ac9800ae8fb5c0376287d5c9c0364e6a864e1d905f8321f4d1318f4a47756fa2

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
Size

282KB
MD5

1e32d9cb4a2d3d7d843d7c88d1db18d0
SHA1

15bc49079cebbdf9c9755e63c95e95b16a5f7f53
SHA256

ac9800ae8fb5c0376287d5c9c0364e6a864e1d905f8321f4d1318f4a47756fa2
SHA512

c56d640d738928ceada5a439940a8157baf9003a5fd0f0020b724d6d90a14d460baf600cb4240a1094fe4f635af5531f63996a9df410ab0244a67d96bfed05a4
SSDEEP

6144:jTO7ZF3ThZ4/fykEjiPISUOgW9X+hOGzC/:u9Blq/akmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\QKDCZ.exe	family_berbew
C:\Windows\System\FNUGKLV.exe	family_berbew
C:\Windows\SysWOW64\PRAPBG.exe	family_berbew
C:\Windows\CHJURW.exe	family_berbew
C:\windows\SysWOW64\DKZQGFR.exe	family_berbew
C:\Windows\System\UKB.exe	family_berbew
C:\windows\SysWOW64\NNFZXAD.exe	family_berbew
C:\Windows\ZQQM.exe	family_berbew
C:\Windows\WWA.exe	family_berbew
C:\windows\ZEJQ.exe	family_berbew
C:\windows\system\HVLT.exe	family_berbew
C:\windows\SysWOW64\XLM.exe	family_berbew
C:\Windows\System\DVCAT.exe	family_berbew
C:\Windows\YEKPS.exe	family_berbew
C:\windows\SysWOW64\BZCZL.exe	family_berbew
C:\windows\SysWOW64\AFIU.exe	family_berbew
C:\Windows\System\YUUXDJU.exe	family_berbew
C:\windows\DVEZPN.exe	family_berbew
C:\windows\SLRR.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DTO.exeSAHMRCE.exeFQSNW.exeAGN.exeXGL.exeRYIT.exeWNKG.exeSLRR.exeUUBMO.exeWUTFKY.exeYKWQJSN.exeSJLBD.exeOJRBAVS.exeSBRAMEB.exeRMGG.exeWVWPQTS.exeCBMQC.exeFBAV.exeDBK.exeIONIVZ.exeEZGHW.exeBYTNCYN.exeHPQSJ.exeLCR.exeRHD.exeXUWX.exeUAOFHG.exeUTGFWWM.exeNNFZXAD.exeBEITY.exeFZUR.exeJKVQG.exeIWHQMPW.exeCAXYFDQ.exeWDB.exeEQJATI.exeURMLG.exeCHJURW.exeIBSIEPH.exeFDZJ.exeGBCKPBA.exeAHMJOPB.exeKVJSM.exeQKDCZ.exeKAA.exeLDXOJTN.exeEYBZO.exeZPQTIA.exeDABHRE.exeQMNN.exeKWJSPA.exeDOHIJGW.exeMOI.exeYEKPS.exeDDOICQ.exeEXTK.exeQXIA.exeVSH.exeGPITQ.exePRAPBG.exeZEJQ.exeBHAFK.exeZQQM.exeBZCZL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SAHMRCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FQSNW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AGN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XGL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RYIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WNKG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SLRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UUBMO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WUTFKY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YKWQJSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SJLBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OJRBAVS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SBRAMEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RMGG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WVWPQTS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CBMQC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FBAV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DBK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IONIVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EZGHW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BYTNCYN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HPQSJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LCR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RHD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XUWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UAOFHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UTGFWWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NNFZXAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BEITY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FZUR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JKVQG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IWHQMPW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CAXYFDQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EQJATI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	URMLG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CHJURW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IBSIEPH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FDZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GBCKPBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AHMJOPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KVJSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QKDCZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LDXOJTN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EYBZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ZPQTIA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DABHRE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QMNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KWJSPA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DOHIJGW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YEKPS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DDOICQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EXTK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QXIA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GPITQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PRAPBG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ZEJQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BHAFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ZQQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BZCZL.exe

Executes dropped EXE 64 IoCs

Processes:

QKDCZ.exeFNUGKLV.exePRAPBG.exeAJVIKNO.exeCHJURW.exeDKZQGFR.exeUKB.exeNNFZXAD.exeZQQM.exeWWA.exeZEJQ.exeFZUR.exeHVLT.exeXLM.exeDVCAT.exeYEKPS.exeBZCZL.exeAFIU.exeYUUXDJU.exeDVEZPN.exeSLRR.exeIBSIEPH.exeKWJSPA.exeWCIQUC.exeBHAFK.exeHDMYYUE.exeDDOICQ.exeEGSEH.exeOESQYI.exeJRP.exeKPWJ.exeIAH.exeLNYA.exeIOA.exeKWV.exeUUBMO.exeRULOAG.exeYNAW.exeXYDMST.exeDTO.exeAJOXXIX.exeLCR.exeQCGKKF.exeSAHMRCE.exeBYTNCYN.exeDOHIJGW.exeAMURZNL.exeDUPGPTZ.exeEXTK.exeFNBTX.exeBSLINW.exeJGYPY.exeEEZ.exeGCE.exeHPQSJ.exeWVWPQTS.exeHDRWGGO.exeQLT.exeAECIN.exeGPGX.exePXALNZF.exeFDZJ.exeAYETJI.exeFQSNW.exe

pid	process
2692	QKDCZ.exe
4240	FNUGKLV.exe
2668	PRAPBG.exe
3000	AJVIKNO.exe
3616	CHJURW.exe
4892	DKZQGFR.exe
3432	UKB.exe
4640	NNFZXAD.exe
4064	ZQQM.exe
980	WWA.exe
3628	ZEJQ.exe
5088	FZUR.exe
4656	HVLT.exe
720	XLM.exe
2556	DVCAT.exe
4352	YEKPS.exe
2876	BZCZL.exe
2656	AFIU.exe
3500	YUUXDJU.exe
3384	DVEZPN.exe
4912	SLRR.exe
4008	IBSIEPH.exe
4876	KWJSPA.exe
2740	WCIQUC.exe
2876	BHAFK.exe
4472	HDMYYUE.exe
616	DDOICQ.exe
1428	EGSEH.exe
3664	OESQYI.exe
2288	JRP.exe
1892	KPWJ.exe
4640	IAH.exe
4580	LNYA.exe
844	IOA.exe
1908	KWV.exe
812	UUBMO.exe
4064	RULOAG.exe
3284	YNAW.exe
2356	XYDMST.exe
1608	DTO.exe
5040	AJOXXIX.exe
2052	LCR.exe
4304	QCGKKF.exe
4152	SAHMRCE.exe
4108	BYTNCYN.exe
3616	DOHIJGW.exe
1428	AMURZNL.exe
4740	DUPGPTZ.exe
4696	EXTK.exe
1668	FNBTX.exe
4304	BSLINW.exe
1476	JGYPY.exe
616	EEZ.exe
2356	GCE.exe
4208	HPQSJ.exe
4976	WVWPQTS.exe
3896	HDRWGGO.exe
548	QLT.exe
4304	AECIN.exe
1544	GPGX.exe
912	PXALNZF.exe
4424	FDZJ.exe
1564	AYETJI.exe
4764	FQSNW.exe

Drops file in System32 directory 64 IoCs

Processes:

HPQSJ.exeFDZJ.exeJNM.exeIWHQMPW.exeIAMSKB.exeCJM.exeQXIA.exeFNUGKLV.exeOKF.exeFQSNW.exeOOOZZA.exeOEGKV.exeWUTFKY.exeYKWQJSN.exeOXSNYLQ.exeVSH.exeJRP.exeDABHRE.exe1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exeEYBZO.exeXUWX.exeFUQ.exeHVLT.exeKVJSM.exeJGMIUJP.exeYZJ.exeUKB.exeBYTNCYN.exeWVWPQTS.exeFRPF.exeQMNN.exeWCIQUC.exeWDB.exeOJRBAVS.exeBZCZL.exeOXXC.exeYEKPS.exePXALNZF.exeYNAW.exeBFJJW.exeGFAEP.exe

description	ioc	process
File created	C:\windows\SysWOW64\WVWPQTS.exe	HPQSJ.exe
File opened for modification	C:\windows\SysWOW64\AYETJI.exe	FDZJ.exe
File created	C:\windows\SysWOW64\LLRGC.exe.bat	JNM.exe
File created	C:\windows\SysWOW64\CJM.exe.bat	IWHQMPW.exe
File created	C:\windows\SysWOW64\MDX.exe	IAMSKB.exe
File opened for modification	C:\windows\SysWOW64\MDX.exe	IAMSKB.exe
File opened for modification	C:\windows\SysWOW64\AHMJOPB.exe	CJM.exe
File created	C:\windows\SysWOW64\AHMJOPB.exe.bat	CJM.exe
File opened for modification	C:\windows\SysWOW64\QIRT.exe	QXIA.exe
File created	C:\windows\SysWOW64\PRAPBG.exe.bat	FNUGKLV.exe
File created	C:\windows\SysWOW64\BVN.exe	OKF.exe
File created	C:\windows\SysWOW64\XTWRJWT.exe.bat	FQSNW.exe
File created	C:\windows\SysWOW64\WUTFKY.exe	OOOZZA.exe
File created	C:\windows\SysWOW64\CJM.exe	IWHQMPW.exe
File opened for modification	C:\windows\SysWOW64\ZXJCDD.exe	OEGKV.exe
File opened for modification	C:\windows\SysWOW64\BUPA.exe	WUTFKY.exe
File opened for modification	C:\windows\SysWOW64\MIECLV.exe	YKWQJSN.exe
File created	C:\windows\SysWOW64\ZFYN.exe.bat	OXSNYLQ.exe
File created	C:\windows\SysWOW64\IVYVUP.exe	VSH.exe
File created	C:\windows\SysWOW64\KPWJ.exe	JRP.exe
File opened for modification	C:\windows\SysWOW64\KPWJ.exe	JRP.exe
File created	C:\windows\SysWOW64\PIIHDX.exe	DABHRE.exe
File opened for modification	C:\windows\SysWOW64\QKDCZ.exe	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\YZJ.exe.bat	EYBZO.exe
File opened for modification	C:\windows\SysWOW64\PIIHDX.exe	DABHRE.exe
File opened for modification	C:\windows\SysWOW64\WVWPQTS.exe	HPQSJ.exe
File opened for modification	C:\windows\SysWOW64\UUY.exe	XUWX.exe
File created	C:\windows\SysWOW64\VEBLS.exe	FUQ.exe
File opened for modification	C:\windows\SysWOW64\XLM.exe	HVLT.exe
File created	C:\windows\SysWOW64\WVWPQTS.exe.bat	HPQSJ.exe
File created	C:\windows\SysWOW64\MIECLV.exe.bat	YKWQJSN.exe
File opened for modification	C:\windows\SysWOW64\JGMIUJP.exe	KVJSM.exe
File created	C:\windows\SysWOW64\NWSIZB.exe	JGMIUJP.exe
File opened for modification	C:\windows\SysWOW64\PRAPBG.exe	FNUGKLV.exe
File created	C:\windows\SysWOW64\BVN.exe.bat	OKF.exe
File opened for modification	C:\windows\SysWOW64\ZPQTIA.exe	YZJ.exe
File created	C:\windows\SysWOW64\NNFZXAD.exe	UKB.exe
File created	C:\windows\SysWOW64\DOHIJGW.exe.bat	BYTNCYN.exe
File created	C:\windows\SysWOW64\HDRWGGO.exe.bat	WVWPQTS.exe
File created	C:\windows\SysWOW64\YKWQJSN.exe	FRPF.exe
File created	C:\windows\SysWOW64\VEBLS.exe.bat	FUQ.exe
File created	C:\windows\SysWOW64\NFX.exe	QMNN.exe
File opened for modification	C:\windows\SysWOW64\BHAFK.exe	WCIQUC.exe
File opened for modification	C:\windows\SysWOW64\WUTFKY.exe	OOOZZA.exe
File created	C:\windows\SysWOW64\HWKVT.exe.bat	WDB.exe
File opened for modification	C:\windows\SysWOW64\DEIFT.exe	OJRBAVS.exe
File created	C:\windows\SysWOW64\ZPQTIA.exe	YZJ.exe
File created	C:\windows\SysWOW64\UUY.exe	XUWX.exe
File created	C:\windows\SysWOW64\PIIHDX.exe.bat	DABHRE.exe
File created	C:\windows\SysWOW64\QKDCZ.exe.bat	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\AFIU.exe	BZCZL.exe
File created	C:\windows\SysWOW64\XTWRJWT.exe	FQSNW.exe
File opened for modification	C:\windows\SysWOW64\LLRGC.exe	JNM.exe
File created	C:\windows\SysWOW64\JKCMHF.exe.bat	OXXC.exe
File created	C:\windows\SysWOW64\QKDCZ.exe	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\BZCZL.exe	YEKPS.exe
File created	C:\windows\SysWOW64\FDZJ.exe.bat	PXALNZF.exe
File opened for modification	C:\windows\SysWOW64\JKCMHF.exe	OXXC.exe
File created	C:\windows\SysWOW64\BHAFK.exe.bat	WCIQUC.exe
File created	C:\windows\SysWOW64\XYDMST.exe	YNAW.exe
File opened for modification	C:\windows\SysWOW64\JKVQG.exe	BFJJW.exe
File opened for modification	C:\windows\SysWOW64\ALB.exe	GFAEP.exe
File created	C:\windows\SysWOW64\QIRT.exe	QXIA.exe
File opened for modification	C:\windows\SysWOW64\IVYVUP.exe	VSH.exe

Drops file in Windows directory 64 IoCs

Processes:

ZQQM.exeLNYA.exeRHD.exeBFIZBDU.exeDKZQGFR.exeZEJQ.exeOIQRD.exeNFX.exePRAPBG.exeKWJSPA.exeHDMYYUE.exeUUBMO.exeGCE.exeHRZS.exeGBCKPBA.exeAJVIKNO.exeUAOFHG.exeJKVQG.exeDUPGPTZ.exeBSLINW.exeYANXEX.exeNAH.exeHWKVT.exeYDC.exeFZUR.exeDOHIJGW.exeAECIN.exeUQJMVMU.exePKCAL.exeFDTN.exeIYVYWU.exePIIHDX.exeZXJCDD.exeWWA.exeMIECLV.exeZFV.exeTIEJ.exeZPQTIA.exeLDXOJTN.exeMOI.exeAGN.exeSBRAMEB.exeAFIU.exeKAA.exeEEZ.exeZFYN.exeRYIT.exeAMURZNL.exeNNFZXAD.exeYUUXDJU.exeIOA.exeQKDCZ.exeOESQYI.exeBEITY.exeHBFCM.exeIOC.exe

description	ioc	process
File created	C:\windows\WWA.exe.bat	ZQQM.exe
File opened for modification	C:\windows\IOA.exe	LNYA.exe
File created	C:\windows\system\BFJJW.exe.bat	RHD.exe
File opened for modification	C:\windows\system\VSH.exe	BFIZBDU.exe
File created	C:\windows\system\UKB.exe	DKZQGFR.exe
File opened for modification	C:\windows\FZUR.exe	ZEJQ.exe
File created	C:\windows\HBFCM.exe	OIQRD.exe
File opened for modification	C:\windows\system\GIBTPEM.exe	NFX.exe
File opened for modification	C:\windows\system\AJVIKNO.exe	PRAPBG.exe
File opened for modification	C:\windows\system\WCIQUC.exe	KWJSPA.exe
File created	C:\windows\DDOICQ.exe	HDMYYUE.exe
File created	C:\windows\RULOAG.exe	UUBMO.exe
File opened for modification	C:\windows\HPQSJ.exe	GCE.exe
File opened for modification	C:\windows\BEITY.exe	HRZS.exe
File opened for modification	C:\windows\system\OOOZZA.exe	GBCKPBA.exe
File created	C:\windows\system\GIBTPEM.exe.bat	NFX.exe
File created	C:\windows\CHJURW.exe.bat	AJVIKNO.exe
File created	C:\windows\system\EYBZO.exe.bat	UAOFHG.exe
File created	C:\windows\system\JNM.exe	JKVQG.exe
File opened for modification	C:\windows\EXTK.exe	DUPGPTZ.exe
File opened for modification	C:\windows\system\JGYPY.exe	BSLINW.exe
File created	C:\windows\system\GFAEP.exe	YANXEX.exe
File created	C:\windows\TWS.exe	NAH.exe
File opened for modification	C:\windows\FHNL.exe	HWKVT.exe
File opened for modification	C:\windows\system\EZGHW.exe	YDC.exe
File created	C:\windows\FZUR.exe.bat	ZEJQ.exe
File created	C:\windows\system\HVLT.exe	FZUR.exe
File opened for modification	C:\windows\system\AMURZNL.exe	DOHIJGW.exe
File opened for modification	C:\windows\system\GPGX.exe	AECIN.exe
File created	C:\windows\WDB.exe	UQJMVMU.exe
File opened for modification	C:\windows\system\RSCXSF.exe	PKCAL.exe
File created	C:\windows\UTGFWWM.exe	FDTN.exe
File opened for modification	C:\windows\KVJSM.exe	IYVYWU.exe
File opened for modification	C:\windows\CHJURW.exe	AJVIKNO.exe
File created	C:\windows\BEITY.exe.bat	HRZS.exe
File opened for modification	C:\windows\system\TIEJ.exe	PIIHDX.exe
File opened for modification	C:\windows\system\IVVDOH.exe	ZXJCDD.exe
File created	C:\windows\ZEJQ.exe.bat	WWA.exe
File opened for modification	C:\windows\ZSNAAG.exe	MIECLV.exe
File created	C:\windows\NAH.exe.bat	ZFV.exe
File opened for modification	C:\windows\system\IOC.exe	TIEJ.exe
File opened for modification	C:\windows\system\HVLT.exe	FZUR.exe
File created	C:\windows\system\DABHRE.exe.bat	ZPQTIA.exe
File created	C:\windows\system\IWHQMPW.exe.bat	LDXOJTN.exe
File created	C:\windows\SJLBD.exe.bat	MOI.exe
File opened for modification	C:\windows\system\SBRAMEB.exe	AGN.exe
File created	C:\windows\FBAV.exe	SBRAMEB.exe
File created	C:\windows\system\YUUXDJU.exe.bat	AFIU.exe
File created	C:\windows\system\GBCKPBA.exe.bat	KAA.exe
File created	C:\windows\FHNL.exe	HWKVT.exe
File opened for modification	C:\windows\GCE.exe	EEZ.exe
File created	C:\windows\BEITY.exe	HRZS.exe
File created	C:\windows\EQJATI.exe.bat	ZFYN.exe
File created	C:\windows\system\SOPCDZ.exe.bat	RYIT.exe
File created	C:\windows\system\DUPGPTZ.exe	AMURZNL.exe
File created	C:\windows\ZQQM.exe.bat	NNFZXAD.exe
File created	C:\windows\DVEZPN.exe	YUUXDJU.exe
File opened for modification	C:\windows\KWV.exe	IOA.exe
File created	C:\windows\ZSNAAG.exe.bat	MIECLV.exe
File opened for modification	C:\windows\system\FNUGKLV.exe	QKDCZ.exe
File created	C:\windows\JRP.exe	OESQYI.exe
File created	C:\windows\APT.exe.bat	BEITY.exe
File created	C:\windows\system\STN.exe.bat	HBFCM.exe
File created	C:\windows\URMLG.exe	IOC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1660	2004	WerFault.exe	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
4640	2692	WerFault.exe	QKDCZ.exe
220	4240	WerFault.exe	FNUGKLV.exe
4100	2668	WerFault.exe	PRAPBG.exe
452	3000	WerFault.exe	AJVIKNO.exe
2352	3616	WerFault.exe	CHJURW.exe
5104	4892	WerFault.exe	DKZQGFR.exe
1380	3432	WerFault.exe	UKB.exe
548	4640	WerFault.exe	NNFZXAD.exe
1476	4064	WerFault.exe	ZQQM.exe
1448	980	WerFault.exe	WWA.exe
4128	3628	WerFault.exe	ZEJQ.exe
3952	5088	WerFault.exe	FZUR.exe
2452	4656	WerFault.exe	HVLT.exe
3936	720	WerFault.exe	XLM.exe
980	2556	WerFault.exe	DVCAT.exe
4040	4352	WerFault.exe	YEKPS.exe
4976	2876	WerFault.exe	BZCZL.exe
5004	2656	WerFault.exe	AFIU.exe
3272	3500	WerFault.exe	YUUXDJU.exe
4556	3384	WerFault.exe	DVEZPN.exe
5076	4912	WerFault.exe	SLRR.exe
3484	4008	WerFault.exe	IBSIEPH.exe
3760	4876	WerFault.exe	KWJSPA.exe
1776	2740	WerFault.exe	WCIQUC.exe
2680	2876	WerFault.exe	BHAFK.exe
3196	4472	WerFault.exe	HDMYYUE.exe
4556	616	WerFault.exe	DDOICQ.exe
1148	1428	WerFault.exe	EGSEH.exe
4208	3664	WerFault.exe	OESQYI.exe
1432	2288	WerFault.exe	JRP.exe
2956	1892	WerFault.exe	KPWJ.exe
4100	4640	WerFault.exe	IAH.exe
2716	4580	WerFault.exe	LNYA.exe
2904	844	WerFault.exe	IOA.exe
2988	1908	WerFault.exe	KWV.exe
3392	812	WerFault.exe	UUBMO.exe
5004	4064	WerFault.exe	RULOAG.exe
1892	3284	WerFault.exe	YNAW.exe
1688	2356	WerFault.exe	XYDMST.exe
728	1608	WerFault.exe	DTO.exe
4876	5040	WerFault.exe	AJOXXIX.exe
508	2052	WerFault.exe	LCR.exe
3124	4304	WerFault.exe	QCGKKF.exe
2908	4152	WerFault.exe	SAHMRCE.exe
2216	4108	WerFault.exe	BYTNCYN.exe
3632	3616	WerFault.exe	DOHIJGW.exe
3628	1428	WerFault.exe	AMURZNL.exe
5044	4740	WerFault.exe	DUPGPTZ.exe
4620	4696	WerFault.exe	EXTK.exe
3392	1668	WerFault.exe	FNBTX.exe
2752	4304	WerFault.exe	BSLINW.exe
1172	1476	WerFault.exe	JGYPY.exe
216	616	WerFault.exe	EEZ.exe
1852	2356	WerFault.exe	GCE.exe
4312	4208	WerFault.exe	HPQSJ.exe
4668	4976	WerFault.exe	WVWPQTS.exe
1380	3896	WerFault.exe	HDRWGGO.exe
3720	548	WerFault.exe	QLT.exe
2840	4304	WerFault.exe	AECIN.exe
3400	1544	WerFault.exe	GPGX.exe
1908	912	WerFault.exe	PXALNZF.exe
4576	4424	WerFault.exe	FDZJ.exe
2372	1564	WerFault.exe	AYETJI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exeQKDCZ.exeFNUGKLV.exePRAPBG.exeAJVIKNO.exeCHJURW.exeDKZQGFR.exeUKB.exeNNFZXAD.exeZQQM.exeWWA.exeZEJQ.exeFZUR.exeHVLT.exeXLM.exeDVCAT.exeYEKPS.exeBZCZL.exeAFIU.exeYUUXDJU.exeDVEZPN.exeSLRR.exeIBSIEPH.exeKWJSPA.exeWCIQUC.exeBHAFK.exeHDMYYUE.exeDDOICQ.exeEGSEH.exeOESQYI.exeJRP.exeKPWJ.exe

pid	process
2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
2692	QKDCZ.exe
2692	QKDCZ.exe
4240	FNUGKLV.exe
4240	FNUGKLV.exe
2668	PRAPBG.exe
2668	PRAPBG.exe
3000	AJVIKNO.exe
3000	AJVIKNO.exe
3616	CHJURW.exe
3616	CHJURW.exe
4892	DKZQGFR.exe
4892	DKZQGFR.exe
3432	UKB.exe
3432	UKB.exe
4640	NNFZXAD.exe
4640	NNFZXAD.exe
4064	ZQQM.exe
4064	ZQQM.exe
980	WWA.exe
980	WWA.exe
3628	ZEJQ.exe
3628	ZEJQ.exe
5088	FZUR.exe
5088	FZUR.exe
4656	HVLT.exe
4656	HVLT.exe
720	XLM.exe
720	XLM.exe
2556	DVCAT.exe
2556	DVCAT.exe
4352	YEKPS.exe
4352	YEKPS.exe
2876	BZCZL.exe
2876	BZCZL.exe
2656	AFIU.exe
2656	AFIU.exe
3500	YUUXDJU.exe
3500	YUUXDJU.exe
3384	DVEZPN.exe
3384	DVEZPN.exe
4912	SLRR.exe
4912	SLRR.exe
4008	IBSIEPH.exe
4008	IBSIEPH.exe
4876	KWJSPA.exe
4876	KWJSPA.exe
2740	WCIQUC.exe
2740	WCIQUC.exe
2876	BHAFK.exe
2876	BHAFK.exe
4472	HDMYYUE.exe
4472	HDMYYUE.exe
616	DDOICQ.exe
616	DDOICQ.exe
1428	EGSEH.exe
1428	EGSEH.exe
3664	OESQYI.exe
3664	OESQYI.exe
2288	JRP.exe
2288	JRP.exe
1892	KPWJ.exe
1892	KPWJ.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
2692	QKDCZ.exe
2692	QKDCZ.exe
4240	FNUGKLV.exe
4240	FNUGKLV.exe
2668	PRAPBG.exe
2668	PRAPBG.exe
3000	AJVIKNO.exe
3000	AJVIKNO.exe
3616	CHJURW.exe
3616	CHJURW.exe
4892	DKZQGFR.exe
4892	DKZQGFR.exe
3432	UKB.exe
3432	UKB.exe
4640	NNFZXAD.exe
4640	NNFZXAD.exe
4064	ZQQM.exe
4064	ZQQM.exe
980	WWA.exe
980	WWA.exe
3628	ZEJQ.exe
3628	ZEJQ.exe
5088	FZUR.exe
5088	FZUR.exe
4656	HVLT.exe
4656	HVLT.exe
720	XLM.exe
720	XLM.exe
2556	DVCAT.exe
2556	DVCAT.exe
4352	YEKPS.exe
4352	YEKPS.exe
2876	BZCZL.exe
2876	BZCZL.exe
2656	AFIU.exe
2656	AFIU.exe
3500	YUUXDJU.exe
3500	YUUXDJU.exe
3384	DVEZPN.exe
3384	DVEZPN.exe
4912	SLRR.exe
4912	SLRR.exe
4008	IBSIEPH.exe
4008	IBSIEPH.exe
4876	KWJSPA.exe
4876	KWJSPA.exe
2740	WCIQUC.exe
2740	WCIQUC.exe
2876	BHAFK.exe
2876	BHAFK.exe
4472	HDMYYUE.exe
4472	HDMYYUE.exe
616	DDOICQ.exe
616	DDOICQ.exe
1428	EGSEH.exe
1428	EGSEH.exe
3664	OESQYI.exe
3664	OESQYI.exe
2288	JRP.exe
2288	JRP.exe
1892	KPWJ.exe
1892	KPWJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.execmd.exeQKDCZ.execmd.exeFNUGKLV.execmd.exePRAPBG.execmd.exeAJVIKNO.execmd.exeCHJURW.execmd.exeDKZQGFR.execmd.exeUKB.execmd.exeNNFZXAD.execmd.exeZQQM.execmd.exeWWA.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 656	2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe	cmd.exe
PID 2004 wrote to memory of 656	2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe	cmd.exe
PID 2004 wrote to memory of 656	2004	1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe	cmd.exe
PID 656 wrote to memory of 2692	656	cmd.exe	QKDCZ.exe
PID 656 wrote to memory of 2692	656	cmd.exe	QKDCZ.exe
PID 656 wrote to memory of 2692	656	cmd.exe	QKDCZ.exe
PID 2692 wrote to memory of 2716	2692	QKDCZ.exe	cmd.exe
PID 2692 wrote to memory of 2716	2692	QKDCZ.exe	cmd.exe
PID 2692 wrote to memory of 2716	2692	QKDCZ.exe	cmd.exe
PID 2716 wrote to memory of 4240	2716	cmd.exe	FNUGKLV.exe
PID 2716 wrote to memory of 4240	2716	cmd.exe	FNUGKLV.exe
PID 2716 wrote to memory of 4240	2716	cmd.exe	FNUGKLV.exe
PID 4240 wrote to memory of 3952	4240	FNUGKLV.exe	cmd.exe
PID 4240 wrote to memory of 3952	4240	FNUGKLV.exe	cmd.exe
PID 4240 wrote to memory of 3952	4240	FNUGKLV.exe	cmd.exe
PID 3952 wrote to memory of 2668	3952	cmd.exe	PRAPBG.exe
PID 3952 wrote to memory of 2668	3952	cmd.exe	PRAPBG.exe
PID 3952 wrote to memory of 2668	3952	cmd.exe	PRAPBG.exe
PID 2668 wrote to memory of 3948	2668	PRAPBG.exe	cmd.exe
PID 2668 wrote to memory of 3948	2668	PRAPBG.exe	cmd.exe
PID 2668 wrote to memory of 3948	2668	PRAPBG.exe	cmd.exe
PID 3948 wrote to memory of 3000	3948	cmd.exe	AJVIKNO.exe
PID 3948 wrote to memory of 3000	3948	cmd.exe	AJVIKNO.exe
PID 3948 wrote to memory of 3000	3948	cmd.exe	AJVIKNO.exe
PID 3000 wrote to memory of 1640	3000	AJVIKNO.exe	cmd.exe
PID 3000 wrote to memory of 1640	3000	AJVIKNO.exe	cmd.exe
PID 3000 wrote to memory of 1640	3000	AJVIKNO.exe	cmd.exe
PID 1640 wrote to memory of 3616	1640	cmd.exe	CHJURW.exe
PID 1640 wrote to memory of 3616	1640	cmd.exe	CHJURW.exe
PID 1640 wrote to memory of 3616	1640	cmd.exe	CHJURW.exe
PID 3616 wrote to memory of 2956	3616	CHJURW.exe	cmd.exe
PID 3616 wrote to memory of 2956	3616	CHJURW.exe	cmd.exe
PID 3616 wrote to memory of 2956	3616	CHJURW.exe	cmd.exe
PID 2956 wrote to memory of 4892	2956	cmd.exe	DKZQGFR.exe
PID 2956 wrote to memory of 4892	2956	cmd.exe	DKZQGFR.exe
PID 2956 wrote to memory of 4892	2956	cmd.exe	DKZQGFR.exe
PID 4892 wrote to memory of 2280	4892	DKZQGFR.exe	cmd.exe
PID 4892 wrote to memory of 2280	4892	DKZQGFR.exe	cmd.exe
PID 4892 wrote to memory of 2280	4892	DKZQGFR.exe	cmd.exe
PID 2280 wrote to memory of 3432	2280	cmd.exe	UKB.exe
PID 2280 wrote to memory of 3432	2280	cmd.exe	UKB.exe
PID 2280 wrote to memory of 3432	2280	cmd.exe	UKB.exe
PID 3432 wrote to memory of 4380	3432	UKB.exe	cmd.exe
PID 3432 wrote to memory of 4380	3432	UKB.exe	cmd.exe
PID 3432 wrote to memory of 4380	3432	UKB.exe	cmd.exe
PID 4380 wrote to memory of 4640	4380	cmd.exe	NNFZXAD.exe
PID 4380 wrote to memory of 4640	4380	cmd.exe	NNFZXAD.exe
PID 4380 wrote to memory of 4640	4380	cmd.exe	NNFZXAD.exe
PID 4640 wrote to memory of 2932	4640	NNFZXAD.exe	cmd.exe
PID 4640 wrote to memory of 2932	4640	NNFZXAD.exe	cmd.exe
PID 4640 wrote to memory of 2932	4640	NNFZXAD.exe	cmd.exe
PID 2932 wrote to memory of 4064	2932	cmd.exe	ZQQM.exe
PID 2932 wrote to memory of 4064	2932	cmd.exe	ZQQM.exe
PID 2932 wrote to memory of 4064	2932	cmd.exe	ZQQM.exe
PID 4064 wrote to memory of 4468	4064	ZQQM.exe	cmd.exe
PID 4064 wrote to memory of 4468	4064	ZQQM.exe	cmd.exe
PID 4064 wrote to memory of 4468	4064	ZQQM.exe	cmd.exe
PID 4468 wrote to memory of 980	4468	cmd.exe	WWA.exe
PID 4468 wrote to memory of 980	4468	cmd.exe	WWA.exe
PID 4468 wrote to memory of 980	4468	cmd.exe	WWA.exe
PID 980 wrote to memory of 4612	980	WWA.exe	cmd.exe
PID 980 wrote to memory of 4612	980	WWA.exe	cmd.exe
PID 980 wrote to memory of 4612	980	WWA.exe	cmd.exe
PID 4612 wrote to memory of 3628	4612	cmd.exe	ZEJQ.exe

C:\Users\Admin\AppData\Local\Temp\1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e32d9cb4a2d3d7d843d7c88d1db18d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QKDCZ.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\windows\SysWOW64\QKDCZ.exe
C:\windows\system32\QKDCZ.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FNUGKLV.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\windows\system\FNUGKLV.exe
C:\windows\system\FNUGKLV.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PRAPBG.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\windows\SysWOW64\PRAPBG.exe
C:\windows\system32\PRAPBG.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AJVIKNO.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\windows\system\AJVIKNO.exe
C:\windows\system\AJVIKNO.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CHJURW.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\windows\CHJURW.exe
C:\windows\CHJURW.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKZQGFR.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\windows\SysWOW64\DKZQGFR.exe
C:\windows\system32\DKZQGFR.exe
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UKB.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\windows\system\UKB.exe
C:\windows\system\UKB.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNFZXAD.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\windows\SysWOW64\NNFZXAD.exe
C:\windows\system32\NNFZXAD.exe
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZQQM.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\windows\ZQQM.exe
C:\windows\ZQQM.exe
19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WWA.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\windows\WWA.exe
C:\windows\WWA.exe
21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZEJQ.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\windows\ZEJQ.exe
C:\windows\ZEJQ.exe
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FZUR.exe.bat" "
24⤵
PID:2216

C:\windows\FZUR.exe
C:\windows\FZUR.exe
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HVLT.exe.bat" "
26⤵
PID:4516

C:\windows\system\HVLT.exe
C:\windows\system\HVLT.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLM.exe.bat" "
28⤵
PID:448

C:\windows\SysWOW64\XLM.exe
C:\windows\system32\XLM.exe
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DVCAT.exe.bat" "
30⤵
PID:3744

C:\windows\system\DVCAT.exe
C:\windows\system\DVCAT.exe
31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YEKPS.exe.bat" "
32⤵
PID:5052

C:\windows\YEKPS.exe
C:\windows\YEKPS.exe
33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BZCZL.exe.bat" "
34⤵
PID:3564

C:\windows\SysWOW64\BZCZL.exe
C:\windows\system32\BZCZL.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFIU.exe.bat" "
36⤵
PID:2284

C:\windows\SysWOW64\AFIU.exe
C:\windows\system32\AFIU.exe
37⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YUUXDJU.exe.bat" "
38⤵
PID:2668

C:\windows\system\YUUXDJU.exe
C:\windows\system\YUUXDJU.exe
39⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DVEZPN.exe.bat" "
40⤵
PID:3124

C:\windows\DVEZPN.exe
C:\windows\DVEZPN.exe
41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SLRR.exe.bat" "
42⤵
PID:540

C:\windows\SLRR.exe
C:\windows\SLRR.exe
43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBSIEPH.exe.bat" "
44⤵
PID:3324

C:\windows\system\IBSIEPH.exe
C:\windows\system\IBSIEPH.exe
45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KWJSPA.exe.bat" "
46⤵
PID:3572

C:\windows\KWJSPA.exe
C:\windows\KWJSPA.exe
47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WCIQUC.exe.bat" "
48⤵
PID:4208

C:\windows\system\WCIQUC.exe
C:\windows\system\WCIQUC.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHAFK.exe.bat" "
50⤵
PID:2924

C:\windows\SysWOW64\BHAFK.exe
C:\windows\system32\BHAFK.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HDMYYUE.exe.bat" "
52⤵
PID:3516

C:\windows\HDMYYUE.exe
C:\windows\HDMYYUE.exe
53⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DDOICQ.exe.bat" "
54⤵
PID:2888

C:\windows\DDOICQ.exe
C:\windows\DDOICQ.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGSEH.exe.bat" "
56⤵
PID:4940

C:\windows\SysWOW64\EGSEH.exe
C:\windows\system32\EGSEH.exe
57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OESQYI.exe.bat" "
58⤵
PID:2904

C:\windows\SysWOW64\OESQYI.exe
C:\windows\system32\OESQYI.exe
59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JRP.exe.bat" "
60⤵
PID:4236

C:\windows\JRP.exe
C:\windows\JRP.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPWJ.exe.bat" "
62⤵
PID:2496

C:\windows\SysWOW64\KPWJ.exe
C:\windows\system32\KPWJ.exe
63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAH.exe.bat" "
64⤵
PID:2552

C:\windows\SysWOW64\IAH.exe
C:\windows\system32\IAH.exe
65⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LNYA.exe.bat" "
66⤵
PID:3616

C:\windows\LNYA.exe
C:\windows\LNYA.exe
67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IOA.exe.bat" "
68⤵
PID:3016

C:\windows\IOA.exe
C:\windows\IOA.exe
69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KWV.exe.bat" "
70⤵
PID:3500

C:\windows\KWV.exe
C:\windows\KWV.exe
71⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUBMO.exe.bat" "
72⤵
PID:3564

C:\windows\SysWOW64\UUBMO.exe
C:\windows\system32\UUBMO.exe
73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RULOAG.exe.bat" "
74⤵
PID:1604

C:\windows\RULOAG.exe
C:\windows\RULOAG.exe
75⤵
- Executes dropped EXE
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YNAW.exe.bat" "
76⤵
PID:3896

C:\windows\system\YNAW.exe
C:\windows\system\YNAW.exe
77⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYDMST.exe.bat" "
78⤵
PID:3008

C:\windows\SysWOW64\XYDMST.exe
C:\windows\system32\XYDMST.exe
79⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DTO.exe.bat" "
80⤵
PID:3568

C:\windows\DTO.exe
C:\windows\DTO.exe
81⤵
- Checks computer location settings
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AJOXXIX.exe.bat" "
82⤵
PID:2072

C:\windows\AJOXXIX.exe
C:\windows\AJOXXIX.exe
83⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCR.exe.bat" "
84⤵
PID:5052

C:\windows\SysWOW64\LCR.exe
C:\windows\system32\LCR.exe
85⤵
- Checks computer location settings
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCGKKF.exe.bat" "
86⤵
PID:2988

C:\windows\system\QCGKKF.exe
C:\windows\system\QCGKKF.exe
87⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SAHMRCE.exe.bat" "
88⤵
PID:4616

C:\windows\SysWOW64\SAHMRCE.exe
C:\windows\system32\SAHMRCE.exe
89⤵
- Checks computer location settings
- Executes dropped EXE
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BYTNCYN.exe.bat" "
90⤵
PID:4812

C:\windows\system\BYTNCYN.exe
C:\windows\system\BYTNCYN.exe
91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DOHIJGW.exe.bat" "
92⤵
PID:1776

C:\windows\SysWOW64\DOHIJGW.exe
C:\windows\system32\DOHIJGW.exe
93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMURZNL.exe.bat" "
94⤵
PID:4628

C:\windows\system\AMURZNL.exe
C:\windows\system\AMURZNL.exe
95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUPGPTZ.exe.bat" "
96⤵
PID:1484

C:\windows\system\DUPGPTZ.exe
C:\windows\system\DUPGPTZ.exe
97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "
98⤵
PID:3012

C:\windows\EXTK.exe
C:\windows\EXTK.exe
99⤵
- Checks computer location settings
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNBTX.exe.bat" "
100⤵
PID:1508

C:\windows\SysWOW64\FNBTX.exe
C:\windows\system32\FNBTX.exe
101⤵
- Executes dropped EXE
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSLINW.exe.bat" "
102⤵
PID:4064

C:\windows\system\BSLINW.exe
C:\windows\system\BSLINW.exe
103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JGYPY.exe.bat" "
104⤵
PID:1808

C:\windows\system\JGYPY.exe
C:\windows\system\JGYPY.exe
105⤵
- Executes dropped EXE
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEZ.exe.bat" "
106⤵
PID:3972

C:\windows\SysWOW64\EEZ.exe
C:\windows\system32\EEZ.exe
107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GCE.exe.bat" "
108⤵
PID:4460

C:\windows\GCE.exe
C:\windows\GCE.exe
109⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HPQSJ.exe.bat" "
110⤵
PID:2496

C:\windows\HPQSJ.exe
C:\windows\HPQSJ.exe
111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVWPQTS.exe.bat" "
112⤵
PID:4132

C:\windows\SysWOW64\WVWPQTS.exe
C:\windows\system32\WVWPQTS.exe
113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDRWGGO.exe.bat" "
114⤵
PID:3512

C:\windows\SysWOW64\HDRWGGO.exe
C:\windows\system32\HDRWGGO.exe
115⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLT.exe.bat" "
116⤵
PID:4948

C:\windows\system\QLT.exe
C:\windows\system\QLT.exe
117⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AECIN.exe.bat" "
118⤵
PID:2532

C:\windows\system\AECIN.exe
C:\windows\system\AECIN.exe
119⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GPGX.exe.bat" "
120⤵
PID:2452

C:\windows\system\GPGX.exe
C:\windows\system\GPGX.exe
121⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PXALNZF.exe.bat" "
122⤵
PID:4796

C:\windows\PXALNZF.exe
C:\windows\PXALNZF.exe
123⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDZJ.exe.bat" "
124⤵
PID:3664

C:\windows\SysWOW64\FDZJ.exe
C:\windows\system32\FDZJ.exe
125⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AYETJI.exe.bat" "
126⤵
PID:892

C:\windows\SysWOW64\AYETJI.exe
C:\windows\system32\AYETJI.exe
127⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQSNW.exe.bat" "
128⤵
PID:5096

C:\windows\SysWOW64\FQSNW.exe
C:\windows\system32\FQSNW.exe
129⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTWRJWT.exe.bat" "
130⤵
PID:224

C:\windows\SysWOW64\XTWRJWT.exe
C:\windows\system32\XTWRJWT.exe
131⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RHD.exe.bat" "
132⤵
PID:3896

C:\windows\RHD.exe
C:\windows\RHD.exe
133⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BFJJW.exe.bat" "
134⤵
PID:2280

C:\windows\system\BFJJW.exe
C:\windows\system\BFJJW.exe
135⤵
- Drops file in System32 directory
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKVQG.exe.bat" "
136⤵
PID:4896

C:\windows\SysWOW64\JKVQG.exe
C:\windows\system32\JKVQG.exe
137⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JNM.exe.bat" "
138⤵
PID:2672

C:\windows\system\JNM.exe
C:\windows\system\JNM.exe
139⤵
- Drops file in System32 directory
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LLRGC.exe.bat" "
140⤵
PID:3860

C:\windows\SysWOW64\LLRGC.exe
C:\windows\system32\LLRGC.exe
141⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HRZS.exe.bat" "
142⤵
PID:3512

C:\windows\HRZS.exe
C:\windows\HRZS.exe
143⤵
- Drops file in Windows directory
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BEITY.exe.bat" "
144⤵
PID:5040

C:\windows\BEITY.exe
C:\windows\BEITY.exe
145⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\APT.exe.bat" "
146⤵
PID:3936

C:\windows\APT.exe
C:\windows\APT.exe
147⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OKF.exe.bat" "
148⤵
PID:1776

C:\windows\OKF.exe
C:\windows\OKF.exe
149⤵
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVN.exe.bat" "
150⤵
PID:4896

C:\windows\SysWOW64\BVN.exe
C:\windows\system32\BVN.exe
151⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAA.exe.bat" "
152⤵
PID:4864

C:\windows\system\KAA.exe
C:\windows\system\KAA.exe
153⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBCKPBA.exe.bat" "
154⤵
PID:4684

C:\windows\system\GBCKPBA.exe
C:\windows\system\GBCKPBA.exe
155⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOOZZA.exe.bat" "
156⤵
PID:2408

C:\windows\system\OOOZZA.exe
C:\windows\system\OOOZZA.exe
157⤵
- Drops file in System32 directory
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUTFKY.exe.bat" "
158⤵
PID:5056

C:\windows\SysWOW64\WUTFKY.exe
C:\windows\system32\WUTFKY.exe
159⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUPA.exe.bat" "
160⤵
PID:4496

C:\windows\SysWOW64\BUPA.exe
C:\windows\system32\BUPA.exe
161⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YANXEX.exe.bat" "
162⤵
PID:5104

C:\windows\system\YANXEX.exe
C:\windows\system\YANXEX.exe
163⤵
- Drops file in Windows directory
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFAEP.exe.bat" "
164⤵
PID:4008

C:\windows\system\GFAEP.exe
C:\windows\system\GFAEP.exe
165⤵
- Drops file in System32 directory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "
166⤵
PID:1472

C:\windows\SysWOW64\ALB.exe
C:\windows\system32\ALB.exe
167⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LEWHM.exe.bat" "
168⤵
PID:4544

C:\windows\LEWHM.exe
C:\windows\LEWHM.exe
169⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FRPF.exe.bat" "
170⤵
PID:5040

C:\windows\FRPF.exe
C:\windows\FRPF.exe
171⤵
- Drops file in System32 directory
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKWQJSN.exe.bat" "
172⤵
PID:4240

C:\windows\SysWOW64\YKWQJSN.exe
C:\windows\system32\YKWQJSN.exe
173⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "
174⤵
PID:2036

C:\windows\SysWOW64\MIECLV.exe
C:\windows\system32\MIECLV.exe
175⤵
- Drops file in Windows directory
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZSNAAG.exe.bat" "
176⤵
PID:3020

C:\windows\ZSNAAG.exe
C:\windows\ZSNAAG.exe
177⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDXOJTN.exe.bat" "
178⤵
PID:2212

C:\windows\SysWOW64\LDXOJTN.exe
C:\windows\system32\LDXOJTN.exe
179⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWHQMPW.exe.bat" "
180⤵
PID:1084

C:\windows\system\IWHQMPW.exe
C:\windows\system\IWHQMPW.exe
181⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CJM.exe.bat" "
182⤵
PID:5080

C:\windows\SysWOW64\CJM.exe
C:\windows\system32\CJM.exe
183⤵
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AHMJOPB.exe.bat" "
184⤵
PID:2356

C:\windows\SysWOW64\AHMJOPB.exe
C:\windows\system32\AHMJOPB.exe
185⤵
- Checks computer location settings
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WNKG.exe.bat" "
186⤵
PID:3620

C:\windows\WNKG.exe
C:\windows\WNKG.exe
187⤵
- Checks computer location settings
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OIQRD.exe.bat" "
188⤵
PID:3200

C:\windows\OIQRD.exe
C:\windows\OIQRD.exe
189⤵
- Drops file in Windows directory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HBFCM.exe.bat" "
190⤵
PID:2032

C:\windows\HBFCM.exe
C:\windows\HBFCM.exe
191⤵
- Drops file in Windows directory
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\STN.exe.bat" "
192⤵
PID:1776

C:\windows\system\STN.exe
C:\windows\system\STN.exe
193⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XUWX.exe.bat" "
194⤵
PID:2320

C:\windows\XUWX.exe
C:\windows\XUWX.exe
195⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUY.exe.bat" "
196⤵
PID:4612

C:\windows\SysWOW64\UUY.exe
C:\windows\system32\UUY.exe
197⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAXYFDQ.exe.bat" "
198⤵
PID:4044

C:\windows\system\CAXYFDQ.exe
C:\windows\system\CAXYFDQ.exe
199⤵
- Checks computer location settings
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFV.exe.bat" "
200⤵
PID:3336

C:\windows\SysWOW64\ZFV.exe
C:\windows\system32\ZFV.exe
201⤵
- Drops file in Windows directory
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NAH.exe.bat" "
202⤵
PID:5044

C:\windows\NAH.exe
C:\windows\NAH.exe
203⤵
- Drops file in Windows directory
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TWS.exe.bat" "
204⤵
PID:4172

C:\windows\TWS.exe
C:\windows\TWS.exe
205⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MOI.exe.bat" "
206⤵
PID:4328

C:\windows\MOI.exe
C:\windows\MOI.exe
207⤵
- Checks computer location settings
- Drops file in Windows directory
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SJLBD.exe.bat" "
208⤵
PID:5076

C:\windows\SJLBD.exe
C:\windows\SJLBD.exe
209⤵
- Checks computer location settings
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAMSKB.exe.bat" "
210⤵
PID:1696

C:\windows\SysWOW64\IAMSKB.exe
C:\windows\system32\IAMSKB.exe
211⤵
- Drops file in System32 directory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDX.exe.bat" "
212⤵
PID:4064

C:\windows\SysWOW64\MDX.exe
C:\windows\system32\MDX.exe
213⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UQJMVMU.exe.bat" "
214⤵
PID:3420

C:\windows\system\UQJMVMU.exe
C:\windows\system\UQJMVMU.exe
215⤵
- Drops file in Windows directory
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WDB.exe.bat" "
216⤵
PID:2012

C:\windows\WDB.exe
C:\windows\WDB.exe
217⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HWKVT.exe.bat" "
218⤵
PID:4668

C:\windows\SysWOW64\HWKVT.exe
C:\windows\system32\HWKVT.exe
219⤵
- Drops file in Windows directory
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FHNL.exe.bat" "
220⤵
PID:4636

C:\windows\FHNL.exe
C:\windows\FHNL.exe
221⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXIA.exe.bat" "
222⤵
PID:5068

C:\windows\SysWOW64\QXIA.exe
C:\windows\system32\QXIA.exe
223⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QIRT.exe.bat" "
224⤵
PID:3808

C:\windows\SysWOW64\QIRT.exe
C:\windows\system32\QIRT.exe
225⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LNDXRDB.exe.bat" "
226⤵
PID:4944

C:\windows\system\LNDXRDB.exe
C:\windows\system\LNDXRDB.exe
227⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IONIVZ.exe.bat" "
228⤵
PID:1496

C:\windows\SysWOW64\IONIVZ.exe
C:\windows\system32\IONIVZ.exe
229⤵
- Checks computer location settings
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJRBAVS.exe.bat" "
230⤵
PID:4556

C:\windows\SysWOW64\OJRBAVS.exe
C:\windows\system32\OJRBAVS.exe
231⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEIFT.exe.bat" "
232⤵
PID:4740

C:\windows\SysWOW64\DEIFT.exe
C:\windows\system32\DEIFT.exe
233⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OXSNYLQ.exe.bat" "
234⤵
PID:4624

C:\windows\OXSNYLQ.exe
C:\windows\OXSNYLQ.exe
235⤵
- Drops file in System32 directory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFYN.exe.bat" "
236⤵
PID:2812

C:\windows\SysWOW64\ZFYN.exe
C:\windows\system32\ZFYN.exe
237⤵
- Drops file in Windows directory
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EQJATI.exe.bat" "
238⤵
PID:1780

C:\windows\EQJATI.exe
C:\windows\EQJATI.exe
239⤵
- Checks computer location settings
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBMQC.exe.bat" "
240⤵
PID:2716

C:\windows\SysWOW64\CBMQC.exe
C:\windows\system32\CBMQC.exe
241⤵
- Checks computer location settings
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDC.exe.bat" "
242⤵
PID:4744

C:\windows\SysWOW64\YDC.exe
C:\windows\system32\YDC.exe
243⤵
- Drops file in Windows directory
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EZGHW.exe.bat" "
244⤵
PID:4500

C:\windows\system\EZGHW.exe
C:\windows\system\EZGHW.exe
245⤵
- Checks computer location settings
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CSRX.exe.bat" "
246⤵
PID:2680

C:\windows\CSRX.exe
C:\windows\CSRX.exe
247⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GAXXQT.exe.bat" "
248⤵
PID:4636

C:\windows\GAXXQT.exe
C:\windows\GAXXQT.exe
249⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXDS.exe.bat" "
250⤵
PID:788

C:\windows\SysWOW64\QXDS.exe
C:\windows\system32\QXDS.exe
251⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAOFHG.exe.bat" "
252⤵
PID:4956

C:\windows\SysWOW64\UAOFHG.exe
C:\windows\system32\UAOFHG.exe
253⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EYBZO.exe.bat" "
254⤵
PID:4964

C:\windows\system\EYBZO.exe
C:\windows\system\EYBZO.exe
255⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZJ.exe.bat" "
256⤵
PID:4328

C:\windows\SysWOW64\YZJ.exe
C:\windows\system32\YZJ.exe
257⤵
- Drops file in System32 directory
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPQTIA.exe.bat" "
258⤵
PID:2208

C:\windows\SysWOW64\ZPQTIA.exe
C:\windows\system32\ZPQTIA.exe
259⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DABHRE.exe.bat" "
260⤵
PID:4696

C:\windows\system\DABHRE.exe
C:\windows\system\DABHRE.exe
261⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PIIHDX.exe.bat" "
262⤵
PID:2956

C:\windows\SysWOW64\PIIHDX.exe
C:\windows\system32\PIIHDX.exe
263⤵
- Drops file in Windows directory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TIEJ.exe.bat" "
264⤵
PID:3696

C:\windows\system\TIEJ.exe
C:\windows\system\TIEJ.exe
265⤵
- Drops file in Windows directory
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOC.exe.bat" "
266⤵
PID:3592

C:\windows\system\IOC.exe
C:\windows\system\IOC.exe
267⤵
- Drops file in Windows directory
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\URMLG.exe.bat" "
268⤵
PID:1128

C:\windows\URMLG.exe
C:\windows\URMLG.exe
269⤵
- Checks computer location settings
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OEGKV.exe.bat" "
270⤵
PID:2372

C:\windows\OEGKV.exe
C:\windows\OEGKV.exe
271⤵
- Drops file in System32 directory
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZXJCDD.exe.bat" "
272⤵
PID:4392

C:\windows\SysWOW64\ZXJCDD.exe
C:\windows\system32\ZXJCDD.exe
273⤵
- Drops file in Windows directory
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IVVDOH.exe.bat" "
274⤵
PID:2872

C:\windows\system\IVVDOH.exe
C:\windows\system\IVVDOH.exe
275⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFLU.exe.bat" "
276⤵
PID:3020

C:\windows\SysWOW64\VFLU.exe
C:\windows\system32\VFLU.exe
277⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AGN.exe.bat" "
278⤵
PID:4344

C:\windows\system\AGN.exe
C:\windows\system\AGN.exe
279⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBRAMEB.exe.bat" "
280⤵
PID:4636

C:\windows\system\SBRAMEB.exe
C:\windows\system\SBRAMEB.exe
281⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FBAV.exe.bat" "
282⤵
PID:3592

C:\windows\FBAV.exe
C:\windows\FBAV.exe
283⤵
- Checks computer location settings
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PKCAL.exe.bat" "
284⤵
PID:2128

C:\windows\PKCAL.exe
C:\windows\PKCAL.exe
285⤵
- Drops file in Windows directory
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RSCXSF.exe.bat" "
286⤵
PID:1148

C:\windows\system\RSCXSF.exe
C:\windows\system\RSCXSF.exe
287⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FDTN.exe.bat" "
288⤵
PID:452

C:\windows\system\FDTN.exe
C:\windows\system\FDTN.exe
289⤵
- Drops file in Windows directory
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UTGFWWM.exe.bat" "
290⤵
PID:4604

C:\windows\UTGFWWM.exe
C:\windows\UTGFWWM.exe
291⤵
- Checks computer location settings
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XGL.exe.bat" "
292⤵
PID:720

C:\windows\XGL.exe
C:\windows\XGL.exe
293⤵
- Checks computer location settings
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FUQ.exe.bat" "
294⤵
PID:4460

C:\windows\SysWOW64\FUQ.exe
C:\windows\system32\FUQ.exe
295⤵
- Drops file in System32 directory
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEBLS.exe.bat" "
296⤵
PID:548

C:\windows\SysWOW64\VEBLS.exe
C:\windows\system32\VEBLS.exe
297⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BFIZBDU.exe.bat" "
298⤵
PID:2952

C:\windows\system\BFIZBDU.exe
C:\windows\system\BFIZBDU.exe
299⤵
- Drops file in Windows directory
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSH.exe.bat" "
300⤵
PID:4088

C:\windows\system\VSH.exe
C:\windows\system\VSH.exe
301⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IVYVUP.exe.bat" "
302⤵
PID:4976

C:\windows\SysWOW64\IVYVUP.exe
C:\windows\system32\IVYVUP.exe
303⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DBK.exe.bat" "
304⤵
PID:532

C:\windows\DBK.exe
C:\windows\DBK.exe
305⤵
- Checks computer location settings
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMGG.exe.bat" "
306⤵
PID:3200

C:\windows\system\RMGG.exe
C:\windows\system\RMGG.exe
307⤵
- Checks computer location settings
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXXC.exe.bat" "
308⤵
PID:1640

C:\windows\system\OXXC.exe
C:\windows\system\OXXC.exe
309⤵
- Drops file in System32 directory
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKCMHF.exe.bat" "
310⤵
PID:2656

C:\windows\SysWOW64\JKCMHF.exe
C:\windows\system32\JKCMHF.exe
311⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EXTVTQ.exe.bat" "
312⤵
PID:1800

C:\windows\SysWOW64\EXTVTQ.exe
C:\windows\system32\EXTVTQ.exe
313⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IYVYWU.exe.bat" "
314⤵
PID:1936

C:\windows\SysWOW64\IYVYWU.exe
C:\windows\system32\IYVYWU.exe
315⤵
- Drops file in Windows directory
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KVJSM.exe.bat" "
316⤵
PID:4948

C:\windows\KVJSM.exe
C:\windows\KVJSM.exe
317⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JGMIUJP.exe.bat" "
318⤵
PID:4664

C:\windows\SysWOW64\JGMIUJP.exe
C:\windows\system32\JGMIUJP.exe
319⤵
- Drops file in System32 directory
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NWSIZB.exe.bat" "
320⤵
PID:64

C:\windows\SysWOW64\NWSIZB.exe
C:\windows\system32\NWSIZB.exe
321⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPITQ.exe.bat" "
322⤵
PID:3420

C:\windows\SysWOW64\GPITQ.exe
C:\windows\system32\GPITQ.exe
323⤵
- Checks computer location settings
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMNN.exe.bat" "
324⤵
PID:2992

C:\windows\system\QMNN.exe
C:\windows\system\QMNN.exe
325⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NFX.exe.bat" "
326⤵
PID:2660

C:\windows\SysWOW64\NFX.exe
C:\windows\system32\NFX.exe
327⤵
- Drops file in Windows directory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GIBTPEM.exe.bat" "
328⤵
PID:1616

C:\windows\system\GIBTPEM.exe
C:\windows\system\GIBTPEM.exe
329⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYIT.exe.bat" "
330⤵
PID:4044

C:\windows\system\RYIT.exe
C:\windows\system\RYIT.exe
331⤵
- Checks computer location settings
- Drops file in Windows directory
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SOPCDZ.exe.bat" "
332⤵
PID:2904

C:\windows\system\SOPCDZ.exe
C:\windows\system\SOPCDZ.exe
333⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BBAUTV.exe.bat" "
334⤵
PID:3692

C:\windows\BBAUTV.exe
C:\windows\BBAUTV.exe
335⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKCZX.exe.bat" "
336⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1008
336⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1324
334⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 1336
332⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960
330⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 976
328⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1328
326⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1336
324⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 964
322⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 964
320⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1328
318⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 980
316⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1296
314⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1296
312⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1004
310⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1336
308⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 960
306⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1324
304⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 964
302⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 988
300⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 988
298⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 960
296⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 988
294⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1216
292⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 976
290⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 960
288⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 988
286⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1292
284⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 960
282⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 988
280⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 960
278⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 960
276⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1004
274⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1328
272⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1324
270⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1324
268⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1336
266⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 988
264⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 960
262⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 988
260⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 988
258⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1300
256⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1336
254⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 960
252⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 960
250⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1296
248⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1324
246⤵
PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1248
244⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 960
242⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1296
240⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1324
238⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1328
236⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1324
234⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1256
232⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1176
230⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1300
228⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1336
226⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1328
224⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 976
222⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1320
220⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1304
218⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1296
216⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1316
214⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 960
212⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 960
210⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1324
208⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1324
206⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1324
204⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 976
202⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1328
200⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 960
198⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1300
196⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1324
194⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1008
192⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1324
190⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 960
188⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1304
186⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 960
184⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 988
182⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1316
180⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1328
178⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1236
176⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 960
174⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 960
172⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 960
170⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1324
168⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 960
166⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 960
164⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1304
162⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1296
160⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 960
158⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 872
156⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 988
154⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1308
152⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1264
150⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 996
148⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1324
146⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1304
144⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 960
142⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1328
140⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 988
138⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 964
136⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 976
134⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1324
132⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1320
130⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 960
128⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1328
126⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1308
124⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1324
122⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1304
120⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1240
118⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1336
116⤵
- Program crash
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1292
114⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1304
112⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1324
110⤵
- Program crash
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 1324
108⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 964
106⤵
- Program crash
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1248
104⤵
- Program crash
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1324
102⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1272
100⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1004
98⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 988
96⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 960
94⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1256
92⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 960
90⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1328
88⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 960
86⤵
- Program crash
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 960
84⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1324
82⤵
- Program crash
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1324
80⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1308
78⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1308
76⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1324
74⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1308
72⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 988
70⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 960
68⤵
- Program crash
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1268
66⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 960
64⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 964
62⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1324
60⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 960
58⤵
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 1328
56⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 988
54⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 960
52⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 960
50⤵
- Program crash
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1336
48⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1324
46⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1304
44⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1004
42⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1300
40⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 960
38⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 960
36⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 960
34⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1324
32⤵
- Program crash
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 960
30⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1000
28⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1336
26⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 960
24⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 876
22⤵
- Program crash
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1304
20⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1256
18⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1328
16⤵
- Program crash
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 976
14⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1260
12⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 960
10⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1260
8⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1308
6⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1336
4⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 976
2⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2004 -ip 2004
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2692 -ip 2692
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4240 -ip 4240
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2668 -ip 2668
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3000 -ip 3000
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3616 -ip 3616
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4892 -ip 4892
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3432 -ip 3432
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4640 -ip 4640
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4064 -ip 4064
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 980 -ip 980
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3628 -ip 3628
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5088 -ip 5088
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4656 -ip 4656
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 720 -ip 720
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2556 -ip 2556
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4352 -ip 4352
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2876 -ip 2876
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2656 -ip 2656
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3500 -ip 3500
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3384 -ip 3384
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4912 -ip 4912
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4008 -ip 4008
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4876 -ip 4876
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2740 -ip 2740
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4472 -ip 4472
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 616 -ip 616
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1428 -ip 1428
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3664 -ip 3664
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2288 -ip 2288
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1892 -ip 1892
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4640 -ip 4640
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4580 -ip 4580
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 844 -ip 844
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1908 -ip 1908
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 812 -ip 812
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4064 -ip 4064
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3284 -ip 3284
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2356 -ip 2356
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1608 -ip 1608
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5040 -ip 5040
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2052 -ip 2052
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4304 -ip 4304
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4152 -ip 4152
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4108 -ip 4108
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3616 -ip 3616
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1428 -ip 1428
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4740 -ip 4740
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4696 -ip 4696
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1668 -ip 1668
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4304 -ip 4304
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1476 -ip 1476
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 616 -ip 616
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2356 -ip 2356
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4208 -ip 4208
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4976 -ip 4976
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3896 -ip 3896
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 548 -ip 548
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4304 -ip 4304
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1544 -ip 1544
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 912 -ip 912
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4424 -ip 4424
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1564 -ip 1564
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4764 -ip 4764
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1540 -ip 1540
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4824 -ip 4824
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4152 -ip 4152
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4516 -ip 4516
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3788 -ip 3788
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1124 -ip 1124
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4072 -ip 4072
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2052 -ip 2052
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 548 -ip 548
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4688 -ip 4688
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1544 -ip 1544
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5044 -ip 5044
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3012 -ip 3012
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 412 -ip 412
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4364 -ip 4364
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1088 -ip 1088
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 756 -ip 756
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4932 -ip 4932
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1464 -ip 1464
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2672 -ip 2672
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 728 -ip 728
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3240 -ip 3240
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 232 -ip 232
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1896 -ip 1896
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2656 -ip 2656
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5060 -ip 5060
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2128 -ip 2128
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3744 -ip 3744
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5064 -ip 5064
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4068 -ip 4068
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2876 -ip 2876
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1600 -ip 1600
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1000 -ip 1000
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4252 -ip 4252
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1676 -ip 1676
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1428 -ip 1428
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2468 -ip 2468
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4984 -ip 4984
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 844 -ip 844
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2524 -ip 2524
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3016 -ip 3016
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2284 -ip 2284
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3972 -ip 3972
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2904 -ip 2904
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1676 -ip 1676
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4640 -ip 4640
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1448 -ip 1448
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5004 -ip 5004
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1320 -ip 1320
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2332 -ip 2332
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1660 -ip 1660
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3008 -ip 3008
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 4476
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4536 -ip 4536
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1272 -ip 1272
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3428 -ip 3428
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3912 -ip 3912
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4932 -ip 4932
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4788 -ip 4788
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1148 -ip 1148
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4544 -ip 4544
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3644 -ip 3644
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2960 -ip 2960
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4812 -ip 4812
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4608 -ip 4608
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2836 -ip 2836
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2532 -ip 2532
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3460 -ip 3460
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5044 -ip 5044
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2904 -ip 2904
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 940 -ip 940
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 668 -ip 668
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2960 -ip 2960
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4380 -ip 4380
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5060 -ip 5060
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3696 -ip 3696
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3664 -ip 3664
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1540 -ip 1540
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3908 -ip 3908
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2464 -ip 2464
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5004 -ip 5004
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3364 -ip 3364
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2388 -ip 2388
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 604 -ip 604
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3972 -ip 3972
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3284 -ip 3284
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3512 -ip 3512
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2924 -ip 2924
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4068 -ip 4068
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3400 -ip 3400
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4868 -ip 4868
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 508 -ip 508
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2956 -ip 2956
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3008 -ip 3008
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 532 -ip 532
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2716 -ip 2716
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1496 -ip 1496
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4932 -ip 4932
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1504 -ip 1504
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4268 -ip 4268
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 504 -ip 504
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5104 -ip 5104
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 408 -ip 408
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CHJURW.exe
Filesize
282KB

MD5
dbea91229a7e54d5fd7d8149eca7112c

SHA1
a2ab6d2142373f882ff7adbfbf63be57909c2c85

SHA256
434cd4937bd054cc696d23a5f29095006b008075441b5b178b5209eb307c6339

SHA512
b65bbfd1db9bd9570c1df2c24083e4ba420ca9c860b4b527bba26875b94df88319db8d792d28dd91973fd7a317b4bef6d24e4a503755ae7fb2009e9fa0340ff5

Download Submit
C:\Windows\SysWOW64\PRAPBG.exe
Filesize
282KB

MD5
5125a2ce8601741d6962f932711300d4

SHA1
78658d0e353688a2d43b3805a1f3e2d7820633a5

SHA256
339326e4408e6452175b10e35e1f551c0faa2dd7e93cd712399e3c7c5fe4d241

SHA512
770234a4b2f75f07854a226b909e24a0b67b2331cdff1a7c770f1645438a71c48d7edb544725535757084b2ce8865d7bd785eb15d4cac034453ce7eff9e9cc85

Download Submit
C:\Windows\SysWOW64\QKDCZ.exe
Filesize
282KB

MD5
b3676bc15d701a4c05d5f5ed9c692e7a

SHA1
939aae7ca6e7bf24dfc85551179ed4d608933596

SHA256
725f3295ba83e48ca200feac93c26bd8cd45d8bbf85c8acda2239f0b477b698b

SHA512
9f48fd634385de778e1ad4a4aa734f74d4ee9fe478299c52bca53cebe5f1db61d7cb742146d27e09d85b896bca4830af34562bf3915cfba25ba432e404dfabeb

Download Submit
C:\Windows\System\DVCAT.exe
Filesize
282KB

MD5
730291471734d00b71f40e6e3f6706ae

SHA1
07d8cf0f48442cf24357eabc38cc5edb92734b85

SHA256
13ce3c08893467962948750c3b61675499e9b0d25f9a536283a2bb06fd861af3

SHA512
0a300af25a5b844560699a310d4bf58ee3ec03a194e7682782b311205e5b7b63b34d1c05c0ca7e462a598531da8b492b9c8612e920a40140d5b9bddd4636fc37

Download Submit
C:\Windows\System\FNUGKLV.exe
Filesize
282KB

MD5
a3fc5765868b901c1ef9cae8f884948a

SHA1
1831d4b3410bf4f914f42ae93c427e7b161de805

SHA256
bf7562aacf7ef12395c45c97fb050c367cb8f89c2646955898018cc73a042392

SHA512
e17488f51f92a270f66b0935ee5fc90059e4b1fa7f0701e472e96cd6c668f195e30564f82bdca5fb6e93e2e6ea518a2f1da54e4edd23f225ebefbd6eb9ecd27d

Download Submit
C:\Windows\System\UKB.exe
Filesize
282KB

MD5
53d0b99b2ad6ac96f539236b616985f0

SHA1
2916fddf4eda185f9aa30d2746614a38edb1f774

SHA256
8907291c8f9db4cac8d824b484736f21c32afda3d2c4013b910e7d1755414be7

SHA512
19e18dd7712eb3fb710faf23846296f5947a523c96af2356aafaa6ced07c0bc08fae693ddf86ae72c599bbeac6f8b278039c2c321c11542e18164c27de865434

Download Submit
C:\Windows\System\YUUXDJU.exe
Filesize
282KB

MD5
2247eaaf0e7d9ae262cd2f2a05f4d77b

SHA1
8596d083fcc4af5afb6627e652a2f5a7586e578c

SHA256
1fcec84b2dd586cc46587de61170f1b9dd3062e9a7d3633b129f0a7df2da8a41

SHA512
16a90d5a218c2eea324f50aedda00b7793a5b2eef2f3b82de312c767760c4eb454bc57767437e691480857841172b6828327eb505e67bc173e3990e1db5a6149

Download Submit
C:\Windows\WWA.exe
Filesize
282KB

MD5
0ebe6216d000f9351488d5e4a939a9be

SHA1
b9ac50137b952a261ac1e748e35e7ec760b0af5f

SHA256
aa1a7303be5a39b84d0afe6f02edf2d4075ba956c5683cf411b55e29c5001910

SHA512
57c84ca5db3587ce950fe058127c299fde7b743855d88168247fd9400f95e4047e2913e437e39861546093b44b5f1bbfd2098498bf67c1b4897b0c20a0f454e1

Download Submit
C:\Windows\YEKPS.exe
Filesize
282KB

MD5
a498069f98cf5727c82394b44630450c

SHA1
f64114e68c7cc897ef8e93d436a7108546824608

SHA256
91201bd892d83a436ac1082084be5cafc1b0318964e94ea25fa5c65d8e794306

SHA512
01e3c377c61071bd9139e8db0b652c85420eba3b6274c934863c23946e877ede79556fce80032a11c516b497d287994905e641aad4f725a5a4368f539e53c9c1

Download Submit
C:\Windows\ZQQM.exe
Filesize
282KB

MD5
82e469dffbb292d262f3dead3a4ad41b

SHA1
f05ffdc45aa82b10041d78e3e8f0855f2a862e27

SHA256
154f5c044d1803c226a173a6603ef0d77a3155c9bd25521dbb01d7993c21a9dd

SHA512
5fef0351b89633dcb58717b1e241e44532328e688c2bf54242329bda58a49e48a0a38d3042a1fabe0bf1f81cdceea97c4698ca413468622aa3a3f1f1b0a774d3

Download Submit
C:\windows\CHJURW.exe.bat
Filesize
58B

MD5
ad36300e3027238385c707e8cc2e7580

SHA1
646035fd0d1b4ed6fd53c4460ed5ee743f903972

SHA256
0d47cee9dd87c4c30c374d3709ed090633d625bddf8e794d8686d3d564236084

SHA512
518e2f1a9e5c415e92a044e2f2ddc093dcbe3ab621421a784ab18401460e47471caa1966147866d2714175be6104334d906c0765bc0a43e17fb65747a3181fdf

Download Submit
C:\windows\DVEZPN.exe
Filesize
282KB

MD5
70f64335d66ba43ceb353ed33d29058e

SHA1
a0790365cf6fc2612d6d859488277c0f3b0e0573

SHA256
00eff18a74438de1334fd6acb20854f15950c21b22eb7fcad4d118ef5f3bcd28

SHA512
0f80672c83770903286f3d82bcaca19da4ff35c9cbc9d6a2d4febbd324cb11975214743c8b5d13bb5bd483e50a2879c9b89066c58c9ad3e621a1dd72a441ee81

Download Submit
C:\windows\DVEZPN.exe.bat
Filesize
58B

MD5
90cbc4001fc11bd659ae204c8e98daf4

SHA1
735bcaf1100768736d4fb65bc7ca81a5c545bdfe

SHA256
e4bc5062b1b08cf2abe078b6992c7b61dc2629bfceb6169f8bfe4f7970fae808

SHA512
2f567028a216d58c340431ab68d8ed8ae2af20021058c57d3cb67e50410782ad3cbe947533323f0cacbee7ff43741362ff5f2b84e740eba160fd46ff71ccedbb

Download Submit
C:\windows\FZUR.exe.bat
Filesize
54B

MD5
0f13de5457dcac8f81abc0a2224d23b6

SHA1
5ae074d06cc4339aaec5138fd7b1b94ee7cdd75a

SHA256
6a99230c63eeb486d66b51679e607de76df5240d7ef18a9d8ab03dfdc4b3ce57

SHA512
122c1e8be17f7906bf3ec22a1a246bfe56e8a7e4012072356881b6ff515dd1f139ea83966f16b38c6f8a0abe361612f25b7a4529fba817365d2ee2f746889dea

Download Submit
C:\windows\SLRR.exe
Filesize
282KB

MD5
07370a0ccfb3bc5f8d9b907576eb6bce

SHA1
6a528858c04d3a082b1ce11ce39bfb544cdcb11d

SHA256
6ed5ba73b9eb6516012612e91de6c8a5759483ba6f0e1ecb9fde2740a0d1d152

SHA512
7fe58fc93d44df6b51592fac75a80d3894b4aea39de4bdca747b7b0992ef9ec1f1592fda4fdc5556b3f45759e57258cb9f82905e5f5a1fae89921a0b05b5a6b0

Download Submit
C:\windows\SLRR.exe.bat
Filesize
54B

MD5
93e0f770c74222254b712267f650d774

SHA1
2ffc700cce9b90419f91390fbca8262cbc9bdfe6

SHA256
c63e285e91493cc1e259b347f653f30273059916a71695856cca3545913460ac

SHA512
df6175c94b20e418f21f81bcd98b032fbd27ee09f0b29b51fa47b273f235bc0968e074909e7e3816c51c373829b01030fed5c1afd1bae5011996f6922ff03545

Download Submit
C:\windows\SysWOW64\AFIU.exe
Filesize
282KB

MD5
210b69d67d8fd80793a1dc5777860250

SHA1
587c733ddc31d2657234916b88fdce71a2ca7e7f

SHA256
239c9af8602f0e753f6305ae78b8db9d887945f75fd67d5090beb6ddb3819035

SHA512
df4f50ef1f123606a488feda87a12a0dd79247e3333648cd8effbb62d0929c47bc57ea1b59a3c80bddef757668908ee14ba3ecc2b13ba48291fee8d455d25f9e

Download Submit
C:\windows\SysWOW64\AFIU.exe.bat
Filesize
72B

MD5
a152a94ac798ba8f6a23387d83595816

SHA1
50952560a19236a19724218c8da28a4878d563cc

SHA256
e5995fd72760359987d02a4f5117db01d24ed33c3737f0b3271e4bba02cdab34

SHA512
9253686c4a7c6e027e44440ce478325f71982ffbf72d243da21a077288b5b29b1e783aa3a50e5b2a9ea0462a67d58beea4796c7cbf473a671dafb9b5b454f531

Download Submit
C:\windows\SysWOW64\BZCZL.exe
Filesize
282KB

MD5
dcbaabb69d4e0c701fad0b287c1f4a57

SHA1
28467bf412ef1f781da6d914c40c4aae58157964

SHA256
80639b7db81f2468f3a3be10bc43f21d2c203d67df213308b4211a9653d4c0d3

SHA512
d96fd1b6170114980cce9b36f2c5318f28b2ac4d4ba364e93aa8d27eac01c9deb04249dfa54cfabcead91ba3c52e6d4d623b7e7593dad2715c1ba50d24696d98

Download Submit
C:\windows\SysWOW64\BZCZL.exe.bat
Filesize
74B

MD5
66fb49fa24015b9fb73e41e3b93bc097

SHA1
5d787e82bd46cad4519fa29a532532a9a5d1e14b

SHA256
4e2d4cac04c712dd730867af8d13cba46e49558e187ca686c83cc62f9574dda3

SHA512
b063037f18f4237f7fd7dd8c22b6d34a5a1ff0d65be2ec7454642d3310d17f1f73c240b4352288fcce14fff0156be7e72a57d1886771cc1274f56b49b02ac9c1

Download Submit
C:\windows\SysWOW64\DKZQGFR.exe
Filesize
282KB

MD5
2fa1ef67b464f343bc330f184c7518b0

SHA1
20128edacba7c9c5461da74eabc28d1d79f2ee9d

SHA256
0ca8e0a774ad56355a07aadc9b07b37a716b16e8861b5e685dc630925e4715c0

SHA512
bf78f20bb44c4acb61bbb57623e7df2bc6ba5eb0691dead12a7031d3ce62c1408ac35afbb3ca1dd93138b4dc8b4d247be6ccf1dfd0ed84792cbfb29da578669c

Download Submit
C:\windows\SysWOW64\DKZQGFR.exe.bat
Filesize
78B

MD5
f20526a2c79a175a79e67d89add3e8f9

SHA1
d8d2319001fd23e6874bac17ad0b61b139154692

SHA256
6d9f7c01dfc40e6ac8f03b36fc3a1343937bbfb5d006e1836d8a48bbd3765f86

SHA512
53b60971675a889f240e7d2d75318e78ca5d9ad9f8af6a1330f9bf1d412897971233e650684bc0f8d6970bacb046ec073f2074f119343a463c722cf404835d7d

Download Submit
C:\windows\SysWOW64\NNFZXAD.exe
Filesize
282KB

MD5
81f780f3bb3c329cd3d6af8d5d579dc2

SHA1
99b6bad3b594fbfd6ae754425b150f586a1fdd67

SHA256
f38969df36b10a162badc803071547edca4f4de663043d204b1804d2c8e1b3da

SHA512
d080848c0f3306a9913f99dba4ea3518b66c2c7d2d4e96c9bc6dad1d66bb3877b6cbb794fe0367104a8a4b19139945f74064542ef4adcecf1e21ee5515d7cb1c

Download Submit
C:\windows\SysWOW64\NNFZXAD.exe.bat
Filesize
78B

MD5
9433fd7539bfc51fbc965e2d629fa60d

SHA1
97028f64a043f477dffdccd3b9f4a26007973e1f

SHA256
ff663e4b8273a03410218a30bf384858904fae6af19db763828d461f567d508f

SHA512
f58659e597d0237bc399b048877111638307f1d0e63a96d8e1d2a173935d6de0f6fc2eeb3eb1b43f8a3d874a80afefb08eff7961884b698606ec4b98449ebb03

Download Submit
C:\windows\SysWOW64\PRAPBG.exe.bat
Filesize
76B

MD5
50189f57aea095f483a2fb0a56e9e8f4

SHA1
f3d6a4212520579e0789003524bf1cc4ddb5253d

SHA256
65c7e0ac8d084b91e20bf1ebe4b657a6e254d2b4f940018b788c8925d531d704

SHA512
0b0862618d0ffbbd9286c9d91288c69f7194783a9b2c5a75f70fed260307383b4485a8f9daf5365defaaa34af18ce4073fe6ab6bd348bd48738faeef0241763d

Download Submit
C:\windows\SysWOW64\QKDCZ.exe.bat
Filesize
74B

MD5
27c86cba78ad7eeb737b3ede4bd7fed1

SHA1
0db78539951c895a22dce81c6abfd2d30e4f33c8

SHA256
4ae71daa584a5875598df9d76485c686b4d4dba6188e4f48b5a61aa8cb6a7eb6

SHA512
393d2acb280cedf5568d42018cbb232ac22dd9f146ce0195fa9faea47cf3b94fd2fd43c5a908e6008c13e19ea758075e12dec2d18939ae73e82d6aadebb24907

Download Submit
C:\windows\SysWOW64\XLM.exe
Filesize
282KB

MD5
8783712b41bc584836f1b57216a410b6

SHA1
d2829f9a149e53226afda11473169a170be7cc6f

SHA256
dc95373bfcf4730c044fe1ec046e97643b2105b08b5967f316021a736fbd39f9

SHA512
100b8e7cd64eb7ffe81ef153a2c540d6a50d490eb21e30ba43d6bafb51dcaa1b5afec72d49b9b76714518a121aa981c30a61f2797797c4afea856954bf4861d9

Download Submit
C:\windows\SysWOW64\XLM.exe.bat
Filesize
70B

MD5
b6b69603268facdd0c5e3a8196e33994

SHA1
99a6a346ef36de574e4beb63d9d586bcfd79206a

SHA256
91b1c761dbd37ad2d35c130891b6768306f7240ef6e637d54daa06eeded53358

SHA512
37ca8a4abf8c1482ca9a2499a9718da1effea01481f3a223e72314e51e219d688ef897feeb886044fe3bd4e54decfd0776ec44c2f4e806974aa10498f40be008

Download Submit
C:\windows\WWA.exe.bat
Filesize
52B

MD5
33cdf7189dc0d08cfd5672377d315ce2

SHA1
a22555d7aede883b18ba6b3d2dbce96e9fe5bf88

SHA256
8ab2183b9d1fb8fca08229cc7f42c723c655352de333f57859dedc93758d8ff6

SHA512
ad242be1097ccf08fe553774becaad69a36cc6f558b7c83f2978babcacf8a0a2c21ef2fc4f667000dcce8c883a456e61866490876cc8e7f71deb7242767e7e3c

Download Submit
C:\windows\YEKPS.exe.bat
Filesize
56B

MD5
bb1b0e22a6fc43382280db01bfd070fc

SHA1
9bbf47830b5031def381029463d74b6545fe827e

SHA256
1f4c40a74c95a8f4cf922bbbf0706fc1d1de1d876ebb65a9466246a5867fcf1a

SHA512
c4f33119eed68bfb47a98b8eafa23a34ff1814fd0fe754d307b6135d2c76ed8c1e01fded06b68518170c06df48398c80e092fc6b79061830cdd15aa19b79ec7d

Download Submit
C:\windows\ZEJQ.exe
Filesize
282KB

MD5
c5bf278f77d500834b1af2914b461885

SHA1
eaf4c36998d4d78f244267393ccb877e6062e3c1

SHA256
63d8dba50bc7d50729faff35db4fa09ee1993d065951f9402fbef5076de206bc

SHA512
189967601c3df843935304147c910ed5ac3d370d1675a6d8afc956de1213cc32ce39318c3af81ceb9c6db2d5abeb7b4b4be07b827c481aa173311f7540a83dc1

Download Submit
C:\windows\ZEJQ.exe.bat
Filesize
54B

MD5
e07a000f84c3e4a091168a478375590c

SHA1
ca25ba5a72d0b952f1db1f5bf257886b1fb2e7bd

SHA256
7210ef935a1acd43f61e7140023dc6c5af8b32d5ef4dd1c1db568929ccd4e597

SHA512
fd5efed33067fba3414f925b12467d1ebe08a5360d666bf2f204bb2807eef123deb0405b27ae6cef8e4bc32d12999aa1b6d134a81830b851aec98de9737d7a44

Download Submit
C:\windows\ZQQM.exe.bat
Filesize
54B

MD5
e5dcaa90a5b9a3d44779761b23219ca2

SHA1
e8065aeda3256ee3f888623c7638ca8d90bf1d6a

SHA256
19fe60c41933dd4f79ae7acca9d2901e6246ea7271257fb09225063d8e4107f9

SHA512
c1d19529811679e30aa1950e35f21ff87f7d12ba76ea4557e3be487848254bd5f037ecc8ef0406d163adc4e5e2034d07d59f5a61d1eee3f93395e262d353a6c5

Download Submit
C:\windows\system\AJVIKNO.exe.bat
Filesize
74B

MD5
232f5bdd004bd70770ec994149da6ed4

SHA1
193ff3b3f20d0d506681d63cf8728f38a156a6c1

SHA256
36846b70ef2de402b6f675c10a05cc2e66cb23e93df0f94b5f822fa95cd9d70e

SHA512
8ea8f23fb8a36843c9706240a7ad0545c4c72568cf1e8e9b74e8a4c10b4a3ca17eb8e7025d33b2952a276392c92d610168c7bdcaef37f0e86d9c1a02c696d34b

Download Submit
C:\windows\system\DVCAT.exe.bat
Filesize
70B

MD5
f6ce408a45c3ee6253e94a6ed00df6ca

SHA1
a566f88013318492b0a5f454db7d3ded5c1a7958

SHA256
c4c191bec459b576bf1054c6875109989cde837b29671c1443af6c012028a6f6

SHA512
f2569f3fae5788ae46f3b68dcf18d82f5786951ad8e6c3369030efa878e50a85091464116ac837071dbf30aec694f1f4f22505ba1f236a56f2e8096654ab2443

Download Submit
C:\windows\system\FNUGKLV.exe.bat
Filesize
74B

MD5
d787947332407bacc24130aea2b50ded

SHA1
0b53076590537d2efacec526ab093aa7f21a3f66

SHA256
ecf0b84d61165e64f6d9f72f542525b211411d6bafb959c635ad23fc0657d1bf

SHA512
3a81a92bb0913bd89b545743b3e298f345632c1014761557a7a3a00df44e12bf651a8fe473d7096a6d95f224b494c65fdd298e350d2d0273d71b78f581e01665

Download Submit
C:\windows\system\HVLT.exe
Filesize
282KB

MD5
b214ca6fc993ae6d051c9f9a4b0105a7

SHA1
9a3c546c661f23631e45cecca10d070a13c1856d

SHA256
2375796b449733d64a9fc7589fc427dfd39dbfc7992fbd43cdcf884dc4966721

SHA512
94fa4abc0845c7c96b11129d8c64fc4823095e78e2b485fd67d07af644a58308a3d001649437217112b14ab462f563d6ed0785619b057fb92560125babe0cf4e

Download Submit
C:\windows\system\HVLT.exe.bat
Filesize
68B

MD5
be09a01c263e55246400ac5601c68e99

SHA1
e9bc33b32f47a415809614a47884767981653222

SHA256
0db9bc9abd56fa80e11c558586c53115e565ac6fbcf8e2302dd19d51a4a63485

SHA512
1352282bdd60d27f7701b9adaf2cd996f790021881cc7a73674ae32e49d221941f9119bc64a4b767db305ee66414a550ae94957216f3d2c75635a4f11a6f2b08

Download Submit
C:\windows\system\IBSIEPH.exe.bat
Filesize
74B

MD5
eccc61d1d0db83f90649d095eb50bdbf

SHA1
85d823816324443968e9f4fc529b6e2aa3878fbd

SHA256
e84543086be8b5b8c0d980cd4a5b74410657533f3f21880de29b3a49001de9af

SHA512
6c05b35f53535ca061fecf49f6f51fe9eb69735fc3e947e82b100e2a41c5d96d612fd80595e918728ec1d71dafd23f37a6b3a282cdeab7fb47211bc02a91b7c7

Download Submit
C:\windows\system\UKB.exe.bat
Filesize
66B

MD5
1b57c0c8e4c797c430593552bb8fb17f

SHA1
4f47e3aa8a33180c537a5a4095290661cbf4d4bb

SHA256
4fc9bd9b4f4cd6a4663cbee6a01e149401e31dc28a7c6458dc3a690bf2eb3150

SHA512
a47bbedc3a5d904a388a3707ac23f5cfafa07ee5d47169a0c2da9b38b96c0f43a6112435aa1fe9ec3a6665f7ef548a5f0cf44a45906c07aa819081bc81e307b2

Download Submit
C:\windows\system\YUUXDJU.exe.bat
Filesize
74B

MD5
45d85f4a3afc289c74f21412d131ff14

SHA1
934f0afe289c0fa1b00c4f8aaf582a14757f7c0a

SHA256
2e9a46075e44a48980e1ba91be966e1b1f09ba3af7a50e89c697635def01f8c3

SHA512
9a65a4fd169320aec473322cf247d77c9f7bea84c754876b80cd36b58afde0023492f8dde6a8f6edb1162090d83dce8524d6f61c9c7266cc3eb79684f3f5d008

Download Submit
memory/616-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/616-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/720-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/720-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/812-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/812-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/844-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/844-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/980-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/980-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2004-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2004-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2052-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2052-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3000-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3000-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3500-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3500-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3628-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3628-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4108-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4108-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4740-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4912-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4912-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download