	LKNJCT.exe
File opened for modification	C:\windows\QJG.exe	MIDCLFC.exe
File opened for modification	C:\windows\system\CGJY.exe	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
File opened for modification	C:\windows\LKNJCT.exe	PUFWM.exe
File created	C:\windows\QNTZAHH.exe	DSPZIM.exe
File created	C:\windows\system\PZY.exe	YHOWO.exe
File created	C:\windows\system\UGGKH.exe	JLN.exe
File opened for modification	C:\windows\RBYSFMR.exe	LCJW.exe
File created	C:\windows\system\VBXIIUD.exe	MLDHOYU.exe
File opened for modification	C:\windows\system\CNR.exe	RZRGT.exe
File created	C:\windows\system\DSPZIM.exe	RWWK.exe
File created	C:\windows\system\PEBBSM.exe	NLDW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4872	5428	WerFault.exe	99
3144	2620	WerFault.exe	90
4476	3104	WerFault.exe	94
5888	1448	WerFault.exe	103
4356	648	WerFault.exe	135
904	2232	WerFault.exe	139
5392	2220	WerFault.exe	145
5948	3128	WerFault.exe	150
2316	5472	WerFault.exe	157
768	5764	WerFault.exe	162
216	116	WerFault.exe	167
5796	5032	WerFault.exe	172
4360	1720	WerFault.exe	177
3376	5760	WerFault.exe	182
5164	1416	WerFault.exe	187
1924	4512	WerFault.exe	192
5404	5204	WerFault.exe	197
700	4404	WerFault.exe	202
4256	2188	WerFault.exe	207
6100	1940	WerFault.exe	213
3084	2160	WerFault.exe	218
3388	4816	WerFault.exe	223
3936	3968	WerFault.exe	228
1796	2344	WerFault.exe	233
1960	3940	WerFault.exe	238
3080	2036	WerFault.exe	243
3728	4412	WerFault.exe	250
3972	5084	WerFault.exe	256
5612	4056	WerFault.exe	261
4200	3576	WerFault.exe	267
1508	2420	WerFault.exe	272
6068	5900	WerFault.exe	279
4448	6032	WerFault.exe	284
2588	2200	WerFault.exe	289
2344	4036	WerFault.exe	294
1604	3376	WerFault.exe	299
1588	2884	WerFault.exe	304
2532	1924	WerFault.exe	309
5136	1640	WerFault.exe	314
4700	5372	WerFault.exe	319
4252	5208	WerFault.exe	324
5492	4680	WerFault.exe	329
3976	4672	WerFault.exe	334
6032	116	WerFault.exe	339
2200	1480	WerFault.exe	344
5032	3324	WerFault.exe	349
4164	3384	WerFault.exe	354
4092	4320	WerFault.exe	359
5084	4584	WerFault.exe	364
2468	4956	WerFault.exe	369
3888	4224	WerFault.exe	374
4300	5748	WerFault.exe	379
3804	5336	WerFault.exe	384
2040	2548	WerFault.exe	389
4868	2588	WerFault.exe	394
5940	5172	WerFault.exe	399
2324	6012	WerFault.exe	404
2104	2480	WerFault.exe	409
3948	2244	WerFault.exe	414
2196	448	WerFault.exe	419
3184	5084	WerFault.exe	424
924	5396	WerFault.exe	429
3960	5136	WerFault.exe	434
4444	6088	WerFault.exe	439

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
3104	CGJY.exe
3104	CGJY.exe
5428	AWKZBV.exe
5428	AWKZBV.exe
1448	YHOWO.exe
1448	YHOWO.exe
5980	PZY.exe
5980	PZY.exe
5544	MKQ.exe
5544	MKQ.exe
5800	QLT.exe
5800	QLT.exe
3784	BOKDWE.exe
3784	BOKDWE.exe
3564	GZUHOMR.exe
3564	GZUHOMR.exe
5176	ZFK.exe
5176	ZFK.exe
648	LCJW.exe
648	LCJW.exe
2232	RBYSFMR.exe
2232	RBYSFMR.exe
2220	GRGZIVH.exe
2220	GRGZIVH.exe
3128	FFLDO.exe
3128	FFLDO.exe
5472	FNECZ.exe
5472	FNECZ.exe
5764	BEKSUIT.exe
5764	BEKSUIT.exe
116	KMBD.exe
116	KMBD.exe
5032	TFZ.exe
5032	TFZ.exe
1720	STS.exe
1720	STS.exe
5760	WERFL.exe
5760	WERFL.exe
1416	ZPQYHJI.exe
1416	ZPQYHJI.exe
4512	XTIW.exe
4512	XTIW.exe
5204	CZW.exe
5204	CZW.exe
4404	PCJVXR.exe
4404	PCJVXR.exe
2188	QADWJMS.exe
2188	QADWJMS.exe
1940	ZEQMW.exe
1940	ZEQMW.exe
2160	CJOQQM.exe
2160	CJOQQM.exe
4816	FSKF.exe
4816	FSKF.exe
3968	MLDHOYU.exe
3968	MLDHOYU.exe
2344	VBXIIUD.exe
2344	VBXIIUD.exe
3940	RZRGT.exe
3940	RZRGT.exe
2036	CNR.exe
2036	CNR.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
3104	CGJY.exe
3104	CGJY.exe
5428	AWKZBV.exe
5428	AWKZBV.exe
1448	YHOWO.exe
1448	YHOWO.exe
5980	PZY.exe
5980	PZY.exe
5544	MKQ.exe
5544	MKQ.exe
5800	QLT.exe
5800	QLT.exe
3784	BOKDWE.exe
3784	BOKDWE.exe
3564	GZUHOMR.exe
3564	GZUHOMR.exe
5176	ZFK.exe
5176	ZFK.exe
648	LCJW.exe
648	LCJW.exe
2232	RBYSFMR.exe
2232	RBYSFMR.exe
2220	GRGZIVH.exe
2220	GRGZIVH.exe
3128	FFLDO.exe
3128	FFLDO.exe
5472	FNECZ.exe
5472	FNECZ.exe
5764	BEKSUIT.exe
5764	BEKSUIT.exe
116	KMBD.exe
116	KMBD.exe
5032	TFZ.exe
5032	TFZ.exe
1720	STS.exe
1720	STS.exe
5760	WERFL.exe
5760	WERFL.exe
1416	ZPQYHJI.exe
1416	ZPQYHJI.exe
4512	XTIW.exe
4512	XTIW.exe
5204	CZW.exe
5204	CZW.exe
4404	PCJVXR.exe
4404	PCJVXR.exe
2188	QADWJMS.exe
2188	QADWJMS.exe
1940	ZEQMW.exe
1940	ZEQMW.exe
2160	CJOQQM.exe
2160	CJOQQM.exe
4816	FSKF.exe
4816	FSKF.exe
3968	MLDHOYU.exe
3968	MLDHOYU.exe
2344	VBXIIUD.exe
2344	VBXIIUD.exe
3940	RZRGT.exe
3940	RZRGT.exe
2036	CNR.exe
2036	CNR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4992	2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	91
PID 2620 wrote to memory of 4992	2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	91
PID 2620 wrote to memory of 4992	2620	3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe	91
PID 4992 wrote to memory of 3104	4992	cmd.exe	94
PID 4992 wrote to memory of 3104	4992	cmd.exe	94
PID 4992 wrote to memory of 3104	4992	cmd.exe	94
PID 3104 wrote to memory of 4252	3104	CGJY.exe	96
PID 3104 wrote to memory of 4252	3104	CGJY.exe	96
PID 3104 wrote to memory of 4252	3104	CGJY.exe	96
PID 4252 wrote to memory of 5428	4252	cmd.exe	99
PID 4252 wrote to memory of 5428	4252	cmd.exe	99
PID 4252 wrote to memory of 5428	4252	cmd.exe	99
PID 5428 wrote to memory of 5332	5428	AWKZBV.exe	100
PID 5428 wrote to memory of 5332	5428	AWKZBV.exe	100
PID 5428 wrote to memory of 5332	5428	AWKZBV.exe	100
PID 5332 wrote to memory of 1448	5332	cmd.exe	103
PID 5332 wrote to memory of 1448	5332	cmd.exe	103
PID 5332 wrote to memory of 1448	5332	cmd.exe	103
PID 1448 wrote to memory of 5936	1448	YHOWO.exe	107
PID 1448 wrote to memory of 5936	1448	YHOWO.exe	107
PID 1448 wrote to memory of 5936	1448	YHOWO.exe	107
PID 5936 wrote to memory of 5980	5936	cmd.exe	111
PID 5936 wrote to memory of 5980	5936	cmd.exe	111
PID 5936 wrote to memory of 5980	5936	cmd.exe	111
PID 5980 wrote to memory of 3308	5980	PZY.exe	112
PID 5980 wrote to memory of 3308	5980	PZY.exe	112
PID 5980 wrote to memory of 3308	5980	PZY.exe	112
PID 3308 wrote to memory of 5544	3308	cmd.exe	115
PID 3308 wrote to memory of 5544	3308	cmd.exe	115
PID 3308 wrote to memory of 5544	3308	cmd.exe	115
PID 5544 wrote to memory of 5268	5544	MKQ.exe	116
PID 5544 wrote to memory of 5268	5544	MKQ.exe	116
PID 5544 wrote to memory of 5268	5544	MKQ.exe	116
PID 5268 wrote to memory of 5800	5268	cmd.exe	119
PID 5268 wrote to memory of 5800	5268	cmd.exe	119
PID 5268 wrote to memory of 5800	5268	cmd.exe	119
PID 5800 wrote to memory of 768	5800	QLT.exe	120
PID 5800 wrote to memory of 768	5800	QLT.exe	120
PID 5800 wrote to memory of 768	5800	QLT.exe	120
PID 768 wrote to memory of 3784	768	cmd.exe	123
PID 768 wrote to memory of 3784	768	cmd.exe	123
PID 768 wrote to memory of 3784	768	cmd.exe	123
PID 3784 wrote to memory of 888	3784	BOKDWE.exe	124
PID 3784 wrote to memory of 888	3784	BOKDWE.exe	124
PID 3784 wrote to memory of 888	3784	BOKDWE.exe	124
PID 888 wrote to memory of 3564	888	cmd.exe	127
PID 888 wrote to memory of 3564	888	cmd.exe	127
PID 888 wrote to memory of 3564	888	cmd.exe	127
PID 3564 wrote to memory of 2008	3564	GZUHOMR.exe	128
PID 3564 wrote to memory of 2008	3564	GZUHOMR.exe	128
PID 3564 wrote to memory of 2008	3564	GZUHOMR.exe	128
PID 2008 wrote to memory of 5176	2008	cmd.exe	131
PID 2008 wrote to memory of 5176	2008	cmd.exe	131
PID 2008 wrote to memory of 5176	2008	cmd.exe	131
PID 5176 wrote to memory of 2192	5176	ZFK.exe	132
PID 5176 wrote to memory of 2192	5176	ZFK.exe	132
PID 5176 wrote to memory of 2192	5176	ZFK.exe	132
PID 2192 wrote to memory of 648	2192	cmd.exe	135
PID 2192 wrote to memory of 648	2192	cmd.exe	135
PID 2192 wrote to memory of 648	2192	cmd.exe	135
PID 648 wrote to memory of 3020	648	LCJW.exe	136
PID 648 wrote to memory of 3020	648	LCJW.exe	136
PID 648 wrote to memory of 3020	648	LCJW.exe	136
PID 3020 wrote to memory of 2232	3020	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe
"C:\Users\Admin\AppData\Local\Temp\3321057cb281adf6eaa8ecd5bd88cc3232a174fa464ca2cf141ed80e39d61496.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGJY.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\windows\system\CGJY.exe
    C:\windows\system\CGJY.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWKZBV.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\windows\SysWOW64\AWKZBV.exe
        
        C:\windows\system32\AWKZBV.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHOWO.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5332
        
        C:\windows\SysWOW64\YHOWO.exe
        
        C:\windows\system32\YHOWO.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PZY.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\windows\system\PZY.exe
        
        C:\windows\system\PZY.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MKQ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\windows\SysWOW64\MKQ.exe
        
        C:\windows\system32\MKQ.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLT.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5268
        
        C:\windows\system\QLT.exe
        
        C:\windows\system\QLT.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOKDWE.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\windows\system\BOKDWE.exe
        
        C:\windows\system\BOKDWE.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZUHOMR.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\windows\SysWOW64\GZUHOMR.exe
        
        C:\windows\system32\GZUHOMR.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFK.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\windows\SysWOW64\ZFK.exe
        
        C:\windows\system32\ZFK.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LCJW.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\windows\LCJW.exe
        
        C:\windows\LCJW.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RBYSFMR.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\windows\RBYSFMR.exe
        
        C:\windows\RBYSFMR.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRGZIVH.exe.bat" "
        24⤵
        
        PID:5084
        
        C:\windows\system\GRGZIVH.exe
        
        C:\windows\system\GRGZIVH.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFLDO.exe.bat" "
        26⤵
        
        PID:4572
        
        C:\windows\system\FFLDO.exe
        
        C:\windows\system\FFLDO.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FNECZ.exe.bat" "
        28⤵
        
        PID:5348
        
        C:\windows\FNECZ.exe
        
        C:\windows\FNECZ.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEKSUIT.exe.bat" "
        30⤵
        
        PID:5468
        
        C:\windows\system\BEKSUIT.exe
        
        C:\windows\system\BEKSUIT.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMBD.exe.bat" "
        32⤵
        
        PID:5820
        
        C:\windows\SysWOW64\KMBD.exe
        
        C:\windows\system32\KMBD.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFZ.exe.bat" "
        34⤵
        
        PID:556
        
        C:\windows\SysWOW64\TFZ.exe
        
        C:\windows\system32\TFZ.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\STS.exe.bat" "
        36⤵
        
        PID:5184
        
        C:\windows\STS.exe
        
        C:\windows\STS.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WERFL.exe.bat" "
        38⤵
        
        PID:5192
        
        C:\windows\SysWOW64\WERFL.exe
        
        C:\windows\system32\WERFL.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPQYHJI.exe.bat" "
        40⤵
        
        PID:4112
        
        C:\windows\SysWOW64\ZPQYHJI.exe
        
        C:\windows\system32\ZPQYHJI.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTIW.exe.bat" "
        42⤵
        
        PID:5160
        
        C:\windows\SysWOW64\XTIW.exe
        
        C:\windows\system32\XTIW.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CZW.exe.bat" "
        44⤵
        
        PID:1836
        
        C:\windows\CZW.exe
        
        C:\windows\CZW.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCJVXR.exe.bat" "
        46⤵
        
        PID:1052
        
        C:\windows\system\PCJVXR.exe
        
        C:\windows\system\PCJVXR.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QADWJMS.exe.bat" "
        48⤵
        
        PID:924
        
        C:\windows\QADWJMS.exe
        
        C:\windows\QADWJMS.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZEQMW.exe.bat" "
        50⤵
        
        PID:4280
        
        C:\windows\ZEQMW.exe
        
        C:\windows\ZEQMW.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CJOQQM.exe.bat" "
        52⤵
        
        PID:5168
        
        C:\windows\SysWOW64\CJOQQM.exe
        
        C:\windows\system32\CJOQQM.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FSKF.exe.bat" "
        54⤵
        
        PID:3964
        
        C:\windows\system\FSKF.exe
        
        C:\windows\system\FSKF.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLDHOYU.exe.bat" "
        56⤵
        
        PID:768
        
        C:\windows\SysWOW64\MLDHOYU.exe
        
        C:\windows\system32\MLDHOYU.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBXIIUD.exe.bat" "
        58⤵
        
        PID:116
        
        C:\windows\system\VBXIIUD.exe
        
        C:\windows\system\VBXIIUD.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZRGT.exe.bat" "
        60⤵
        
        PID:5796
        
        C:\windows\SysWOW64\RZRGT.exe
        
        C:\windows\system32\RZRGT.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CNR.exe.bat" "
        62⤵
        
        PID:772
        
        C:\windows\system\CNR.exe
        
        C:\windows\system\CNR.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAQIGS.exe.bat" "
        64⤵
        
        PID:5996
        
        C:\windows\system\KAQIGS.exe
        
        C:\windows\system\KAQIGS.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTCNWS.exe.bat" "
        66⤵
        
        PID:5164
        
        C:\windows\system\MTCNWS.exe
        
        C:\windows\system\MTCNWS.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PUFWM.exe.bat" "
        68⤵
        
        PID:2488
        
        C:\windows\SysWOW64\PUFWM.exe
        
        C:\windows\system32\PUFWM.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LKNJCT.exe.bat" "
        70⤵
        
        PID:4676
        
        C:\windows\LKNJCT.exe
        
        C:\windows\LKNJCT.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBI.exe.bat" "
        72⤵
        
        PID:1524
        
        C:\windows\system\GBI.exe
        
        C:\windows\system\GBI.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWWK.exe.bat" "
        74⤵
        
        PID:948
        
        C:\windows\system\RWWK.exe
        
        C:\windows\system\RWWK.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DSPZIM.exe.bat" "
        76⤵
        
        PID:5384
        
        C:\windows\system\DSPZIM.exe
        
        C:\windows\system\DSPZIM.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QNTZAHH.exe.bat" "
        78⤵
        
        PID:5172
        
        C:\windows\QNTZAHH.exe
        
        C:\windows\QNTZAHH.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HJMJKTR.exe.bat" "
        80⤵
        
        PID:3396
        
        C:\windows\SysWOW64\HJMJKTR.exe
        
        C:\windows\system32\HJMJKTR.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "
        82⤵
        
        PID:4144
        
        C:\windows\NHIMZS.exe
        
        C:\windows\NHIMZS.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HKFSRRF.exe.bat" "
        84⤵
        
        PID:2264
        
        C:\windows\SysWOW64\HKFSRRF.exe
        
        C:\windows\system32\HKFSRRF.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAC.exe.bat" "
        86⤵
        
        PID:1096
        
        C:\windows\SysWOW64\TAC.exe
        
        C:\windows\system32\TAC.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZJ.exe.bat" "
        88⤵
        
        PID:1988
        
        C:\windows\SysWOW64\YZJ.exe
        
        C:\windows\system32\YZJ.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARAABOE.exe.bat" "
        90⤵
        
        PID:5312
        
        C:\windows\SysWOW64\ARAABOE.exe
        
        C:\windows\system32\ARAABOE.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MIDCLFC.exe.bat" "
        92⤵
        
        PID:5204
        
        C:\windows\MIDCLFC.exe
        
        C:\windows\MIDCLFC.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QJG.exe.bat" "
        94⤵
        
        PID:5944
        
        C:\windows\QJG.exe
        
        C:\windows\QJG.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TBXB.exe.bat" "
        96⤵
        
        PID:1508
        
        C:\windows\SysWOW64\TBXB.exe
        
        C:\windows\system32\TBXB.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XUUX.exe.bat" "
        98⤵
        
        PID:3936
        
        C:\windows\system\XUUX.exe
        
        C:\windows\system\XUUX.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQMFA.exe.bat" "
        100⤵
        
        PID:464
        
        C:\windows\SysWOW64\KQMFA.exe
        
        C:\windows\system32\KQMFA.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWBOO.exe.bat" "
        102⤵
        
        PID:4824
        
        C:\windows\system\PWBOO.exe
        
        C:\windows\system\PWBOO.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SUOZMHK.exe.bat" "
        104⤵
        
        PID:5376
        
        C:\windows\SUOZMHK.exe
        
        C:\windows\SUOZMHK.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKEJCV.exe.bat" "
        106⤵
        
        PID:5008
        
        C:\windows\system\SKEJCV.exe
        
        C:\windows\system\SKEJCV.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JLN.exe.bat" "
        108⤵
        
        PID:4488
        
        C:\windows\JLN.exe
        
        C:\windows\JLN.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGGKH.exe.bat" "
        110⤵
        
        PID:1976
        
        C:\windows\system\UGGKH.exe
        
        C:\windows\system\UGGKH.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KHQ.exe.bat" "
        112⤵
        
        PID:532
        
        C:\windows\SysWOW64\KHQ.exe
        
        C:\windows\system32\KHQ.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCOTQLC.exe.bat" "
        114⤵
        
        PID:220
        
        C:\windows\SysWOW64\LCOTQLC.exe
        
        C:\windows\system32\LCOTQLC.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NLDW.exe.bat" "
        116⤵
        
        PID:5392
        
        C:\windows\SysWOW64\NLDW.exe
        
        C:\windows\system32\NLDW.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PEBBSM.exe.bat" "
        118⤵
        
        PID:2640
        
        C:\windows\system\PEBBSM.exe
        
        C:\windows\system\PEBBSM.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\APNN.exe.bat" "
        120⤵
        
        PID:1608
        
        C:\windows\SysWOW64\APNN.exe
        
        C:\windows\system32\APNN.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FVNPZ.exe.bat" "
        122⤵
        
        PID:5424
        
        C:\windows\SysWOW64\FVNPZ.exe
        
        C:\windows\system32\FVNPZ.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SQZPSJ.exe.bat" "
        124⤵
        
        PID:5096
        
        C:\windows\system\SQZPSJ.exe
        
        C:\windows\system\SQZPSJ.exe
        125⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GWZS.exe.bat" "
        126⤵
        
        PID:2428
        
        C:\windows\system\GWZS.exe
        
        C:\windows\system\GWZS.exe
        127⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TNWLWB.exe.bat" "
        128⤵
        
        PID:5760
        
        C:\windows\system\TNWLWB.exe
        
        C:\windows\system\TNWLWB.exe
        129⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDKA.exe.bat" "
        130⤵
        
        PID:5256
        
        C:\windows\SysWOW64\DDKA.exe
        
        C:\windows\system32\DDKA.exe
        131⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KJDWTA.exe.bat" "
        132⤵
        
        PID:5628
        
        C:\windows\SysWOW64\KJDWTA.exe
        
        C:\windows\system32\KJDWTA.exe
        133⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BMWWY.exe.bat" "
        134⤵
        
        PID:2208
        
        C:\windows\BMWWY.exe
        
        C:\windows\BMWWY.exe
        135⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSIZJTC.exe.bat" "
        136⤵
        
        PID:712
        
        C:\windows\system\XSIZJTC.exe
        
        C:\windows\system\XSIZJTC.exe
        137⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\INIVC.exe.bat" "
        138⤵
        
        PID:5324
        
        C:\windows\system\INIVC.exe
        
        C:\windows\system\INIVC.exe
        139⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGSC.exe.bat" "
        140⤵
        
        PID:6100
        
        C:\windows\system\SGSC.exe
        
        C:\windows\system\SGSC.exe
        141⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHXRII.exe.bat" "
        142⤵
        
        PID:5128
        
        C:\windows\system\NHXRII.exe
        
        C:\windows\system\NHXRII.exe
        143⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVWQ.exe.bat" "
        144⤵
        
        PID:752
        
        C:\windows\system\VVWQ.exe
        
        C:\windows\system\VVWQ.exe
        145⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CAPL.exe.bat" "
        146⤵
        
        PID:840
        
        C:\windows\CAPL.exe
        
        C:\windows\CAPL.exe
        147⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYYJH.exe.bat" "
        148⤵
        
        PID:4872
        
        C:\windows\system\CYYJH.exe
        
        C:\windows\system\CYYJH.exe
        149⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QPFQ.exe.bat" "
        150⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1976
        
        C:\windows\SysWOW64\QPFQ.exe
        
        C:\windows\system32\QPFQ.exe
        151⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TQXOM.exe.bat" "
        152⤵
        
        PID:2056
        
        C:\windows\SysWOW64\TQXOM.exe
        
        C:\windows\system32\TQXOM.exe
        153⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VVCQ.exe.bat" "
        154⤵
        
        PID:5292
        
        C:\windows\SysWOW64\VVCQ.exe
        
        C:\windows\system32\VVCQ.exe
        155⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEXFSGZ.exe.bat" "
        156⤵
        
        PID:1768
        
        C:\windows\SysWOW64\YEXFSGZ.exe
        
        C:\windows\system32\YEXFSGZ.exe
        157⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RRLS.exe.bat" "
        158⤵
        
        PID:1868
        
        C:\windows\SysWOW64\RRLS.exe
        
        C:\windows\system32\RRLS.exe
        159⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IKIRUY.exe.bat" "
        160⤵
        
        PID:4832
        
        C:\windows\system\IKIRUY.exe
        
        C:\windows\system\IKIRUY.exe
        161⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KLF.exe.bat" "
        162⤵
        
        PID:3496
        
        C:\windows\KLF.exe
        
        C:\windows\KLF.exe
        163⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YBOCVTV.exe.bat" "
        164⤵
        
        PID:5128
        
        C:\windows\YBOCVTV.exe
        
        C:\windows\YBOCVTV.exe
        165⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AZBFTF.exe.bat" "
        166⤵
        
        PID:6048
        
        C:\windows\AZBFTF.exe
        
        C:\windows\AZBFTF.exe
        167⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WFNQ.exe.bat" "
        168⤵
        
        PID:864
        
        C:\windows\SysWOW64\WFNQ.exe
        
        C:\windows\system32\WFNQ.exe
        169⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YNJXNHW.exe.bat" "
        170⤵
        
        PID:4968
        
        C:\windows\SysWOW64\YNJXNHW.exe
        
        C:\windows\system32\YNJXNHW.exe
        171⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YWGOHR.exe.bat" "
        172⤵
        
        PID:5368
        
        C:\windows\SysWOW64\YWGOHR.exe
        
        C:\windows\system32\YWGOHR.exe
        173⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HZWKVAW.exe.bat" "
        174⤵
        
        PID:2956
        
        C:\windows\HZWKVAW.exe
        
        C:\windows\HZWKVAW.exe
        175⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HAJWQI.exe.bat" "
        176⤵
        
        PID:4520
        
        C:\windows\SysWOW64\HAJWQI.exe
        
        C:\windows\system32\HAJWQI.exe
        177⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ETKYCMY.exe.bat" "
        178⤵
        
        PID:412
        
        C:\windows\system\ETKYCMY.exe
        
        C:\windows\system\ETKYCMY.exe
        179⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YJIAVXW.exe.bat" "
        180⤵
        
        PID:2868
        
        C:\windows\YJIAVXW.exe
        
        C:\windows\YJIAVXW.exe
        181⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XCXIF.exe.bat" "
        182⤵
        
        PID:4952
        
        C:\windows\system\XCXIF.exe
        
        C:\windows\system\XCXIF.exe
        183⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DXIS.exe.bat" "
        184⤵
        
        PID:5608
        
        C:\windows\system\DXIS.exe
        
        C:\windows\system\DXIS.exe
        185⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RORFR.exe.bat" "
        186⤵
        
        PID:1864
        
        C:\windows\RORFR.exe
        
        C:\windows\RORFR.exe
        187⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IGPL.exe.bat" "
        188⤵
        
        PID:2036
        
        C:\windows\system\IGPL.exe
        
        C:\windows\system\IGPL.exe
        189⤵
        
        PID:464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1316
        188⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 1304
        186⤵
        
        PID:748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 968
        184⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1336
        182⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 960
        180⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1272
        178⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1328
        176⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 976
        174⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 960
        172⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1328
        170⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1308
        168⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 1324
        166⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 976
        164⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1008
        162⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 988
        160⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1328
        158⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1308
        156⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 960
        154⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 964
        152⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 960
        150⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 964
        148⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1324
        146⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 976
        144⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1280
        142⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 960
        140⤵
        Program crash
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 976
        138⤵
        Program crash
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 960
        136⤵
        Program crash
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 964
        134⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 964
        132⤵
        Program crash
        
        PID:2196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 960
        130⤵
        Program crash
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 960
        128⤵
        Program crash
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 960
        126⤵
        Program crash
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 1316
        124⤵
        Program crash
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1328
        122⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1328
        120⤵
        Program crash
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 1248
        118⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 1296
        116⤵
        Program crash
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1308
        114⤵
        Program crash
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1308
        112⤵
        Program crash
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1248
        110⤵
        Program crash
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 960
        108⤵
        Program crash
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1316
        106⤵
        Program crash
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 960
        104⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1336
        102⤵
        Program crash
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1328
        100⤵
        Program crash
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 960
        98⤵
        Program crash
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 960
        96⤵
        Program crash
        
        PID:5492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 1324
        94⤵
        Program crash
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 872
        92⤵
        Program crash
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 988
        90⤵
        Program crash
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1308
        88⤵
        Program crash
        
        PID:2532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 972
        86⤵
        Program crash
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1308
        84⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1304
        82⤵
        Program crash
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1328
        80⤵
        Program crash
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 976
        78⤵
        Program crash
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1316
        76⤵
        Program crash
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1004
        74⤵
        Program crash
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1336
        72⤵
        Program crash
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1324
        70⤵
        Program crash
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 988
        68⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1336
        66⤵
        Program crash
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1316
        64⤵
        Program crash
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1336
        62⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 960
        60⤵
        Program crash
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 988
        58⤵
        Program crash
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 988
        56⤵
        Program crash
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 960
        54⤵
        Program crash
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1256
        52⤵
        Program crash
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1324
        50⤵
        Program crash
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1312
        48⤵
        Program crash
        
        PID:700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 1268
        46⤵
        Program crash
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 960
        44⤵
        Program crash
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1328
        42⤵
        Program crash
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 1328
        40⤵
        Program crash
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1328
        38⤵
        Program crash
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 960
        36⤵
        Program crash
        
        PID:5796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1240
        34⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1304
        32⤵
        Program crash
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 1000
        30⤵
        Program crash
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1324
        28⤵
        Program crash
        
        PID:5948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 696
        26⤵
        Program crash
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1004
        24⤵
        Program crash
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1304
        22⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 960
        8⤵
        Program crash
        
        PID:5888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 960
        6⤵
        Program crash
        
        PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 960
      4⤵
      Program crash
      PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1244
  2⤵
  - Program crash
  PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2620 -ip 2620
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3104 -ip 3104
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5428 -ip 5428
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1448 -ip 1448
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5980 -ip 5980
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5544 -ip 5544
1⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5800 -ip 5800
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3784 -ip 3784
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3564 -ip 3564
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5176 -ip 5176
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 648 -ip 648
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2232 -ip 2232
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2220 -ip 2220
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3128 -ip 3128
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5472 -ip 5472
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5764 -ip 5764
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 116 -ip 116
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5032 -ip 5032
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1720 -ip 1720
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5760 -ip 5760
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1416 -ip 1416
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4512 -ip 4512
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5204 -ip 5204
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4404 -ip 4404
1⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2188 -ip 2188
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1940 -ip 1940
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2160 -ip 2160
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4816 -ip 4816
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3968 -ip 3968
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2344 -ip 2344
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3940 -ip 3940
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2036 -ip 2036
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4412 -ip 4412
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5084 -ip 5084
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4056 -ip 4056
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3576 -ip 3576
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2420 -ip 2420
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5900 -ip 5900
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6032 -ip 6032
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2200 -ip 2200
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4036 -ip 4036
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3376 -ip 3376
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2884 -ip 2884
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1924 -ip 1924
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1640 -ip 1640
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5372 -ip 5372
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5208 -ip 5208
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4680 -ip 4680
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4672 -ip 4672
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 116 -ip 116
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1480 -ip 1480
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3324 -ip 3324
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3384 -ip 3384
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4320 -ip 4320
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4956 -ip 4956
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4224 -ip 4224
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5748 -ip 5748
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5336 -ip 5336
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2548 -ip 2548
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2588 -ip 2588
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5172 -ip 5172
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6012 -ip 6012
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2480 -ip 2480
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2244 -ip 2244
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 448 -ip 448
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5084 -ip 5084
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5396 -ip 5396
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5136 -ip 5136
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6088 -ip 6088
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3976 -ip 3976
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5848 -ip 5848
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2116 -ip 2116
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3020 -ip 3020
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4564 -ip 4564
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2512 -ip 2512
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6004 -ip 6004
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5076 -ip 5076
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1788 -ip 1788
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1656 -ip 1656
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4160 -ip 4160
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4528 -ip 4528
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5916 -ip 5916
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3976 -ip 3976
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4776 -ip 4776
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3728 -ip 3728
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 4856 -ip 4856
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1004 -ip 1004
1⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4700 -ip 4700
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4408 -ip 4408
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4144 -ip 4144
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 5500 -ip 5500
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5856 -ip 5856
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3248 -ip 3248
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FNECZ.exe

Filesize
289KB

MD5
1cda26e187fe9af2377874b5b73ee44b

SHA1
fd4a19dde174256934f5318caea723fce11ac9fe

SHA256
7ec69b9eadf501370f722942070a43c4913e2e22e7a12b052a08cc33697fd51c

SHA512
46d1e41153f2176cc2a0d501df338d227e6ef50593acdf9a80a3750d11f068ce9ef76e3e3f747e3c114fb49082c2189ef9b34b770017d88f5709e3fdab0ded93

Download Submit
C:\Windows\LCJW.exe

Filesize
289KB

MD5
0112caf166e7796ff7312a6a246e88df

SHA1
aec49712df4d5680a98ad1e211466d54fec0a836

SHA256
efa520804868e5a103bb7910c7f4e1f1aa7a0befc60be252653509d76cabd021

SHA512
44881bd359ab32c10d3628cdd83ee95234e562b537089b48d59d049304f8eb4b9aa5b68c96a7fdec47aa0194061a991c5cac10c45b8bd10b5b3dde91381f5081

Download Submit
C:\Windows\RBYSFMR.exe

Filesize
289KB

MD5
53a622ebdb2d8223602678557b3a2de2

SHA1
5c9a89e9f56668e201a2a8efee51462a83c82795

SHA256
49a633c2e0a7c6ea756ca4e06dae2fa12c5048798c07d3c67c5ed0f35ec19ac1

SHA512
e4dd19089e94ceadf936255f3566850b158f326520bf3dd6e25c43abb37e8698bbef063be865f0b7c30120d63b99c0851039d8c94e3c3d5038a4f07c2d2407c9

Download Submit
C:\Windows\SysWOW64\AWKZBV.exe

Filesize
289KB

MD5
40c81fe554af37b13b78db47bdd3885f

SHA1
4d001e3eabd6c6e75c7eb6fb5ec29815238a1aa6

SHA256
46382282225053d6f025ab3f7bf216679aab8bf7f12e20da724b442e99481fcf

SHA512
7d588a0d7dd1ff944cab0575883cb1843cf491249ade351383c36807a17065445c226eac77c399c5018feec6abf76cdb8da69786568c1a1bf77b623429b50f93

Download Submit
C:\Windows\SysWOW64\AWKZBV.exe

Filesize
289KB

MD5
dcbff2dc02266b7ee4dd7f0926cb0d6b

SHA1
4a621b15af75be15b8453ad4759aeaa93fbb1c52

SHA256
902526bda04f048d36a901486a8bb0341b04711a58c70f50661c0798e942ed67

SHA512
0875936e850b04816e69c261fc8b15a72d649e30eddcd79404b9b7b7879e89dcfb9a0604e62d9df8796989c202a902feedbbedb5fde7b19b101b905973bc141b

Download Submit
C:\Windows\SysWOW64\GZUHOMR.exe

Filesize
289KB

MD5
7237e9315ec7de3cb09986912fe31d3e

SHA1
f4b23badd8965eaa84a12b832492eae27119456d

SHA256
e07b3d7f155e52a2b480951eeac0e7181405fc791c11b27813d67d9f0d9e97d4

SHA512
ebcaf75654016e0ef2942062630afdcd9dc9665c104508360aed230d9807ae0ca6febaf220f3f9d48d74ff5de106d9b343a12be54f60e9f94d06e9a5c5e38bea

Download Submit
C:\Windows\SysWOW64\KMBD.exe

Filesize
289KB

MD5
986697e6dafce9fb4b2aef4729b64560

SHA1
9d2e986cf51f27b046ea5653837a4716f02cd7b3

SHA256
0e89b91f2879c856ed9fde79b07e16f389e032f1e0dbe7e5555e7a92fed15ac3

SHA512
07f05a5e63b8f4f60a0fbd71cc21d02965cf654d2e491fa86c7b8e8c39252ce1598321ad53291053de14deaa4035be6feb1f6df721caee753334f96630946940

Download Submit
C:\Windows\SysWOW64\MKQ.exe

Filesize
289KB

MD5
8567577f96b2baa72ba8b26a5444d8c9

SHA1
0340e819cab06b8e717fe98ba0831e3b060e8e40

SHA256
1b765e04e683879c19567bec3b0eb7cb654921690efbeb9a2fd8a205ff168273

SHA512
5651d3989878a57a1d544e973ab8cef67292decc579630a8eb20fe35f628a16e768514ee8a6205e2e9584bee40a1faccc5fb50b065c5de490d085cfa5ada5df1

Download Submit
C:\Windows\SysWOW64\TFZ.exe

Filesize
289KB

MD5
8d1e162a3bee0983be3466db89a27aaf

SHA1
2473434e56717209a2152f925ff4c35c8017ee2f

SHA256
7990fdc401848d48922a5e2be913f9f3dc43287e381bc0efd8fc8d51ec54103e

SHA512
a99a1799ddc1efd93fb890fee19db87be9fb7376c744b736d438e971b33a0acc5e41a4d3b08c4873895f82d7bb5cbcafa22b7840fd4bb04e43260af9d53d196e

Download Submit
C:\Windows\SysWOW64\WERFL.exe

Filesize
289KB

MD5
33bebcfb720e6bfd0778cf40a01f0995

SHA1
35bcb55645a1ba6994cb72dda225edf50f79c97b

SHA256
908187e58135af241a6a9e832580f35155240ba4c833320ac175a98bb73aa695

SHA512
780f5b89649d94717a69fdb8fdd1929b1449beadf56eb81182c17edc11c7b6e6ac1bd4d9df6d11cb09b799bfe2de34eae5a40e187678a849114adf6687e6e990

Download Submit
C:\Windows\SysWOW64\YHOWO.exe

Filesize
289KB

MD5
38b158b68965b0a027336f19890fc211

SHA1
c429a91cf82cfac1f06f5d830f362d9ff688f669

SHA256
bbe1219c3bf13364e712816661127f379d43e86fc0eeeabf4b9ef4cb274d515f

SHA512
82519ef37ecf63790d229134ebf4a59f463cc102e55882edd5eb6d7c059a291cde270ac4bb65734a607499245502c3699daa4656d5c2b271c082868771b3dd78

Download Submit
C:\Windows\SysWOW64\ZFK.exe

Filesize
289KB

MD5
493d8e6adb6d9b48cc8206467595d26d

SHA1
f765d356146f05b5b91d7246660d201c1fcde170

SHA256
e7e5b07bf682cbe8f595f8ce6946a1a7f6de3a5122c1e86b1cefda052f1e7358

SHA512
d9082ad1f36d1c3cd7c40aeec70e6ff23e4e76e251f327b8fde9c17bf0d5b240f6bd2672b4ffdaebc502bf5d55fed7b034bdae7e200539ab1c9f17a3c9b1d6e2

Download Submit
C:\Windows\SysWOW64\ZPQYHJI.exe

Filesize
289KB

MD5
444bbae44ab50638028ba9f937d2aa52

SHA1
97c23e81ada5798a1a5f6454897d1e502d729222

SHA256
82caad7802458e013d9495b0713d0afb6017f3c5446bb076cada24a17e7e76b9

SHA512
6ea1ac6c793c4790f7d0cb2ca71264ddbf2e8698d0adf0d2f5931aaff5b5dfcd48b89a4bf5407272e9e64f312f894adb5a4836b75f45fd4a363eec38a7f9b99a

Download Submit
C:\Windows\System\BOKDWE.exe

Filesize
289KB

MD5
005e5350a125706b1d17c01fa0f01d9c

SHA1
f097bf6362b2145279374416bdcd66c15c2cc3fb

SHA256
912821f9c59625ee188b83c610b7825d221237be39f575e0d3c4312905430c5b

SHA512
734929963ffc02f9bd66dfef472c700bef800412b848e35a4386943bc575115e87ea9bb30b1fb3767def72a922ff0df1993d3ad800419e673f5a1334c0863d77

Download Submit
C:\Windows\System\CGJY.exe

Filesize
289KB

MD5
5ea613f2e73342cc41e9207acf54e480

SHA1
39ff70cdc301b57a7c728e38952d7aa7e436fbce

SHA256
08818c60cf4ccdd85a97455981c052fb9f96f5a66d4413b9bc95a1b5df136b1b

SHA512
37fe9182a76ef30c47d639512bc24a7acfd4a136c8f89ec64bde008bd02dab9743915ace46c39645cdfa73456fa48f0ddfaa180caaa746a4cef4f837ff8c05fe

Download Submit
C:\Windows\System\GRGZIVH.exe

Filesize
289KB

MD5
c36412adccf875bc1bd386357d151901

SHA1
0a57261194b4ac7ceb790193c5ee52dd6f6e45d6

SHA256
b432cb8b039d4bd36903917f4d08cadf8832c2d786172a1bae46568b84fffa7e

SHA512
076b461036ee9ce1836976732f3bf528558f4ea475df9eee637641ddb6ff11d80e41a7f0408ea3b7516d6ca005a67acbbc61cd1fb32a6947ad4ecae6163b3c0a

Download Submit
C:\Windows\System\PZY.exe

Filesize
289KB

MD5
bd9285fe5e784139869ccd0aa3bbf2df

SHA1
464420e342793a95cb2b89a472f11daf21f384ba

SHA256
1e7c8077aff92ae3c1a1e49719f8f554d2f13c59b4e0a70c62109cdafb5cea13

SHA512
047627dce51217e193566aab5ce20441553957cd3b12ef89822ce5e132015819cfbed1ab7ff77b769db8e1cda428e2f42ccd9918dff029cdeb47123845a6bc77

Download Submit
C:\Windows\System\QLT.exe

Filesize
289KB

MD5
f0fe4e11766ed4440c612fbb41c719bf

SHA1
81727ef1850bbfded36cf7347294d00f7f46192f

SHA256
9e52356a9174fd6266adf0dcfda85422440d67e868dfb303bbdc6ecbebc52e95

SHA512
e60dd702bce33239e3188d55891d19771ed864ce820e88562ad058a201984377ae0dcfbba3db8da5dafc53d12633f03cf228f0225b26124c87d5f992b0c78a6c

Download Submit
C:\windows\CZW.exe.bat

Filesize
52B

MD5
1cc1ffd85deab3fcea8670e4510211ed

SHA1
6b157c8382b5a8c42550749cc214d90bfa046e7b

SHA256
1e0d22b347e1e3ac190cc5b4fb0b86039f0428b2d924222a1942ec20be6b6506

SHA512
c3761d79de6572c10b3e3af44d6f2bc1f226190d95a83306945ca3e360c6873e97d1f35acf9da3cf2024f711ee08547be28987ef20228c1adf1bf123d64f901c

Download Submit
C:\windows\FNECZ.exe.bat

Filesize
56B

MD5
44b668b92a43354870b93296ced9af1a

SHA1
70e551d9b303286b9b3504e3ebb61aea995da006

SHA256
e5870cf30c794ed89e60d1e1a7c2fbc22c3168ddbd3ebaa9205a78f17e6670d3

SHA512
e02b4a7e044a161a569dc147d2da12201cbd7a1dae042b78921e416701dbd5a6205c14ae911291294792b3bbda96a1ec4c79c0c91f556af286594d708df36cd2

Download Submit
C:\windows\LCJW.exe.bat

Filesize
54B

MD5
8077a88510f8a24999737d09faa6f242

SHA1
5b43e3bb20791f87ccdd86df19f3b2eb2530d375

SHA256
0a75af644f0bb9b272d12acc53a2e5d81bcda19e4b620a87748ff3648450a474

SHA512
7f7fa20edc5d8e9cf33203488f5110518beb86126d4edc77b69839d12b80bd5341201590282efd60f9f3ade50265aff7dd1941bad14c9c8c7f7c66c203090d3d

Download Submit
C:\windows\RBYSFMR.exe.bat

Filesize
60B

MD5
2afb9c3e93575c184a5243ea2184fb93

SHA1
77a70b3363bc944c280f2da0b04b6c66ed138a04

SHA256
790d28beb1cdbf28c9a29ed72038fdde406c3ccbc7b8733e0d67371a489a92eb

SHA512
65649fc773703e2b0da9cf7badeec86c712fe3f5a158253d55158ad3e23bf52ead40dcacfa8f6e35b2d0a019e316619f4a733c90cd1e5f9462dcf633fbbcb734

Download Submit
C:\windows\STS.exe

Filesize
289KB

MD5
28e005fe93268b7e4031339830d98de9

SHA1
09050904fb9a172ce0fc85452a594bc2f0c0e6f7

SHA256
8e10e09db374a60df24152ffb394048031d993eb9b23fc741421c8a5eeb0f0a6

SHA512
72125416320fc83a89b8e9e285618bcde5465d7a8f81f75370a348fb03719a7a3a2c4d662cb5d9f8735e4efc9357960b76da62ac5ce3b96f1a8e046d8813b5d2

Download Submit
C:\windows\STS.exe.bat

Filesize
52B

MD5
f4eb94b667222a258e28468aa2428c07

SHA1
f8eefbf23ebb367a0cf0e5915d550f9296083e20

SHA256
38ab8266b27249681ab6d21edc5f2f1d5f31dba2ca224432bfac1ec9638d21ce

SHA512
7f03afce92230a958788286d6d148076f9852145bd95a01421880a685f588c2969078fbc79a264e4971dcc44cdb250e3e1ed4c72ac09e51ad1b85d92824f95be

Download Submit
C:\windows\SysWOW64\AWKZBV.exe.bat

Filesize
76B

MD5
43c8414433cd70a07bb198c1f43acb7a

SHA1
713429dcc01c7e59b9832ac2d5b1b06f845b2040

SHA256
37e2a1cfe5e299fe06c3002810b45f973d63aecbe04a844c0df84a89026fa95d

SHA512
b0df744ccda0605583ed41530d722762d40ba40ae34863d557d1c90b34a70191a06c6d1522b91670587f2adf88d762b2fc3407f65619fff24197f66f9c2afe99

Download Submit
C:\windows\SysWOW64\GZUHOMR.exe.bat

Filesize
78B

MD5
a382f01ab2aba2309ad1c0ce2f40d8fc

SHA1
d6ac933531f80f22184c8a1cc7747126d3c4063b

SHA256
4c8083c601b2f4160aad77ae65611f4d27bc65d3941471441a51bfb72389608a

SHA512
8c6cb932b0086a4274b5e1613e80425b5aa26c4f8554fc205300afc90ac990cda7bfa7a7e1b214b3029acfa6ee3d88e3f9f1e20742928ed1b40bda0e7f420588

Download Submit
C:\windows\SysWOW64\KMBD.exe.bat

Filesize
72B

MD5
4c39dfc6414aac72251b9ab772682d51

SHA1
a9023bd36a37b8a58fbe693765fa4cdb4512f365

SHA256
558549249a87d93914a6c889016f6e66aeea84124cd5f956d1347977596dca38

SHA512
4c24418efb2a6781d237d104578fa4eaf12c64492b2aaec54508f4dd06ad8429865baf7d54718e4b1e1a9d02492afedcbe53931af56e5719a2575227740ba1a0

Download Submit
C:\windows\SysWOW64\MKQ.exe.bat

Filesize
70B

MD5
a17a43ac9d8286cb8c664e20adc3235a

SHA1
325eab62bd9ef1c83770f5510a895ca2e3bb3c55

SHA256
cd599d615cbf2d94baec162a20464ca7948c1e1b6bcb2a5556704bfa3daee411

SHA512
fc442de6404f6bc875dfc18e2c192f8bb3b29a62909d466dc9cccb272a9705d92c21d6f603b1c68f7fe38cbd4267e76d72512f8d34a73534d1e420f0071d967f

Download Submit
C:\windows\SysWOW64\TFZ.exe.bat

Filesize
70B

MD5
1e569fd78a280c11f44b0c5e1041ba90

SHA1
1d3fdb5c10f41b4562722001e7f8c84cf9e6c343

SHA256
e54f10a4669f32584c38efa3131f1f6b622f5f64c7028c8b38d9731def64b6fc

SHA512
b46aa1beaeb0453e9df0d616d7ec1c8dc5d09f42a9d10e86d5ab7ef416bb010298b98ada978665a0549637423fc55516b29e3cee43afdcf0e857abf716f6adc8

Download Submit
C:\windows\SysWOW64\WERFL.exe.bat

Filesize
74B

MD5
ab0f8dd619867c23d3cfcdeed5d3f37e

SHA1
8a8f3ad3a20252a3f565589faffb05d63e579950

SHA256
e8da292a2776ba042976ab7fa1c406dc5850424f65ed1fa59e74d5c58d1ef468

SHA512
01548288c0dd761d611d16a994474a5264dc911637c47c63ba9959335736b1ce4d95bae929e41b22f5dcd1b8b4551811e6af5b4d459376b6f2842572270cbde8

Download Submit
C:\windows\SysWOW64\XTIW.exe

Filesize
289KB

MD5
9fdeb397c93565622798ced1762af421

SHA1
c2d2cc89a66f4c902d37f467f20230877544c185

SHA256
0bcd15a95dcb4ced809cc4e4340427af5f5750ec22343e741a88417246210f78

SHA512
9000e6dac3fbd3b4276aae857f6ff25fd234c13c7056f4fb80f8fc6c12ebecec674fb475d2b2edc736e924b215036e2b653e4bb1bdb096320a4c8ba081ade1ad

Download Submit
C:\windows\SysWOW64\XTIW.exe.bat

Filesize
72B

MD5
4b27dd58d9ade79ae8049bb3e551eb78

SHA1
5aab4a8297beb96740eea281184dfb110cbc20bd

SHA256
95458b316d692f686ebdc9785b2861e69d7d7b2556e6f19c843d7bfe6aeb7d5a

SHA512
2fda7e3023a27ff8094f48de42d8097edd82c76c2f6632d6e2820a68c4084f86b88203fd8c11480812d47f85eafca5f1fd34a8e1935c524d1182915851658815

Download Submit
C:\windows\SysWOW64\YHOWO.exe.bat

Filesize
74B

MD5
0eda809c7c0f9978dabc80b2f9c4bf56

SHA1
60101d7a0588a209aafc1a04e488d9f3d15e91c8

SHA256
9f31c63d8be87b14373f51c16fd153accdf0fc28c6387bfb71e11f4f94de7674

SHA512
eeacb02218b1f6f136ab363a0d73c4cc2b69037bc6453a029b652029beba5eeb625d7806ef71474ceef85eabf12ecdb47c51e46cf68874bd901a44e3b7e7c215

Download Submit
C:\windows\SysWOW64\ZFK.exe.bat

Filesize
70B

MD5
f5df02fa12a83caa06d19c2bce0768f6

SHA1
d8bddaf7ebcb7c643f5e3bc4f2d2942705b429fc

SHA256
b3a968a4d93b271f2189257651982873d2dd73b08d939ab0e08fce6cd7e4ed14

SHA512
c94e114f76e2820b63edcf086f5cae7758280f912da020b5ccfeda9cea73de047fd7add171344119579b92e17479ad86ac5476bee206cb4a0d0d2da8b585076a

Download Submit
C:\windows\SysWOW64\ZPQYHJI.exe.bat

Filesize
78B

MD5
eec9d15082cac81a4b54869132c5357d

SHA1
083b0d848663b838d59d92ff986b33e7e25bc1c5

SHA256
f2e5e236afd94b245e367ccd78e075dd21cd0c386c5d8a6285633aa65dc81b93

SHA512
491fe50ceb5bc3c4244d28ed9d8fb1b7addccf73761d42e77aae05df58cbb1aa33d3e8e26030588e6e5453a61a18a4340647826428bf24caa5c68862d8903fe0

Download Submit
C:\windows\system\BEKSUIT.exe

Filesize
289KB

MD5
7adcef7393bd63bfa3d1f789dad6769a

SHA1
ccbdc5f8c0eb401d626a968b247fe23e62a63f03

SHA256
565bfe83d8d171b7596ea394ec7d01b977994eba8808f54168535b8a8d67405a

SHA512
329ab5cf2e5afcc7514c5aba488ebabbb680d002e019ab0499939c5be8124185f0c928317c1238510976d59ecb3c9f858715ddc73a7579952c441d79a23f2137

Download Submit
C:\windows\system\BEKSUIT.exe.bat

Filesize
74B

MD5
74b6fc8a5794e6ae4195fa57c9b19eb4

SHA1
60d20e1d7386f570437fa6255312c3bab41dc1b8

SHA256
f1e68a4ec829bdfe6814c9e9b73657f2a843733a0b2d6f197bf936a02d25187e

SHA512
f7f96822be7044331babcecf9e702daad14a33093d5a295c3f8a1f4bd42b4ac76471b96ab31f61eccb41eca0ea3421b9cd7e813d43156919810b3c363ec83a3e

Download Submit
C:\windows\system\BOKDWE.exe.bat

Filesize
72B

MD5
b9e929ccb98220dca784560e9428e429

SHA1
a652be8140e4a66e3f55c48d88e08912434fb072

SHA256
6a4c5220c80c47ece581784c2ea5412ccf74e273cd07e11565f2b7db53c08ade

SHA512
725433ca3daa178ea20b5e317a62ba5b19042b80b06d7d3c9153f42f819097540067354ecb0211eb23ab344a70897eb133c84850aaee4ec3db8b2680eadb0f3c

Download Submit
C:\windows\system\CGJY.exe.bat

Filesize
68B

MD5
e9f57979ddae0be4bae75ade0a7fc6e7

SHA1
1f731a541cc96405d14e7baf2a2e755a8a3e4b9c

SHA256
304762cf224f254cdbf9ca2c6508342ab1477a5ee5c6024100c90b3b4128cca2

SHA512
4707303f54b597f911c0b271087a11cc0a902c3efdd16672c8bd1e68000276af7ef18582009c229b4edbc8221e4dba40ced4f8b792289968c70f60f25703c671

Download Submit
C:\windows\system\FFLDO.exe

Filesize
289KB

MD5
0dec389f884ec89737b53cf9d2e7822d

SHA1
c15217a861140ce817700aaa6529fc2a902adcd5

SHA256
85400e4c5ff284205150ca5e848a951017f9d185d215b6660e7a910d55e37da2

SHA512
69a96f4c7ffbf1538fc4c8bac1154a3113963546e000f8ddcd0c1221e1fb52670ac7c7eda6c85a64c0a66463e8abfbfe9224f67def873d2facc706d1867428b4

Download Submit
C:\windows\system\FFLDO.exe.bat

Filesize
70B

MD5
6f776aa41088f806e4e1126e83c3724a

SHA1
f3f3217719c64a720c43aaa948b5694663345554

SHA256
638ad6f47c419ebe3641f6fffa4b5e9393e62561330617f64043bdf6b0cd0440

SHA512
a8f446067f8f15019695e21db2cfb723e784b893b59a5e7a9df4320ab8e6e0aa9016cdd448f6ab4896f7b72e68f14649c06e896142f47ce7287e31ba17acc9d3

Download Submit
C:\windows\system\GRGZIVH.exe.bat

Filesize
74B

MD5
8e772fb6fbed41f015a70c24866faab9

SHA1
7836552b030e63d37ce01c562caadfbbf9efd720

SHA256
8bf3c8753e0e110c9585d56c87010c086ae2e0902ade346fd532741a218e2f9b

SHA512
3ce09f48fa8b37aa864b746c8aa58ae7e567ab7b7a6221d7e83e40c1498d59ea63ee29f4fde0ebb470d24d9765bd53f251013d464c93b79d2565ed63099f22e4

Download Submit
C:\windows\system\PZY.exe.bat

Filesize
66B

MD5
decf27edb7ef071873cda0c45f9aa0cb

SHA1
9c94ca56815bc8b47f8ccc1064eb36982e3d7eb3

SHA256
1028d42d204d203987777e1f7823566a1a28ab9fa2b57411e22f274bf8346722

SHA512
2c6da53b5bdfac77d30011da65757a8b2592bfd88b2896c214787dc7b094421a3ea5986ae7d6c0ee98155c61267b438d18c6ef009ae1f635ff11497d0fe5343d

Download Submit
C:\windows\system\QLT.exe.bat

Filesize
66B

MD5
68b16c1d9628f207918b17515f5e3b65

SHA1
e8a728cf3e9df1274444b9703744aae534332cc7

SHA256
05abebea955a39bf31f220c110e2236b80f53b4f9e6bcd3d460ca35bf84974e7

SHA512
c3fd4907520f709908d77bbb898a82864dc3ac22c4ef156e2afd8bb2f8e9a5f6058288c8fdc380e617e6d9c2d88723443155b055e3a985d5b71085ec83921071

Download Submit
memory/116-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/116-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/648-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/648-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3940-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3940-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5176-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5176-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5204-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5204-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5428-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5428-114-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5472-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5472-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5544-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5544-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5760-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5760-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5764-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5764-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5800-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5800-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5980-43-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5980-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download