e73ea851a05c004157c6e41a3d6aa84ceefe4b82369ab9b79a385dccff33d78a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
Size

282KB
MD5

5daf9572c2a632329758888668015d80
SHA1

706452dd65d03cb83e3f3a99efc06d9c995272d8
SHA256

e73ea851a05c004157c6e41a3d6aa84ceefe4b82369ab9b79a385dccff33d78a
SHA512

3f5d8da190a1bae56d7245e8745debe2a85e97cc6da8dd26cd23ab58582dd5e3d93d979bd2c608a2140d653352eac7abc246c23a1ee9d8827e90989087fc96c3
SSDEEP

6144:ustaRDOzrIzIAUdL+SkEjiPISUOgW9X+hOGzC/:e8zXdVkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 17 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\WMWZ.exe	family_berbew
C:\Windows\System\MEG.exe	family_berbew
C:\windows\system\JFQIOP.exe	family_berbew
C:\windows\SysWOW64\YGGQNK.exe	family_berbew
C:\Windows\ORFXJ.exe	family_berbew
C:\windows\NIUU.exe	family_berbew
C:\Windows\System\WLLQIAO.exe	family_berbew
C:\Windows\SysWOW64\GDCP.exe	family_berbew
C:\windows\SysWOW64\MZG.exe	family_berbew
C:\Windows\SysWOW64\UMS.exe	family_berbew
C:\Windows\System\CSX.exe	family_berbew
C:\windows\JCUMO.exe	family_berbew
C:\windows\SysWOW64\YAI.exe	family_berbew
C:\Windows\SysWOW64\OQJV.exe	family_berbew
C:\Windows\QEAEN.exe	family_berbew
C:\windows\EJMIYHW.exe	family_berbew
C:\windows\AFHVUO.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NIUU.exeSRLJ.exeELN.exeQXFRVRF.exeILMDAGO.exeJBSNO.exeORFXJ.exeJQEQGZ.exeQWSMDZJ.exeVXZH.exeXWHUF.exeIZIKDC.exeWEREIFU.exeAKIQJUK.exeBCEK.exeRQV.exeJENBWC.exeVYL.exeOQJV.exeNSVB.exeEPKTO.exeVXOV.exeKZR.exeTHMZTK.exeXPIJO.exeMEG.exeBLBNOO.exeDLMO.exeKDPDQ.exeHBFCM.exeUSHF.exeBRTTN.exeRVLBI.exeZTQ.exeTJKUTRJ.exeLUTBC.exeWMWZ.exeXVVBUFK.exeLRCTV.exeALB.exeLRMKZCI.exePWCVTK.exeYGGQNK.exeSIB.exeJMDLHG.exeBHRYF.exeASUO.exeRSX.exeXOPA.exePRLZBRB.exeLIOHSYX.exeVYTAT.exeXABEIT.exeFGGKTR.exeCAVZ.exeSZHYS.exeTNU.exe5daf9572c2a632329758888668015d80_NeikiAnalytics.exeGRW.exeFYD.exeEBRFD.exeAHO.exeXZSY.exeVPRSFOH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NIUU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SRLJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ELN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QXFRVRF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ILMDAGO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JBSNO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ORFXJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JQEQGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QWSMDZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VXZH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XWHUF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IZIKDC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WEREIFU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AKIQJUK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BCEK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RQV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JENBWC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VYL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OQJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NSVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EPKTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VXOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	THMZTK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XPIJO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BLBNOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DLMO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KDPDQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HBFCM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	USHF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BRTTN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RVLBI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ZTQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	TJKUTRJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LUTBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WMWZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XVVBUFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LRCTV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ALB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LRMKZCI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PWCVTK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YGGQNK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SIB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JMDLHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BHRYF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ASUO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RSX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XOPA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PRLZBRB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LIOHSYX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VYTAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XABEIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FGGKTR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CAVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SZHYS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	TNU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GRW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EBRFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AHO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XZSY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VPRSFOH.exe

Executes dropped EXE 64 IoCs

Processes:

WMWZ.exeMEG.exeJFQIOP.exeVYL.exeYGGQNK.exeUGISQGZ.exeORFXJ.exeAKIQJUK.exeNIUU.exeWLLQIAO.exeGDCP.exeMZG.exeUMS.exeCSX.exeJCUMO.exeYAI.exeOQJV.exeQEAEN.exeEJMIYHW.exeOHSDOPF.exeAFHVUO.exeRSRN.exeBLBNOO.exeAWLDW.exeZHBLGTD.exeAKFP.exeVPRSFOH.exeSIB.exeYDE.exePMT.exeNCGKR.exeBXEW.exeBCEK.exeRQV.exeXLHK.exeWWKAPM.exeRCWE.exeZCN.exeRKB.exeTYTE.exeHTWXU.exeYEHNCHW.exeWCUFK.exeCPYY.exeVPNJ.exeTAFOUF.exeJQEQGZ.exeQWSMDZJ.exeZJDET.exeWZQVJ.exeVUH.exeVYTAT.exeXNZU.exeFBEB.exePZRVST.exeJMDLHG.exeNSVB.exeVXZH.exeDLMO.exeNLOBWEB.exeTGAUBAS.exeGRW.exeVHJ.exeBHRYF.exe

pid	process
4540	WMWZ.exe
752	MEG.exe
880	JFQIOP.exe
3028	VYL.exe
3032	YGGQNK.exe
3304	UGISQGZ.exe
3452	ORFXJ.exe
1488	AKIQJUK.exe
3892	NIUU.exe
1468	WLLQIAO.exe
4572	GDCP.exe
392	MZG.exe
1072	UMS.exe
4128	CSX.exe
3528	JCUMO.exe
1680	YAI.exe
948	OQJV.exe
764	QEAEN.exe
4148	EJMIYHW.exe
468	OHSDOPF.exe
3032	AFHVUO.exe
1576	RSRN.exe
4476	BLBNOO.exe
1228	AWLDW.exe
1452	ZHBLGTD.exe
1612	AKFP.exe
3284	VPRSFOH.exe
1484	SIB.exe
772	YDE.exe
1916	PMT.exe
3024	NCGKR.exe
3088	BXEW.exe
4088	BCEK.exe
2792	RQV.exe
4176	XLHK.exe
3496	WWKAPM.exe
2588	RCWE.exe
4392	ZCN.exe
4596	RKB.exe
1504	TYTE.exe
2444	HTWXU.exe
4064	YEHNCHW.exe
2420	WCUFK.exe
4976	CPYY.exe
5068	VPNJ.exe
1480	TAFOUF.exe
3032	JQEQGZ.exe
2616	QWSMDZJ.exe
948	ZJDET.exe
2140	WZQVJ.exe
4660	VUH.exe
1868	VYTAT.exe
1396	XNZU.exe
3228	FBEB.exe
4568	PZRVST.exe
2548	JMDLHG.exe
1892	NSVB.exe
3320	VXZH.exe
3768	DLMO.exe
4660	NLOBWEB.exe
2716	TGAUBAS.exe
3680	GRW.exe
1540	VHJ.exe
4236	BHRYF.exe

Drops file in System32 directory 64 IoCs

Processes:

YAI.exeRSRN.exeFGGKTR.exeFRJUXU.exeSJSYHO.exeQBF.exeQITWYT.exeLYAHV.exeXOPA.exeBRTTN.exeAFHVUO.exeXLHK.exeVUH.exeASUO.exeMYJDMPP.exeVYL.exeTAFOUF.exeWSQRIF.exeWLLQIAO.exePRLZBRB.exe5daf9572c2a632329758888668015d80_NeikiAnalytics.exeVYTAT.exeNLOBWEB.exeDMWUINS.exeYPTDOU.exeJCUMO.exeALB.exeAHO.exeEJMIYHW.exeFFVB.exeGLKQS.exeORFXJ.exeBCEK.exeQYZ.exeREBM.exeGDCP.exeHDB.exeELN.exeBXEW.exeBHRYF.exeKDPDQ.exeXPIJO.exeMYNM.exePWCVTK.exe

description	ioc	process
File opened for modification	C:\windows\SysWOW64\OQJV.exe	YAI.exe
File created	C:\windows\SysWOW64\BLBNOO.exe.bat	RSRN.exe
File created	C:\windows\SysWOW64\ALB.exe.bat	FGGKTR.exe
File opened for modification	C:\windows\SysWOW64\PRLZBRB.exe	FRJUXU.exe
File opened for modification	C:\windows\SysWOW64\THMZTK.exe	SJSYHO.exe
File created	C:\windows\SysWOW64\JWJDP.exe	QBF.exe
File opened for modification	C:\windows\SysWOW64\MYNM.exe	QITWYT.exe
File created	C:\windows\SysWOW64\MYNM.exe.bat	QITWYT.exe
File opened for modification	C:\windows\SysWOW64\QYO.exe	LYAHV.exe
File created	C:\windows\SysWOW64\YRFWWIP.exe.bat	XOPA.exe
File created	C:\windows\SysWOW64\SZHYS.exe.bat	BRTTN.exe
File created	C:\windows\SysWOW64\RSRN.exe	AFHVUO.exe
File opened for modification	C:\windows\SysWOW64\RSRN.exe	AFHVUO.exe
File created	C:\windows\SysWOW64\WWKAPM.exe	XLHK.exe
File created	C:\windows\SysWOW64\VYTAT.exe	VUH.exe
File created	C:\windows\SysWOW64\ZDE.exe	ASUO.exe
File created	C:\windows\SysWOW64\RRTNQL.exe.bat	MYJDMPP.exe
File created	C:\windows\SysWOW64\YGGQNK.exe	VYL.exe
File opened for modification	C:\windows\SysWOW64\JQEQGZ.exe	TAFOUF.exe
File opened for modification	C:\windows\SysWOW64\AAXR.exe	WSQRIF.exe
File created	C:\windows\SysWOW64\GDCP.exe	WLLQIAO.exe
File created	C:\windows\SysWOW64\GZZWNIW.exe.bat	PRLZBRB.exe
File created	C:\windows\SysWOW64\WMWZ.exe	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\XNZU.exe	VYTAT.exe
File opened for modification	C:\windows\SysWOW64\TGAUBAS.exe	NLOBWEB.exe
File created	C:\windows\SysWOW64\UUY.exe	DMWUINS.exe
File created	C:\windows\SysWOW64\EQB.exe.bat	YPTDOU.exe
File created	C:\windows\SysWOW64\RSRN.exe.bat	AFHVUO.exe
File created	C:\windows\SysWOW64\THMZTK.exe	SJSYHO.exe
File opened for modification	C:\windows\SysWOW64\YAI.exe	JCUMO.exe
File created	C:\windows\SysWOW64\YZAXIR.exe	ALB.exe
File created	C:\windows\SysWOW64\KAGPT.exe.bat	AHO.exe
File created	C:\windows\SysWOW64\PRLZBRB.exe.bat	FRJUXU.exe
File created	C:\windows\SysWOW64\OHSDOPF.exe	EJMIYHW.exe
File opened for modification	C:\windows\SysWOW64\BLBNOO.exe	RSRN.exe
File opened for modification	C:\windows\SysWOW64\SCDNSMK.exe	FFVB.exe
File created	C:\windows\SysWOW64\JBDQNR.exe.bat	GLKQS.exe
File opened for modification	C:\windows\SysWOW64\AKIQJUK.exe	ORFXJ.exe
File opened for modification	C:\windows\SysWOW64\RQV.exe	BCEK.exe
File opened for modification	C:\windows\SysWOW64\RWHOC.exe	QYZ.exe
File created	C:\windows\SysWOW64\BCGY.exe.bat	REBM.exe
File created	C:\windows\SysWOW64\SCDNSMK.exe.bat	FFVB.exe
File created	C:\windows\SysWOW64\MZG.exe	GDCP.exe
File created	C:\windows\SysWOW64\JQEQGZ.exe.bat	TAFOUF.exe
File created	C:\windows\SysWOW64\RVLBI.exe.bat	HDB.exe
File created	C:\windows\SysWOW64\BRTTN.exe.bat	ELN.exe
File opened for modification	C:\windows\SysWOW64\BCEK.exe	BXEW.exe
File opened for modification	C:\windows\SysWOW64\XNZU.exe	VYTAT.exe
File opened for modification	C:\windows\SysWOW64\ASUO.exe	BHRYF.exe
File created	C:\windows\SysWOW64\ASUO.exe.bat	BHRYF.exe
File opened for modification	C:\windows\SysWOW64\ZTQ.exe	KDPDQ.exe
File created	C:\windows\SysWOW64\ALB.exe	FGGKTR.exe
File created	C:\windows\SysWOW64\SCDNSMK.exe	FFVB.exe
File created	C:\windows\SysWOW64\TNU.exe	XPIJO.exe
File opened for modification	C:\windows\SysWOW64\OHSDOPF.exe	EJMIYHW.exe
File created	C:\windows\SysWOW64\JQEQGZ.exe	TAFOUF.exe
File opened for modification	C:\windows\SysWOW64\TJKUTRJ.exe	MYNM.exe
File created	C:\windows\SysWOW64\EQB.exe	YPTDOU.exe
File created	C:\windows\SysWOW64\YLXWEO.exe	PWCVTK.exe
File created	C:\windows\SysWOW64\TNU.exe.bat	XPIJO.exe
File created	C:\windows\SysWOW64\ZTQ.exe	KDPDQ.exe
File opened for modification	C:\windows\SysWOW64\JBDQNR.exe	GLKQS.exe
File created	C:\windows\SysWOW64\KAGPT.exe	AHO.exe
File created	C:\windows\SysWOW64\QYO.exe.bat	LYAHV.exe

Drops file in Windows directory 64 IoCs

Processes:

YDE.exeTYTE.exeXWHUF.exeLRCTV.exeLRMKZCI.exeAKFP.exeJFQIOP.exeYYUGXZ.exeBCGY.exeMEG.exeDLMO.exeXEMB.exeBPT.exeJBDQNR.exeKZR.exeQYO.exeJQEQGZ.exePCVCEI.exeWEREIFU.exeJMDLHG.exeZTQ.exeTJKUTRJ.exeIUN.exeWWKAPM.exeGRW.exeJWJDP.exeWXNOQY.exeQVXX.exeVPRSFOH.exeLIOHSYX.exeXZSY.exeILMDAGO.exePZRVST.exeUPYEWD.exeVXOV.exeCPYY.exeUIN.exeGCXZPND.exeSVZM.exeUGISQGZ.exeNHYH.exeTNU.exeAKIQJUK.exeEQB.exeSIB.exeNSVB.exeLUTBC.exeGAGFNIP.exeBNMNUXI.exeSQXYEI.exeRSRNYN.exeOHSDOPF.exeZPAQ.exeWMWZ.exeNCGKR.exeRVLBI.exe

description	ioc	process
File created	C:\windows\PMT.exe	YDE.exe
File created	C:\windows\system\HTWXU.exe	TYTE.exe
File opened for modification	C:\windows\NMV.exe	XWHUF.exe
File created	C:\windows\system\ZPAQ.exe	LRCTV.exe
File opened for modification	C:\windows\DMWUINS.exe	LRMKZCI.exe
File created	C:\windows\VPRSFOH.exe	AKFP.exe
File created	C:\windows\system\VYL.exe.bat	JFQIOP.exe
File created	C:\windows\system\REBM.exe	YYUGXZ.exe
File opened for modification	C:\windows\BPT.exe	BCGY.exe
File opened for modification	C:\windows\system\JFQIOP.exe	MEG.exe
File created	C:\windows\NLOBWEB.exe.bat	DLMO.exe
File opened for modification	C:\windows\RSX.exe	XEMB.exe
File opened for modification	C:\windows\system\ZPAQ.exe	LRCTV.exe
File opened for modification	C:\windows\XABEIT.exe	BPT.exe
File created	C:\windows\system\JENBWC.exe	JBDQNR.exe
File opened for modification	C:\windows\YPTDOU.exe	KZR.exe
File created	C:\windows\XOPA.exe	QYO.exe
File opened for modification	C:\windows\QWSMDZJ.exe	JQEQGZ.exe
File created	C:\windows\XPIJO.exe.bat	PCVCEI.exe
File created	C:\windows\GCXZPND.exe.bat	WEREIFU.exe
File opened for modification	C:\windows\NSVB.exe	JMDLHG.exe
File opened for modification	C:\windows\QBF.exe	ZTQ.exe
File created	C:\windows\EBRFD.exe	TJKUTRJ.exe
File opened for modification	C:\windows\HDB.exe	IUN.exe
File opened for modification	C:\windows\system\RCWE.exe	WWKAPM.exe
File opened for modification	C:\windows\system\HTWXU.exe	TYTE.exe
File created	C:\windows\QWSMDZJ.exe.bat	JQEQGZ.exe
File opened for modification	C:\windows\NLOBWEB.exe	DLMO.exe
File created	C:\windows\system\VHJ.exe	GRW.exe
File created	C:\windows\RSX.exe	XEMB.exe
File created	C:\windows\LRCTV.exe	JWJDP.exe
File created	C:\windows\UHCX.exe.bat	WXNOQY.exe
File opened for modification	C:\windows\system\ELN.exe	QVXX.exe
File opened for modification	C:\windows\system\SIB.exe	VPRSFOH.exe
File opened for modification	C:\windows\system\FBV.exe	LIOHSYX.exe
File opened for modification	C:\windows\PCVCEI.exe	XZSY.exe
File created	C:\windows\SJSYHO.exe.bat	ILMDAGO.exe
File created	C:\windows\JMDLHG.exe	PZRVST.exe
File created	C:\windows\system\KDPDQ.exe.bat	UPYEWD.exe
File created	C:\windows\system\USHF.exe.bat	VXOV.exe
File created	C:\windows\VPNJ.exe.bat	CPYY.exe
File opened for modification	C:\windows\system\YYUGXZ.exe	UIN.exe
File created	C:\windows\LUTBC.exe	GCXZPND.exe
File created	C:\windows\system\ILMDAGO.exe	SVZM.exe
File created	C:\windows\ORFXJ.exe	UGISQGZ.exe
File opened for modification	C:\windows\system\XEMB.exe	NHYH.exe
File opened for modification	C:\windows\XDBVLEU.exe	TNU.exe
File opened for modification	C:\windows\NIUU.exe	AKIQJUK.exe
File created	C:\windows\MYJDMPP.exe	EQB.exe
File created	C:\windows\system\ELN.exe.bat	QVXX.exe
File created	C:\windows\system\XEMB.exe	NHYH.exe
File opened for modification	C:\windows\system\YDE.exe	SIB.exe
File created	C:\windows\VXZH.exe.bat	NSVB.exe
File created	C:\windows\GAGFNIP.exe	LUTBC.exe
File created	C:\windows\YIUCAZJ.exe	GAGFNIP.exe
File created	C:\windows\SQXYEI.exe.bat	BNMNUXI.exe
File created	C:\windows\PWCVTK.exe	SQXYEI.exe
File created	C:\windows\system\BPWIGW.exe	RSRNYN.exe
File opened for modification	C:\windows\AFHVUO.exe	OHSDOPF.exe
File created	C:\windows\EPKTO.exe	ZPAQ.exe
File opened for modification	C:\windows\system\MEG.exe	WMWZ.exe
File opened for modification	C:\windows\system\BXEW.exe	NCGKR.exe
File opened for modification	C:\windows\EBRFD.exe	TJKUTRJ.exe
File created	C:\windows\FRJUXU.exe	RVLBI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3944	5108	WerFault.exe	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
816	4540	WerFault.exe	WMWZ.exe
1120	752	WerFault.exe	MEG.exe
4548	880	WerFault.exe	JFQIOP.exe
2368	3028	WerFault.exe	VYL.exe
1800	3032	WerFault.exe	YGGQNK.exe
4604	3304	WerFault.exe	UGISQGZ.exe
2448	3452	WerFault.exe	ORFXJ.exe
3040	1488	WerFault.exe	AKIQJUK.exe
1944	3892	WerFault.exe	NIUU.exe
4360	1468	WerFault.exe	WLLQIAO.exe
1708	4572	WerFault.exe	GDCP.exe
1544	392	WerFault.exe	MZG.exe
4484	1072	WerFault.exe	UMS.exe
440	4128	WerFault.exe	CSX.exe
3220	3528	WerFault.exe	JCUMO.exe
1708	1680	WerFault.exe	YAI.exe
1396	948	WerFault.exe	OQJV.exe
400	764	WerFault.exe	QEAEN.exe
1388	4148	WerFault.exe	EJMIYHW.exe
3508	468	WerFault.exe	OHSDOPF.exe
3944	3032	WerFault.exe	AFHVUO.exe
2716	1576	WerFault.exe	RSRN.exe
2452	4476	WerFault.exe	BLBNOO.exe
4660	1228	WerFault.exe	AWLDW.exe
2696	1452	WerFault.exe	ZHBLGTD.exe
3996	1612	WerFault.exe	AKFP.exe
4968	3284	WerFault.exe	VPRSFOH.exe
2140	1484	WerFault.exe	SIB.exe
3964	772	WerFault.exe	YDE.exe
2836	1916	WerFault.exe	PMT.exe
2640	3024	WerFault.exe	NCGKR.exe
1520	3088	WerFault.exe	BXEW.exe
3716	4088	WerFault.exe	BCEK.exe
4964	2792	WerFault.exe	RQV.exe
2348	4176	WerFault.exe	XLHK.exe
4836	3496	WerFault.exe	WWKAPM.exe
2932	2588	WerFault.exe	RCWE.exe
2120	4392	WerFault.exe	ZCN.exe
3684	4596	WerFault.exe	RKB.exe
4396	1504	WerFault.exe	TYTE.exe
3900	2444	WerFault.exe	HTWXU.exe
1392	4064	WerFault.exe	YEHNCHW.exe
4420	2420	WerFault.exe	WCUFK.exe
2720	4976	WerFault.exe	CPYY.exe
4148	5068	WerFault.exe	VPNJ.exe
4488	1480	WerFault.exe	TAFOUF.exe
3396	3032	WerFault.exe	JQEQGZ.exe
2808	2616	WerFault.exe	QWSMDZJ.exe
3528	948	WerFault.exe	ZJDET.exe
3288	2140	WerFault.exe	WZQVJ.exe
2620	4660	WerFault.exe	VUH.exe
1488	1868	WerFault.exe	VYTAT.exe
1088	1396	WerFault.exe	XNZU.exe
1480	3228	WerFault.exe	FBEB.exe
4612	4568	WerFault.exe	PZRVST.exe
2008	2548	WerFault.exe	JMDLHG.exe
3508	1892	WerFault.exe	NSVB.exe
3288	3320	WerFault.exe	VXZH.exe
4836	3768	WerFault.exe	DLMO.exe
1328	4660	WerFault.exe	NLOBWEB.exe
1396	2716	WerFault.exe	TGAUBAS.exe
4128	3680	WerFault.exe	GRW.exe
772	1540	WerFault.exe	VHJ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5daf9572c2a632329758888668015d80_NeikiAnalytics.exeWMWZ.exeMEG.exeJFQIOP.exeVYL.exeYGGQNK.exeUGISQGZ.exeORFXJ.exeAKIQJUK.exeNIUU.exeWLLQIAO.exeGDCP.exeMZG.exeUMS.exeCSX.exeJCUMO.exeYAI.exeOQJV.exeQEAEN.exeEJMIYHW.exeOHSDOPF.exeAFHVUO.exeRSRN.exeBLBNOO.exeAWLDW.exeZHBLGTD.exeAKFP.exeVPRSFOH.exeSIB.exeYDE.exePMT.exeNCGKR.exe

pid	process
5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
4540	WMWZ.exe
4540	WMWZ.exe
752	MEG.exe
752	MEG.exe
880	JFQIOP.exe
880	JFQIOP.exe
3028	VYL.exe
3028	VYL.exe
3032	YGGQNK.exe
3032	YGGQNK.exe
3304	UGISQGZ.exe
3304	UGISQGZ.exe
3452	ORFXJ.exe
3452	ORFXJ.exe
1488	AKIQJUK.exe
1488	AKIQJUK.exe
3892	NIUU.exe
3892	NIUU.exe
1468	WLLQIAO.exe
1468	WLLQIAO.exe
4572	GDCP.exe
4572	GDCP.exe
392	MZG.exe
392	MZG.exe
1072	UMS.exe
1072	UMS.exe
4128	CSX.exe
4128	CSX.exe
3528	JCUMO.exe
3528	JCUMO.exe
1680	YAI.exe
1680	YAI.exe
948	OQJV.exe
948	OQJV.exe
764	QEAEN.exe
764	QEAEN.exe
4148	EJMIYHW.exe
4148	EJMIYHW.exe
468	OHSDOPF.exe
468	OHSDOPF.exe
3032	AFHVUO.exe
3032	AFHVUO.exe
1576	RSRN.exe
1576	RSRN.exe
4476	BLBNOO.exe
4476	BLBNOO.exe
1228	AWLDW.exe
1228	AWLDW.exe
1452	ZHBLGTD.exe
1452	ZHBLGTD.exe
1612	AKFP.exe
1612	AKFP.exe
3284	VPRSFOH.exe
3284	VPRSFOH.exe
1484	SIB.exe
1484	SIB.exe
772	YDE.exe
772	YDE.exe
1916	PMT.exe
1916	PMT.exe
3024	NCGKR.exe
3024	NCGKR.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
4540	WMWZ.exe
4540	WMWZ.exe
752	MEG.exe
752	MEG.exe
880	JFQIOP.exe
880	JFQIOP.exe
3028	VYL.exe
3028	VYL.exe
3032	YGGQNK.exe
3032	YGGQNK.exe
3304	UGISQGZ.exe
3304	UGISQGZ.exe
3452	ORFXJ.exe
3452	ORFXJ.exe
1488	AKIQJUK.exe
1488	AKIQJUK.exe
3892	NIUU.exe
3892	NIUU.exe
1468	WLLQIAO.exe
1468	WLLQIAO.exe
4572	GDCP.exe
4572	GDCP.exe
392	MZG.exe
392	MZG.exe
1072	UMS.exe
1072	UMS.exe
4128	CSX.exe
4128	CSX.exe
3528	JCUMO.exe
3528	JCUMO.exe
1680	YAI.exe
1680	YAI.exe
948	OQJV.exe
948	OQJV.exe
764	QEAEN.exe
764	QEAEN.exe
4148	EJMIYHW.exe
4148	EJMIYHW.exe
468	OHSDOPF.exe
468	OHSDOPF.exe
3032	AFHVUO.exe
3032	AFHVUO.exe
1576	RSRN.exe
1576	RSRN.exe
4476	BLBNOO.exe
4476	BLBNOO.exe
1228	AWLDW.exe
1228	AWLDW.exe
1452	ZHBLGTD.exe
1452	ZHBLGTD.exe
1612	AKFP.exe
1612	AKFP.exe
3284	VPRSFOH.exe
3284	VPRSFOH.exe
1484	SIB.exe
1484	SIB.exe
772	YDE.exe
772	YDE.exe
1916	PMT.exe
1916	PMT.exe
3024	NCGKR.exe
3024	NCGKR.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5daf9572c2a632329758888668015d80_NeikiAnalytics.execmd.exeWMWZ.execmd.exeMEG.execmd.exeJFQIOP.execmd.exeVYL.execmd.exeYGGQNK.execmd.exeUGISQGZ.execmd.exeORFXJ.execmd.exeAKIQJUK.execmd.exeNIUU.execmd.exeWLLQIAO.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 2096	5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe	cmd.exe
PID 5108 wrote to memory of 2096	5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe	cmd.exe
PID 5108 wrote to memory of 2096	5108	5daf9572c2a632329758888668015d80_NeikiAnalytics.exe	cmd.exe
PID 2096 wrote to memory of 4540	2096	cmd.exe	WMWZ.exe
PID 2096 wrote to memory of 4540	2096	cmd.exe	WMWZ.exe
PID 2096 wrote to memory of 4540	2096	cmd.exe	WMWZ.exe
PID 4540 wrote to memory of 2808	4540	WMWZ.exe	cmd.exe
PID 4540 wrote to memory of 2808	4540	WMWZ.exe	cmd.exe
PID 4540 wrote to memory of 2808	4540	WMWZ.exe	cmd.exe
PID 2808 wrote to memory of 752	2808	cmd.exe	MEG.exe
PID 2808 wrote to memory of 752	2808	cmd.exe	MEG.exe
PID 2808 wrote to memory of 752	2808	cmd.exe	MEG.exe
PID 752 wrote to memory of 3088	752	MEG.exe	cmd.exe
PID 752 wrote to memory of 3088	752	MEG.exe	cmd.exe
PID 752 wrote to memory of 3088	752	MEG.exe	cmd.exe
PID 3088 wrote to memory of 880	3088	cmd.exe	JFQIOP.exe
PID 3088 wrote to memory of 880	3088	cmd.exe	JFQIOP.exe
PID 3088 wrote to memory of 880	3088	cmd.exe	JFQIOP.exe
PID 880 wrote to memory of 1464	880	JFQIOP.exe	cmd.exe
PID 880 wrote to memory of 1464	880	JFQIOP.exe	cmd.exe
PID 880 wrote to memory of 1464	880	JFQIOP.exe	cmd.exe
PID 1464 wrote to memory of 3028	1464	cmd.exe	VYL.exe
PID 1464 wrote to memory of 3028	1464	cmd.exe	VYL.exe
PID 1464 wrote to memory of 3028	1464	cmd.exe	VYL.exe
PID 3028 wrote to memory of 2120	3028	VYL.exe	cmd.exe
PID 3028 wrote to memory of 2120	3028	VYL.exe	cmd.exe
PID 3028 wrote to memory of 2120	3028	VYL.exe	cmd.exe
PID 2120 wrote to memory of 3032	2120	cmd.exe	YGGQNK.exe
PID 2120 wrote to memory of 3032	2120	cmd.exe	YGGQNK.exe
PID 2120 wrote to memory of 3032	2120	cmd.exe	YGGQNK.exe
PID 3032 wrote to memory of 4736	3032	YGGQNK.exe	cmd.exe
PID 3032 wrote to memory of 4736	3032	YGGQNK.exe	cmd.exe
PID 3032 wrote to memory of 4736	3032	YGGQNK.exe	cmd.exe
PID 4736 wrote to memory of 3304	4736	cmd.exe	UGISQGZ.exe
PID 4736 wrote to memory of 3304	4736	cmd.exe	UGISQGZ.exe
PID 4736 wrote to memory of 3304	4736	cmd.exe	UGISQGZ.exe
PID 3304 wrote to memory of 2548	3304	UGISQGZ.exe	cmd.exe
PID 3304 wrote to memory of 2548	3304	UGISQGZ.exe	cmd.exe
PID 3304 wrote to memory of 2548	3304	UGISQGZ.exe	cmd.exe
PID 2548 wrote to memory of 3452	2548	cmd.exe	ORFXJ.exe
PID 2548 wrote to memory of 3452	2548	cmd.exe	ORFXJ.exe
PID 2548 wrote to memory of 3452	2548	cmd.exe	ORFXJ.exe
PID 3452 wrote to memory of 812	3452	ORFXJ.exe	cmd.exe
PID 3452 wrote to memory of 812	3452	ORFXJ.exe	cmd.exe
PID 3452 wrote to memory of 812	3452	ORFXJ.exe	cmd.exe
PID 812 wrote to memory of 1488	812	cmd.exe	AKIQJUK.exe
PID 812 wrote to memory of 1488	812	cmd.exe	AKIQJUK.exe
PID 812 wrote to memory of 1488	812	cmd.exe	AKIQJUK.exe
PID 1488 wrote to memory of 1492	1488	AKIQJUK.exe	cmd.exe
PID 1488 wrote to memory of 1492	1488	AKIQJUK.exe	cmd.exe
PID 1488 wrote to memory of 1492	1488	AKIQJUK.exe	cmd.exe
PID 1492 wrote to memory of 3892	1492	cmd.exe	NIUU.exe
PID 1492 wrote to memory of 3892	1492	cmd.exe	NIUU.exe
PID 1492 wrote to memory of 3892	1492	cmd.exe	NIUU.exe
PID 3892 wrote to memory of 3768	3892	NIUU.exe	cmd.exe
PID 3892 wrote to memory of 3768	3892	NIUU.exe	cmd.exe
PID 3892 wrote to memory of 3768	3892	NIUU.exe	cmd.exe
PID 3768 wrote to memory of 1468	3768	cmd.exe	WLLQIAO.exe
PID 3768 wrote to memory of 1468	3768	cmd.exe	WLLQIAO.exe
PID 3768 wrote to memory of 1468	3768	cmd.exe	WLLQIAO.exe
PID 1468 wrote to memory of 1132	1468	WLLQIAO.exe	cmd.exe
PID 1468 wrote to memory of 1132	1468	WLLQIAO.exe	cmd.exe
PID 1468 wrote to memory of 1132	1468	WLLQIAO.exe	cmd.exe
PID 1132 wrote to memory of 4572	1132	cmd.exe	GDCP.exe

C:\Users\Admin\AppData\Local\Temp\5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5daf9572c2a632329758888668015d80_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WMWZ.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\windows\SysWOW64\WMWZ.exe
C:\windows\system32\WMWZ.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEG.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\windows\system\MEG.exe
C:\windows\system\MEG.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JFQIOP.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\windows\system\JFQIOP.exe
C:\windows\system\JFQIOP.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VYL.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\windows\system\VYL.exe
C:\windows\system\VYL.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGGQNK.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\windows\SysWOW64\YGGQNK.exe
C:\windows\system32\YGGQNK.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGISQGZ.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\windows\SysWOW64\UGISQGZ.exe
C:\windows\system32\UGISQGZ.exe
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ORFXJ.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\windows\ORFXJ.exe
C:\windows\ORFXJ.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AKIQJUK.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\windows\SysWOW64\AKIQJUK.exe
C:\windows\system32\AKIQJUK.exe
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NIUU.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\windows\NIUU.exe
C:\windows\NIUU.exe
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLLQIAO.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\windows\system\WLLQIAO.exe
C:\windows\system\WLLQIAO.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDCP.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\windows\SysWOW64\GDCP.exe
C:\windows\system32\GDCP.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZG.exe.bat" "
24⤵
PID:1052

C:\windows\SysWOW64\MZG.exe
C:\windows\system32\MZG.exe
25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMS.exe.bat" "
26⤵
PID:2212

C:\windows\SysWOW64\UMS.exe
C:\windows\system32\UMS.exe
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CSX.exe.bat" "
28⤵
PID:2640

C:\windows\system\CSX.exe
C:\windows\system\CSX.exe
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JCUMO.exe.bat" "
30⤵
PID:4844

C:\windows\JCUMO.exe
C:\windows\JCUMO.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YAI.exe.bat" "
32⤵
PID:2720

C:\windows\SysWOW64\YAI.exe
C:\windows\system32\YAI.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQJV.exe.bat" "
34⤵
PID:2796

C:\windows\SysWOW64\OQJV.exe
C:\windows\system32\OQJV.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QEAEN.exe.bat" "
36⤵
PID:780

C:\windows\QEAEN.exe
C:\windows\QEAEN.exe
37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EJMIYHW.exe.bat" "
38⤵
PID:4044

C:\windows\EJMIYHW.exe
C:\windows\EJMIYHW.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHSDOPF.exe.bat" "
40⤵
PID:680

C:\windows\SysWOW64\OHSDOPF.exe
C:\windows\system32\OHSDOPF.exe
41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AFHVUO.exe.bat" "
42⤵
PID:4964

C:\windows\AFHVUO.exe
C:\windows\AFHVUO.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSRN.exe.bat" "
44⤵
PID:4924

C:\windows\SysWOW64\RSRN.exe
C:\windows\system32\RSRN.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BLBNOO.exe.bat" "
46⤵
PID:2000

C:\windows\SysWOW64\BLBNOO.exe
C:\windows\system32\BLBNOO.exe
47⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AWLDW.exe.bat" "
48⤵
PID:3928

C:\windows\AWLDW.exe
C:\windows\AWLDW.exe
49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHBLGTD.exe.bat" "
50⤵
PID:716

C:\windows\system\ZHBLGTD.exe
C:\windows\system\ZHBLGTD.exe
51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKFP.exe.bat" "
52⤵
PID:4536

C:\windows\system\AKFP.exe
C:\windows\system\AKFP.exe
53⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VPRSFOH.exe.bat" "
54⤵
PID:2524

C:\windows\VPRSFOH.exe
C:\windows\VPRSFOH.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SIB.exe.bat" "
56⤵
PID:4740

C:\windows\system\SIB.exe
C:\windows\system\SIB.exe
57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDE.exe.bat" "
58⤵
PID:468

C:\windows\system\YDE.exe
C:\windows\system\YDE.exe
59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PMT.exe.bat" "
60⤵
PID:2488

C:\windows\PMT.exe
C:\windows\PMT.exe
61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCGKR.exe.bat" "
62⤵
PID:2588

C:\windows\SysWOW64\NCGKR.exe
C:\windows\system32\NCGKR.exe
63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXEW.exe.bat" "
64⤵
PID:404

C:\windows\system\BXEW.exe
C:\windows\system\BXEW.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCEK.exe.bat" "
66⤵
PID:4268

C:\windows\SysWOW64\BCEK.exe
C:\windows\system32\BCEK.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RQV.exe.bat" "
68⤵
PID:3684

C:\windows\SysWOW64\RQV.exe
C:\windows\system32\RQV.exe
69⤵
- Checks computer location settings
- Executes dropped EXE
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XLHK.exe.bat" "
70⤵
PID:4872

C:\windows\system\XLHK.exe
C:\windows\system\XLHK.exe
71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWKAPM.exe.bat" "
72⤵
PID:1124

C:\windows\SysWOW64\WWKAPM.exe
C:\windows\system32\WWKAPM.exe
73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RCWE.exe.bat" "
74⤵
PID:2208

C:\windows\system\RCWE.exe
C:\windows\system\RCWE.exe
75⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCN.exe.bat" "
76⤵
PID:3040

C:\windows\system\ZCN.exe
C:\windows\system\ZCN.exe
77⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKB.exe.bat" "
78⤵
PID:3016

C:\windows\SysWOW64\RKB.exe
C:\windows\system32\RKB.exe
79⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TYTE.exe.bat" "
80⤵
PID:1240

C:\windows\TYTE.exe
C:\windows\TYTE.exe
81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HTWXU.exe.bat" "
82⤵
PID:4308

C:\windows\system\HTWXU.exe
C:\windows\system\HTWXU.exe
83⤵
- Executes dropped EXE
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YEHNCHW.exe.bat" "
84⤵
PID:4100

C:\windows\system\YEHNCHW.exe
C:\windows\system\YEHNCHW.exe
85⤵
- Executes dropped EXE
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WCUFK.exe.bat" "
86⤵
PID:2280

C:\windows\system\WCUFK.exe
C:\windows\system\WCUFK.exe
87⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPYY.exe.bat" "
88⤵
PID:3184

C:\windows\SysWOW64\CPYY.exe
C:\windows\system32\CPYY.exe
89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VPNJ.exe.bat" "
90⤵
PID:4928

C:\windows\VPNJ.exe
C:\windows\VPNJ.exe
91⤵
- Executes dropped EXE
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TAFOUF.exe.bat" "
92⤵
PID:2904

C:\windows\system\TAFOUF.exe
C:\windows\system\TAFOUF.exe
93⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQEQGZ.exe.bat" "
94⤵
PID:1516

C:\windows\SysWOW64\JQEQGZ.exe
C:\windows\system32\JQEQGZ.exe
95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QWSMDZJ.exe.bat" "
96⤵
PID:3684

C:\windows\QWSMDZJ.exe
C:\windows\QWSMDZJ.exe
97⤵
- Checks computer location settings
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJDET.exe.bat" "
98⤵
PID:3944

C:\windows\system\ZJDET.exe
C:\windows\system\ZJDET.exe
99⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WZQVJ.exe.bat" "
100⤵
PID:3748

C:\windows\WZQVJ.exe
C:\windows\WZQVJ.exe
101⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VUH.exe.bat" "
102⤵
PID:4064

C:\windows\system\VUH.exe
C:\windows\system\VUH.exe
103⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VYTAT.exe.bat" "
104⤵
PID:4672

C:\windows\SysWOW64\VYTAT.exe
C:\windows\system32\VYTAT.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XNZU.exe.bat" "
106⤵
PID:4360

C:\windows\SysWOW64\XNZU.exe
C:\windows\system32\XNZU.exe
107⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBEB.exe.bat" "
108⤵
PID:3720

C:\windows\SysWOW64\FBEB.exe
C:\windows\system32\FBEB.exe
109⤵
- Executes dropped EXE
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PZRVST.exe.bat" "
110⤵
PID:8

C:\windows\SysWOW64\PZRVST.exe
C:\windows\system32\PZRVST.exe
111⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JMDLHG.exe.bat" "
112⤵
PID:4604

C:\windows\JMDLHG.exe
C:\windows\JMDLHG.exe
113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NSVB.exe.bat" "
114⤵
PID:4968

C:\windows\NSVB.exe
C:\windows\NSVB.exe
115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VXZH.exe.bat" "
116⤵
PID:1428

C:\windows\VXZH.exe
C:\windows\VXZH.exe
117⤵
- Checks computer location settings
- Executes dropped EXE
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DLMO.exe.bat" "
118⤵
PID:4528

C:\windows\system\DLMO.exe
C:\windows\system\DLMO.exe
119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NLOBWEB.exe.bat" "
120⤵
PID:1664

C:\windows\NLOBWEB.exe
C:\windows\NLOBWEB.exe
121⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGAUBAS.exe.bat" "
122⤵
PID:3016

C:\windows\SysWOW64\TGAUBAS.exe
C:\windows\system32\TGAUBAS.exe
123⤵
- Executes dropped EXE
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GRW.exe.bat" "
124⤵
PID:60

C:\windows\GRW.exe
C:\windows\GRW.exe
125⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHJ.exe.bat" "
126⤵
PID:1516

C:\windows\system\VHJ.exe
C:\windows\system\VHJ.exe
127⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BHRYF.exe.bat" "
128⤵
PID:1096

C:\windows\BHRYF.exe
C:\windows\BHRYF.exe
129⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASUO.exe.bat" "
130⤵
PID:3844

C:\windows\SysWOW64\ASUO.exe
C:\windows\system32\ASUO.exe
131⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZDE.exe.bat" "
132⤵
PID:2740

C:\windows\SysWOW64\ZDE.exe
C:\windows\system32\ZDE.exe
133⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XWHUF.exe.bat" "
134⤵
PID:2508

C:\windows\system\XWHUF.exe
C:\windows\system\XWHUF.exe
135⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NMV.exe.bat" "
136⤵
PID:1008

C:\windows\NMV.exe
C:\windows\NMV.exe
137⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NHYH.exe.bat" "
138⤵
PID:1800

C:\windows\NHYH.exe
C:\windows\NHYH.exe
139⤵
- Drops file in Windows directory
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XEMB.exe.bat" "
140⤵
PID:4160

C:\windows\system\XEMB.exe
C:\windows\system\XEMB.exe
141⤵
- Drops file in Windows directory
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RSX.exe.bat" "
142⤵
PID:2572

C:\windows\RSX.exe
C:\windows\RSX.exe
143⤵
- Checks computer location settings
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYD.exe.bat" "
144⤵
PID:2960

C:\windows\SysWOW64\FYD.exe
C:\windows\system32\FYD.exe
145⤵
- Checks computer location settings
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVVBUFK.exe.bat" "
146⤵
PID:4524

C:\windows\system\XVVBUFK.exe
C:\windows\system\XVVBUFK.exe
147⤵
- Checks computer location settings
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QYZ.exe.bat" "
148⤵
PID:2740

C:\windows\system\QYZ.exe
C:\windows\system\QYZ.exe
149⤵
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWHOC.exe.bat" "
150⤵
PID:3040

C:\windows\SysWOW64\RWHOC.exe
C:\windows\system32\RWHOC.exe
151⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SRLJ.exe.bat" "
152⤵
PID:2920

C:\windows\SysWOW64\SRLJ.exe
C:\windows\system32\SRLJ.exe
153⤵
- Checks computer location settings
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UPYEWD.exe.bat" "
154⤵
PID:2324

C:\windows\UPYEWD.exe
C:\windows\UPYEWD.exe
155⤵
- Drops file in Windows directory
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDPDQ.exe.bat" "
156⤵
PID:3456

C:\windows\system\KDPDQ.exe
C:\windows\system\KDPDQ.exe
157⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZTQ.exe.bat" "
158⤵
PID:4656

C:\windows\SysWOW64\ZTQ.exe
C:\windows\system32\ZTQ.exe
159⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QBF.exe.bat" "
160⤵
PID:380

C:\windows\QBF.exe
C:\windows\QBF.exe
161⤵
- Drops file in System32 directory
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JWJDP.exe.bat" "
162⤵
PID:2808

C:\windows\SysWOW64\JWJDP.exe
C:\windows\system32\JWJDP.exe
163⤵
- Drops file in Windows directory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LRCTV.exe.bat" "
164⤵
PID:2004

C:\windows\LRCTV.exe
C:\windows\LRCTV.exe
165⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPAQ.exe.bat" "
166⤵
PID:2968

C:\windows\system\ZPAQ.exe
C:\windows\system\ZPAQ.exe
167⤵
- Drops file in Windows directory
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EPKTO.exe.bat" "
168⤵
PID:4744

C:\windows\EPKTO.exe
C:\windows\EPKTO.exe
169⤵
- Checks computer location settings
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFXKWY.exe.bat" "
170⤵
PID:3956

C:\windows\system\TFXKWY.exe
C:\windows\system\TFXKWY.exe
171⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UIN.exe.bat" "
172⤵
PID:1876

C:\windows\UIN.exe
C:\windows\UIN.exe
173⤵
- Drops file in Windows directory
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YYUGXZ.exe.bat" "
174⤵
PID:1228

C:\windows\system\YYUGXZ.exe
C:\windows\system\YYUGXZ.exe
175⤵
- Drops file in Windows directory
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\REBM.exe.bat" "
176⤵
PID:4236

C:\windows\system\REBM.exe
C:\windows\system\REBM.exe
177⤵
- Drops file in System32 directory
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCGY.exe.bat" "
178⤵
PID:2808

C:\windows\SysWOW64\BCGY.exe
C:\windows\system32\BCGY.exe
179⤵
- Drops file in Windows directory
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "
180⤵
PID:1576

C:\windows\BPT.exe
C:\windows\BPT.exe
181⤵
- Drops file in Windows directory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XABEIT.exe.bat" "
182⤵
PID:1364

C:\windows\XABEIT.exe
C:\windows\XABEIT.exe
183⤵
- Checks computer location settings
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGGKTR.exe.bat" "
184⤵
PID:3044

C:\windows\SysWOW64\FGGKTR.exe
C:\windows\system32\FGGKTR.exe
185⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "
186⤵
PID:3016

C:\windows\SysWOW64\ALB.exe
C:\windows\system32\ALB.exe
187⤵
- Checks computer location settings
- Drops file in System32 directory
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZAXIR.exe.bat" "
188⤵
PID:4640

C:\windows\SysWOW64\YZAXIR.exe
C:\windows\system32\YZAXIR.exe
189⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXNOQY.exe.bat" "
190⤵
PID:1428

C:\windows\system\WXNOQY.exe
C:\windows\system\WXNOQY.exe
191⤵
- Drops file in Windows directory
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UHCX.exe.bat" "
192⤵
PID:1096

C:\windows\UHCX.exe
C:\windows\UHCX.exe
193⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVHGSY.exe.bat" "
194⤵
PID:2368

C:\windows\system\PVHGSY.exe
C:\windows\system\PVHGSY.exe
195⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QITWYT.exe.bat" "
196⤵
PID:2776

C:\windows\system\QITWYT.exe
C:\windows\system\QITWYT.exe
197⤵
- Drops file in System32 directory
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYNM.exe.bat" "
198⤵
PID:3764

C:\windows\SysWOW64\MYNM.exe
C:\windows\system32\MYNM.exe
199⤵
- Drops file in System32 directory
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJKUTRJ.exe.bat" "
200⤵
PID:4644

C:\windows\SysWOW64\TJKUTRJ.exe
C:\windows\system32\TJKUTRJ.exe
201⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EBRFD.exe.bat" "
202⤵
PID:4576

C:\windows\EBRFD.exe
C:\windows\EBRFD.exe
203⤵
- Checks computer location settings
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FFVB.exe.bat" "
204⤵
PID:4492

C:\windows\FFVB.exe
C:\windows\FFVB.exe
205⤵
- Drops file in System32 directory
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SCDNSMK.exe.bat" "
206⤵
PID:4768

C:\windows\SysWOW64\SCDNSMK.exe
C:\windows\system32\SCDNSMK.exe
207⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAVZ.exe.bat" "
208⤵
PID:3484

C:\windows\system\CAVZ.exe
C:\windows\system\CAVZ.exe
209⤵
- Checks computer location settings
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HBFCM.exe.bat" "
210⤵
PID:4484

C:\windows\HBFCM.exe
C:\windows\HBFCM.exe
211⤵
- Checks computer location settings
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRMKZCI.exe.bat" "
212⤵
PID:4672

C:\windows\system\LRMKZCI.exe
C:\windows\system\LRMKZCI.exe
213⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DMWUINS.exe.bat" "
214⤵
PID:5020

C:\windows\DMWUINS.exe
C:\windows\DMWUINS.exe
215⤵
- Drops file in System32 directory
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUY.exe.bat" "
216⤵
PID:2724

C:\windows\SysWOW64\UUY.exe
C:\windows\system32\UUY.exe
217⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VXOV.exe.bat" "
218⤵
PID:2744

C:\windows\VXOV.exe
C:\windows\VXOV.exe
219⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\USHF.exe.bat" "
220⤵
PID:3228

C:\windows\system\USHF.exe
C:\windows\system\USHF.exe
221⤵
- Checks computer location settings
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GLKQS.exe.bat" "
222⤵
PID:2416

C:\windows\system\GLKQS.exe
C:\windows\system\GLKQS.exe
223⤵
- Drops file in System32 directory
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBDQNR.exe.bat" "
224⤵
PID:3532

C:\windows\SysWOW64\JBDQNR.exe
C:\windows\system32\JBDQNR.exe
225⤵
- Drops file in Windows directory
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JENBWC.exe.bat" "
226⤵
PID:1248

C:\windows\system\JENBWC.exe
C:\windows\system\JENBWC.exe
227⤵
- Checks computer location settings
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZR.exe.bat" "
228⤵
PID:2804

C:\windows\KZR.exe
C:\windows\KZR.exe
229⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YPTDOU.exe.bat" "
230⤵
PID:2524

C:\windows\YPTDOU.exe
C:\windows\YPTDOU.exe
231⤵
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EQB.exe.bat" "
232⤵
PID:3684

C:\windows\SysWOW64\EQB.exe
C:\windows\system32\EQB.exe
233⤵
- Drops file in Windows directory
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MYJDMPP.exe.bat" "
234⤵
PID:3288

C:\windows\MYJDMPP.exe
C:\windows\MYJDMPP.exe
235⤵
- Drops file in System32 directory
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RRTNQL.exe.bat" "
236⤵
PID:2944

C:\windows\SysWOW64\RRTNQL.exe
C:\windows\system32\RRTNQL.exe
237⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IZIKDC.exe.bat" "
238⤵
PID:3768

C:\windows\IZIKDC.exe
C:\windows\IZIKDC.exe
239⤵
- Checks computer location settings
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHO.exe.bat" "
240⤵
PID:1740

C:\windows\system\AHO.exe
C:\windows\system\AHO.exe
241⤵
- Checks computer location settings
- Drops file in System32 directory
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAGPT.exe.bat" "
242⤵
PID:2776

C:\windows\SysWOW64\KAGPT.exe
C:\windows\system32\KAGPT.exe
243⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFQE.exe.bat" "
244⤵
PID:1488

C:\windows\system\GFQE.exe
C:\windows\system\GFQE.exe
245⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LYAHV.exe.bat" "
246⤵
PID:2380

C:\windows\system\LYAHV.exe
C:\windows\system\LYAHV.exe
247⤵
- Drops file in System32 directory
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QYO.exe.bat" "
248⤵
PID:4920

C:\windows\SysWOW64\QYO.exe
C:\windows\system32\QYO.exe
249⤵
- Drops file in Windows directory
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XOPA.exe.bat" "
250⤵
PID:2140

C:\windows\XOPA.exe
C:\windows\XOPA.exe
251⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRFWWIP.exe.bat" "
252⤵
PID:3768

C:\windows\SysWOW64\YRFWWIP.exe
C:\windows\system32\YRFWWIP.exe
253⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XCQEEW.exe.bat" "
254⤵
PID:4028

C:\windows\XCQEEW.exe
C:\windows\XCQEEW.exe
255⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVXX.exe.bat" "
256⤵
PID:4844

C:\windows\SysWOW64\QVXX.exe
C:\windows\system32\QVXX.exe
257⤵
- Drops file in Windows directory
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELN.exe.bat" "
258⤵
PID:2080

C:\windows\system\ELN.exe
C:\windows\system\ELN.exe
259⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRTTN.exe.bat" "
260⤵
PID:644

C:\windows\SysWOW64\BRTTN.exe
C:\windows\system32\BRTTN.exe
261⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SZHYS.exe.bat" "
262⤵
PID:1956

C:\windows\SysWOW64\SZHYS.exe
C:\windows\system32\SZHYS.exe
263⤵
- Checks computer location settings
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKKO.exe.bat" "
264⤵
PID:1768

C:\windows\system\RKKO.exe
C:\windows\system\RKKO.exe
265⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IUN.exe.bat" "
266⤵
PID:2172

C:\windows\system\IUN.exe
C:\windows\system\IUN.exe
267⤵
- Drops file in Windows directory
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HDB.exe.bat" "
268⤵
PID:4968

C:\windows\HDB.exe
C:\windows\HDB.exe
269⤵
- Drops file in System32 directory
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVLBI.exe.bat" "
270⤵
PID:2576

C:\windows\SysWOW64\RVLBI.exe
C:\windows\system32\RVLBI.exe
271⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FRJUXU.exe.bat" "
272⤵
PID:4624

C:\windows\FRJUXU.exe
C:\windows\FRJUXU.exe
273⤵
- Drops file in System32 directory
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PRLZBRB.exe.bat" "
274⤵
PID:2524

C:\windows\SysWOW64\PRLZBRB.exe
C:\windows\system32\PRLZBRB.exe
275⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZZWNIW.exe.bat" "
276⤵
PID:1556

C:\windows\SysWOW64\GZZWNIW.exe
C:\windows\system32\GZZWNIW.exe
277⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QXFRVRF.exe.bat" "
278⤵
PID:1364

C:\windows\QXFRVRF.exe
C:\windows\QXFRVRF.exe
279⤵
- Checks computer location settings
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSQRIF.exe.bat" "
280⤵
PID:2004

C:\windows\system\WSQRIF.exe
C:\windows\system\WSQRIF.exe
281⤵
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAXR.exe.bat" "
282⤵
PID:3644

C:\windows\SysWOW64\AAXR.exe
C:\windows\system32\AAXR.exe
283⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FBZUZ.exe.bat" "
284⤵
PID:2944

C:\windows\FBZUZ.exe
C:\windows\FBZUZ.exe
285⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WEREIFU.exe.bat" "
286⤵
PID:1916

C:\windows\system\WEREIFU.exe
C:\windows\system\WEREIFU.exe
287⤵
- Checks computer location settings
- Drops file in Windows directory
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GCXZPND.exe.bat" "
288⤵
PID:4836

C:\windows\GCXZPND.exe
C:\windows\GCXZPND.exe
289⤵
- Drops file in Windows directory
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LUTBC.exe.bat" "
290⤵
PID:4528

C:\windows\LUTBC.exe
C:\windows\LUTBC.exe
291⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GAGFNIP.exe.bat" "
292⤵
PID:2252

C:\windows\GAGFNIP.exe
C:\windows\GAGFNIP.exe
293⤵
- Drops file in Windows directory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YIUCAZJ.exe.bat" "
294⤵
PID:4620

C:\windows\YIUCAZJ.exe
C:\windows\YIUCAZJ.exe
295⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SVZM.exe.bat" "
296⤵
PID:3892

C:\windows\system\SVZM.exe
C:\windows\system\SVZM.exe
297⤵
- Drops file in Windows directory
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILMDAGO.exe.bat" "
298⤵
PID:4324

C:\windows\system\ILMDAGO.exe
C:\windows\system\ILMDAGO.exe
299⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SJSYHO.exe.bat" "
300⤵
PID:2744

C:\windows\SJSYHO.exe
C:\windows\SJSYHO.exe
301⤵
- Drops file in System32 directory
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THMZTK.exe.bat" "
302⤵
PID:4776

C:\windows\SysWOW64\THMZTK.exe
C:\windows\system32\THMZTK.exe
303⤵
- Checks computer location settings
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNMNUXI.exe.bat" "
304⤵
PID:3456

C:\windows\SysWOW64\BNMNUXI.exe
C:\windows\system32\BNMNUXI.exe
305⤵
- Drops file in Windows directory
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SQXYEI.exe.bat" "
306⤵
PID:536

C:\windows\SQXYEI.exe
C:\windows\SQXYEI.exe
307⤵
- Drops file in Windows directory
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PWCVTK.exe.bat" "
308⤵
PID:1644

C:\windows\PWCVTK.exe
C:\windows\PWCVTK.exe
309⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLXWEO.exe.bat" "
310⤵
PID:2404

C:\windows\SysWOW64\YLXWEO.exe
C:\windows\system32\YLXWEO.exe
311⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DWTUJFY.exe.bat" "
312⤵
PID:4600

C:\windows\system\DWTUJFY.exe
C:\windows\system\DWTUJFY.exe
313⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RSRNYN.exe.bat" "
314⤵
PID:2212

C:\windows\system\RSRNYN.exe
C:\windows\system\RSRNYN.exe
315⤵
- Drops file in Windows directory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPWIGW.exe.bat" "
316⤵
PID:3448

C:\windows\system\BPWIGW.exe
C:\windows\system\BPWIGW.exe
317⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LIOHSYX.exe.bat" "
318⤵
PID:2200

C:\windows\system\LIOHSYX.exe
C:\windows\system\LIOHSYX.exe
319⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBV.exe.bat" "
320⤵
PID:3088

C:\windows\system\FBV.exe
C:\windows\system\FBV.exe
321⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBSNO.exe.bat" "
322⤵
PID:4852

C:\windows\system\JBSNO.exe
C:\windows\system\JBSNO.exe
323⤵
- Checks computer location settings
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XZSY.exe.bat" "
324⤵
PID:4996

C:\windows\system\XZSY.exe
C:\windows\system\XZSY.exe
325⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PCVCEI.exe.bat" "
326⤵
PID:2444

C:\windows\PCVCEI.exe
C:\windows\PCVCEI.exe
327⤵
- Drops file in Windows directory
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XPIJO.exe.bat" "
328⤵
PID:516

C:\windows\XPIJO.exe
C:\windows\XPIJO.exe
329⤵
- Checks computer location settings
- Drops file in System32 directory
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNU.exe.bat" "
330⤵
PID:2004

C:\windows\SysWOW64\TNU.exe
C:\windows\system32\TNU.exe
331⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XDBVLEU.exe.bat" "
332⤵
PID:3956

C:\windows\XDBVLEU.exe
C:\windows\XDBVLEU.exe
333⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 988
332⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1328
330⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 988
328⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1324
326⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 960
324⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1272
322⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1272
320⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 988
318⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1336
316⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1264
314⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1316
312⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1300
310⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1324
308⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 960
306⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 988
304⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 960
302⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1324
300⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1268
298⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1336
296⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 960
294⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1268
292⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1324
290⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1324
288⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 960
286⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1256
284⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1296
282⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1308
280⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1324
278⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 960
276⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 1296
274⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1324
272⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1300
270⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1324
268⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 988
266⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 960
264⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1328
262⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1308
260⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1336
258⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1300
256⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1216
254⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1296
252⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1296
250⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 988
248⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1336
246⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1248
244⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1308
242⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1300
240⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 960
238⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 960
236⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1324
234⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1256
232⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 976
230⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 988
228⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1312
226⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1296
224⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1248
222⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 960
220⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1260
218⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1004
216⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1008
214⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1272
212⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 984
210⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1308
208⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1328
206⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1296
204⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1324
202⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 988
200⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 988
198⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 960
196⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 960
194⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1304
192⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1316
190⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 960
188⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1292
186⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1328
184⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 960
182⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1004
180⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1296
178⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1316
176⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 960
174⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 988
172⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1008
170⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 976
168⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1240
166⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1324
164⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 988
162⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 960
160⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1296
158⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 960
156⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 960
154⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 960
152⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 960
150⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 960
148⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 960
146⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1296
144⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 988
142⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1336
140⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1324
138⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 988
136⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1264
134⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1264
132⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1328
130⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 960
128⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1336
126⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1304
124⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 960
122⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1252
120⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 960
118⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1288
116⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1004
114⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1292
112⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1328
110⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1240
108⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 960
106⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 988
104⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 960
102⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1324
100⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 960
98⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 960
96⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1328
94⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1336
92⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1324
90⤵
- Program crash
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1328
88⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1316
86⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1308
84⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1316
82⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1324
80⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1264
78⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1276
76⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1268
74⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1328
72⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1336
70⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 960
68⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1004
66⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1336
64⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 960
62⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1004
60⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 988
58⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1336
56⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1236
54⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 988
52⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 960
50⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 960
48⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1296
46⤵
- Program crash
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1328
44⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1324
42⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 988
40⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1316
38⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1324
36⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 964
34⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 976
32⤵
- Program crash
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 872
30⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1304
28⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1300
26⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1328
24⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1328
22⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1288
20⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1324
18⤵
- Program crash
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1328
16⤵
- Program crash
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1324
14⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1316
12⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1004
10⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 960
8⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 960
6⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1300
4⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1316
2⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5108 -ip 5108
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4540 -ip 4540
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 752 -ip 752
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 880 -ip 880
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3028 -ip 3028
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3032 -ip 3032
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3304 -ip 3304
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3452 -ip 3452
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1488 -ip 1488
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3892 -ip 3892
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1468 -ip 1468
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4572 -ip 4572
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 392 -ip 392
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1072 -ip 1072
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4128 -ip 4128
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3528 -ip 3528
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1680 -ip 1680
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 948 -ip 948
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 764 -ip 764
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4148 -ip 4148
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 468 -ip 468
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3032 -ip 3032
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1576 -ip 1576
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4476 -ip 4476
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1228 -ip 1228
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1452 -ip 1452
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1612 -ip 1612
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3284 -ip 3284
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1484 -ip 1484
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 772 -ip 772
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1916 -ip 1916
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3024 -ip 3024
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3088 -ip 3088
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4088 -ip 4088
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2792 -ip 2792
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4176 -ip 4176
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3496 -ip 3496
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2588 -ip 2588
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4392 -ip 4392
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4596 -ip 4596
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1504 -ip 1504
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2444 -ip 2444
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4064 -ip 4064
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2420 -ip 2420
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4976 -ip 4976
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5068 -ip 5068
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1480 -ip 1480
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3032 -ip 3032
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2616 -ip 2616
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 948 -ip 948
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2140 -ip 2140
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4660 -ip 4660
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1868 -ip 1868
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1396 -ip 1396
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3228 -ip 3228
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4568 -ip 4568
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2548 -ip 2548
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1892 -ip 1892
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3320 -ip 3320
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3768 -ip 3768
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4660 -ip 4660
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2716 -ip 2716
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3680 -ip 3680
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1540 -ip 1540
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4236 -ip 4236
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3916 -ip 3916
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3668 -ip 3668
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4360 -ip 4360
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3720 -ip 3720
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4848 -ip 4848
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4100 -ip 4100
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1504 -ip 1504
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1496 -ip 1496
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2452 -ip 2452
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4512 -ip 4512
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3556 -ip 3556
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4052 -ip 4052
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2416 -ip 2416
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2848 -ip 2848
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2868 -ip 2868
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4856 -ip 4856
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1884 -ip 1884
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3848 -ip 3848
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2716 -ip 2716
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4964 -ip 4964
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3548 -ip 3548
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1688 -ip 1688
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2208 -ip 2208
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2776 -ip 2776
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 680 -ip 680
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3052 -ip 3052
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2028 -ip 2028
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 772 -ip 772
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4596 -ip 4596
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4604 -ip 4604
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2212 -ip 2212
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 228 -ip 228
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4724 -ip 4724
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3288 -ip 3288
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4068 -ip 4068
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 764 -ip 764
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 748 -ip 748
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1920 -ip 1920
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3284 -ip 3284
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4236 -ip 4236
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4160 -ip 4160
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3208 -ip 3208
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4724 -ip 4724
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3768 -ip 3768
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4732 -ip 4732
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4396 -ip 4396
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3424 -ip 3424
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1500 -ip 1500
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1284 -ip 1284
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4512 -ip 4512
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3028 -ip 3028
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4724 -ip 4724
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3144 -ip 3144
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1680 -ip 1680
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 772 -ip 772
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4156 -ip 4156
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4268 -ip 4268
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 4064 -ip 4064
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4464 -ip 4464
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5008 -ip 5008
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 536 -ip 536
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2748 -ip 2748
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1328 -ip 1328
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1884 -ip 1884
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3832 -ip 3832
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3900 -ip 3900
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5028 -ip 5028
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2852 -ip 2852
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3768 -ip 3768
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1944 -ip 1944
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 700 -ip 700
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4484 -ip 4484
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2228 -ip 2228
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1964 -ip 1964
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3024 -ip 3024
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3208 -ip 3208
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1392 -ip 1392
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 816 -ip 816
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4864 -ip 4864
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1680 -ip 1680
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2212 -ip 2212
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3448 -ip 3448
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5072 -ip 5072
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3556 -ip 3556
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3028 -ip 3028
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4772 -ip 4772
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1392 -ip 1392
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5056 -ip 5056
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3160 -ip 3160
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1944 -ip 1944
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2904 -ip 2904
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3720 -ip 3720
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1104 -ip 1104
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2120 -ip 2120
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5008 -ip 5008
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 644 -ip 644
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4928 -ip 4928
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4904 -ip 4904
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 956 -ip 956
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2368 -ip 2368
1⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ORFXJ.exe
Filesize
282KB

MD5
4e9096310ce436ee57ca31eba7c9d188

SHA1
c39b1e8ba0ab64caecb2002f33322f53c816c613

SHA256
a80bf986dac7f3e187b7f952a928e55886771c33fdbdef05adb68ac03a7488b6

SHA512
df5da3e3efb79b6ba762e30f93143a8ec9ff627aace473e977a92aa05e64d5b0740737557bddd58fd78e17e4360312c07d0d0d096fd05efb6c44d0f91edd87d2

Download Submit
C:\Windows\QEAEN.exe
Filesize
282KB

MD5
575f06f2eaa85bcff4e71520bb7580a3

SHA1
b960d16e85a1c17b3c12cae7a973adfc540bc8c7

SHA256
076b6ad2169c71f1c8a90713121c92c4c1b0bf181e24a00fdf0c017555eefe8f

SHA512
0d9fcdd1d5ada4173a320831d0dedc27e706f13b593195dd9539d4de401417d09d21b502f9af4d1cf4e9330dfc738aaa4d24fb2d88e800c5382b299dd0cbf9af

Download Submit
C:\Windows\SysWOW64\GDCP.exe
Filesize
282KB

MD5
e6a6ca47dc952e16b80130c9d57afbba

SHA1
4f5af13afd1b88119a9952761bb84e3deceb90c6

SHA256
e63d166a14fc7a8787f3f28550ebd3f38150315ca286cd9b25e7e251788cb751

SHA512
ee1fc3839b39c8f772e8931af76a4dc59cd6952134ebab91eb854ac81920c8cb50f3940970c510ce5acbc966062249dc7413c46ec1f2be9d347295e85cf40baf

Download Submit
C:\Windows\SysWOW64\OQJV.exe
Filesize
282KB

MD5
81975bdfaff6b5272158e809d54ffedd

SHA1
15235eefae8b8a2a5772eca63b5f09c89bd5b3d9

SHA256
093abc4efc35783bfd60517ae42ff364245ee2f9682493de82a4dc17d6537f27

SHA512
4d6e6dd3ab1ead19eabbe6f9720a865ac697798a6a48f68d93d9b48bd972d5937d3e2d2ceffe3f6e40582485f792d8a8a6a89eabe27099909418eeeaf855a268

Download Submit
C:\Windows\SysWOW64\UMS.exe
Filesize
282KB

MD5
559fae823b7c7aff27aec59e654cb363

SHA1
70fb2f1ccbb799c7b890966e5ef0ea99448ed9f1

SHA256
d49b5d8cb6c1dce8d000946b92d1bb3d2610b5a224eb3789403fa65e76c6ee11

SHA512
4f917ab95b2d409ef6c33668b5cafe08a560764583ed26399aa8b66e0adf7ef18531355e1cefa50c2ae1f94d41a16ef71c3cf7e5df44f06dc2c2e0403be95bd7

Download Submit
C:\Windows\SysWOW64\WMWZ.exe
Filesize
282KB

MD5
3780f1e931ea2e65682bfe0b63ed6d53

SHA1
63c125af9fddfe1c0737cd89f0cee72c80b64924

SHA256
0b105dfbc9ce17a317021cbec7dd0ee65060389d4d39ab841a89ecf0066d2023

SHA512
f072910b5760cf91f60d7617dad0c809ed6f69650b34ce21c58669ed6335e72726136254b830725431ba934cc2d28d0cfb8932ab1f290ea41e671081ca8f4543

Download Submit
C:\Windows\System\CSX.exe
Filesize
282KB

MD5
e5eeb3e92900b426ec042da417bc6c3f

SHA1
48e262d7fe8c45a360c7987586e9538443fb41a3

SHA256
34e4e5a9d5c042d37e5a0952f326893c0b904ac5704c0255c51534ca8e85c9b5

SHA512
17c6aca45ecd7459c2c46caa6c727ff79b013447d2b0effc90ecdd57235eb370d98ee50b07a0f75311f2e06867275e7b9cc6c6bc765aaad87536a098d3a20a11

Download Submit
C:\Windows\System\MEG.exe
Filesize
282KB

MD5
1171855e3cc01388b3c02aabb30dcb41

SHA1
f46e912352136d6d23d46db7c43573d441fa61e2

SHA256
f370aec36cafee7ee648c8a07ca2462d16e6440085eb36f4c78f0ebdf0260a20

SHA512
c41d2dc6990e9a042404b0b8d4ca3adbbf16f78185573c8230da78b064ffedbff0c2979176d2b71a49ac3c64a3279d2f94f2102155ff5835c9fdca87ca665283

Download Submit
C:\Windows\System\WLLQIAO.exe
Filesize
282KB

MD5
31f170c21e40a3098d5b54a6f4d66c0e

SHA1
a568a9f2f1fc44e31aabc0b5c19dc555495153a8

SHA256
43a2e78c41bbc695be5c517bffe0c8063844c9a3b3c6aefcc6b63c1dec143b65

SHA512
141d9c93358f5280f5e7b2dcb056d1ccf202ced033e3174e41180def120c538e5a9079c3493730d21a0c679b26ff61fea9805f5700fb285099e77826aacce7c3

Download Submit
C:\windows\AFHVUO.exe
Filesize
282KB

MD5
7e0b3b519a39f89ee61db8c05d4c144d

SHA1
7f52e37fa600f7af31c705d78df2add9a939be54

SHA256
166b1f81feb002d5f017ba604b485a2e0f09e2637015adbeb39c686d811fd280

SHA512
552a35be20001c404c510f4df08c638a524d41f7cbe29fcd4b57d0fcc69bca88bdfc239e6ee7a70088be3886602346b647764427c34d2e1b92d1b009a79b5ea6

Download Submit
C:\windows\AFHVUO.exe.bat
Filesize
58B

MD5
66e03e07fa5a1a3b6716f54a903437b3

SHA1
ce4957aece0b63c647b6deb42e6b937bd774ae64

SHA256
38c2723dea9c9191599a08c2146fc5524a9d9217c5193cda0d824c1164f7b925

SHA512
db25e0f0077070e16226a494e6328fe870e54aa33e00031187cbaaea280cfd7f7d3f23f91f057817fab5a3cdad175e106cef89e7616ee19c6a804d914367aad3

Download Submit
C:\windows\EJMIYHW.exe
Filesize
282KB

MD5
059cf8f1f05be83d2e85917ecd6baaf6

SHA1
216558990dac406ec9cade6b5774bea5ec5a3fc8

SHA256
485673134c4abfdbd0c461874321e7bf98db6882cfc1f06717c422f54c32b47c

SHA512
bc4645fce045e8b8a4547a7dee9e267d3b7f1763bd4928834978ce306549d2fdc844c14532130d657a05f96886f4834805abb05e5c355b97d23410725da7ec33

Download Submit
C:\windows\EJMIYHW.exe.bat
Filesize
60B

MD5
ace0af73f73669b978be49dd33b706dd

SHA1
b2de8afae8a5db1a8aec7b7659f91b8361e6dabb

SHA256
46d2995c733dcd5788d730bebb37aeff996dcd8139bc1f2aa493f31fb91b86fa

SHA512
36d11c016a8b01316904b569931770cac81439e9810faa6cfeac4f12698dcfeb47c22e4fa7edf4de73f328b29d25bc71d3d37f6de26cb09f43546b39299349a4

Download Submit
C:\windows\JCUMO.exe
Filesize
282KB

MD5
c109ad26db2f7ebd465c3d655374cda2

SHA1
13c62f55a7066727d4923b9cf1fff2ee1aa5ddc4

SHA256
a1200f910cd87c32e65c647a83b61ee56baed7a6dd517837b3fce7c477d7d06a

SHA512
d896c9f17b983ce92ecd030e66e2d811b5331582474c6d30c4e364343da36d03e875ff309f1c0421f51125cc72c7fa3cf05e8e6cbc8eb57ce8a572ea3179b56e

Download Submit
C:\windows\JCUMO.exe.bat
Filesize
56B

MD5
7ecc0260307af97000c914bc073917b4

SHA1
5e1ed12996652f8739e7d250b1dbb254291e4b86

SHA256
6639dded8a01b5faad4e5a36045aea78f57b5c11af54005b607487abbd7df27b

SHA512
29d4d20680ef414921f42ad6501ddaebac21d4eada78d7a5adc841c8f2f597c3a83bde362b90a9a9255c9f894695e94b9d27d3314bd419ab01216ee94393c9f1

Download Submit
C:\windows\NIUU.exe
Filesize
282KB

MD5
07ec0574957fdc740b24321e64029a21

SHA1
93abe6fd11fea6823b578b4327b3b10fe2b62240

SHA256
c74efe48537ea3c826bdaf80188b3b7bf104b0695c0d6aae2820ce9ada3f13f6

SHA512
b81888f36f8b9eb792109108e10fc5fba17e2de11892a1ebb4e23c332ff78638ab12ac2e1c8c5920c8e70cc97721acd0e1159828f9c2f7a05c8898e0bf1a600d

Download Submit
C:\windows\NIUU.exe.bat
Filesize
54B

MD5
4a6a4696f181d7fc1709b2a5e8260380

SHA1
d2795ad18dad040ea0159e882e9569fd230d056f

SHA256
48514b8404980a7fc1b6b0300bbb267174b6c49579a761cf397453b9191a9fc9

SHA512
95eef38e143fdba942770d98519f32adef2765788398851e8767822fc74887bccac6f78628bb4da0302d21a4094c0e09cf2dddff65815a6eba273b11e1c1f6b8

Download Submit
C:\windows\ORFXJ.exe.bat
Filesize
56B

MD5
b26e7cd36bb91b9637fe9d5cbc25612b

SHA1
616313837bd1f095bcca620706ac5235ebb88b9e

SHA256
2219530505a782aa7edf54427570773713031053cff7f7f2813c233fd55ce87a

SHA512
f70e68d7ba08a3e92a80aeb7b75f03609a7a19f3a915880e3ecedfad99149bf2b841ed7b311441626977e2fe04097b47cc1a3564bb385780b467554a07959fa5

Download Submit
C:\windows\QEAEN.exe.bat
Filesize
56B

MD5
ebf7205e4076a0e7833aeda915b39723

SHA1
d1d969a5e25eac71ec96bff08f544e13b992dc75

SHA256
d82cd6aaa5fdf8a1345133ad513f28be12a7ec5f67409d692f78b32976d6fcd8

SHA512
493b4406b0e13741ae093913b16597068c36b1709b4af905109fcc7cda224a126b537e6aa443583ca8438370ee7c4a52024b9fe64b6f95fc31a308d6a88f05f5

Download Submit
C:\windows\SysWOW64\AKIQJUK.exe.bat
Filesize
78B

MD5
8bac5a21fe97eeb2eee24ab6bf08668b

SHA1
95909de717e410c9ff82d89432ac63ad81edccc5

SHA256
158494599dc27ebdacf8479221f7ed1abeefb9ebbb49ad6f8307b05418491a8d

SHA512
133816a1b2b55eb01fc63b8766149293dfe2321b93a04c702bcfaed6291901c849e836da9ead5d029daa83fcfb01f21d122792b780765dd9cd2ab5af8149e293

Download Submit
C:\windows\SysWOW64\GDCP.exe.bat
Filesize
72B

MD5
5dd074dc32c2f1f5ebed09a1c664892e

SHA1
534b91e4f789869f4d48795b100afe9155dfdfad

SHA256
7fc9889e71337e4e3987bee73d166f3ab631575440a173178bb11da56d8c3782

SHA512
6eaf3c7cc5d296dcd252595afd9bef238a91a69da4fdeeba2389e458642bc4ea830e5a84921b82f6ce7531bdcd8437b1cc3254ae249e9fe85d93b1f51eb957db

Download Submit
C:\windows\SysWOW64\MZG.exe
Filesize
282KB

MD5
3b05da908a91983611b258b5919fc159

SHA1
ca4c99f6aa46f32e3c3d14143b98696b79b8e394

SHA256
d30c2cd4351d50296b3484ecd055f212799b9f2230edd07217cd972afe5ad0f8

SHA512
4d1c33e7db06536228bcef89ba19a3d4c7df8366e4e041337807f92737539e4f52bea125c4a5f7065d1fa05f83c55d1f8d2425e9195b0b8538bfa2b9fac61df0

Download Submit
C:\windows\SysWOW64\MZG.exe.bat
Filesize
70B

MD5
0d69a9a2d656cf785ac54a5ffd38150a

SHA1
16f5a79365e14fc8503cd36faf5e06a05d9db2e0

SHA256
28d1d8787214489eb3b4672b2ad8a0a3aaddd9922d573e68e981b17a36a8edb7

SHA512
1f890efbca3d89593362096fe805b7154eefa3d728a85619df7626f3949d49f8c6cf60912de2490c6254cc5e7a94d86f396d333976fa7db4f8e0397809e43c40

Download Submit
C:\windows\SysWOW64\OHSDOPF.exe.bat
Filesize
78B

MD5
a549135875d55b22dc00ed039214c5af

SHA1
6f8ad48d73fbf51481820034b26a417585b8d969

SHA256
b5d3496c0b5ea7383eb9a159f90aa913bb0fe46ef0dca7748e70e3c1fe939e24

SHA512
fff27198d625ef0501b282c7aeab7b7cf58e8693279ba538c56f242434e3acc5cbba74a2c18adf262001256af9a66329bb9d66456f8ba8165a1bfdd4da9bffba

Download Submit
C:\windows\SysWOW64\OQJV.exe.bat
Filesize
72B

MD5
3a56b50ae8fb6a4eaebd1bef05e67044

SHA1
92d0c4f388ddd1b076ffe88ddc16c75d5544e98d

SHA256
7b529524c2650ef8a127497099bf4d1e8e688fbfe8dab972ac77414aa6a87faa

SHA512
d65316c7267ad497781e5e8fccaf2a28da51940d5bd72df2f07c603f226d99c3a7ad99724989143e5202816d00bfef97212ecb390dc58acab00e064777dbe92b

Download Submit
C:\windows\SysWOW64\RSRN.exe.bat
Filesize
72B

MD5
ab19c02189960e62f304e0772d150012

SHA1
75ae206aa53d4d584119a7d6d7efb6dcf192e15d

SHA256
e49556fb0e080bf9d29047e68bbfcaf43a22be7dfad75971c6b4d8c99cfc20f6

SHA512
068514d93405eb21f3d0630a12d2f83269affc958eee8204edd5d97f2e38fc7d26c0020eb0ac98e9448605cedb6c767dd271b64ecfdec9f3a4d935bce126de75

Download Submit
C:\windows\SysWOW64\UGISQGZ.exe.bat
Filesize
78B

MD5
aa5093bb942c4dc50cbae90948ca8abe

SHA1
2f2205ab82a243d6f7b426f0c602511da45fd649

SHA256
50872c36d76ae5ee2aac8384701b1660ecdd257f0bb4f13b488890abbb22bd62

SHA512
3761576c0e8e4f71a3e81ce8550413ba63f54d8286164b32d996c97810667e0e98a0d707079a0d483e8d25a172b3b88c10a2ae4bdeab06bd3593150e78979fb9

Download Submit
C:\windows\SysWOW64\UMS.exe.bat
Filesize
70B

MD5
ba4581bea4138ea063bd335a141efef0

SHA1
871789db7f3d1e4005566b5b9c46581b340e253c

SHA256
ea38e0ed3a41e871aab310eecbdf562f9aca2acc0b81a1cd21f5ea7b221109a4

SHA512
c37228c076b81ad1edc649d3607fade9c90ffd956c9f3ceebda4bb8c64d22efea6c7747d71f30b7244b1b449b557914aa7a1e7a143327bdcace38b1e8d6af8c2

Download Submit
C:\windows\SysWOW64\WMWZ.exe.bat
Filesize
72B

MD5
4a100a0c062562e2c81db486fdd57ea1

SHA1
2e01eab24ad03e66b44b95a29072cda63cbd77c8

SHA256
5936b021793cf26ca8de2e45edc45f7e9e0187aafe03d6cebdf226cb2c4e5f3b

SHA512
dc567e5890c01fbdec359a7bfa026d1033adad13d7d890777b82d97cb0cf65df6ad2afd5745b8eae3c20ea2186a1e2610415faf30e2c5d1a60bf57aacb1fb7c0

Download Submit
C:\windows\SysWOW64\YAI.exe
Filesize
282KB

MD5
c85dba2953061358df6ea9c64d3a7659

SHA1
2a7a9db3275aeaba8fcab3e050f6055ebdca3ac3

SHA256
c36b290e61a65e7ea81d138e6e63e453b478a1648fb207a641c68b024abd6820

SHA512
b468803d55f2b6fbfe975617e16992d5110da9b7b900b28e1a152e9537a26fc87c6ccd3f83428a1d9041c8fcbfb17b6f03c4f4d7cb7e8bdf41eb22a66877b9d2

Download Submit
C:\windows\SysWOW64\YAI.exe.bat
Filesize
70B

MD5
674afc7a9715a16a6f4a4902492f2347

SHA1
89c6108da85fc6b9cc14271ae38466558cdae757

SHA256
feb14f79a1f80497fe6bf5aed20daf3ebdbefbc66efe807b50eeac9e330e35ff

SHA512
86072b1b7b8a14cc9fdeaa91a393a406bc856e30fc1e08b5498dd3061c3107168af44b3ef7045fc5fcd884101ea446745fb0556f24edac35b73cdf743e634cc0

Download Submit
C:\windows\SysWOW64\YGGQNK.exe
Filesize
282KB

MD5
b442684ca8bebd294de144ce69764f41

SHA1
714d548d5d8ec5dddb6be62ae2893b992940f1ca

SHA256
cbd4cf16c20e853379cd8b9a27ddc77856a32447f7e82615341191834e05dcb4

SHA512
d4d5baef83848f19e8328321fdbb5b9a3c0abba7c12857a698263649b7f9bb00a8f8303693ef968e0bd0280963d521561ddad905ae8cd794894ff6747ce24365

Download Submit
C:\windows\SysWOW64\YGGQNK.exe.bat
Filesize
76B

MD5
0b682d7dc41641900d31d8761a58eb28

SHA1
8fb602f92c569f16edc575ac54154a10ed0b4c99

SHA256
c46f16999bcbeae3847b34744b4fa67b5a8d6cf15fc89a9911be53f88860a18b

SHA512
e9c54414390f796ce4699d68d89345d5772fc65dd226d9af7e0d7c55c874c0a7169399e10e093bb9652f7a58b768073254a1df0597ec63f73107c6340a339af7

Download Submit
C:\windows\system\CSX.exe.bat
Filesize
66B

MD5
3dd6360b27d04a1ad84e4e418bb33c00

SHA1
ff75f6b883107ec9f25f7b29337f1a9bd9d0f985

SHA256
6023501bd51d84497a95a17b0c98897c1de9a7572e637e1fadafbddd66acd28f

SHA512
942ebe1418e8f7b07c28c4029ffcf635f0213037f6e5a3b35e7c27629d9d9db2b0500d3ee6c9878a4d902a3850b096d17fc775f84d489be421a53501f2ebd00a

Download Submit
C:\windows\system\JFQIOP.exe
Filesize
282KB

MD5
d380b3bb3180aa5e5274c8335cca0964

SHA1
35ed17e1e18d0fe1aa18e980a15c6b804ba1af1b

SHA256
66b5bdcdca52ef4c1d989fdaa8fff7f4424ac14e3d0863a67953ec9a374b1485

SHA512
4116b2cfe64aef2924aa88a099fa4e3d338d6e662b9a4f05e3d83b714faba667b50d3ebce8e1247de776941022e8b2fe178c65c66e594f80dff48a025109c7a8

Download Submit
C:\windows\system\JFQIOP.exe.bat
Filesize
72B

MD5
c1508f11be90f7833f4080ea547df25d

SHA1
8f87473c240b1f8f58fdb95582e6715908534dfd

SHA256
91e546e1932a5a6e7e41c970421eb10062a165a3d69972d1981c7039af45e0a1

SHA512
8e646d65a309688bf48186329fb3f770ffaad4c16729fd3fd468e672c4b31c44beb7a970d1392d989e4009f40c865906969a848f8b95f9259747a32324c7bba6

Download Submit
C:\windows\system\MEG.exe.bat
Filesize
66B

MD5
fc265a581085c546c48dd26c359713e8

SHA1
83610f42aea951cab8fc6bdd5c1472e94ed53935

SHA256
19bfcb019ffc0d4211d4976007efffe8377d6034d57d8fb718cad429fe069ee8

SHA512
f13200fbe83542283d86478c4bb2dcc70c1c0735a822b115aa3def3289470457a5e4392d7dff806f2b644512e13dc34e3281775de7c3f75e1196d31f5eb05a4c

Download Submit
C:\windows\system\VYL.exe.bat
Filesize
66B

MD5
c7b09e062c8463a961f14cdfdff1f337

SHA1
32882f95c4197f14682de4f9ec90dde00fffb373

SHA256
0ad3abd5a5b7e7745e058b057dbb00e787c07d5e0f3410c792a28d563facc22f

SHA512
df669f3060f061ecf4dd6bcfabd00cf62f670a55f322e5fdecac8bdc42cc81e5bb031428cb40cc8c1847cb780cb779d861058a1aca1af9583cf26d08c816a402

Download Submit
C:\windows\system\WLLQIAO.exe.bat
Filesize
74B

MD5
99ae89fc18ef15481581419c85863d1a

SHA1
15697a465d7c3de8713109c6c7cd48fc3db14123

SHA256
1d5c94f162a044339b3066d4c98513d01ef04bd53f2901d867648680add9a768

SHA512
a428b490cddc87e5d19d479da5553e98ccebe9aceaa34ce88e123fef801ba35bad246fff490cf1853ad4eaa467b9618c7511de8c0888aaa13a92efebed7aba30

Download Submit
memory/392-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/392-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/468-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/468-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/948-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/948-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1072-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1072-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1484-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1484-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1504-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1504-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1576-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1576-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2588-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2588-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3496-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3496-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4088-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4088-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4128-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4128-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4176-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4176-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4540-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4540-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4572-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4596-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4596-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download