0923d0ac98ab34176f2bd74a6fb71371e4bc8419823d1012871040bc8fa704eb

Analysis

max time kernel
115s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Size

282KB
MD5

5d02bc977215b338c0b7f944413afdc0
SHA1

5871cd14ec1e8bc9a97f5e9b589ad077c6631971
SHA256

0923d0ac98ab34176f2bd74a6fb71371e4bc8419823d1012871040bc8fa704eb
SHA512

bc3d0cb4bd6cd123201a5a03ceec1699d0bc961e57d516164360acae15d854c878284d3c94fb41f174023796faaede280a983ae39340db4f3d509004fe648d44
SSDEEP

6144:IF4q1TyahVHIB4RnH6NXj5kEjiPISUOgW9X+hOGzC/:Iqq1Tlhij5kmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 22 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\System\HELJZJ.exe	family_berbew
C:\Windows\SysWOW64\VZZJ.exe	family_berbew
C:\Windows\SysWOW64\VZZJ.exe	family_berbew
C:\Windows\WXHSM.exe	family_berbew
C:\Windows\System\ZFUZC.exe	family_berbew
C:\windows\SysWOW64\AJWXU.exe	family_berbew
C:\Windows\SysWOW64\EMHKDCX.exe	family_berbew
C:\Windows\PDCZT.exe	family_berbew
C:\windows\YGBGP.exe	family_berbew
C:\windows\YJUR.exe	family_berbew
C:\Windows\System\RXFP.exe	family_berbew
C:\Windows\AFVRD.exe	family_berbew
C:\Windows\KYRRQT.exe	family_berbew
C:\windows\system\RMZK.exe	family_berbew
C:\windows\system\XSSX.exe	family_berbew
C:\windows\PVL.exe	family_berbew
C:\Windows\SysWOW64\CBMRFW.exe	family_berbew
C:\Windows\SysWOW64\AMD.exe	family_berbew
C:\windows\DFGY.exe	family_berbew
C:\Windows\SysWOW64\XDHJDXR.exe	family_berbew
C:\Windows\System\BOGB.exe	family_berbew
C:\Windows\RXP.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PVL.exeOPJG.exeJIBMEOL.exeCBMRFW.exeMWSJKCB.exePBYI.exeYGBGP.exeKYRRQT.exeVJN.exeBMVHON.exeFDH.exeAFVRD.exeWUPW.exeHNK.exeTQNHLK.exeIVRY.exeCCTYP.exeDNP.exeZFUZC.exePDCZT.exeRXP.exeKZR.exeDTTBOAO.exeFBBUF.exeCKUGGUO.exeXAES.exeEMHKDCX.exeYCFZYD.exePKSCSG.exeXELYESU.exeYKEFXQ.exeNLDW.exeWXHSM.exeXSSX.exeZIHZS.exeQDVH.exeGQBM.exe5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exeHELJZJ.exeAJWXU.exeJVY.exeNJMMJ.exeVZZJ.exeRMZK.exeFRREP.exeCYK.exeCPLV.exeDFGY.exeULT.exeLZBRT.exeZUJIK.exeWTTR.exeRXFP.exeYBKXS.exeMJCCUX.exeJMMHOP.exeAMD.exeXDHJDXR.exeIKUNGR.exeHBSRQPH.exeORMFL.exeTVREX.exeQMNN.exeYJUR.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PVL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	OPJG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	JIBMEOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CBMRFW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MWSJKCB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PBYI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YGBGP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KYRRQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BMVHON.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FDH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	AFVRD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WUPW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HNK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TQNHLK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	IVRY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CCTYP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZFUZC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PDCZT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DTTBOAO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FBBUF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CKUGGUO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XAES.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	EMHKDCX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YCFZYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PKSCSG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XELYESU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YKEFXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NLDW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WXHSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XSSX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZIHZS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QDVH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GQBM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HELJZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	AJWXU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	JVY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NJMMJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VZZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RMZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FRREP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CYK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CPLV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DFGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ULT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	LZBRT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ZUJIK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WTTR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	RXFP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YBKXS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MJCCUX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	JMMHOP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	AMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	XDHJDXR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	IKUNGR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HBSRQPH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ORMFL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TVREX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QMNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	YJUR.exe

Executes dropped EXE 64 IoCs

Processes:

HELJZJ.exeVZZJ.exeWXHSM.exeZFUZC.exeAJWXU.exeEMHKDCX.exePDCZT.exeYGBGP.exeYJUR.exeRXFP.exeAFVRD.exeKYRRQT.exeRMZK.exeXSSX.exePVL.exeCBMRFW.exeAMD.exeDFGY.exeXDHJDXR.exeBOGB.exeRXP.exeJVY.exeULT.exeVJN.exeOPJG.exeBGS.exeFRREP.exeIKUNGR.exeRAOQFZ.exeCYK.exeWUPW.exeYCFZYD.exeZIHZS.exeRWNKOG.exeKZR.exeFKQPY.exeDTTBOAO.exeMWSJKCB.exeQDVH.exeIVRY.exeBMVHON.exeCPLV.exeGQBM.exeFDH.exeYBKXS.exePKSCSG.exeHNK.exeMJCCUX.exeCCTYP.exeTVREX.exeHVIL.exeXELYESU.exeLZBRT.exeDNP.exeJIBMEOL.exeHBSRQPH.exeORMFL.exeYKEFXQ.exePBYI.exeFBBUF.exeJMMHOP.exeCKUGGUO.exeNLDW.exeNJMMJ.exe

pid	process
5016	HELJZJ.exe
4220	VZZJ.exe
1336	WXHSM.exe
1836	ZFUZC.exe
3984	AJWXU.exe
1624	EMHKDCX.exe
4960	PDCZT.exe
4468	YGBGP.exe
552	YJUR.exe
2992	RXFP.exe
4348	AFVRD.exe
564	KYRRQT.exe
1432	RMZK.exe
1688	XSSX.exe
976	PVL.exe
656	CBMRFW.exe
5108	AMD.exe
2100	DFGY.exe
4316	XDHJDXR.exe
3392	BOGB.exe
1996	RXP.exe
4608	JVY.exe
4236	ULT.exe
1920	VJN.exe
4652	OPJG.exe
1004	BGS.exe
2296	FRREP.exe
1996	IKUNGR.exe
2256	RAOQFZ.exe
1920	CYK.exe
2944	WUPW.exe
3792	YCFZYD.exe
2980	ZIHZS.exe
3976	RWNKOG.exe
3520	KZR.exe
832	FKQPY.exe
2836	DTTBOAO.exe
1528	MWSJKCB.exe
4008	QDVH.exe
3588	IVRY.exe
1920	BMVHON.exe
4336	CPLV.exe
3636	GQBM.exe
2220	FDH.exe
2660	YBKXS.exe
4356	PKSCSG.exe
3588	HNK.exe
4620	MJCCUX.exe
4480	CCTYP.exe
4932	TVREX.exe
2024	HVIL.exe
1008	XELYESU.exe
1836	LZBRT.exe
2100	DNP.exe
5036	JIBMEOL.exe
3896	HBSRQPH.exe
4896	ORMFL.exe
1516	YKEFXQ.exe
4568	PBYI.exe
1556	FBBUF.exe
1988	JMMHOP.exe
820	CKUGGUO.exe
4004	NLDW.exe
2864	NJMMJ.exe

Drops file in System32 directory 64 IoCs

Processes:

ZUJIK.exeRXP.exeZIHZS.exeIVRY.exeFDH.exeCKUGGUO.exeZFUZC.exeLZBRT.exeCBMRFW.exeCYK.exeHELJZJ.exeBGS.exeCPLV.exeFBBUF.exeDFGY.exeYKEFXQ.exeNJMMJ.exeMWSJKCB.exePBYI.exeJMMHOP.exeAJWXU.exeNLDW.exePVL.exe

description	ioc	process
File opened for modification	C:\windows\SysWOW64\XAES.exe	ZUJIK.exe
File created	C:\windows\SysWOW64\JVY.exe	RXP.exe
File created	C:\windows\SysWOW64\RWNKOG.exe	ZIHZS.exe
File opened for modification	C:\windows\SysWOW64\BMVHON.exe	IVRY.exe
File opened for modification	C:\windows\SysWOW64\YBKXS.exe	FDH.exe
File created	C:\windows\SysWOW64\NLDW.exe.bat	CKUGGUO.exe
File opened for modification	C:\windows\SysWOW64\AJWXU.exe	ZFUZC.exe
File created	C:\windows\SysWOW64\DNP.exe	LZBRT.exe
File opened for modification	C:\windows\SysWOW64\DNP.exe	LZBRT.exe
File opened for modification	C:\windows\SysWOW64\NLDW.exe	CKUGGUO.exe
File opened for modification	C:\windows\SysWOW64\AMD.exe	CBMRFW.exe
File opened for modification	C:\windows\SysWOW64\WUPW.exe	CYK.exe
File created	C:\windows\SysWOW64\WUPW.exe.bat	CYK.exe
File created	C:\windows\SysWOW64\RWNKOG.exe.bat	ZIHZS.exe
File created	C:\windows\SysWOW64\YBKXS.exe.bat	FDH.exe
File created	C:\windows\SysWOW64\XAES.exe.bat	ZUJIK.exe
File created	C:\windows\SysWOW64\VZZJ.exe	HELJZJ.exe
File created	C:\windows\SysWOW64\FRREP.exe.bat	BGS.exe
File created	C:\windows\SysWOW64\GQBM.exe.bat	CPLV.exe
File created	C:\windows\SysWOW64\JMMHOP.exe	FBBUF.exe
File created	C:\windows\SysWOW64\XAES.exe	ZUJIK.exe
File created	C:\windows\SysWOW64\XDHJDXR.exe	DFGY.exe
File created	C:\windows\SysWOW64\FRREP.exe	BGS.exe
File created	C:\windows\SysWOW64\PBYI.exe	YKEFXQ.exe
File opened for modification	C:\windows\SysWOW64\JMMHOP.exe	FBBUF.exe
File opened for modification	C:\windows\SysWOW64\ZUJIK.exe	NJMMJ.exe
File created	C:\windows\SysWOW64\AJWXU.exe.bat	ZFUZC.exe
File opened for modification	C:\windows\SysWOW64\XDHJDXR.exe	DFGY.exe
File created	C:\windows\SysWOW64\QDVH.exe.bat	MWSJKCB.exe
File created	C:\windows\SysWOW64\BMVHON.exe	IVRY.exe
File opened for modification	C:\windows\SysWOW64\FBBUF.exe	PBYI.exe
File created	C:\windows\SysWOW64\BMVHON.exe.bat	IVRY.exe
File opened for modification	C:\windows\SysWOW64\PBYI.exe	YKEFXQ.exe
File created	C:\windows\SysWOW64\VZZJ.exe.bat	HELJZJ.exe
File opened for modification	C:\windows\SysWOW64\CKUGGUO.exe	JMMHOP.exe
File created	C:\windows\SysWOW64\EMHKDCX.exe	AJWXU.exe
File created	C:\windows\SysWOW64\DNP.exe.bat	LZBRT.exe
File created	C:\windows\SysWOW64\FBBUF.exe.bat	PBYI.exe
File created	C:\windows\SysWOW64\NJMMJ.exe	NLDW.exe
File opened for modification	C:\windows\SysWOW64\VZZJ.exe	HELJZJ.exe
File opened for modification	C:\windows\SysWOW64\JVY.exe	RXP.exe
File created	C:\windows\SysWOW64\WUPW.exe	CYK.exe
File opened for modification	C:\windows\SysWOW64\CBMRFW.exe	PVL.exe
File created	C:\windows\SysWOW64\YBKXS.exe	FDH.exe
File created	C:\windows\SysWOW64\NJMMJ.exe.bat	NLDW.exe
File opened for modification	C:\windows\SysWOW64\EMHKDCX.exe	AJWXU.exe
File created	C:\windows\SysWOW64\CBMRFW.exe.bat	PVL.exe
File opened for modification	C:\windows\SysWOW64\RWNKOG.exe	ZIHZS.exe
File created	C:\windows\SysWOW64\JMMHOP.exe.bat	FBBUF.exe
File created	C:\windows\SysWOW64\ZUJIK.exe.bat	NJMMJ.exe
File created	C:\windows\SysWOW64\ZUJIK.exe	NJMMJ.exe
File created	C:\windows\SysWOW64\AMD.exe.bat	CBMRFW.exe
File created	C:\windows\SysWOW64\XDHJDXR.exe.bat	DFGY.exe
File opened for modification	C:\windows\SysWOW64\FRREP.exe	BGS.exe
File opened for modification	C:\windows\SysWOW64\QDVH.exe	MWSJKCB.exe
File created	C:\windows\SysWOW64\GQBM.exe	CPLV.exe
File opened for modification	C:\windows\SysWOW64\NJMMJ.exe	NLDW.exe
File created	C:\windows\SysWOW64\AJWXU.exe	ZFUZC.exe
File created	C:\windows\SysWOW64\CBMRFW.exe	PVL.exe
File created	C:\windows\SysWOW64\JVY.exe.bat	RXP.exe
File created	C:\windows\SysWOW64\QDVH.exe	MWSJKCB.exe
File created	C:\windows\SysWOW64\CKUGGUO.exe	JMMHOP.exe
File created	C:\windows\SysWOW64\AMD.exe	CBMRFW.exe
File opened for modification	C:\windows\SysWOW64\GQBM.exe	CPLV.exe

Drops file in Windows directory 64 IoCs

Processes:

CCTYP.exeJIBMEOL.exeXSSX.exeULT.exeVJN.exeDTTBOAO.exeMJCCUX.exeXELYESU.exeWXHSM.exeEMHKDCX.exeYGBGP.exeWUPW.exeHNK.exeORMFL.exeDNP.exe5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exeYBKXS.exeTVREX.exeGQBM.exePKSCSG.exeQMNN.exeAFVRD.exeYCFZYD.exeFKQPY.exeWTTR.exeWRCZBUK.exeHVIL.exeXAES.exeTQNHLK.exeKYRRQT.exeHBSRQPH.exePDCZT.exeRWNKOG.exeVZZJ.exeYJUR.exeRMZK.exeXDHJDXR.exeIKUNGR.exeRXFP.exeAMD.exeQDVH.exe

description	ioc	process
File created	C:\windows\TVREX.exe.bat	CCTYP.exe
File opened for modification	C:\windows\system\HBSRQPH.exe	JIBMEOL.exe
File created	C:\windows\PVL.exe.bat	XSSX.exe
File opened for modification	C:\windows\VJN.exe	ULT.exe
File created	C:\windows\system\OPJG.exe	VJN.exe
File opened for modification	C:\windows\MWSJKCB.exe	DTTBOAO.exe
File created	C:\windows\CCTYP.exe.bat	MJCCUX.exe
File opened for modification	C:\windows\LZBRT.exe	XELYESU.exe
File opened for modification	C:\windows\system\ZFUZC.exe	WXHSM.exe
File created	C:\windows\PDCZT.exe	EMHKDCX.exe
File created	C:\windows\YJUR.exe.bat	YGBGP.exe
File created	C:\windows\system\YCFZYD.exe.bat	WUPW.exe
File created	C:\windows\system\ZFUZC.exe	WXHSM.exe
File created	C:\windows\YJUR.exe	YGBGP.exe
File opened for modification	C:\windows\MJCCUX.exe	HNK.exe
File created	C:\windows\YKEFXQ.exe.bat	ORMFL.exe
File opened for modification	C:\windows\JIBMEOL.exe	DNP.exe
File created	C:\windows\YKEFXQ.exe	ORMFL.exe
File opened for modification	C:\windows\system\HELJZJ.exe	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
File opened for modification	C:\windows\PVL.exe	XSSX.exe
File created	C:\windows\PKSCSG.exe	YBKXS.exe
File opened for modification	C:\windows\HVIL.exe	TVREX.exe
File created	C:\windows\FDH.exe.bat	GQBM.exe
File created	C:\windows\HNK.exe.bat	PKSCSG.exe
File created	C:\windows\HVIL.exe.bat	TVREX.exe
File opened for modification	C:\windows\TQNHLK.exe	QMNN.exe
File opened for modification	C:\windows\KYRRQT.exe	AFVRD.exe
File created	C:\windows\system\ZIHZS.exe.bat	YCFZYD.exe
File created	C:\windows\DTTBOAO.exe	FKQPY.exe
File opened for modification	C:\windows\FDH.exe	GQBM.exe
File created	C:\windows\system\WRCZBUK.exe.bat	WTTR.exe
File created	C:\windows\system\QMNN.exe	WRCZBUK.exe
File created	C:\windows\system\ZFUZC.exe.bat	WXHSM.exe
File created	C:\windows\system\XELYESU.exe	HVIL.exe
File created	C:\windows\WTTR.exe.bat	XAES.exe
File opened for modification	C:\windows\system\WRCZBUK.exe	WTTR.exe
File created	C:\windows\GWNQ.exe	TQNHLK.exe
File created	C:\windows\system\RMZK.exe.bat	KYRRQT.exe
File created	C:\windows\ORMFL.exe	HBSRQPH.exe
File opened for modification	C:\windows\WTTR.exe	XAES.exe
File created	C:\windows\TQNHLK.exe.bat	QMNN.exe
File opened for modification	C:\windows\YGBGP.exe	PDCZT.exe
File created	C:\windows\system\HBSRQPH.exe	JIBMEOL.exe
File created	C:\windows\KZR.exe	RWNKOG.exe
File created	C:\windows\system\HBSRQPH.exe.bat	JIBMEOL.exe
File opened for modification	C:\windows\ORMFL.exe	HBSRQPH.exe
File created	C:\windows\system\HELJZJ.exe	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
File created	C:\windows\WXHSM.exe	VZZJ.exe
File created	C:\windows\system\RXFP.exe.bat	YJUR.exe
File opened for modification	C:\windows\system\RMZK.exe	KYRRQT.exe
File opened for modification	C:\windows\system\XSSX.exe	RMZK.exe
File created	C:\windows\system\BOGB.exe.bat	XDHJDXR.exe
File created	C:\windows\RAOQFZ.exe.bat	IKUNGR.exe
File created	C:\windows\LZBRT.exe.bat	XELYESU.exe
File opened for modification	C:\windows\DTTBOAO.exe	FKQPY.exe
File created	C:\windows\JIBMEOL.exe.bat	DNP.exe
File opened for modification	C:\windows\AFVRD.exe	RXFP.exe
File created	C:\windows\system\XSSX.exe	RMZK.exe
File created	C:\windows\DFGY.exe.bat	AMD.exe
File created	C:\windows\JIBMEOL.exe	DNP.exe
File created	C:\windows\IVRY.exe	QDVH.exe
File opened for modification	C:\windows\TVREX.exe	CCTYP.exe
File opened for modification	C:\windows\system\QMNN.exe	WRCZBUK.exe
File created	C:\windows\KYRRQT.exe	AFVRD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1636	5016	WerFault.exe	HELJZJ.exe
2084	1804	WerFault.exe	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
1596	4220	WerFault.exe	VZZJ.exe
3508	1336	WerFault.exe	WXHSM.exe
4208	3984	WerFault.exe	AJWXU.exe
3668	1624	WerFault.exe	EMHKDCX.exe
4308	4960	WerFault.exe	PDCZT.exe
3780	4468	WerFault.exe	YGBGP.exe
1812	552	WerFault.exe	YJUR.exe
2416	2992	WerFault.exe	RXFP.exe
4124	4348	WerFault.exe	AFVRD.exe
3288	564	WerFault.exe	KYRRQT.exe
3212	1432	WerFault.exe	RMZK.exe
4008	1688	WerFault.exe	XSSX.exe
4636	976	WerFault.exe	PVL.exe
3092	656	WerFault.exe	CBMRFW.exe
2892	5108	WerFault.exe	AMD.exe
2144	2100	WerFault.exe	DFGY.exe
376	4316	WerFault.exe	XDHJDXR.exe
2336	3392	WerFault.exe	BOGB.exe
5016	1996	WerFault.exe	RXP.exe
3792	4608	WerFault.exe	JVY.exe
2256	4236	WerFault.exe	ULT.exe
1292	1920	WerFault.exe	VJN.exe
1416	4652	WerFault.exe	OPJG.exe
436	1004	WerFault.exe	BGS.exe
1336	2296	WerFault.exe	FRREP.exe
3652	1996	WerFault.exe	IKUNGR.exe
1624	2256	WerFault.exe	RAOQFZ.exe
4460	1920	WerFault.exe	CYK.exe
3228	2944	WerFault.exe	WUPW.exe
2344	3792	WerFault.exe	YCFZYD.exe
5044	2980	WerFault.exe	ZIHZS.exe
3780	3976	WerFault.exe	RWNKOG.exe
3300	3520	WerFault.exe	KZR.exe
2072	832	WerFault.exe	FKQPY.exe
1040	2836	WerFault.exe	DTTBOAO.exe
3792	1528	WerFault.exe	MWSJKCB.exe
1196	4008	WerFault.exe	QDVH.exe
708	3588	WerFault.exe	IVRY.exe
4524	1920	WerFault.exe	BMVHON.exe
1596	4336	WerFault.exe	CPLV.exe
4404	3636	WerFault.exe	GQBM.exe
1556	2220	WerFault.exe	FDH.exe
1944	2660	WerFault.exe	YBKXS.exe
4592	4356	WerFault.exe	PKSCSG.exe
2072	3588	WerFault.exe	HNK.exe
3668	4620	WerFault.exe	MJCCUX.exe
4880	4480	WerFault.exe	CCTYP.exe
2924	4932	WerFault.exe	TVREX.exe
2660	2024	WerFault.exe	HVIL.exe
4980	1008	WerFault.exe	XELYESU.exe
1996	1836	WerFault.exe	LZBRT.exe
1040	2100	WerFault.exe	DNP.exe
1132	5036	WerFault.exe	JIBMEOL.exe
2980	3896	WerFault.exe	HBSRQPH.exe
4592	4896	WerFault.exe	ORMFL.exe
1596	1516	WerFault.exe	YKEFXQ.exe
2944	4568	WerFault.exe	PBYI.exe
2044	1556	WerFault.exe	FBBUF.exe
924	1988	WerFault.exe	JMMHOP.exe
436	820	WerFault.exe	CKUGGUO.exe
932	4004	WerFault.exe	NLDW.exe
1656	2864	WerFault.exe	NJMMJ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exeHELJZJ.exeVZZJ.exeWXHSM.exeZFUZC.exeAJWXU.exeEMHKDCX.exePDCZT.exeYGBGP.exeYJUR.exeRXFP.exeAFVRD.exeKYRRQT.exeRMZK.exeXSSX.exePVL.exeCBMRFW.exeAMD.exeDFGY.exeXDHJDXR.exeBOGB.exeRXP.exeJVY.exeULT.exeVJN.exeOPJG.exeBGS.exeFRREP.exeIKUNGR.exeRAOQFZ.exeCYK.exeWUPW.exe

pid	process
1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
5016	HELJZJ.exe
5016	HELJZJ.exe
4220	VZZJ.exe
4220	VZZJ.exe
1336	WXHSM.exe
1336	WXHSM.exe
1836	ZFUZC.exe
1836	ZFUZC.exe
3984	AJWXU.exe
3984	AJWXU.exe
1624	EMHKDCX.exe
1624	EMHKDCX.exe
4960	PDCZT.exe
4960	PDCZT.exe
4468	YGBGP.exe
4468	YGBGP.exe
552	YJUR.exe
552	YJUR.exe
2992	RXFP.exe
2992	RXFP.exe
4348	AFVRD.exe
4348	AFVRD.exe
564	KYRRQT.exe
564	KYRRQT.exe
1432	RMZK.exe
1432	RMZK.exe
1688	XSSX.exe
1688	XSSX.exe
976	PVL.exe
976	PVL.exe
656	CBMRFW.exe
656	CBMRFW.exe
5108	AMD.exe
5108	AMD.exe
2100	DFGY.exe
2100	DFGY.exe
4316	XDHJDXR.exe
4316	XDHJDXR.exe
3392	BOGB.exe
3392	BOGB.exe
1996	RXP.exe
1996	RXP.exe
4608	JVY.exe
4608	JVY.exe
4236	ULT.exe
4236	ULT.exe
1920	VJN.exe
1920	VJN.exe
4652	OPJG.exe
4652	OPJG.exe
1004	BGS.exe
1004	BGS.exe
2296	FRREP.exe
2296	FRREP.exe
1996	IKUNGR.exe
1996	IKUNGR.exe
2256	RAOQFZ.exe
2256	RAOQFZ.exe
1920	CYK.exe
1920	CYK.exe
2944	WUPW.exe
2944	WUPW.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
5016	HELJZJ.exe
5016	HELJZJ.exe
4220	VZZJ.exe
4220	VZZJ.exe
1336	WXHSM.exe
1336	WXHSM.exe
1836	ZFUZC.exe
1836	ZFUZC.exe
3984	AJWXU.exe
3984	AJWXU.exe
1624	EMHKDCX.exe
1624	EMHKDCX.exe
4960	PDCZT.exe
4960	PDCZT.exe
4468	YGBGP.exe
4468	YGBGP.exe
552	YJUR.exe
552	YJUR.exe
2992	RXFP.exe
2992	RXFP.exe
4348	AFVRD.exe
4348	AFVRD.exe
564	KYRRQT.exe
564	KYRRQT.exe
1432	RMZK.exe
1432	RMZK.exe
1688	XSSX.exe
1688	XSSX.exe
976	PVL.exe
976	PVL.exe
656	CBMRFW.exe
656	CBMRFW.exe
5108	AMD.exe
5108	AMD.exe
2100	DFGY.exe
2100	DFGY.exe
4316	XDHJDXR.exe
4316	XDHJDXR.exe
3392	BOGB.exe
3392	BOGB.exe
1996	RXP.exe
1996	RXP.exe
4608	JVY.exe
4608	JVY.exe
4236	ULT.exe
4236	ULT.exe
1920	VJN.exe
1920	VJN.exe
4652	OPJG.exe
4652	OPJG.exe
1004	BGS.exe
1004	BGS.exe
2296	FRREP.exe
2296	FRREP.exe
1996	IKUNGR.exe
1996	IKUNGR.exe
2256	RAOQFZ.exe
2256	RAOQFZ.exe
1920	CYK.exe
1920	CYK.exe
2944	WUPW.exe
2944	WUPW.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.execmd.exeHELJZJ.execmd.exeVZZJ.execmd.exeWXHSM.execmd.exeZFUZC.execmd.exeAJWXU.execmd.exeEMHKDCX.execmd.exePDCZT.execmd.exeYGBGP.execmd.exeYJUR.execmd.exeRXFP.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 2644	1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 1804 wrote to memory of 2644	1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 1804 wrote to memory of 2644	1804	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 5016	2644	cmd.exe	HELJZJ.exe
PID 2644 wrote to memory of 5016	2644	cmd.exe	HELJZJ.exe
PID 2644 wrote to memory of 5016	2644	cmd.exe	HELJZJ.exe
PID 5016 wrote to memory of 3156	5016	HELJZJ.exe	cmd.exe
PID 5016 wrote to memory of 3156	5016	HELJZJ.exe	cmd.exe
PID 5016 wrote to memory of 3156	5016	HELJZJ.exe	cmd.exe
PID 3156 wrote to memory of 4220	3156	cmd.exe	VZZJ.exe
PID 3156 wrote to memory of 4220	3156	cmd.exe	VZZJ.exe
PID 3156 wrote to memory of 4220	3156	cmd.exe	VZZJ.exe
PID 4220 wrote to memory of 1196	4220	VZZJ.exe	cmd.exe
PID 4220 wrote to memory of 1196	4220	VZZJ.exe	cmd.exe
PID 4220 wrote to memory of 1196	4220	VZZJ.exe	cmd.exe
PID 1196 wrote to memory of 1336	1196	cmd.exe	WXHSM.exe
PID 1196 wrote to memory of 1336	1196	cmd.exe	WXHSM.exe
PID 1196 wrote to memory of 1336	1196	cmd.exe	WXHSM.exe
PID 1336 wrote to memory of 1648	1336	WXHSM.exe	cmd.exe
PID 1336 wrote to memory of 1648	1336	WXHSM.exe	cmd.exe
PID 1336 wrote to memory of 1648	1336	WXHSM.exe	cmd.exe
PID 1648 wrote to memory of 1836	1648	cmd.exe	ZFUZC.exe
PID 1648 wrote to memory of 1836	1648	cmd.exe	ZFUZC.exe
PID 1648 wrote to memory of 1836	1648	cmd.exe	ZFUZC.exe
PID 1836 wrote to memory of 3520	1836	ZFUZC.exe	cmd.exe
PID 1836 wrote to memory of 3520	1836	ZFUZC.exe	cmd.exe
PID 1836 wrote to memory of 3520	1836	ZFUZC.exe	cmd.exe
PID 3520 wrote to memory of 3984	3520	cmd.exe	AJWXU.exe
PID 3520 wrote to memory of 3984	3520	cmd.exe	AJWXU.exe
PID 3520 wrote to memory of 3984	3520	cmd.exe	AJWXU.exe
PID 3984 wrote to memory of 564	3984	AJWXU.exe	cmd.exe
PID 3984 wrote to memory of 564	3984	AJWXU.exe	cmd.exe
PID 3984 wrote to memory of 564	3984	AJWXU.exe	cmd.exe
PID 564 wrote to memory of 1624	564	cmd.exe	EMHKDCX.exe
PID 564 wrote to memory of 1624	564	cmd.exe	EMHKDCX.exe
PID 564 wrote to memory of 1624	564	cmd.exe	EMHKDCX.exe
PID 1624 wrote to memory of 2200	1624	EMHKDCX.exe	cmd.exe
PID 1624 wrote to memory of 2200	1624	EMHKDCX.exe	cmd.exe
PID 1624 wrote to memory of 2200	1624	EMHKDCX.exe	cmd.exe
PID 2200 wrote to memory of 4960	2200	cmd.exe	PDCZT.exe
PID 2200 wrote to memory of 4960	2200	cmd.exe	PDCZT.exe
PID 2200 wrote to memory of 4960	2200	cmd.exe	PDCZT.exe
PID 4960 wrote to memory of 1252	4960	PDCZT.exe	cmd.exe
PID 4960 wrote to memory of 1252	4960	PDCZT.exe	cmd.exe
PID 4960 wrote to memory of 1252	4960	PDCZT.exe	cmd.exe
PID 1252 wrote to memory of 4468	1252	cmd.exe	YGBGP.exe
PID 1252 wrote to memory of 4468	1252	cmd.exe	YGBGP.exe
PID 1252 wrote to memory of 4468	1252	cmd.exe	YGBGP.exe
PID 4468 wrote to memory of 1196	4468	YGBGP.exe	cmd.exe
PID 4468 wrote to memory of 1196	4468	YGBGP.exe	cmd.exe
PID 4468 wrote to memory of 1196	4468	YGBGP.exe	cmd.exe
PID 1196 wrote to memory of 552	1196	cmd.exe	YJUR.exe
PID 1196 wrote to memory of 552	1196	cmd.exe	YJUR.exe
PID 1196 wrote to memory of 552	1196	cmd.exe	YJUR.exe
PID 552 wrote to memory of 2364	552	YJUR.exe	cmd.exe
PID 552 wrote to memory of 2364	552	YJUR.exe	cmd.exe
PID 552 wrote to memory of 2364	552	YJUR.exe	cmd.exe
PID 2364 wrote to memory of 2992	2364	cmd.exe	RXFP.exe
PID 2364 wrote to memory of 2992	2364	cmd.exe	RXFP.exe
PID 2364 wrote to memory of 2992	2364	cmd.exe	RXFP.exe
PID 2992 wrote to memory of 748	2992	RXFP.exe	cmd.exe
PID 2992 wrote to memory of 748	2992	RXFP.exe	cmd.exe
PID 2992 wrote to memory of 748	2992	RXFP.exe	cmd.exe
PID 748 wrote to memory of 4348	748	cmd.exe	AFVRD.exe

C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HELJZJ.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\windows\system\HELJZJ.exe
C:\windows\system\HELJZJ.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VZZJ.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\windows\SysWOW64\VZZJ.exe
C:\windows\system32\VZZJ.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WXHSM.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\windows\WXHSM.exe
C:\windows\WXHSM.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFUZC.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\windows\system\ZFUZC.exe
C:\windows\system\ZFUZC.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\windows\SysWOW64\AJWXU.exe
C:\windows\system32\AJWXU.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EMHKDCX.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\windows\SysWOW64\EMHKDCX.exe
C:\windows\system32\EMHKDCX.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PDCZT.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\windows\PDCZT.exe
C:\windows\PDCZT.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YGBGP.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\windows\YGBGP.exe
C:\windows\YGBGP.exe
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YJUR.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\windows\YJUR.exe
C:\windows\YJUR.exe
19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\windows\system\RXFP.exe
C:\windows\system\RXFP.exe
21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AFVRD.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\windows\AFVRD.exe
C:\windows\AFVRD.exe
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KYRRQT.exe.bat" "
24⤵
PID:3508

C:\windows\KYRRQT.exe
C:\windows\KYRRQT.exe
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMZK.exe.bat" "
26⤵
PID:4360

C:\windows\system\RMZK.exe
C:\windows\system\RMZK.exe
27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSSX.exe.bat" "
28⤵
PID:4900

C:\windows\system\XSSX.exe
C:\windows\system\XSSX.exe
29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PVL.exe.bat" "
30⤵
PID:3772

C:\windows\PVL.exe
C:\windows\PVL.exe
31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBMRFW.exe.bat" "
32⤵
PID:3636

C:\windows\SysWOW64\CBMRFW.exe
C:\windows\system32\CBMRFW.exe
33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AMD.exe.bat" "
34⤵
PID:3604

C:\windows\SysWOW64\AMD.exe
C:\windows\system32\AMD.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DFGY.exe.bat" "
36⤵
PID:4420

C:\windows\DFGY.exe
C:\windows\DFGY.exe
37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XDHJDXR.exe.bat" "
38⤵
PID:820

C:\windows\SysWOW64\XDHJDXR.exe
C:\windows\system32\XDHJDXR.exe
39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOGB.exe.bat" "
40⤵
PID:3164

C:\windows\system\BOGB.exe
C:\windows\system\BOGB.exe
41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RXP.exe.bat" "
42⤵
PID:3368

C:\windows\RXP.exe
C:\windows\RXP.exe
43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JVY.exe.bat" "
44⤵
PID:5024

C:\windows\SysWOW64\JVY.exe
C:\windows\system32\JVY.exe
45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ULT.exe.bat" "
46⤵
PID:4980

C:\windows\ULT.exe
C:\windows\ULT.exe
47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VJN.exe.bat" "
48⤵
PID:1040

C:\windows\VJN.exe
C:\windows\VJN.exe
49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OPJG.exe.bat" "
50⤵
PID:1900

C:\windows\system\OPJG.exe
C:\windows\system\OPJG.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BGS.exe.bat" "
52⤵
PID:924

C:\windows\BGS.exe
C:\windows\BGS.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRREP.exe.bat" "
54⤵
PID:1132

C:\windows\SysWOW64\FRREP.exe
C:\windows\system32\FRREP.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IKUNGR.exe.bat" "
56⤵
PID:3228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4980

C:\windows\IKUNGR.exe
C:\windows\IKUNGR.exe
57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RAOQFZ.exe.bat" "
58⤵
PID:2892

C:\windows\RAOQFZ.exe
C:\windows\RAOQFZ.exe
59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CYK.exe.bat" "
60⤵
PID:3636

C:\windows\CYK.exe
C:\windows\CYK.exe
61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUPW.exe.bat" "
62⤵
PID:4856

C:\windows\SysWOW64\WUPW.exe
C:\windows\system32\WUPW.exe
63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "
64⤵
PID:4068

C:\windows\system\YCFZYD.exe
C:\windows\system\YCFZYD.exe
65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZIHZS.exe.bat" "
66⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1040

C:\windows\system\ZIHZS.exe
C:\windows\system\ZIHZS.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWNKOG.exe.bat" "
68⤵
PID:3772

C:\windows\SysWOW64\RWNKOG.exe
C:\windows\system32\RWNKOG.exe
69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZR.exe.bat" "
70⤵
PID:2532

C:\windows\KZR.exe
C:\windows\KZR.exe
71⤵
- Checks computer location settings
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKQPY.exe.bat" "
72⤵
PID:2660

C:\windows\system\FKQPY.exe
C:\windows\system\FKQPY.exe
73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DTTBOAO.exe.bat" "
74⤵
PID:3132

C:\windows\DTTBOAO.exe
C:\windows\DTTBOAO.exe
75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MWSJKCB.exe.bat" "
76⤵
PID:5032

C:\windows\MWSJKCB.exe
C:\windows\MWSJKCB.exe
77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDVH.exe.bat" "
78⤵
PID:1336

C:\windows\SysWOW64\QDVH.exe
C:\windows\system32\QDVH.exe
79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IVRY.exe.bat" "
80⤵
PID:2236

C:\windows\IVRY.exe
C:\windows\IVRY.exe
81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMVHON.exe.bat" "
82⤵
PID:1100

C:\windows\SysWOW64\BMVHON.exe
C:\windows\system32\BMVHON.exe
83⤵
- Checks computer location settings
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CPLV.exe.bat" "
84⤵
PID:2004

C:\windows\CPLV.exe
C:\windows\CPLV.exe
85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQBM.exe.bat" "
86⤵
PID:1892

C:\windows\SysWOW64\GQBM.exe
C:\windows\system32\GQBM.exe
87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FDH.exe.bat" "
88⤵
PID:4432

C:\windows\FDH.exe
C:\windows\FDH.exe
89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBKXS.exe.bat" "
90⤵
PID:1292

C:\windows\SysWOW64\YBKXS.exe
C:\windows\system32\YBKXS.exe
91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PKSCSG.exe.bat" "
92⤵
PID:2924

C:\windows\PKSCSG.exe
C:\windows\PKSCSG.exe
93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HNK.exe.bat" "
94⤵
PID:2524

C:\windows\HNK.exe
C:\windows\HNK.exe
95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MJCCUX.exe.bat" "
96⤵
PID:3752

C:\windows\MJCCUX.exe
C:\windows\MJCCUX.exe
97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CCTYP.exe.bat" "
98⤵
PID:1996

C:\windows\CCTYP.exe
C:\windows\CCTYP.exe
99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TVREX.exe.bat" "
100⤵
PID:1624

C:\windows\TVREX.exe
C:\windows\TVREX.exe
101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HVIL.exe.bat" "
102⤵
PID:3792

C:\windows\HVIL.exe
C:\windows\HVIL.exe
103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XELYESU.exe.bat" "
104⤵
PID:4964

C:\windows\system\XELYESU.exe
C:\windows\system\XELYESU.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LZBRT.exe.bat" "
106⤵
PID:436

C:\windows\LZBRT.exe
C:\windows\LZBRT.exe
107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNP.exe.bat" "
108⤵
PID:4728

C:\windows\SysWOW64\DNP.exe
C:\windows\system32\DNP.exe
109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JIBMEOL.exe.bat" "
110⤵
PID:3876

C:\windows\JIBMEOL.exe
C:\windows\JIBMEOL.exe
111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBSRQPH.exe.bat" "
112⤵
PID:1816

C:\windows\system\HBSRQPH.exe
C:\windows\system\HBSRQPH.exe
113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ORMFL.exe.bat" "
114⤵
PID:924

C:\windows\ORMFL.exe
C:\windows\ORMFL.exe
115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YKEFXQ.exe.bat" "
116⤵
PID:3312

C:\windows\YKEFXQ.exe
C:\windows\YKEFXQ.exe
117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBYI.exe.bat" "
118⤵
PID:2864

C:\windows\SysWOW64\PBYI.exe
C:\windows\system32\PBYI.exe
119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBBUF.exe.bat" "
120⤵
PID:2416

C:\windows\SysWOW64\FBBUF.exe
C:\windows\system32\FBBUF.exe
121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JMMHOP.exe.bat" "
122⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1292

C:\windows\SysWOW64\JMMHOP.exe
C:\windows\system32\JMMHOP.exe
123⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CKUGGUO.exe.bat" "
124⤵
PID:560

C:\windows\SysWOW64\CKUGGUO.exe
C:\windows\system32\CKUGGUO.exe
125⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NLDW.exe.bat" "
126⤵
PID:4924

C:\windows\SysWOW64\NLDW.exe
C:\windows\system32\NLDW.exe
127⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJMMJ.exe.bat" "
128⤵
PID:2856

C:\windows\SysWOW64\NJMMJ.exe
C:\windows\system32\NJMMJ.exe
129⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUJIK.exe.bat" "
130⤵
PID:2908

C:\windows\SysWOW64\ZUJIK.exe
C:\windows\system32\ZUJIK.exe
131⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XAES.exe.bat" "
132⤵
PID:2388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:1816

C:\windows\SysWOW64\XAES.exe
C:\windows\system32\XAES.exe
133⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WTTR.exe.bat" "
134⤵
PID:3232

C:\windows\WTTR.exe
C:\windows\WTTR.exe
135⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WRCZBUK.exe.bat" "
136⤵
PID:488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:924

C:\windows\system\WRCZBUK.exe
C:\windows\system\WRCZBUK.exe
137⤵
- Drops file in Windows directory
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMNN.exe.bat" "
138⤵
PID:2900

C:\windows\system\QMNN.exe
C:\windows\system\QMNN.exe
139⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TQNHLK.exe.bat" "
140⤵
PID:4016

C:\windows\TQNHLK.exe
C:\windows\TQNHLK.exe
141⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GWNQ.exe.bat" "
142⤵
PID:1892

C:\windows\GWNQ.exe
C:\windows\GWNQ.exe
143⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GZYB.exe.bat" "
144⤵
PID:4704

C:\windows\GZYB.exe
C:\windows\GZYB.exe
145⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKVG.exe.bat" "
146⤵
PID:4648

C:\windows\SysWOW64\SKVG.exe
C:\windows\system32\SKVG.exe
147⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NGEABL.exe.bat" "
148⤵
PID:1796

C:\windows\system\NGEABL.exe
C:\windows\system\NGEABL.exe
149⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BBPBH.exe.bat" "
150⤵
PID:4208

C:\windows\BBPBH.exe
C:\windows\BBPBH.exe
151⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WCGHKB.exe.bat" "
152⤵
PID:4980

C:\windows\system\WCGHKB.exe
C:\windows\system\WCGHKB.exe
153⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SITL.exe.bat" "
154⤵
PID:1920

C:\windows\SITL.exe
C:\windows\SITL.exe
155⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYVX.exe.bat" "
156⤵
PID:3036

C:\windows\SysWOW64\MYVX.exe
C:\windows\system32\MYVX.exe
157⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBFL.exe.bat" "
158⤵
PID:4748

C:\windows\system\YBFL.exe
C:\windows\system\YBFL.exe
159⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMEDDD.exe.bat" "
160⤵
PID:4652

C:\windows\SysWOW64\TMEDDD.exe
C:\windows\system32\TMEDDD.exe
161⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KVNPK.exe.bat" "
162⤵
PID:3288

C:\windows\KVNPK.exe
C:\windows\KVNPK.exe
163⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MOENXU.exe.bat" "
164⤵
PID:1096

C:\windows\MOENXU.exe
C:\windows\MOENXU.exe
165⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWOGS.exe.bat" "
166⤵
PID:4988

C:\windows\SysWOW64\CWOGS.exe
C:\windows\system32\CWOGS.exe
167⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RUBOIE.exe.bat" "
168⤵
PID:708

C:\windows\SysWOW64\RUBOIE.exe
C:\windows\system32\RUBOIE.exe
169⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VQICW.exe.bat" "
170⤵
PID:3164

C:\windows\system\VQICW.exe
C:\windows\system\VQICW.exe
171⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEBG.exe.bat" "
172⤵
PID:3980

C:\windows\SysWOW64\VEBG.exe
C:\windows\system32\VEBG.exe
173⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUDNFTD.exe.bat" "
174⤵
PID:184

C:\windows\system\RUDNFTD.exe
C:\windows\system\RUDNFTD.exe
175⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPC.exe.bat" "
176⤵
PID:216

C:\windows\system\QPC.exe
C:\windows\system\QPC.exe
177⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BAGY.exe.bat" "
178⤵
PID:4976

C:\windows\system\BAGY.exe
C:\windows\system\BAGY.exe
179⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FWZVU.exe.bat" "
180⤵
PID:3632

C:\windows\system\FWZVU.exe
C:\windows\system\FWZVU.exe
181⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SCHHWK.exe.bat" "
182⤵
PID:700

C:\windows\system\SCHHWK.exe
C:\windows\system\SCHHWK.exe
183⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVFJVC.exe.bat" "
184⤵
PID:2292

C:\windows\SysWOW64\HVFJVC.exe
C:\windows\system32\HVFJVC.exe
185⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PQJM.exe.bat" "
186⤵
PID:4352

C:\windows\PQJM.exe
C:\windows\PQJM.exe
187⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOLBIXQ.exe.bat" "
188⤵
PID:2360

C:\windows\SysWOW64\WOLBIXQ.exe
C:\windows\system32\WOLBIXQ.exe
189⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JKDIRHH.exe.bat" "
190⤵
PID:3668

C:\windows\system\JKDIRHH.exe
C:\windows\system\JKDIRHH.exe
191⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 960
190⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1272
188⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1292
186⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1000
184⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 964
182⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 960
180⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 960
178⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1248
176⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1336
174⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 960
172⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1004
170⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1328
168⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1328
166⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 968
164⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1324
162⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 960
160⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1272
158⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1296
156⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1004
154⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1004
152⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 964
150⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1228
148⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 988
146⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1324
144⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 960
142⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 960
140⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1336
138⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1316
136⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1324
134⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1004
132⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1256
130⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 960
128⤵
- Program crash
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 988
126⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 988
124⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1328
122⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1304
120⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1328
118⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1312
116⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 960
114⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 960
112⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 960
110⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 976
108⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 960
106⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1308
104⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1324
102⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 988
100⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 988
98⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1324
96⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 960
94⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1324
92⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1308
90⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 960
88⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
86⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 960
84⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1300
82⤵
- Program crash
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 960
80⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 988
78⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1296
76⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 960
74⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 960
72⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1292
70⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1328
68⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1336
66⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1336
64⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 996
62⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1324
60⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 984
58⤵
- Program crash
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 960
56⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1008
54⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1296
52⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 960
50⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 964
48⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1296
46⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1328
44⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 960
42⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1332
40⤵
- Program crash
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 960
38⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 960
36⤵
- Program crash
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1328
34⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1256
32⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 988
30⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 988
28⤵
- Program crash
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1316
26⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 872
24⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1324
22⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 960
20⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1324
18⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1324
16⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1304
14⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1328
12⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1272
8⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 960
6⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 960
4⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 972
2⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1804 -ip 1804
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5016 -ip 5016
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4220 -ip 4220
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1336 -ip 1336
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1836 -ip 1836
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3984 -ip 3984
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1624 -ip 1624
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4960 -ip 4960
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4468 -ip 4468
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2992 -ip 2992
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4348 -ip 4348
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 564 -ip 564
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1432 -ip 1432
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1688 -ip 1688
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 976 -ip 976
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 656 -ip 656
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5108 -ip 5108
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2100 -ip 2100
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4316 -ip 4316
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3392 -ip 3392
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1996 -ip 1996
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4608 -ip 4608
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4236 -ip 4236
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1920 -ip 1920
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4652 -ip 4652
1⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1004 -ip 1004
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2296 -ip 2296
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1996 -ip 1996
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2256 -ip 2256
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1920 -ip 1920
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2944 -ip 2944
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3792 -ip 3792
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2980 -ip 2980
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3976 -ip 3976
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3520 -ip 3520
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 832 -ip 832
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2836 -ip 2836
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1528 -ip 1528
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4008 -ip 4008
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3588 -ip 3588
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1920 -ip 1920
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4336 -ip 4336
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3636 -ip 3636
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2220 -ip 2220
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2660 -ip 2660
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4356 -ip 4356
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3588 -ip 3588
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4620 -ip 4620
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4480 -ip 4480
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4932 -ip 4932
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2024 -ip 2024
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1008 -ip 1008
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1836 -ip 1836
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2100 -ip 2100
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5036 -ip 5036
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3896 -ip 3896
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4896 -ip 4896
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1516 -ip 1516
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4568 -ip 4568
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1556 -ip 1556
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1988 -ip 1988
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 820 -ip 820
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4004 -ip 4004
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2864 -ip 2864
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2288 -ip 2288
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4124 -ip 4124
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4524 -ip 4524
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4020 -ip 4020
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4456 -ip 4456
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2372 -ip 2372
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1932 -ip 1932
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2136 -ip 2136
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 2336 -ip 2336
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1996 -ip 1996
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4348 -ip 4348
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2844 -ip 2844
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4620 -ip 4620
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1336 -ip 1336
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1188 -ip 1188
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4020 -ip 4020
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 856 -ip 856
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4992 -ip 4992
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1100 -ip 1100
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1556 -ip 1556
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 924 -ip 924
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5048 -ip 5048
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2164 -ip 2164
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4020 -ip 4020
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 396 -ip 396
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4856 -ip 4856
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4772 -ip 4772
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3968 -ip 3968
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3876 -ip 3876
1⤵
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AFVRD.exe
Filesize
282KB

MD5
8b4621e207b0d49d26eca2960c085697

SHA1
99eba4ec0f41214eff0a2c5d8b96f675f9ff6c3d

SHA256
d16d57823848ef9554928a21080d55f2ceb3520f214ca545785629772996fd8a

SHA512
e13ee30971b63a4a3c50ba40cc608b2f8344ad51b4bda0c4b34940e065617e8419e6108504dddb35148a1ab4a636d25efe7ea110cc2c2c7715adcf088a493445

Download Submit
C:\Windows\KYRRQT.exe
Filesize
282KB

MD5
43131be3781affecd9dfc53b72fb208c

SHA1
c93edb1c080fdafef72c5bca02f5dcd055c6df04

SHA256
e4460d2f9cf05ec817f0dae34214bc4393e22fb36905bfa3f6f568b241ec4f98

SHA512
d0d9e2578d90cd6d18a57110a030eda295cdc2083c1c0680b05a6c16e57e4315881d22e2722f308092cce9e34d4def1f7a1b5c7980b35a01c50cc01b95e7c9e8

Download Submit
C:\Windows\PDCZT.exe
Filesize
282KB

MD5
f193048f23b213a50b05fb26f00fea55

SHA1
edb13dad7955de2af0a1ca0c97609a7f398d3ae5

SHA256
276381bbdbc4ca25a01d94b6727ab91a4487086f83e08f16a6b6e28fb698cf80

SHA512
37135cad7ca2addaab3f7031602de25d0f0ecf1cc6ebec441670107f30c0f988a303bc77f91e0147b0ec1fbaa772a4d75ff46941c559e9969ca703f9f72c67be

Download Submit
C:\Windows\RXP.exe
Filesize
282KB

MD5
3a1ffbadebb5607f6b48b3f67dacdaa0

SHA1
aa11e8e5e75a541c3dd26283d531b6cb5590a2d3

SHA256
6bee0b5530c7e67af2556be7883d8abe6446bdf25e01493f045d3db82dc408d2

SHA512
647a7371072c8052437b4379b092392eba06d41740edc437da6c5541605569d4389ca6d264638329f3ae20e59ae056dcd241282d6d7277f8fba4e341523696c3

Download Submit
C:\Windows\SysWOW64\AMD.exe
Filesize
282KB

MD5
adc17c5eb81d14d78a58cb4c3bf0d542

SHA1
7e3b997a38edcdb540f0d5104fe60bc71264df48

SHA256
0c5fe7b6e125bb71b7e5cd03b9f143a8220290da355c2eb26e33329d4bd52168

SHA512
c865b8f77ca81088a042a41733a0473fc2886080fad168fc05e85eda2af022b32f395b051bf4d11d731c0388318f52e3af0cac2824fb7a8455851c6a9927023b

Download Submit
C:\Windows\SysWOW64\CBMRFW.exe
Filesize
282KB

MD5
28e28e28a05638bb276ee11895b06f30

SHA1
507715826b625a562a623cc630c09df9e3ffd949

SHA256
a20aadc7fe0398adc04c09505323edcd7dda0e900d608aa3a922594505819b0e

SHA512
13d8c0d93ad8e6003edc9b3f0b0641e91f1455736f453e543b15ea1dcd565e33f82680c81d6d36685825046b16c15de41714d12ae2fb95e1fe59808196c22b5d

Download Submit
C:\Windows\SysWOW64\EMHKDCX.exe
Filesize
282KB

MD5
cd5162830bf1aec888f82ca851489ba9

SHA1
8b07d6a454e41fb108ba2b4ce7f07716ef84b35b

SHA256
438fb19daba46d83e2e11a0c6b8ac94cbc274835476ffaef3451289a1f366fdb

SHA512
2a0cd35ca1b4752eb326066b19c0ceefd592eaa493f2ef3614bc4a13f82d3475cfc8a96a7188879a557c89cd1527a0d0dd3ff985a1ff8c2f22e8059bd4a20862

Download Submit
C:\Windows\SysWOW64\VZZJ.exe
Filesize
282KB

MD5
3df8cc96f07fd2a48b0828d2e3843068

SHA1
8ae28a0b7c52eea9d7a5d4241cedbc7cb7432694

SHA256
5e91a3f494ee0568cd63adb457fad9d600c432f468bc96e3e81ec3bac14ab5e9

SHA512
f9f70060e6543cc4d6e2fd12cf32c53a09f83817404ac7a6fa2adc69a9ab48ebd54791ca9d560de2feef3820ee7beb73baaa4a82976f9171bedcd8a675d77917

Download Submit
C:\Windows\SysWOW64\VZZJ.exe
Filesize
282KB

MD5
71b552c9994c98ce3d49a0d8a6a2ea7e

SHA1
f73e00fc228c5450f4ac4461fdc6e5d552b60729

SHA256
1e2bfc9330ddd029b00dc7f2973d39d34c5df1b55bc9d2c8ea04783cc0c1a634

SHA512
cf8e05bbb78246defaf8bfd6f2ce2a9a321102d110612b87ad02b92e9d27ab582d0bf76b3f03d2216d51cfb76d6ab2c82e5d4a50187b4e68a2e596ea36208aa2

Download Submit
C:\Windows\SysWOW64\XDHJDXR.exe
Filesize
282KB

MD5
4f5fe06076040c29b491f423a204bbcd

SHA1
9392a161adc3f2c60f8e776986fccbbeb9972ccf

SHA256
416bf3ae7f0a5466f95ee4d9a97244c3162c7da111fb933695c648b48232f4a2

SHA512
e82e336affbfa1dce89d7c16fca01276e7767407076f6ed8e59ab08ed04fe2f949ab072269f6f488c212aa6964f8a6aca56e715441ec8aec92f08bf3a3d99d31

Download Submit
C:\Windows\System\BOGB.exe
Filesize
282KB

MD5
e030252e4584fe21a54fe59466ca4bb4

SHA1
59eddfe5a597e751436294952cb41ab18026ab2a

SHA256
1c148b7ac6db92b7cc733ddba3083701be2dac15c4bcceca8d9317c84bed5217

SHA512
5cb08da7f2f4149275eee2bdc9fff3c8ba589d75c622a81769af804c8afed627cd6d2b0b4364563160d8da257d00569a72b4fa2a530de55fae8f5f2d506f71e7

Download Submit
C:\Windows\System\HELJZJ.exe
Filesize
282KB

MD5
2a6a948bef8c098d3b4ca4f163593ff3

SHA1
21c17e89c2b8c8fad3952eaad68caf7827ab7551

SHA256
164d238f664ddc24f3c9f8c9d77cca478d88056653536ea345e3c873d97cae59

SHA512
38eecf1fe5ee9ede7df873053ba2bbe2659b2bdc2c4a33a84185d7960db877071a8f9e2d887ef8c3b92b7d8920d7dfb581a7ac41a9114d4da5c83a3761b3a609

Download Submit
C:\Windows\System\RXFP.exe
Filesize
282KB

MD5
86fb685b8267f48ec245800ff0a3e0c9

SHA1
c3393c14099b8f37ef2f13be56e1ebda50b1560a

SHA256
a8623e41eed3c1f67d2f42cb83f792076ba9be0d64756c8afaec8c761f4085f8

SHA512
903f2a97aa2493f2b5657a9a96bfec89cd35339093d9f36c7881fc1b1a29a71879f61f7ae6dc04f78ed674a5ccf44484699f471d75da0bf6fdc2f86d8838f26e

Download Submit
C:\Windows\System\ZFUZC.exe
Filesize
282KB

MD5
68052b307a4d9fd6b52643325b07cbb6

SHA1
9ae3ceee2bde447f5d35361eacbe800472a9699a

SHA256
17f1c4b92e221463653a9ab1d466151fa12e55268347ea0ff074a08bd900cf25

SHA512
924dc7fa3c8c873eb839b95ca6e6516a9737adc4c098b3db587f111b43787f0a40c21ca5e6e89bce2cf2a95d1e5bb673d00b5be2105d387db5f0bd632066225c

Download Submit
C:\Windows\WXHSM.exe
Filesize
282KB

MD5
4d42444c321e497aaebf230d4e110699

SHA1
8ca3c51fdbe6cc8985d322c70e0e596baffd3ad7

SHA256
15ed8150699c13cc9aa6318a4982b5d6dbaba60f6981bb6e9d762e548db101a2

SHA512
8e47b3e66a08fbecd36242561210ed95057f0ae48e5b48b8cc03e03cf64c98912b6baf0ffcaf8f11e7658b8929f77cc3a7fecc7b0019178e8382d736a79f05cc

Download Submit
C:\windows\AFVRD.exe.bat
Filesize
56B

MD5
f9b83b831e7bda77e45855013df19fbe

SHA1
adc7a4507cceb3d147c2217509db5fa80740df38

SHA256
63843817919b7c3ffe1f80fbc4efa7550dfc1d8024078fada5d18169c2c8c495

SHA512
0a3cd41d670dde996169ba5290b730fc03a83194127f191d0af4dc6a3077d283678bf13b41376d08f3bca11d2e191e6ccab8bc3a852431ceb0d2e9a6440aa2df

Download Submit
C:\windows\DFGY.exe
Filesize
282KB

MD5
918f27d9c7f261404e16eb93787333a6

SHA1
1b36f96ec625fd3bd4b2430c88e2b36a9a604e98

SHA256
d528e9a09df01fb5c5eb139c206dce8a387c0759103e20f5babb96568a31c457

SHA512
841368d3ae15eba4e0f08b3379959465a47c48cb754ef27339611401d35d263700fcd52afdf472dbb9bcdb3e765e1e618ee72833e18bb2e4c5b1b886cb734bfd

Download Submit
C:\windows\DFGY.exe.bat
Filesize
54B

MD5
5574ca74ec1f996dab5b446818cfd586

SHA1
3a6a5e410650f5a0292b12e9a8ae116af111fb8b

SHA256
73a18c984335f52e218084eedce7cbe372762e8dd3a068cccae291a7b212d2bd

SHA512
331b951e1724c114d3a4f6ab88e16da312a1ca090fd70875cbf11c431873685a78d9f61158375e3b779fc3daa70f8d7fd157634edad05b7222e77d023c0dd6ae

Download Submit
C:\windows\KYRRQT.exe.bat
Filesize
58B

MD5
88a869445d7b77304bf7de73e0cfd875

SHA1
5789b34c7b5091265729fc00eefa0d388b593961

SHA256
9f312176923bac9e66413456545dd8db61554eaae9fbe960f964ed6a0223fa6e

SHA512
68d0f9a0966ccb84dbf7ba5366947da585e8c694a434612129a43023bf406c2e29d22d810c482d8cff4077b2bcf1f267389b86b8491d25c2ab6db20c126ad3da

Download Submit
C:\windows\PDCZT.exe.bat
Filesize
56B

MD5
fccb71c9af9cc6fad6554a50f5381486

SHA1
3bb9a99519b4ee6962f488cdbc5621ac4eee3d6f

SHA256
33482544c168e52bb70688e17bff5b6443eaa05608a5181f5799fd32edc9e321

SHA512
52f5238d1c8d904cc758f07d7af957833773d49830b2cc02f38cd9915701143841a666d14621cd5d32b74b227fdabd2329f922726bb836c5578e227c2d518cc3

Download Submit
C:\windows\PVL.exe
Filesize
282KB

MD5
43d761c02f880094341d6cfbd6b9ba40

SHA1
52bcece1276f0ff8a16f0ef1ee553f7820ed7fe7

SHA256
1b23c3d1461ca3e1262bea24938f882357cc5992d63e71d5a15c874c35be42b3

SHA512
f677c551277bb5ce8bb0dd4ae3781442b407285d3712c47a8bb9e2aebaf794ffe08f9b712539dbed4cfb1649b66f3933f6590e44fad0d83cd968611c3e52b7ee

Download Submit
C:\windows\PVL.exe.bat
Filesize
52B

MD5
2deec1bcab3037221af25fa765411231

SHA1
5880ac2456f7f8cc14ddd00a0ed7f15de712c1f5

SHA256
216fdc3445242523e11553a5d63fa10c2c2fce1717e5094099863132c10d69c2

SHA512
3408946526b37d8ecd32c3a6013017ec37241b80e9d67b784e76b2020c4d044d34f619e3de2a8612e938a5d394636a9dd350a8fe59084991dabafe0140b72718

Download Submit
C:\windows\RXP.exe.bat
Filesize
52B

MD5
4b049c3dc99cc8a2e8260bf8bedc8742

SHA1
7532de92fe883471d237b321c9801770fdc73bc5

SHA256
f2d5c40b9601aa668c56e2fcf49503576724f8edffde565ae21dc05b5d06376a

SHA512
2c8f06520f8654135bab39a2cc74808b950d9a10b9f6b0128b6960d907ba5e8d7f473bf38e20a2419baff714a474f39946a0258e1d9c71a0b65c1324eb264f6d

Download Submit
C:\windows\SysWOW64\AJWXU.exe
Filesize
282KB

MD5
ddf2b0fbe6c01d2ea4528f967ac36b85

SHA1
77fa599ab4ec67f9dd066025246591b860c1e290

SHA256
af8ca33b8a4f78a718d5b93a778b13c246ba1263f198d90a754ea700e8926eb2

SHA512
6d5fa5bc93eeded6fae62f34e0240b5f356030f7c02adee339c103ec59424fb1454a78add9fd94d94a3308f4e35f8d6dd2c594851ad7d0b31579f203305df909

Download Submit
C:\windows\SysWOW64\AJWXU.exe.bat
Filesize
74B

MD5
213b78f0780f8c540bd65419c00e1a3e

SHA1
5706a589312b56db5ad6cefd9e5c8ee6985288d9

SHA256
4fadbb9388f0a30414b0b29ca8a467a1676ecd0dfaee6dee9ff1733aeebd0a92

SHA512
c0d9af1e044c495437645f97a6a1eeea203a8c03a5bd38e14c0fc4ab62dc423041a43f4f84536e293e490ed878bbf3df687baa880c5a5b6660220c399ff8bbd6

Download Submit
C:\windows\SysWOW64\AMD.exe.bat
Filesize
70B

MD5
3b51da397ac8280c82b9fa2bf6c962d3

SHA1
cadb6ccf919428bae0a355205df3097af779cf91

SHA256
297e2047024a937d11f447ffd25aff9b24a12c8f6498ca9516f9cfe6d9a3b87c

SHA512
4350eecd2e32584af49515ba772cd5a02d00d068d42d1e82cec6b488d60a3c96ec504189bfba8749f1735be65a8cce7721fd49119831fc65948d97c1346ffc20

Download Submit
C:\windows\SysWOW64\CBMRFW.exe.bat
Filesize
76B

MD5
d7c92514c1f8ea25cc7568a4ddc6a240

SHA1
acb1df419c7a7df890478235501d69457c00696c

SHA256
4472e9154681b4f155aa8bcd69e99cb7f4ccdbe2f5b83137fb820323bde498d1

SHA512
a90713a493174a2522d26caa0f81b8234613274a73a805129865d3a75b39807d75c7f8430190448e6c3f94d5357387b5650645cdf64e9c91a7b1e553149fe13e

Download Submit
C:\windows\SysWOW64\EMHKDCX.exe.bat
Filesize
78B

MD5
63fc09f901067688ca05515c91db73ff

SHA1
7e9130435e8ad21a377f34142553d15d11f96ade

SHA256
99742377c29140ca123c4a01ca60da52a14a0a465eca3a1ad6501b4cf2d0ba22

SHA512
9380f453a07439b9c72cc1690bd7aa9778ebd953f9c7a3e6f6d55deece59c9e5359605591069dd786acaae0192a16dc2650c8f09040cb8eec12272d520026f5f

Download Submit
C:\windows\SysWOW64\JVY.exe.bat
Filesize
70B

MD5
6360296fe84fd0990aebc7c30dab17c9

SHA1
3172c5d5d01bdae4f82f0d11233dae73936a2b5e

SHA256
23571d9b3f08033059b2f28647dabf175cdaf97881dde7b2dc5c5bed195b3455

SHA512
61e34c15004164e7447459c0e66f19105382a28fab943a28cd5c41435166883925a4257dacbce74a441ab2d055f181d20d27e8e0fcacf84f19ce933e24bacf65

Download Submit
C:\windows\SysWOW64\VZZJ.exe.bat
Filesize
72B

MD5
c827c3ad3c884da04f0f87a65fbc5a12

SHA1
1294dbf2588bfcf2012e7ce1b0a61bd00850bab7

SHA256
0b2e80be66ad6631c0d4ffe9233bb79374a88dcb6801485f1b2f4d803105610a

SHA512
b9039d91d5de221d456774466d6141de358981da658e370f452c69afa913f02764ac275a7a0a880058616fa38f2a0ffe906965245916afd7644bd56f2dce77f5

Download Submit
C:\windows\SysWOW64\XDHJDXR.exe.bat
Filesize
78B

MD5
b4f499c93282aa379660098c41286c0b

SHA1
b9f02d6122fc70b3e3c57ea27465763b923cfbc3

SHA256
98a659cf26a6b8ac6a1b258ad9c5e64c64b07b07025726780a1b0421d7da78da

SHA512
e08c9c6a57876787dc1d517762722fef873607b86ae599673a1cb0a71c63237f466f7e3db1fd36f2c6056a6f6c81df577bfc32523e5ac940b514d65a333a2370

Download Submit
C:\windows\WXHSM.exe.bat
Filesize
56B

MD5
c056108532d905d4aceb555170581e5e

SHA1
29848ca9aa7e0d152fb8012dd8ac5ac5df14fc4d

SHA256
c148ed77e6956cbc17b841d1c283d909e1c1a6e1086eeee073a0eeaa798de59b

SHA512
f83805ad00a70de18783512dc009bcd67c3648e4ea97721133c7ae5f383d829a614a1e67c467ed48171dfac3e92ba9ae6765dbad70c372c023ad61f757e36703

Download Submit
C:\windows\YGBGP.exe
Filesize
282KB

MD5
af46289fe14fa07c151a8590d7107060

SHA1
2d611076a32f4720ca0151ef304878382d8db345

SHA256
84a41d6d57bdd501e7c40ec743b2d162cfbc7d674dfab48888ce7389050e9089

SHA512
9a4400582c6494a18aa9921e2955f5bd0f870f8439efec72148149c175bf37f13be615a46d979a5b50fb9428375ead80d49a7eaf411b318a9eb79f1841babf24

Download Submit
C:\windows\YGBGP.exe.bat
Filesize
56B

MD5
9f05adf7bb35c0474f068b7ebd049b55

SHA1
b7a544ab9a404be200aaedcd245f2dc58fbb7abe

SHA256
eb5840a851d7be18f3853375158a712b0ca7c5bb8fc6fcb4fea5ce08cb8373dd

SHA512
de4ae5aae89aaa9cae6bfc7640f46c475f69eeb7f127f1947d1641ec9340434cf2ae6fc9a891d1f29308c428809240fd4a6a7a940df9a73c3c31156d98e0fcb7

Download Submit
C:\windows\YJUR.exe
Filesize
282KB

MD5
dc0b4295aaa9579039517dea3aac8316

SHA1
3e7a8bf64f87e76304fa95df4fb9d5b3a4cf82c5

SHA256
2ba5791d4b44a5ec1b9271e97e2ffe5501f659f182c7edf5fc4e7428b14134d8

SHA512
2971c9ba9c05304a2f692393934e72f9a8913cb0ee33c67c285fb0dcd8f7a78553aecde2ab3f623adc64acad78b7623e28295c30353d29f39e59b1b2c2291a83

Download Submit
C:\windows\YJUR.exe.bat
Filesize
54B

MD5
d6d438ad6c66d739062756f08129e22c

SHA1
b558888705ec54b19b7b0c1cf46904cd00f9113d

SHA256
43e4e8eed1ca4b389a3b385be9e583dfbd04ac8a6256dda8c0eece805c8ce7d9

SHA512
fb5c2b071f3d5afbeaa14fa79bc45dc642c22ed098fccb67a8dbe36b51ac2045adf0daedd8b8bf76ff6f04db92d305db69c728b4a8f935db414dddf3ea0196e9

Download Submit
C:\windows\system\BOGB.exe.bat
Filesize
68B

MD5
04eb7ebe993bc9d609cc2b46bbaa5f77

SHA1
9af803711e98d353918bdcf79325778e1d9a1369

SHA256
4b7e6834c2f2cbd88158fdf443d882afc9b4ff162cba4f625535ed8321c2b92a

SHA512
8e51086447a19849cf9074f7026e14e22127708a1e61be5c55c9e02773bdc794c72db47413a0c813e011604aaa2090816ed0618629287bb865ead35f4290a90d

Download Submit
C:\windows\system\HELJZJ.exe.bat
Filesize
72B

MD5
56a4dc57994db26c97ad18cf67185a96

SHA1
63e9a2670a49b7fdc016091e87f60427da60b749

SHA256
52d9c811e6d2cd4a00edc32125ab2ed036f8b44dd571974cbb3c4870f3c0c581

SHA512
81ce81f20b955cb73672def99bea9337413e8bbdecebfcd9101a27b69c4349d476cbfe04ffacbd587f4888c0982c8f981b9a6dbc5d4a88c466828affcee15432

Download Submit
C:\windows\system\RMZK.exe
Filesize
282KB

MD5
4fed4d6d05444ef6e73c4a1ae6afcb75

SHA1
9b7b5a0892b22358d5c01b2f2655b8113ae4731a

SHA256
3918fe1fd61e155f919bb64775d4dc5d7fcd3d76bfb7e11e6f016eb0e440cd52

SHA512
abfda4a0ac43bbd86b3485ee66f5948685da5a5cbdac67191ffcd6c3b6b2b8ec664d6586349e98b76b4da99fd9380f6178483c382e4ebe9299fc1a293dd1adec

Download Submit
C:\windows\system\RMZK.exe.bat
Filesize
68B

MD5
9419c959e597181905e01da1d0f15fa6

SHA1
df14156fc144db2d5d8972f84097f6afb152a2db

SHA256
e32ceac2aa488cf7f1d32d6e0a0840fbb8903b995f6ee391d25cf45cf3974721

SHA512
99d4fcd60a6ee61530fdacd6ca367248ea3ba705c1792374d0d1452dbf7a2a1fdca3c7208c066fd27efb8e45b1ea1618115d3386a67f61e86ce9a4988cd1af69

Download Submit
C:\windows\system\RXFP.exe.bat
Filesize
68B

MD5
11cccf9db69d72c79291559aa9703f61

SHA1
b269634d0f07b787914f9c735c12c31ed3c19cde

SHA256
ca4848da5056d061e50175b3d04d102aff8aaa73a868de571a547b82d9795e21

SHA512
9736433cb01c7800b7d03d589ff6c49999da155925b10c121f017d34eb98c5e5a779601c9fab8b2f540986e67ef944925f1d1d2ac9135b0a8503cc734edf1bf2

Download Submit
C:\windows\system\XSSX.exe
Filesize
282KB

MD5
53310e158b01806ebf7283159560b7f3

SHA1
2dc467f1738dfa73a1f38414c7831a63ec161141

SHA256
e8701dac0e59c4e8b1abf6887814f882a48937e4b90d915c3a4a412d565d61a4

SHA512
9f140a2551af8b4f5425894c54b50ae11a2747449253e7934a8d2ff3276181c706cd1aa8455b5a563baa363bf5f03121edcca77ae3c516f279bde919c7e4b5d8

Download Submit
C:\windows\system\XSSX.exe.bat
Filesize
68B

MD5
9326580af8061c4d1ec599b7e701fa68

SHA1
8c167f860bdac4895b323c9f8014487d00a0307c

SHA256
268cd48f354c12560b07ae9c494bfe43d00264373eb70868a31ef6c2731402de

SHA512
f3deca5f056f2774c0120ddc35fa018345a6d5594e428747209eb33afe40ac3f2c6c2149a4d705e5b2d1681221bcb0c85849175d917e4fb024c7ca1b833392a4

Download Submit
C:\windows\system\ZFUZC.exe.bat
Filesize
70B

MD5
88bdf663b79393defad19c4439ff0c31

SHA1
385c09bae3503accc57c616d3d6479e41e2edec7

SHA256
fea141b47b9670d197edf0fb8cb79243b3f7027d0d71955a15215ea9af49aefb

SHA512
1d9568165af08b9debaa3a432e1200b4c88f972d27489092d4e66344f5f52d913e4efcf31e4e458b5091ebc799e10b9788bdd488e01610dca9dd1be9e4d9439a

Download Submit
memory/552-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/564-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/564-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-211-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1336-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1336-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1432-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1432-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1836-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1836-51-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1996-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2100-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2100-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2980-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2980-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2992-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2992-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3392-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3392-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3792-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3792-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3976-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3976-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3984-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3984-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4220-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4220-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4236-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4236-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download