17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
Size

384KB
MD5

439d4a59b2b1f8daf1e4f8533e7af59e
SHA1

79452ba43ca5aac885ff8875de49b2fb1cea1a2c
SHA256

17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6
SHA512

9df0965ba18ebb0655db4ebab62f37e25720f7aaaf781ee4495dd82f71cbbe80493348ce01c94044dde03b59f674fe75cb440eb6a278bb0f4f98bc351985c541
SSDEEP

6144:InqQjhIlSAzZ02GANJQttkEjiPISUOgW9X+hOGzC/NM:InRbnANJQttkmZzcukG2/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	OZFAK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	LULU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	FMUHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DEXER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	HKWWCS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ACFO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	TFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RUBPTFO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DHLURV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WQATHQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	CMAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WXR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	GFDFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	UUJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	XGATNJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	XWZAML.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	JDZIXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	HOTM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RMNFTCJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	HXPYAW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	EOMF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	YOPQP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	FCQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RYWAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	GRSRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	QAHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	QYO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DFITFHE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	QIX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	HEFO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	CQUGI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	CTA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	VQMBPP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	KVJNNTV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	USZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RUTH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	LWFMSR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WLKZMC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MXKOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	PBEYF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	IVLXN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	JMEI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	YIFGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MQE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	GYJI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	LMTKL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	CLIRGGR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	GKU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MZHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	HMGSV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	KTRXBE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	PWDOC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	QSOCZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	AVR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	LWKLA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MBAAAID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	USFUNR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	VVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	YOURJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	TKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	UDNMVTC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	MGQQIJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	DDYG.exe

Executes dropped EXE 64 IoCs

pid	Process
2444	SXP.exe
2640	PNOC.exe
2580	SOYSRU.exe
3468	YJJSXR.exe
612	RMNFTCJ.exe
3600	WXR.exe
924	DDYG.exe
3796	RYWAT.exe
1756	KBAVYAR.exe
1140	UUJV.exe
1912	BKDYXIP.exe
1932	AIRNDF.exe
1052	VVW.exe
2860	YDR.exe
232	VTE.exe
1896	LRSVBH.exe
780	AITUAVL.exe
536	YXT.exe
4456	QAXAF.exe
1400	CJDIR.exe
904	ATVE.exe
4308	HKWWCS.exe
3404	GSWTYDX.exe
1840	FDZJ.exe
4840	ENC.exe
4608	NLW.exe
4252	RBDAF.exe
372	ACFO.exe
1828	XSSX.exe
3064	IKC.exe
2244	XNTJVN.exe
4708	QIX.exe
4872	GRSRR.exe
4352	CWYOY.exe
3364	GPBXPC.exe
1416	RIWQXJB.exe
4804	QAHG.exe
4148	XGATNJ.exe
3932	HEFO.exe
3384	NZRHI.exe
2184	GSGSRH.exe
4304	HQOBCRI.exe
4472	GFAEP.exe
3844	HDHMZGG.exe
3512	BRZOKAO.exe
3024	XWZAML.exe
4796	RKQJGW.exe
2948	USZ.exe
1932	YIFGZ.exe
1936	AVR.exe
3552	DEXER.exe
4352	WHJA.exe
952	OZFAK.exe
3844	HCWDO.exe
3408	TFT.exe
3348	GQPH.exe
3100	FBFPV.exe
1928	NOREG.exe
536	JMEI.exe
2936	HXPYAW.exe
2724	FVC.exe
4252	JDJPUV.exe
1784	CQUGI.exe
4636	MOI.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\PNOC.exe	SXP.exe
File created	C:\windows\SysWOW64\RPZTNPA.exe.bat	LUV.exe
File created	C:\windows\SysWOW64\FCQ.exe	DHLURV.exe
File opened for modification	C:\windows\SysWOW64\MBAAAID.exe	ALUA.exe
File opened for modification	C:\windows\SysWOW64\MXKOO.exe	SKF.exe
File opened for modification	C:\windows\SysWOW64\CQUGI.exe	JDJPUV.exe
File created	C:\windows\SysWOW64\MKYSE.exe.bat	SXT.exe
File created	C:\windows\SysWOW64\PBEYF.exe	GBNMXO.exe
File created	C:\windows\SysWOW64\GSGSRH.exe.bat	NZRHI.exe
File created	C:\windows\SysWOW64\ULOWCLK.exe.bat	RUBPTFO.exe
File created	C:\windows\SysWOW64\QZX.exe	MJRHD.exe
File created	C:\windows\SysWOW64\TFXGF.exe	SCUKRY.exe
File opened for modification	C:\windows\SysWOW64\MQE.exe	JDZIXQ.exe
File created	C:\windows\SysWOW64\RUBPTFO.exe	FMUHH.exe
File created	C:\windows\SysWOW64\OKYO.exe.bat	LCQ.exe
File opened for modification	C:\windows\SysWOW64\SVYTB.exe	MZHK.exe
File created	C:\windows\SysWOW64\PNOC.exe.bat	SXP.exe
File created	C:\windows\SysWOW64\GSGSRH.exe	NZRHI.exe
File created	C:\windows\SysWOW64\GQPH.exe	TFT.exe
File created	C:\windows\SysWOW64\GKDM.exe	MXKOO.exe
File created	C:\windows\SysWOW64\VTE.exe.bat	YDR.exe
File created	C:\windows\SysWOW64\SVYTB.exe	MZHK.exe
File created	C:\windows\SysWOW64\GSWTYDX.exe	HKWWCS.exe
File created	C:\windows\SysWOW64\HDHMZGG.exe.bat	GFAEP.exe
File opened for modification	C:\windows\SysWOW64\DDKA.exe	QSOCZ.exe
File created	C:\windows\SysWOW64\MXKOO.exe.bat	SKF.exe
File created	C:\windows\SysWOW64\FYCYLOW.exe	WQATHQ.exe
File opened for modification	C:\windows\SysWOW64\PBEYF.exe	GBNMXO.exe
File opened for modification	C:\windows\SysWOW64\RIWQXJB.exe	GPBXPC.exe
File opened for modification	C:\windows\SysWOW64\GISN.exe	CEUSFIT.exe
File opened for modification	C:\windows\SysWOW64\HXPYAW.exe	JMEI.exe
File created	C:\windows\SysWOW64\MKYSE.exe	SXT.exe
File created	C:\windows\SysWOW64\GYJI.exe.bat	MKYSE.exe
File created	C:\windows\SysWOW64\AVMZD.exe	KVJNNTV.exe
File opened for modification	C:\windows\SysWOW64\ULOWCLK.exe	RUBPTFO.exe
File created	C:\windows\SysWOW64\GVQ.exe.bat	USFUNR.exe
File opened for modification	C:\windows\SysWOW64\RUBPTFO.exe	FMUHH.exe
File created	C:\windows\SysWOW64\MIMJV.exe	BQC.exe
File created	C:\windows\SysWOW64\AITUAVL.exe	LRSVBH.exe
File opened for modification	C:\windows\SysWOW64\WHJA.exe	DEXER.exe
File created	C:\windows\SysWOW64\SVYTB.exe.bat	MZHK.exe
File opened for modification	C:\windows\SysWOW64\KVJNNTV.exe	GFDFB.exe
File created	C:\windows\SysWOW64\SOYSRU.exe	PNOC.exe
File opened for modification	C:\windows\SysWOW64\SOYSRU.exe	PNOC.exe
File created	C:\windows\SysWOW64\FYCYLOW.exe.bat	WQATHQ.exe
File opened for modification	C:\windows\SysWOW64\GYJI.exe	MKYSE.exe
File created	C:\windows\SysWOW64\WOLBIXQ.exe	LRAV.exe
File created	C:\windows\SysWOW64\GYJI.exe	MKYSE.exe
File created	C:\windows\SysWOW64\GRSRR.exe	QIX.exe
File created	C:\windows\SysWOW64\WUYDSKB.exe	HZOR.exe
File created	C:\windows\SysWOW64\CQUGI.exe	JDJPUV.exe
File opened for modification	C:\windows\SysWOW64\BAMMG.exe	FDOP.exe
File opened for modification	C:\windows\SysWOW64\NZRHI.exe	HEFO.exe
File opened for modification	C:\windows\SysWOW64\AVR.exe	YIFGZ.exe
File created	C:\windows\SysWOW64\KVJNNTV.exe.bat	GFDFB.exe
File created	C:\windows\SysWOW64\YJJSXR.exe.bat	SOYSRU.exe
File opened for modification	C:\windows\SysWOW64\AITUAVL.exe	LRSVBH.exe
File opened for modification	C:\windows\SysWOW64\DEXER.exe	AVR.exe
File opened for modification	C:\windows\SysWOW64\WOLBIXQ.exe	LRAV.exe
File opened for modification	C:\windows\SysWOW64\IVLXN.exe	TFXGF.exe
File opened for modification	C:\windows\SysWOW64\FCQ.exe	DHLURV.exe
File created	C:\windows\SysWOW64\GFDFB.exe.bat	CMAE.exe
File opened for modification	C:\windows\SysWOW64\GSWTYDX.exe	HKWWCS.exe
File created	C:\windows\SysWOW64\IVLXN.exe	TFXGF.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\LRAV.exe	NGIY.exe
File created	C:\windows\system\HKWWCS.exe.bat	ATVE.exe
File created	C:\windows\YIFGZ.exe	USZ.exe
File opened for modification	C:\windows\MOI.exe	CQUGI.exe
File created	C:\windows\system\CLIRGGR.exe	ULZFZ.exe
File opened for modification	C:\windows\system\CLIRGGR.exe	ULZFZ.exe
File created	C:\windows\system\AKSQQLB.exe	HOTM.exe
File opened for modification	C:\windows\NULNYA.exe	LWKLA.exe
File opened for modification	C:\windows\system\GBNMXO.exe	GYJI.exe
File created	C:\windows\VVW.exe.bat	AIRNDF.exe
File created	C:\windows\system\IKC.exe	XSSX.exe
File opened for modification	C:\windows\system\GFAEP.exe	HQOBCRI.exe
File created	C:\windows\NOREG.exe	FBFPV.exe
File opened for modification	C:\windows\ATXC.exe	BAMMG.exe
File created	C:\windows\system\LWFMSR.exe.bat	WGSD.exe
File opened for modification	C:\windows\system\PWDOC.exe	YOPQP.exe
File created	C:\windows\system\HOTM.exe.bat	YRZD.exe
File created	C:\windows\system\RBDAF.exe.bat	NLW.exe
File created	C:\windows\system\GFAEP.exe	HQOBCRI.exe
File created	C:\windows\system\POODSAU.exe	WLKZMC.exe
File created	C:\windows\DHLURV.exe	MGQQIJ.exe
File created	C:\windows\system\XXJ.exe.bat	FCQ.exe
File opened for modification	C:\windows\system\CQBJ.exe	GKDM.exe
File created	C:\windows\YXT.exe.bat	AITUAVL.exe
File created	C:\windows\system\QIX.exe	XNTJVN.exe
File created	C:\windows\YXT.exe	AITUAVL.exe
File created	C:\windows\LRAV.exe.bat	NGIY.exe
File created	C:\windows\system\RYWAT.exe.bat	DDYG.exe
File opened for modification	C:\windows\VVW.exe	AIRNDF.exe
File created	C:\windows\ERTK.exe	CTA.exe
File created	C:\windows\system\YOURJ.exe.bat	ULOWCLK.exe
File created	C:\windows\system\ATVE.exe.bat	CJDIR.exe
File created	C:\windows\YTLNX.exe.bat	QNZZMH.exe
File created	C:\windows\system\RKS.exe.bat	NULNYA.exe
File created	C:\windows\system\SXT.exe	CZG.exe
File opened for modification	C:\windows\system\QIX.exe	XNTJVN.exe
File created	C:\windows\system\YOPQP.exe	KTRXBE.exe
File created	C:\windows\system\FDOP.exe	WUYDSKB.exe
File opened for modification	C:\windows\KTRXBE.exe	YQGKR.exe
File created	C:\windows\DFITFHE.exe.bat	OKYO.exe
File opened for modification	C:\windows\system\QNZZMH.exe	RUWRMTV.exe
File created	C:\windows\system\HZOR.exe.bat	ERTK.exe
File created	C:\windows\system\OZFAK.exe	WHJA.exe
File opened for modification	C:\windows\system\FBFPV.exe	GQPH.exe
File created	C:\windows\MOI.exe.bat	CQUGI.exe
File created	C:\windows\system\QNZZMH.exe	RUWRMTV.exe
File created	C:\windows\HMGSV.exe	YOURJ.exe
File opened for modification	C:\windows\system\XXJ.exe	FCQ.exe
File created	C:\windows\KBAVYAR.exe.bat	RYWAT.exe
File created	C:\windows\QAHG.exe.bat	RIWQXJB.exe
File created	C:\windows\system\CQBJ.exe.bat	GKDM.exe
File created	C:\windows\KTRXBE.exe.bat	YQGKR.exe
File created	C:\windows\LRAV.exe	NGIY.exe
File created	C:\windows\system\HKWWCS.exe	ATVE.exe
File opened for modification	C:\windows\system\YOURJ.exe	ULOWCLK.exe
File created	C:\windows\LUV.exe	HMGSV.exe
File opened for modification	C:\windows\ENC.exe	FDZJ.exe
File opened for modification	C:\windows\YIFGZ.exe	USZ.exe
File created	C:\windows\JDJPUV.exe.bat	FVC.exe
File created	C:\windows\YTLNX.exe	QNZZMH.exe
File opened for modification	C:\windows\system\QSOCZ.exe	AKSQQLB.exe
File opened for modification	C:\windows\system\RKS.exe	NULNYA.exe
File created	C:\windows\system\SKF.exe.bat	POODSAU.exe
File opened for modification	C:\windows\system\DDYG.exe	WXR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4952	3928	WerFault.exe	81
3792	2444	WerFault.exe	89
1328	2640	WerFault.exe	96
4988	2580	WerFault.exe	101
4508	3468	WerFault.exe	106
3916	612	WerFault.exe	110
4764	3600	WerFault.exe	116
1704	924	WerFault.exe	121
3380	3796	WerFault.exe	126
3556	1756	WerFault.exe	131
4020	1140	WerFault.exe	136
3244	1912	WerFault.exe	141
3484	1932	WerFault.exe	146
4000	1052	WerFault.exe	151
3732	2860	WerFault.exe	156
4996	232	WerFault.exe	161
3552	1896	WerFault.exe	166
1332	780	WerFault.exe	171
4428	536	WerFault.exe	176
2940	4456	WerFault.exe	181
412	1400	WerFault.exe	186
4492	904	WerFault.exe	191
1940	4308	WerFault.exe	196
212	3404	WerFault.exe	201
1464	1840	WerFault.exe	206
5028	4840	WerFault.exe	211
4136	4608	WerFault.exe	216
3680	4252	WerFault.exe	221
1548	372	WerFault.exe	226
3300	1828	WerFault.exe	231
1400	3064	WerFault.exe	236
1404	2244	WerFault.exe	241
1468	4708	WerFault.exe	247
4396	4872	WerFault.exe	251
2440	4352	WerFault.exe	257
4608	3364	WerFault.exe	262
3880	1416	WerFault.exe	268
1964	4804	WerFault.exe	273
4528	4148	WerFault.exe	279
1932	3932	WerFault.exe	284
1244	3384	WerFault.exe	289
4712	2184	WerFault.exe	294
4916	4304	WerFault.exe	299
1824	4472	WerFault.exe	304
3364	3844	WerFault.exe	309
2428	3512	WerFault.exe	314
4456	3024	WerFault.exe	319
4936	4796	WerFault.exe	324
1468	2948	WerFault.exe	329
3316	1932	WerFault.exe	334
3868	1936	WerFault.exe	339
2240	3552	WerFault.exe	344
4316	4352	WerFault.exe	349
1248	952	WerFault.exe	354
376	3844	WerFault.exe	359
5040	3408	WerFault.exe	364
3648	3348	WerFault.exe	369
4764	3100	WerFault.exe	374
2212	1928	WerFault.exe	379
3240	536	WerFault.exe	384
2184	2936	WerFault.exe	389
1344	2724	WerFault.exe	394
2964	4252	WerFault.exe	399
4616	1784	WerFault.exe	404

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
2444	SXP.exe
2444	SXP.exe
2640	PNOC.exe
2640	PNOC.exe
2580	SOYSRU.exe
2580	SOYSRU.exe
3468	YJJSXR.exe
3468	YJJSXR.exe
612	RMNFTCJ.exe
612	RMNFTCJ.exe
3600	WXR.exe
3600	WXR.exe
924	DDYG.exe
924	DDYG.exe
3796	RYWAT.exe
3796	RYWAT.exe
1756	KBAVYAR.exe
1756	KBAVYAR.exe
1140	UUJV.exe
1140	UUJV.exe
1912	BKDYXIP.exe
1912	BKDYXIP.exe
1932	AIRNDF.exe
1932	AIRNDF.exe
1052	VVW.exe
1052	VVW.exe
2860	YDR.exe
2860	YDR.exe
232	VTE.exe
232	VTE.exe
1896	LRSVBH.exe
1896	LRSVBH.exe
780	AITUAVL.exe
780	AITUAVL.exe
536	YXT.exe
536	YXT.exe
4456	QAXAF.exe
4456	QAXAF.exe
1400	CJDIR.exe
1400	CJDIR.exe
904	ATVE.exe
904	ATVE.exe
4308	HKWWCS.exe
4308	HKWWCS.exe
3404	GSWTYDX.exe
3404	GSWTYDX.exe
1840	FDZJ.exe
1840	FDZJ.exe
4840	ENC.exe
4840	ENC.exe
4608	NLW.exe
4608	NLW.exe
4252	RBDAF.exe
4252	RBDAF.exe
372	ACFO.exe
372	ACFO.exe
1828	XSSX.exe
1828	XSSX.exe
3064	IKC.exe
3064	IKC.exe
2244	XNTJVN.exe
2244	XNTJVN.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
2444	SXP.exe
2444	SXP.exe
2640	PNOC.exe
2640	PNOC.exe
2580	SOYSRU.exe
2580	SOYSRU.exe
3468	YJJSXR.exe
3468	YJJSXR.exe
612	RMNFTCJ.exe
612	RMNFTCJ.exe
3600	WXR.exe
3600	WXR.exe
924	DDYG.exe
924	DDYG.exe
3796	RYWAT.exe
3796	RYWAT.exe
1756	KBAVYAR.exe
1756	KBAVYAR.exe
1140	UUJV.exe
1140	UUJV.exe
1912	BKDYXIP.exe
1912	BKDYXIP.exe
1932	AIRNDF.exe
1932	AIRNDF.exe
1052	VVW.exe
1052	VVW.exe
2860	YDR.exe
2860	YDR.exe
232	VTE.exe
232	VTE.exe
1896	LRSVBH.exe
1896	LRSVBH.exe
780	AITUAVL.exe
780	AITUAVL.exe
536	YXT.exe
536	YXT.exe
4456	QAXAF.exe
4456	QAXAF.exe
1400	CJDIR.exe
1400	CJDIR.exe
904	ATVE.exe
904	ATVE.exe
4308	HKWWCS.exe
4308	HKWWCS.exe
3404	GSWTYDX.exe
3404	GSWTYDX.exe
1840	FDZJ.exe
1840	FDZJ.exe
4840	ENC.exe
4840	ENC.exe
4608	NLW.exe
4608	NLW.exe
4252	RBDAF.exe
4252	RBDAF.exe
372	ACFO.exe
372	ACFO.exe
1828	XSSX.exe
1828	XSSX.exe
3064	IKC.exe
3064	IKC.exe
2244	XNTJVN.exe
2244	XNTJVN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2396	3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	85
PID 3928 wrote to memory of 2396	3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	85
PID 3928 wrote to memory of 2396	3928	17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe	85
PID 2396 wrote to memory of 2444	2396	cmd.exe	89
PID 2396 wrote to memory of 2444	2396	cmd.exe	89
PID 2396 wrote to memory of 2444	2396	cmd.exe	89
PID 2444 wrote to memory of 1564	2444	SXP.exe	92
PID 2444 wrote to memory of 1564	2444	SXP.exe	92
PID 2444 wrote to memory of 1564	2444	SXP.exe	92
PID 1564 wrote to memory of 2640	1564	cmd.exe	96
PID 1564 wrote to memory of 2640	1564	cmd.exe	96
PID 1564 wrote to memory of 2640	1564	cmd.exe	96
PID 2640 wrote to memory of 1828	2640	PNOC.exe	97
PID 2640 wrote to memory of 1828	2640	PNOC.exe	97
PID 2640 wrote to memory of 1828	2640	PNOC.exe	97
PID 1828 wrote to memory of 2580	1828	cmd.exe	101
PID 1828 wrote to memory of 2580	1828	cmd.exe	101
PID 1828 wrote to memory of 2580	1828	cmd.exe	101
PID 2580 wrote to memory of 60	2580	SOYSRU.exe	102
PID 2580 wrote to memory of 60	2580	SOYSRU.exe	102
PID 2580 wrote to memory of 60	2580	SOYSRU.exe	102
PID 60 wrote to memory of 3468	60	cmd.exe	106
PID 60 wrote to memory of 3468	60	cmd.exe	106
PID 60 wrote to memory of 3468	60	cmd.exe	106
PID 3468 wrote to memory of 2656	3468	YJJSXR.exe	107
PID 3468 wrote to memory of 2656	3468	YJJSXR.exe	107
PID 3468 wrote to memory of 2656	3468	YJJSXR.exe	107
PID 2656 wrote to memory of 612	2656	cmd.exe	110
PID 2656 wrote to memory of 612	2656	cmd.exe	110
PID 2656 wrote to memory of 612	2656	cmd.exe	110
PID 612 wrote to memory of 2008	612	RMNFTCJ.exe	112
PID 612 wrote to memory of 2008	612	RMNFTCJ.exe	112
PID 612 wrote to memory of 2008	612	RMNFTCJ.exe	112
PID 2008 wrote to memory of 3600	2008	cmd.exe	116
PID 2008 wrote to memory of 3600	2008	cmd.exe	116
PID 2008 wrote to memory of 3600	2008	cmd.exe	116
PID 3600 wrote to memory of 3436	3600	WXR.exe	117
PID 3600 wrote to memory of 3436	3600	WXR.exe	117
PID 3600 wrote to memory of 3436	3600	WXR.exe	117
PID 3436 wrote to memory of 924	3436	cmd.exe	121
PID 3436 wrote to memory of 924	3436	cmd.exe	121
PID 3436 wrote to memory of 924	3436	cmd.exe	121
PID 924 wrote to memory of 3348	924	DDYG.exe	122
PID 924 wrote to memory of 3348	924	DDYG.exe	122
PID 924 wrote to memory of 3348	924	DDYG.exe	122
PID 3348 wrote to memory of 3796	3348	cmd.exe	126
PID 3348 wrote to memory of 3796	3348	cmd.exe	126
PID 3348 wrote to memory of 3796	3348	cmd.exe	126
PID 3796 wrote to memory of 780	3796	RYWAT.exe	127
PID 3796 wrote to memory of 780	3796	RYWAT.exe	127
PID 3796 wrote to memory of 780	3796	RYWAT.exe	127
PID 780 wrote to memory of 1756	780	cmd.exe	131
PID 780 wrote to memory of 1756	780	cmd.exe	131
PID 780 wrote to memory of 1756	780	cmd.exe	131
PID 1756 wrote to memory of 4468	1756	KBAVYAR.exe	132
PID 1756 wrote to memory of 4468	1756	KBAVYAR.exe	132
PID 1756 wrote to memory of 4468	1756	KBAVYAR.exe	132
PID 4468 wrote to memory of 1140	4468	cmd.exe	136
PID 4468 wrote to memory of 1140	4468	cmd.exe	136
PID 4468 wrote to memory of 1140	4468	cmd.exe	136
PID 1140 wrote to memory of 2432	1140	UUJV.exe	137
PID 1140 wrote to memory of 2432	1140	UUJV.exe	137
PID 1140 wrote to memory of 2432	1140	UUJV.exe	137
PID 2432 wrote to memory of 1912	2432	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe
"C:\Users\Admin\AppData\Local\Temp\17d990d130c81daff90003d5d64c5fd196a600adc165b957334460b99a202ae6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\SXP.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\windows\SXP.exe
    C:\windows\SXP.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNOC.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\windows\SysWOW64\PNOC.exe
        
        C:\windows\system32\PNOC.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOYSRU.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\windows\SysWOW64\SOYSRU.exe
        
        C:\windows\system32\SOYSRU.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YJJSXR.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\windows\SysWOW64\YJJSXR.exe
        
        C:\windows\system32\YJJSXR.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMNFTCJ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\windows\system\RMNFTCJ.exe
        
        C:\windows\system\RMNFTCJ.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WXR.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\windows\SysWOW64\WXR.exe
        
        C:\windows\system32\WXR.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDYG.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\windows\system\DDYG.exe
        
        C:\windows\system\DDYG.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYWAT.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\windows\system\RYWAT.exe
        
        C:\windows\system\RYWAT.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KBAVYAR.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\windows\KBAVYAR.exe
        
        C:\windows\KBAVYAR.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUJV.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\windows\UUJV.exe
        
        C:\windows\UUJV.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BKDYXIP.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\windows\system\BKDYXIP.exe
        
        C:\windows\system\BKDYXIP.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AIRNDF.exe.bat" "
        24⤵
        
        PID:2640
        
        C:\windows\system\AIRNDF.exe
        
        C:\windows\system\AIRNDF.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VVW.exe.bat" "
        26⤵
        
        PID:852
        
        C:\windows\VVW.exe
        
        C:\windows\VVW.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDR.exe.bat" "
        28⤵
        
        PID:3956
        
        C:\windows\SysWOW64\YDR.exe
        
        C:\windows\system32\YDR.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTE.exe.bat" "
        30⤵
        
        PID:3368
        
        C:\windows\SysWOW64\VTE.exe
        
        C:\windows\system32\VTE.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRSVBH.exe.bat" "
        32⤵
        
        PID:556
        
        C:\windows\system\LRSVBH.exe
        
        C:\windows\system\LRSVBH.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AITUAVL.exe.bat" "
        34⤵
        
        PID:3000
        
        C:\windows\SysWOW64\AITUAVL.exe
        
        C:\windows\system32\AITUAVL.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YXT.exe.bat" "
        36⤵
        
        PID:1724
        
        C:\windows\YXT.exe
        
        C:\windows\YXT.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAXAF.exe.bat" "
        38⤵
        
        PID:3324
        
        C:\windows\system\QAXAF.exe
        
        C:\windows\system\QAXAF.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CJDIR.exe.bat" "
        40⤵
        
        PID:968
        
        C:\windows\CJDIR.exe
        
        C:\windows\CJDIR.exe
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATVE.exe.bat" "
        42⤵
        
        PID:4224
        
        C:\windows\system\ATVE.exe
        
        C:\windows\system\ATVE.exe
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HKWWCS.exe.bat" "
        44⤵
        
        PID:3488
        
        C:\windows\system\HKWWCS.exe
        
        C:\windows\system\HKWWCS.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GSWTYDX.exe.bat" "
        46⤵
        
        PID:612
        
        C:\windows\SysWOW64\GSWTYDX.exe
        
        C:\windows\system32\GSWTYDX.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDZJ.exe.bat" "
        48⤵
        
        PID:3080
        
        C:\windows\SysWOW64\FDZJ.exe
        
        C:\windows\system32\FDZJ.exe
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ENC.exe.bat" "
        50⤵
        
        PID:3384
        
        C:\windows\ENC.exe
        
        C:\windows\ENC.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NLW.exe.bat" "
        52⤵
        
        PID:1192
        
        C:\windows\system\NLW.exe
        
        C:\windows\system\NLW.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RBDAF.exe.bat" "
        54⤵
        
        PID:1896
        
        C:\windows\system\RBDAF.exe
        
        C:\windows\system\RBDAF.exe
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ACFO.exe.bat" "
        56⤵
        
        PID:2216
        
        C:\windows\SysWOW64\ACFO.exe
        
        C:\windows\system32\ACFO.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSSX.exe.bat" "
        58⤵
        
        PID:2936
        
        C:\windows\system\XSSX.exe
        
        C:\windows\system\XSSX.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IKC.exe.bat" "
        60⤵
        
        PID:1504
        
        C:\windows\system\IKC.exe
        
        C:\windows\system\IKC.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XNTJVN.exe.bat" "
        62⤵
        
        PID:4080
        
        C:\windows\XNTJVN.exe
        
        C:\windows\XNTJVN.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIX.exe.bat" "
        64⤵
        
        PID:3240
        
        C:\windows\system\QIX.exe
        
        C:\windows\system\QIX.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GRSRR.exe.bat" "
        66⤵
        
        PID:1936
        
        C:\windows\SysWOW64\GRSRR.exe
        
        C:\windows\system32\GRSRR.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWYOY.exe.bat" "
        68⤵
        
        PID:3608
        
        C:\windows\SysWOW64\CWYOY.exe
        
        C:\windows\system32\CWYOY.exe
        69⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPBXPC.exe.bat" "
        70⤵
        
        PID:2588
        
        C:\windows\SysWOW64\GPBXPC.exe
        
        C:\windows\system32\GPBXPC.exe
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RIWQXJB.exe.bat" "
        72⤵
        
        PID:2740
        
        C:\windows\SysWOW64\RIWQXJB.exe
        
        C:\windows\system32\RIWQXJB.exe
        73⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QAHG.exe.bat" "
        74⤵
        
        PID:2768
        
        C:\windows\QAHG.exe
        
        C:\windows\QAHG.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGATNJ.exe.bat" "
        76⤵
        
        PID:4920
        
        C:\windows\system\XGATNJ.exe
        
        C:\windows\system\XGATNJ.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HEFO.exe.bat" "
        78⤵
        
        PID:3912
        
        C:\windows\system\HEFO.exe
        
        C:\windows\system\HEFO.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZRHI.exe.bat" "
        80⤵
        
        PID:3560
        
        C:\windows\SysWOW64\NZRHI.exe
        
        C:\windows\system32\NZRHI.exe
        81⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GSGSRH.exe.bat" "
        82⤵
        
        PID:4320
        
        C:\windows\SysWOW64\GSGSRH.exe
        
        C:\windows\system32\GSGSRH.exe
        83⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HQOBCRI.exe.bat" "
        84⤵
        
        PID:2460
        
        C:\windows\system\HQOBCRI.exe
        
        C:\windows\system\HQOBCRI.exe
        85⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFAEP.exe.bat" "
        86⤵
        
        PID:3444
        
        C:\windows\system\GFAEP.exe
        
        C:\windows\system\GFAEP.exe
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDHMZGG.exe.bat" "
        88⤵
        
        PID:4344
        
        C:\windows\SysWOW64\HDHMZGG.exe
        
        C:\windows\system32\HDHMZGG.exe
        89⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BRZOKAO.exe.bat" "
        90⤵
        
        PID:2724
        
        C:\windows\BRZOKAO.exe
        
        C:\windows\BRZOKAO.exe
        91⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XWZAML.exe.bat" "
        92⤵
        
        PID:968
        
        C:\windows\XWZAML.exe
        
        C:\windows\XWZAML.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKQJGW.exe.bat" "
        94⤵
        
        PID:464
        
        C:\windows\RKQJGW.exe
        
        C:\windows\RKQJGW.exe
        95⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\USZ.exe.bat" "
        96⤵
        
        PID:1856
        
        C:\windows\USZ.exe
        
        C:\windows\USZ.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YIFGZ.exe.bat" "
        98⤵
        
        PID:1464
        
        C:\windows\YIFGZ.exe
        
        C:\windows\YIFGZ.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVR.exe.bat" "
        100⤵
        
        PID:2080
        
        C:\windows\SysWOW64\AVR.exe
        
        C:\windows\system32\AVR.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEXER.exe.bat" "
        102⤵
        
        PID:4136
        
        C:\windows\SysWOW64\DEXER.exe
        
        C:\windows\system32\DEXER.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WHJA.exe.bat" "
        104⤵
        
        PID:2236
        
        C:\windows\SysWOW64\WHJA.exe
        
        C:\windows\system32\WHJA.exe
        105⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OZFAK.exe.bat" "
        106⤵
        
        PID:4840
        
        C:\windows\system\OZFAK.exe
        
        C:\windows\system\OZFAK.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCWDO.exe.bat" "
        108⤵
        
        PID:4612
        
        C:\windows\system\HCWDO.exe
        
        C:\windows\system\HCWDO.exe
        109⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TFT.exe.bat" "
        110⤵
        
        PID:3960
        
        C:\windows\TFT.exe
        
        C:\windows\TFT.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQPH.exe.bat" "
        112⤵
        
        PID:2400
        
        C:\windows\SysWOW64\GQPH.exe
        
        C:\windows\system32\GQPH.exe
        113⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBFPV.exe.bat" "
        114⤵
        
        PID:5088
        
        C:\windows\system\FBFPV.exe
        
        C:\windows\system\FBFPV.exe
        115⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NOREG.exe.bat" "
        116⤵
        
        PID:4968
        
        C:\windows\NOREG.exe
        
        C:\windows\NOREG.exe
        117⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JMEI.exe.bat" "
        118⤵
        
        PID:4944
        
        C:\windows\system\JMEI.exe
        
        C:\windows\system\JMEI.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXPYAW.exe.bat" "
        120⤵
        
        PID:4832
        
        C:\windows\SysWOW64\HXPYAW.exe
        
        C:\windows\system32\HXPYAW.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FVC.exe.bat" "
        122⤵
        
        PID:1780
        
        C:\windows\FVC.exe
        
        C:\windows\FVC.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JDJPUV.exe.bat" "
        124⤵
        
        PID:3552
        
        C:\windows\JDJPUV.exe
        
        C:\windows\JDJPUV.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CQUGI.exe.bat" "
        126⤵
        
        PID:3060
        
        C:\windows\SysWOW64\CQUGI.exe
        
        C:\windows\system32\CQUGI.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MOI.exe.bat" "
        128⤵
        
        PID:1704
        
        C:\windows\MOI.exe
        
        C:\windows\MOI.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DZKQYEN.exe.bat" "
        130⤵
        
        PID:1592
        
        C:\windows\DZKQYEN.exe
        
        C:\windows\DZKQYEN.exe
        131⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RUWRMTV.exe.bat" "
        132⤵
        
        PID:4148
        
        C:\windows\SysWOW64\RUWRMTV.exe
        
        C:\windows\system32\RUWRMTV.exe
        133⤵
        Drops file in Windows directory
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNZZMH.exe.bat" "
        134⤵
        
        PID:4864
        
        C:\windows\system\QNZZMH.exe
        
        C:\windows\system\QNZZMH.exe
        135⤵
        Drops file in Windows directory
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTLNX.exe.bat" "
        136⤵
        
        PID:4796
        
        C:\windows\YTLNX.exe
        
        C:\windows\YTLNX.exe
        137⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTA.exe.bat" "
        138⤵
        
        PID:4780
        
        C:\windows\system\CTA.exe
        
        C:\windows\system\CTA.exe
        139⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ERTK.exe.bat" "
        140⤵
        
        PID:2372
        
        C:\windows\ERTK.exe
        
        C:\windows\ERTK.exe
        141⤵
        Drops file in Windows directory
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HZOR.exe.bat" "
        142⤵
        
        PID:3868
        
        C:\windows\system\HZOR.exe
        
        C:\windows\system\HZOR.exe
        143⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUYDSKB.exe.bat" "
        144⤵
        
        PID:4612
        
        C:\windows\SysWOW64\WUYDSKB.exe
        
        C:\windows\system32\WUYDSKB.exe
        145⤵
        Drops file in Windows directory
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FDOP.exe.bat" "
        146⤵
        
        PID:4940
        
        C:\windows\system\FDOP.exe
        
        C:\windows\system\FDOP.exe
        147⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BAMMG.exe.bat" "
        148⤵
        
        PID:4324
        
        C:\windows\SysWOW64\BAMMG.exe
        
        C:\windows\system32\BAMMG.exe
        149⤵
        Drops file in Windows directory
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATXC.exe.bat" "
        150⤵
        
        PID:1136
        
        C:\windows\ATXC.exe
        
        C:\windows\ATXC.exe
        151⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QYO.exe.bat" "
        152⤵
        
        PID:3732
        
        C:\windows\SysWOW64\QYO.exe
        
        C:\windows\system32\QYO.exe
        153⤵
        Checks computer location settings
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMTKL.exe.bat" "
        154⤵
        
        PID:3156
        
        C:\windows\SysWOW64\LMTKL.exe
        
        C:\windows\system32\LMTKL.exe
        155⤵
        Checks computer location settings
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SCUKRY.exe.bat" "
        156⤵
        
        PID:4320
        
        C:\windows\SCUKRY.exe
        
        C:\windows\SCUKRY.exe
        157⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFXGF.exe.bat" "
        158⤵
        
        PID:4916
        
        C:\windows\SysWOW64\TFXGF.exe
        
        C:\windows\system32\TFXGF.exe
        159⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IVLXN.exe.bat" "
        160⤵
        
        PID:2508
        
        C:\windows\SysWOW64\IVLXN.exe
        
        C:\windows\system32\IVLXN.exe
        161⤵
        Checks computer location settings
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ULZFZ.exe.bat" "
        162⤵
        
        PID:4460
        
        C:\windows\system\ULZFZ.exe
        
        C:\windows\system\ULZFZ.exe
        163⤵
        Drops file in Windows directory
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLIRGGR.exe.bat" "
        164⤵
        
        PID:3960
        
        C:\windows\system\CLIRGGR.exe
        
        C:\windows\system\CLIRGGR.exe
        165⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BJTUT.exe.bat" "
        166⤵
        
        PID:2068
        
        C:\windows\system\BJTUT.exe
        
        C:\windows\system\BJTUT.exe
        167⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LULU.exe.bat" "
        168⤵
        
        PID:2892
        
        C:\windows\LULU.exe
        
        C:\windows\LULU.exe
        169⤵
        Checks computer location settings
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUTH.exe.bat" "
        170⤵
        
        PID:3956
        
        C:\windows\system\RUTH.exe
        
        C:\windows\system\RUTH.exe
        171⤵
        Checks computer location settings
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKU.exe.bat" "
        172⤵
        
        PID:2356
        
        C:\windows\system\GKU.exe
        
        C:\windows\system\GKU.exe
        173⤵
        Checks computer location settings
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UNKAKM.exe.bat" "
        174⤵
        
        PID:4396
        
        C:\windows\system\UNKAKM.exe
        
        C:\windows\system\UNKAKM.exe
        175⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EOMF.exe.bat" "
        176⤵
        
        PID:2396
        
        C:\windows\system\EOMF.exe
        
        C:\windows\system\EOMF.exe
        177⤵
        Checks computer location settings
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZJ.exe.bat" "
        178⤵
        
        PID:1040
        
        C:\windows\SysWOW64\YZJ.exe
        
        C:\windows\system32\YZJ.exe
        179⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YEJZHD.exe.bat" "
        180⤵
        
        PID:1576
        
        C:\windows\system\YEJZHD.exe
        
        C:\windows\system\YEJZHD.exe
        181⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MZHK.exe.bat" "
        182⤵
        
        PID:4352
        
        C:\windows\MZHK.exe
        
        C:\windows\MZHK.exe
        183⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVYTB.exe.bat" "
        184⤵
        
        PID:952
        
        C:\windows\SysWOW64\SVYTB.exe
        
        C:\windows\system32\SVYTB.exe
        185⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JDZIXQ.exe.bat" "
        186⤵
        
        PID:2068
        
        C:\windows\SysWOW64\JDZIXQ.exe
        
        C:\windows\system32\JDZIXQ.exe
        187⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MQE.exe.bat" "
        188⤵
        
        PID:4132
        
        C:\windows\SysWOW64\MQE.exe
        
        C:\windows\system32\MQE.exe
        189⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YOSSFPH.exe.bat" "
        190⤵
        
        PID:2308
        
        C:\windows\SysWOW64\YOSSFPH.exe
        
        C:\windows\system32\YOSSFPH.exe
        191⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TBXB.exe.bat" "
        192⤵
        
        PID:3864
        
        C:\windows\SysWOW64\TBXB.exe
        
        C:\windows\system32\TBXB.exe
        193⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMUHH.exe.bat" "
        194⤵
        
        PID:2740
        
        C:\windows\FMUHH.exe
        
        C:\windows\FMUHH.exe
        195⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RUBPTFO.exe.bat" "
        196⤵
        
        PID:3472
        
        C:\windows\SysWOW64\RUBPTFO.exe
        
        C:\windows\system32\RUBPTFO.exe
        197⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ULOWCLK.exe.bat" "
        198⤵
        
        PID:4788
        
        C:\windows\SysWOW64\ULOWCLK.exe
        
        C:\windows\system32\ULOWCLK.exe
        199⤵
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "
        200⤵
        
        PID:3520
        
        C:\windows\system\YOURJ.exe
        
        C:\windows\system\YOURJ.exe
        201⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMGSV.exe.bat" "
        202⤵
        
        PID:4564
        
        C:\windows\HMGSV.exe
        
        C:\windows\HMGSV.exe
        203⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LUV.exe.bat" "
        204⤵
        
        PID:2208
        
        C:\windows\LUV.exe
        
        C:\windows\LUV.exe
        205⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RPZTNPA.exe.bat" "
        206⤵
        
        PID:2124
        
        C:\windows\SysWOW64\RPZTNPA.exe
        
        C:\windows\system32\RPZTNPA.exe
        207⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKQ.exe.bat" "
        208⤵
        
        PID:4132
        
        C:\windows\SysWOW64\TKQ.exe
        
        C:\windows\system32\TKQ.exe
        209⤵
        Checks computer location settings
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BQC.exe.bat" "
        210⤵
        
        PID:3668
        
        C:\windows\SysWOW64\BQC.exe
        
        C:\windows\system32\BQC.exe
        211⤵
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIMJV.exe.bat" "
        212⤵
        
        PID:3788
        
        C:\windows\SysWOW64\MIMJV.exe
        
        C:\windows\system32\MIMJV.exe
        213⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGSD.exe.bat" "
        214⤵
        
        PID:2740
        
        C:\windows\SysWOW64\WGSD.exe
        
        C:\windows\system32\WGSD.exe
        215⤵
        Drops file in Windows directory
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWFMSR.exe.bat" "
        216⤵
        
        PID:1416
        
        C:\windows\system\LWFMSR.exe
        
        C:\windows\system\LWFMSR.exe
        217⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CEUSFIT.exe.bat" "
        218⤵
        
        PID:4532
        
        C:\windows\CEUSFIT.exe
        
        C:\windows\CEUSFIT.exe
        219⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GISN.exe.bat" "
        220⤵
        
        PID:3868
        
        C:\windows\SysWOW64\GISN.exe
        
        C:\windows\system32\GISN.exe
        221⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQGKR.exe.bat" "
        222⤵
        
        PID:1936
        
        C:\windows\system\YQGKR.exe
        
        C:\windows\system\YQGKR.exe
        223⤵
        Drops file in Windows directory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KTRXBE.exe.bat" "
        224⤵
        
        PID:3928
        
        C:\windows\KTRXBE.exe
        
        C:\windows\KTRXBE.exe
        225⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOPQP.exe.bat" "
        226⤵
        
        PID:4940
        
        C:\windows\system\YOPQP.exe
        
        C:\windows\system\YOPQP.exe
        227⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWDOC.exe.bat" "
        228⤵
        
        PID:3584
        
        C:\windows\system\PWDOC.exe
        
        C:\windows\system\PWDOC.exe
        229⤵
        Checks computer location settings
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LCQ.exe.bat" "
        230⤵
        
        PID:2640
        
        C:\windows\LCQ.exe
        
        C:\windows\LCQ.exe
        231⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKYO.exe.bat" "
        232⤵
        
        PID:4712
        
        C:\windows\SysWOW64\OKYO.exe
        
        C:\windows\system32\OKYO.exe
        233⤵
        Drops file in Windows directory
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFITFHE.exe.bat" "
        234⤵
        
        PID:4764
        
        C:\windows\DFITFHE.exe
        
        C:\windows\DFITFHE.exe
        235⤵
        Checks computer location settings
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLBOUBH.exe.bat" "
        236⤵
        
        PID:3808
        
        C:\windows\SysWOW64\KLBOUBH.exe
        
        C:\windows\system32\KLBOUBH.exe
        237⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YRZD.exe.bat" "
        238⤵
        
        PID:2896
        
        C:\windows\YRZD.exe
        
        C:\windows\YRZD.exe
        239⤵
        Drops file in Windows directory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOTM.exe.bat" "
        240⤵
        
        PID:2272
        
        C:\windows\system\HOTM.exe
        
        C:\windows\system\HOTM.exe
        241⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKSQQLB.exe.bat" "
        242⤵
        
        PID:3876
        
        C:\windows\system\AKSQQLB.exe
        
        C:\windows\system\AKSQQLB.exe
        243⤵
        Drops file in Windows directory
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QSOCZ.exe.bat" "
        244⤵
        
        PID:3064
        
        C:\windows\system\QSOCZ.exe
        
        C:\windows\system\QSOCZ.exe
        245⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDKA.exe.bat" "
        246⤵
        
        PID:3404
        
        C:\windows\SysWOW64\DDKA.exe
        
        C:\windows\system32\DDKA.exe
        247⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UDNMVTC.exe.bat" "
        248⤵
        
        PID:776
        
        C:\windows\system\UDNMVTC.exe
        
        C:\windows\system\UDNMVTC.exe
        249⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MGQQIJ.exe.bat" "
        250⤵
        
        PID:4228
        
        C:\windows\SysWOW64\MGQQIJ.exe
        
        C:\windows\system32\MGQQIJ.exe
        251⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DHLURV.exe.bat" "
        252⤵
        
        PID:2492
        
        C:\windows\DHLURV.exe
        
        C:\windows\DHLURV.exe
        253⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FCQ.exe.bat" "
        254⤵
        
        PID:2508
        
        C:\windows\SysWOW64\FCQ.exe
        
        C:\windows\system32\FCQ.exe
        255⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XXJ.exe.bat" "
        256⤵
        
        PID:1604
        
        C:\windows\system\XXJ.exe
        
        C:\windows\system\XXJ.exe
        257⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FQJ.exe.bat" "
        258⤵
        
        PID:4684
        
        C:\windows\FQJ.exe
        
        C:\windows\FQJ.exe
        259⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VQMBPP.exe.bat" "
        260⤵
        
        PID:4312
        
        C:\windows\SysWOW64\VQMBPP.exe
        
        C:\windows\system32\VQMBPP.exe
        261⤵
        Checks computer location settings
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ABIAU.exe.bat" "
        262⤵
        
        PID:4352
        
        C:\windows\system\ABIAU.exe
        
        C:\windows\system\ABIAU.exe
        263⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UEFFEE.exe.bat" "
        264⤵
        
        PID:216
        
        C:\windows\UEFFEE.exe
        
        C:\windows\UEFFEE.exe
        265⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\USFUNR.exe.bat" "
        266⤵
        
        PID:4276
        
        C:\windows\USFUNR.exe
        
        C:\windows\USFUNR.exe
        267⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GVQ.exe.bat" "
        268⤵
        
        PID:2264
        
        C:\windows\SysWOW64\GVQ.exe
        
        C:\windows\system32\GVQ.exe
        269⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WQATHQ.exe.bat" "
        270⤵
        
        PID:1708
        
        C:\windows\system\WQATHQ.exe
        
        C:\windows\system\WQATHQ.exe
        271⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYCYLOW.exe.bat" "
        272⤵
        
        PID:3988
        
        C:\windows\SysWOW64\FYCYLOW.exe
        
        C:\windows\system32\FYCYLOW.exe
        273⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MJRHD.exe.bat" "
        274⤵
        
        PID:4212
        
        C:\windows\system\MJRHD.exe
        
        C:\windows\system\MJRHD.exe
        275⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QZX.exe.bat" "
        276⤵
        
        PID:1368
        
        C:\windows\SysWOW64\QZX.exe
        
        C:\windows\system32\QZX.exe
        277⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWKLA.exe.bat" "
        278⤵
        
        PID:3944
        
        C:\windows\SysWOW64\LWKLA.exe
        
        C:\windows\system32\LWKLA.exe
        279⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NULNYA.exe.bat" "
        280⤵
        
        PID:5064
        
        C:\windows\NULNYA.exe
        
        C:\windows\NULNYA.exe
        281⤵
        Drops file in Windows directory
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKS.exe.bat" "
        282⤵
        
        PID:4564
        
        C:\windows\system\RKS.exe
        
        C:\windows\system\RKS.exe
        283⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ALUA.exe.bat" "
        284⤵
        
        PID:4132
        
        C:\windows\ALUA.exe
        
        C:\windows\ALUA.exe
        285⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBAAAID.exe.bat" "
        286⤵
        
        PID:1624
        
        C:\windows\SysWOW64\MBAAAID.exe
        
        C:\windows\system32\MBAAAID.exe
        287⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WLKZMC.exe.bat" "
        288⤵
        
        PID:3968
        
        C:\windows\WLKZMC.exe
        
        C:\windows\WLKZMC.exe
        289⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\POODSAU.exe.bat" "
        290⤵
        
        PID:992
        
        C:\windows\system\POODSAU.exe
        
        C:\windows\system\POODSAU.exe
        291⤵
        Drops file in Windows directory
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKF.exe.bat" "
        292⤵
        
        PID:2380
        
        C:\windows\system\SKF.exe
        
        C:\windows\system\SKF.exe
        293⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MXKOO.exe.bat" "
        294⤵
        
        PID:1756
        
        C:\windows\SysWOW64\MXKOO.exe
        
        C:\windows\system32\MXKOO.exe
        295⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GKDM.exe.bat" "
        296⤵
        
        PID:940
        
        C:\windows\SysWOW64\GKDM.exe
        
        C:\windows\system32\GKDM.exe
        297⤵
        Drops file in Windows directory
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQBJ.exe.bat" "
        298⤵
        
        PID:4708
        
        C:\windows\system\CQBJ.exe
        
        C:\windows\system\CQBJ.exe
        299⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGCBPEE.exe.bat" "
        300⤵
        
        PID:3060
        
        C:\windows\system\SGCBPEE.exe
        
        C:\windows\system\SGCBPEE.exe
        301⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UTT.exe.bat" "
        302⤵
        
        PID:2764
        
        C:\windows\UTT.exe
        
        C:\windows\UTT.exe
        303⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CZG.exe.bat" "
        304⤵
        
        PID:3304
        
        C:\windows\CZG.exe
        
        C:\windows\CZG.exe
        305⤵
        Drops file in Windows directory
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SXT.exe.bat" "
        306⤵
        
        PID:4464
        
        C:\windows\system\SXT.exe
        
        C:\windows\system\SXT.exe
        307⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MKYSE.exe.bat" "
        308⤵
        
        PID:2264
        
        C:\windows\SysWOW64\MKYSE.exe
        
        C:\windows\system32\MKYSE.exe
        309⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYJI.exe.bat" "
        310⤵
        
        PID:2488
        
        C:\windows\SysWOW64\GYJI.exe
        
        C:\windows\system32\GYJI.exe
        311⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBNMXO.exe.bat" "
        312⤵
        
        PID:3836
        
        C:\windows\system\GBNMXO.exe
        
        C:\windows\system\GBNMXO.exe
        313⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBEYF.exe.bat" "
        314⤵
        
        PID:4872
        
        C:\windows\SysWOW64\PBEYF.exe
        
        C:\windows\system32\PBEYF.exe
        315⤵
        Checks computer location settings
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CMAE.exe.bat" "
        316⤵
        
        PID:4892
        
        C:\windows\SysWOW64\CMAE.exe
        
        C:\windows\system32\CMAE.exe
        317⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFDFB.exe.bat" "
        318⤵
        
        PID:4812
        
        C:\windows\SysWOW64\GFDFB.exe
        
        C:\windows\system32\GFDFB.exe
        319⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVJNNTV.exe.bat" "
        320⤵
        
        PID:3944
        
        C:\windows\SysWOW64\KVJNNTV.exe
        
        C:\windows\system32\KVJNNTV.exe
        321⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVMZD.exe.bat" "
        322⤵
        
        PID:1248
        
        C:\windows\SysWOW64\AVMZD.exe
        
        C:\windows\system32\AVMZD.exe
        323⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NGIY.exe.bat" "
        324⤵
        
        PID:3608
        
        C:\windows\NGIY.exe
        
        C:\windows\NGIY.exe
        325⤵
        Drops file in Windows directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LRAV.exe.bat" "
        326⤵
        
        PID:1332
        
        C:\windows\LRAV.exe
        
        C:\windows\LRAV.exe
        327⤵
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOLBIXQ.exe.bat" "
        328⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1240
        328⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1304
        326⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 984
        324⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988
        322⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1296
        320⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1000
        318⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 960
        316⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1200
        314⤵
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 960
        312⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960
        310⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 964
        308⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1336
        306⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 960
        304⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1004
        302⤵
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1268
        300⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 960
        298⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 960
        296⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 988
        294⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 960
        292⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1308
        290⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 960
        288⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1008
        286⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 960
        284⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1008
        282⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1304
        280⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1008
        278⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 960
        276⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 960
        274⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 964
        272⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1268
        270⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 960
        268⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 960
        266⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1296
        264⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 960
        262⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1328
        260⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1324
        258⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1248
        256⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1300
        254⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1008
        252⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 964
        250⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1304
        248⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 964
        246⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 960
        244⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1248
        242⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 988
        240⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1000
        238⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1264
        236⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1008
        234⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 980
        232⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 880
        230⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1008
        228⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 960
        226⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 964
        224⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1336
        222⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 996
        220⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1324
        218⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 976
        216⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1296
        214⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1312
        212⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1328
        210⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1328
        208⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328
        206⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1292
        204⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1324
        202⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1336
        200⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1256
        198⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1300
        196⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1296
        194⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1260
        192⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 960
        190⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1260
        188⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1004
        186⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 988
        184⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 960
        182⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1308
        180⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1332
        178⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 960
        176⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1336
        174⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1336
        172⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1316
        170⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1304
        168⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 976
        166⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1336
        164⤵
        
        PID:804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 1316
        162⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1328
        160⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1004
        158⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1304
        156⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1308
        154⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1308
        152⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1304
        150⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1328
        148⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1336
        146⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 960
        144⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1336
        142⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1296
        140⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1316
        138⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960
        136⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1336
        134⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1328
        132⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 960
        130⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1216
        128⤵
        Program crash
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1308
        126⤵
        Program crash
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 872
        124⤵
        Program crash
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1316
        122⤵
        Program crash
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 960
        120⤵
        Program crash
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 960
        118⤵
        Program crash
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 960
        116⤵
        Program crash
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 960
        114⤵
        Program crash
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 988
        112⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1324
        110⤵
        Program crash
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 872
        108⤵
        Program crash
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1336
        106⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1328
        104⤵
        Program crash
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 960
        102⤵
        Program crash
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 988
        100⤵
        Program crash
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 988
        98⤵
        Program crash
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 960
        96⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 960
        94⤵
        Program crash
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 960
        92⤵
        Program crash
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 960
        90⤵
        Program crash
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1328
        88⤵
        Program crash
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1332
        86⤵
        Program crash
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 988
        84⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 988
        82⤵
        Program crash
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1328
        80⤵
        Program crash
        
        PID:1932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1248
        78⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 960
        76⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1324
        74⤵
        Program crash
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1328
        72⤵
        Program crash
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 960
        70⤵
        Program crash
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1332
        68⤵
        Program crash
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1328
        66⤵
        Program crash
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1260
        64⤵
        Program crash
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1300
        62⤵
        Program crash
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1336
        60⤵
        Program crash
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 960
        58⤵
        Program crash
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1300
        56⤵
        Program crash
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1336
        54⤵
        Program crash
        
        PID:4136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1336
        52⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1304
        50⤵
        Program crash
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 988
        48⤵
        Program crash
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1240
        46⤵
        Program crash
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 988
        44⤵
        Program crash
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1336
        42⤵
        Program crash
        
        PID:412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 960
        40⤵
        Program crash
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1336
        38⤵
        Program crash
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1248
        36⤵
        Program crash
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1300
        34⤵
        Program crash
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1336
        32⤵
        Program crash
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1292
        30⤵
        Program crash
        
        PID:3732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1308
        28⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1324
        26⤵
        Program crash
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1336
        24⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1332
        22⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1008
        20⤵
        Program crash
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1324
        18⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1304
        16⤵
        Program crash
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1308
        14⤵
        Program crash
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1268
        12⤵
        Program crash
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 988
        10⤵
        Program crash
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1260
        8⤵
        Program crash
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 960
        6⤵
        Program crash
        
        PID:1328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1000
      4⤵
      Program crash
      PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 976
  2⤵
  - Program crash
  PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3928 -ip 3928
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2444 -ip 2444
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2640 -ip 2640
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2580 -ip 2580
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3468 -ip 3468
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 612 -ip 612
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3600 -ip 3600
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 924 -ip 924
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3796 -ip 3796
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1756 -ip 1756
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1140 -ip 1140
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1912 -ip 1912
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1932 -ip 1932
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1052 -ip 1052
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2860 -ip 2860
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 232 -ip 232
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1896 -ip 1896
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 780 -ip 780
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 536 -ip 536
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4456 -ip 4456
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1400 -ip 1400
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 904 -ip 904
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4308 -ip 4308
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3404 -ip 3404
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1840 -ip 1840
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4840 -ip 4840
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4608 -ip 4608
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4252 -ip 4252
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 372 -ip 372
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1828 -ip 1828
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3064 -ip 3064
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2244 -ip 2244
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4708 -ip 4708
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4872 -ip 4872
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4352 -ip 4352
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3364 -ip 3364
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1416 -ip 1416
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4804 -ip 4804
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4148 -ip 4148
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3932 -ip 3932
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3384 -ip 3384
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2184 -ip 2184
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4304 -ip 4304
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4472 -ip 4472
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3844 -ip 3844
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3512 -ip 3512
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3024 -ip 3024
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4796 -ip 4796
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2948 -ip 2948
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1932 -ip 1932
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1936 -ip 1936
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3552 -ip 3552
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4352 -ip 4352
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 952 -ip 952
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3844 -ip 3844
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3408 -ip 3408
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3348 -ip 3348
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3100 -ip 3100
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 536 -ip 536
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2936 -ip 2936
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2724 -ip 2724
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4252 -ip 4252
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1784 -ip 1784
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4636 -ip 4636
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 612 -ip 612
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3416 -ip 3416
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4936 -ip 4936
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4340 -ip 4340
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4620 -ip 4620
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1396 -ip 1396
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4124 -ip 4124
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5068 -ip 5068
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2252 -ip 2252
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2492 -ip 2492
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3788 -ip 3788
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4560 -ip 4560
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1040 -ip 1040
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1576 -ip 1576
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1820 -ip 1820
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3296 -ip 3296
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5076 -ip 5076
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4300 -ip 4300
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2028 -ip 2028
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 456 -ip 456
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2572 -ip 2572
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3472 -ip 3472
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1624 -ip 1624
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 796 -ip 796
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4500 -ip 4500
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4080 -ip 4080
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1344 -ip 1344
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4324 -ip 4324
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3300 -ip 3300
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1632 -ip 1632
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2492 -ip 2492
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1368 -ip 1368
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3012 -ip 3012
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2896 -ip 2896
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1576 -ip 1576
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4352 -ip 4352
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4380 -ip 4380
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4252 -ip 4252
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 776 -ip 776
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 232 -ip 232
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3136 -ip 3136
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4344 -ip 4344
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2952 -ip 2952
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1140 -ip 1140
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3608 -ip 3608
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1408 -ip 1408
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3968 -ip 3968
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3132 -ip 3132
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2688 -ip 2688
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1192 -ip 1192
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3728 -ip 3728
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2064 -ip 2064
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1124 -ip 1124
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1644 -ip 1644
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1920 -ip 1920
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3880 -ip 3880
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4616 -ip 4616
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4888 -ip 4888
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2480 -ip 2480
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2968 -ip 2968
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1368 -ip 1368
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4124 -ip 4124
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 412 -ip 412
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3388 -ip 3388
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1836 -ip 1836
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1964 -ip 1964
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4252 -ip 4252
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4484 -ip 4484
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4232 -ip 4232
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3124 -ip 3124
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1592 -ip 1592
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2704 -ip 2704
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3868 -ip 3868
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4452 -ip 4452
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1140 -ip 1140
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3976 -ip 3976
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 216 -ip 216
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2476 -ip 2476
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 224 -ip 224
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4484 -ip 4484
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4244 -ip 4244
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4088 -ip 4088
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4904 -ip 4904
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3368 -ip 3368
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2432 -ip 2432
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4988 -ip 4988
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4132 -ip 4132
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4276 -ip 4276
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4936 -ip 4936
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3744 -ip 3744
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 224 -ip 224
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 456 -ip 456
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2740 -ip 2740
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 796 -ip 796
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4460 -ip 4460
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4944 -ip 4944
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3996 -ip 3996
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3244 -ip 3244
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\KBAVYAR.exe

Filesize
384KB

MD5
d93d87b738bc9615684caf129dcdaba8

SHA1
23106d4bcf694c847808e8a04eddb5cb0289baaf

SHA256
7c67b4f5c0b379a3c4645452a44470e1a88ec110de410c25e7ec36373bf1f0db

SHA512
d34b0b7f94a23c7281eb864318a61f89265becc97e33bb53b91f40b3bb02d530222993ede7c57bf2b13d6cce5498cf59afd710258f4bc297748c773d8c95da02

Download Submit
C:\Windows\SXP.exe

Filesize
384KB

MD5
39f61dc6147be045156da9f58e8ff78b

SHA1
32cecabcb786e23cb9667063b30fc6e04edc6fd4

SHA256
3093d8d6f9c2bc7e579419cfc92ac1b498c82224153b7579ebcbc2a080a94461

SHA512
db3920b9f1bae4fb96d881de2411d9dc9194b3f9b86a0119d8de5b595b861336bd2770e4de6ed0995ecd66da362bb6516de40f2cd4df8fcc025f1d7f866fdf05

Download Submit
C:\Windows\SysWOW64\PNOC.exe

Filesize
384KB

MD5
08dd3eb9373f3c9f1444f42d722a9372

SHA1
8808e200a206bd91eae1ee6bf5ab66886725d3fe

SHA256
ba086838abbbf447e798caf30020d07d83e28746a3f520af35ac2ec85dac3898

SHA512
45b19ba8497c50ece8c743423f0584b8906fcfb585b83909a8b04d34bede62345441e394d3f0a92d6ff8915ec84cc7c6a198ce79141a7ba260c4bba63fef0702

Download Submit
C:\Windows\SysWOW64\VTE.exe

Filesize
384KB

MD5
ea05e93d8f09180411d5fb66ec0bccc1

SHA1
bf49005415190dab400e9674897d418706ea2437

SHA256
6fc2e39b7d55a24bdaaa41ad13035e1e35ed7890cbab80d13cddd92d357169b9

SHA512
848439d4cb2264514a317e37ba50650e8f841bc2264cce20c66d907c72ef369723e1957147ef82a8a850f41298610aa213d516e071974cadf6fab24f027c11aa

Download Submit
C:\Windows\SysWOW64\YJJSXR.exe

Filesize
384KB

MD5
e1d9bb2984fc56210311a73e1ca119dd

SHA1
de8d068232112cdc95b8414d0a20673178908d3c

SHA256
8e0c566336c6187f6e77610fb0367e883e92fadf5d8e31ae46b9f74f4e0cd753

SHA512
f1944eaf0a134d09bcd102702f7ee52eb5e86d51e2838560a84df138246da04aece75599c163fcbf66edfec69f4a7bdb20e5d3c3b16b13c7bcbd1b48bde176af

Download Submit
C:\Windows\System\BKDYXIP.exe

Filesize
384KB

MD5
7e4076c4103a03a8fa453461f054718d

SHA1
5fffc2c86d1a4257c93287b17017950e12095c65

SHA256
8c36d1287258fe33d5104892c3eddfae8f424e5179850dd17c201ace44a7a9e9

SHA512
cdfb7bbd2cc7c5a93b20da50cff9eb0031bf475e5203bc92630575cd89ef566026e78336b8af0e82a9ee674debd864cd4a1498daec6533cfbfbbd57f54f4855f

Download Submit
C:\Windows\System\DDYG.exe

Filesize
384KB

MD5
41501d4c1170b7005b53601e10846ae5

SHA1
ef25da75773f830f7df8eb8360721307a90db8d6

SHA256
1c883c4c0fff21c378bea27b0284d08d40bccae757751506ba25f09a8f89f459

SHA512
87e80057b19c09d923250829be1ed2ab2caca959f337d2296cf7839caae710b3ed5ccf3c551708d55744271ea86f799bf433a4addf3eae876f413208ab1902c6

Download Submit
C:\Windows\System\LRSVBH.exe

Filesize
384KB

MD5
7724622258f0a30c97dc645718279154

SHA1
be463642c067658f8e42296516d10adc4da11ea3

SHA256
c3aad0df2cbd502e185d4785607c3d00a9e50cc6e482f2e79f73b854867707ef

SHA512
f13aaa460b70bace779825d0858d3e426a1032c4ff18d7873f43b19fe03adf14e60e4da8387f024ee61f8c720d1b5565d2183458f2f42659fac59e3d77622119

Download Submit
C:\Windows\System\RMNFTCJ.exe

Filesize
384KB

MD5
66d4976882c87ad9794a41398b8744b9

SHA1
d825e5a9344014d631a7f8653924be16b1427058

SHA256
452200f84f9b5314588252a7a8018f8e87ed429f046df664b2df7facf088e71b

SHA512
d7914693b151d559874a3a59e5d01ebc2e63a2f3c1a3a51579420fb1624b5c1d41f3716829a2bf4ed6566d253b06e48fbaefcb19d7e3bc18fe42e39f836bd515

Download Submit
C:\Windows\VVW.exe

Filesize
384KB

MD5
e210b241e12268b074d322a7940f9cee

SHA1
dadb2d85a9dd55cd325dbbfb553cb502509a610e

SHA256
f16164d1d76d783f7df866d9a4f9f1e4a9d4b4acc48e3280bb4557e56d4092f2

SHA512
cd5a7b1f9d75d29f3c2fc301ca1388616fce32b147dc2acb5b3424c1bc683289eda84569e7eb1347de26e84c303f49709d6c9c84b2c1b768e9d10858e524a250

Download Submit
C:\Windows\YXT.exe

Filesize
384KB

MD5
c53bce1e93ee18f455411bd2e192e37e

SHA1
9fac84d66578b2e62a3eafb3a0ff58f6bc21b037

SHA256
11860a61805d3e5b44b08442ca6458bf33cf0b1eeca0f0a4b7865d431fa77fb8

SHA512
ac966b54b6b7d8c5d979aa58115d567866c3ffce1c6afa029d25e86dea38e4b8f6ea327c700004bf0f098bf3c58f16c1daec02c1a83b341b70296e9c50d3a0a3

Download Submit
C:\windows\CJDIR.exe

Filesize
384KB

MD5
e0be33ba8e03020e00a50f63842e14fc

SHA1
5050ed328c19c7f978d2f8d8029ae1b330e6366a

SHA256
10c57ab1de072dbbcdb56952cd3083f327acf2f3c2b4ac50b7e1cc2e2b240f2d

SHA512
81cd4eec4e66f97fc336447d62657a955e58911980caf0b2a5990a84c24aee34525dce6da4edc52847c9d6c17a9a3362a5165281a12b4e83e83191aca83e7f28

Download Submit
C:\windows\CJDIR.exe.bat

Filesize
56B

MD5
3c2add9b47e44d5ed706279ce7a05508

SHA1
5c014ad717e75b8f694cc5eec1791b908abb3a4a

SHA256
29eec26a75c76a0dfdeefdb40f85ad792845d7e99737e8e2dd406ec04c3be9eb

SHA512
cfa13d1d561bc320412634715b2bf5b574910585296abeb5d97ffe6b5a34d9eee7af12cdfc44900ac0028a8b74de22677493e96bac9309ecc39ea5135bce6d56

Download Submit
C:\windows\KBAVYAR.exe.bat

Filesize
60B

MD5
6f92d9e12dd54c13c43f4ca03bc8b68d

SHA1
53456587b367e6a5afcb3fa711940b88f6d3e321

SHA256
8a6c0546324a1f6f4af3251271a55a2b091336c402d7c54a1acada1f0ce596d1

SHA512
c160791f880ae2677529e7715ae7543c46a2be639e92445ae59f64a76992d2c56a77faa1bebbc7b3564e45970e1d2f322667565a29a8aaf1fc969d6cdf8557db

Download Submit
C:\windows\SXP.exe.bat

Filesize
52B

MD5
d35ea5067ebfd205343b55e3f260806e

SHA1
2f59ecefc2fa406675933e8210b391182a870f23

SHA256
d23d93892cf4842616098c50b2100edff113718810fa13e478f114bff5ebe960

SHA512
b0b1b1a61a56b6ea9f01644690299cb58911247bc34068893f402fbf20135a06fc832fe3930a994cdb4081ba0b9a826c15d8a2a6793861c14d96dbc56049b29d

Download Submit
C:\windows\SysWOW64\AITUAVL.exe

Filesize
384KB

MD5
bd6a51078d2d2c08c610fa9803361f98

SHA1
316bca90bdd2d535a73e8b2c8462c7804107db6a

SHA256
b5c15b73a373737276d6d4d4d17be86cf4a908b0a44392e4cdd35fac87391316

SHA512
193eac10e0edd1cf213512430812d425ae59519ad54ed77a9aabd1b82e93d4f9a71bb39ef9ed5e1bbcce6206735e0dc1f7d1a31e47007fbc8ae4954934052ad3

Download Submit
C:\windows\SysWOW64\AITUAVL.exe.bat

Filesize
78B

MD5
c225663b52a2b54a4caeaeefc49a576f

SHA1
4d966fa905ab0b6a2ec614930e5bbd4817609ae6

SHA256
dcfb72b25efae4c95821e4342e7b4b085af312963d985a84d55c42823457983a

SHA512
391eeb0357e99bcda8bc537ec552c04a5f9c8acd7f24d77bf9dc8df4a21eecbabb4285cf165011240d8664b99614cef4818e692aee8f8a81c5c37d17e4537974

Download Submit
C:\windows\SysWOW64\PNOC.exe.bat

Filesize
72B

MD5
3d7534cd0cc36c51267e905a2642eb30

SHA1
f5c192cfdfdeeca8a4dd0221751ca3425ad9d29e

SHA256
3119aa8714c150485bb064c55b18727c7d13817aa3990b64cd42bf2bd1124c59

SHA512
12d2e1e5a6ea6ac96c3166b29e6e67044db5c7edad902776289dd9bc7fa8eeabe8cc60f7282f53d389adc8c90e4fb58ee83baae7b3642b9c38da2a0a4b8c2248

Download Submit
C:\windows\SysWOW64\SOYSRU.exe

Filesize
384KB

MD5
bf9133f96a4ef35790ffee73408b16c9

SHA1
d79868677c9061349b0213d3acf472752ec61137

SHA256
a29a24422bee12ee7c794e569f2b5b0da656e4b06e9f431cc112c1aa1cc43513

SHA512
edfcaefb1b44aaaaa4d682c5fb9c68d748151d83e6ea7bf2af69e215d69efe60c30419b07747169745a6e72d4281bff59d8e99f4108b0d560ba4bd86dafd6959

Download Submit
C:\windows\SysWOW64\SOYSRU.exe.bat

Filesize
76B

MD5
fc1a364c61845f1951d69bd1d309119a

SHA1
8b0b0967f3fd5c8f92406a9025d50a8d514a5e03

SHA256
c7809142545d47231d6d3fdd7af69037f1ed8396db0314f1b8ae5c8709d4d85e

SHA512
2841a92f76a1bf5e1bab99ac105fbc19ca4373c3025f22a5204e307945ec44fae20fc684b5d29b1cec1d691d13bef3206b725d01ed949bec5389cbce1996f0ed

Download Submit
C:\windows\SysWOW64\VTE.exe.bat

Filesize
70B

MD5
8fd7e3fc5f20af97ed067907389db683

SHA1
2145c9a54712af1749ec9ea8e598542cf7859fb4

SHA256
c67f45bb7982349cd2998fadeee805a865e31b400cd834fced37e798a9b0adc5

SHA512
b492453522f014c8cffee7793341e44ab9cfd5ea042f10b05480962032113722d5ba70ea7276a04aed93493873d21e5f44a7e15a1cbedbec2774cfc3abc64b49

Download Submit
C:\windows\SysWOW64\WXR.exe.bat

Filesize
70B

MD5
ec74e178655e842745ad0455569e50ae

SHA1
7a4c1b9ca0a178facd6762d1de112d37fc742328

SHA256
5feeb9f10a80ad9642152f368de0f4870d3c2200ac0a8fed841c66e2711dad0c

SHA512
dd77ebc50d949510f48ea75df1518442cd5c42aacff67f81e125c5e9ef63fcca98664d9f6ca8486c042773aa05c75c87bac2a66f62a45f38f9810f42407574b2

Download Submit
C:\windows\SysWOW64\YDR.exe

Filesize
384KB

MD5
0501c5fadd7c42569186a5a388b8db56

SHA1
0f2d739d65261a7d02bba3ef2b422b9f770bdfd4

SHA256
997b545b30a7d81d45415e7c0fd3431da5c133b2f62b76bd4312a013539818bf

SHA512
9dea38c4c3b0ef7bcf021c9049a2976d2f2549c40b98f3e67084e864cf60fab02ed6b8fed747c12f9ec3c0483ea86544ed1831564e0e77e6a7b3309873dde715

Download Submit
C:\windows\SysWOW64\YDR.exe.bat

Filesize
70B

MD5
88a4bd25e265a6b92202b969673be2f1

SHA1
362726a78c3e8a1c75b4fd1c1216efd4e4347c7f

SHA256
9b6f2e37e9b8947b4ded416bbf12068b6b2f4c4618a67eae1b8d334a9dada23d

SHA512
dfbe973218436f17568294382e9c902c4c7ed34ecca2a026624bbfe6c5074d9ca22610af740907cee41c165c113d38b8431c4779c715f7ee196a8e6590b79b9c

Download Submit
C:\windows\SysWOW64\YJJSXR.exe.bat

Filesize
76B

MD5
88d0ffc755de2b4393db71f8f4a2f6b2

SHA1
8259d8af6c5997fd60f1fdb094674a22c356a75f

SHA256
308de8d1f03bfff50b521bd027128f04d6b95b39400d26afe24067ba72d8b845

SHA512
5b3daf248ac42e5f71e11f3bfd206e65fc7efb169626368612119c40f9ccc6345b2ec7b8f37ef76e7a9b72626af35dfe73a1574a8c4493b95245e93faf024d6d

Download Submit
C:\windows\UUJV.exe

Filesize
384KB

MD5
5e9f69492186e19986ef37196018608f

SHA1
d75db31d4a711d9f996188fdbb2940d84ce0367f

SHA256
9a03c74932764e3d882b900a6f75ebd7e7b01196b84e65a31eeca714fb01ec92

SHA512
7256bf82bf0ad5150209a1b9780eb0a0089b8666736b5bc7c354e582a4137b493199d5b461cda93dbefc25c6d2c3c3bcb851396c7ec42440864ae7eef9d361cb

Download Submit
C:\windows\UUJV.exe.bat

Filesize
54B

MD5
1b76626410c4cab1b164f3723f844811

SHA1
0f7316818360aed45948789ee25e7dbf338e99cf

SHA256
f17e5ff9936e9d70db4423b1d5e9dae40afcd873c68e870cb7c945fe58326a35

SHA512
37ee14018e959df284e06a725175be7c3a321523a07db0788eddb43ad5a6e57ba61e46a6763e80bd2a9c44ba998bf9b327399f1af64fbaa4adfc1a262c7648c0

Download Submit
C:\windows\VVW.exe.bat

Filesize
52B

MD5
ecd9b26bff8baf19157f610952a36ba1

SHA1
0437aafd245953e4288441e3a37e4764552d8950

SHA256
2a95e3e3940d82fca8cefdacafa91ee651dc1d409f7a4ee0e5b532395f5c9edc

SHA512
e46768671ec114d016617300bd9937f479dffd90548d66634619951ae311f84dc0496d1a185ff0fbf84e5c2ad1fdae8f74b670c0e30bd419190c210939286d6d

Download Submit
C:\windows\YXT.exe.bat

Filesize
52B

MD5
cca382ad6d86d76da756f05dde840442

SHA1
1104a56c360c81854dc49bdcd2cfec0a96ce8302

SHA256
4e09a4e7338f78e9e883c2e03edaec2f8db4b6321944b5609538a32682e9ac27

SHA512
c2bfd53701e9ee377b5ed0c1f6da9fcf5ed649461a04011d58c813fb68024fa299ccad65b0f935997b35c00ac2736e9ba5e6ed5271d9c337f56d2a06c23f4790

Download Submit
C:\windows\system\AIRNDF.exe

Filesize
384KB

MD5
6f5321c52c6f4b690c6135b0d1d7bc30

SHA1
4b93132590c40d7798e520d90d45572dc6f3ed7f

SHA256
43ea4ca2923977f8c73383d69f1e193e2343a55157b3703aa4d788977fbdb634

SHA512
7d8ca153581a301cd2288ccc66bbc34c6b4bc631bf7e462cfdd0cfd711773174450e84009a757acbaec9120b6ca21c8aaa4c516fde943c2de03cd4823795d562

Download Submit
C:\windows\system\AIRNDF.exe.bat

Filesize
72B

MD5
49e6ef512ea4ab1e00fb83c885665f44

SHA1
2d4162fc4bed433058cfdb271d9a19c09e153372

SHA256
64d1c9f474e377cccf9fadd7b2247941321d86397396eb8474bef2662f4ac687

SHA512
602c0477ad8ce0a548718d5152e7b54a05f8c9ceb0ee7ad89acd5e8b55a87ed43db88cd57d2ad81ba37d38c870cb731edaeb61ab86f8b3aa043d64234873efda

Download Submit
C:\windows\system\ATVE.exe

Filesize
384KB

MD5
e76cceb08f0f2e98c9ca463018f5aae7

SHA1
e07c94874fd6cec238dff2aabf7a840888dd36b7

SHA256
9558bcca751fb0e73b8019ed376dbe516619ede0365a60de073a3651f033e4f7

SHA512
c37cdc010d511cecc8623d1490fd48b7439d160c76dec1afc18d9f9d2811dbfdb0826dc2dfab6f35dc4a001c6f76748c05e6ea9b95e79e861cec29f8ff13eb05

Download Submit
C:\windows\system\ATVE.exe.bat

Filesize
68B

MD5
8a6c46eaf9be0f01fbd253d823175591

SHA1
ef8f27dfd439df3b59a6622e9e13c05fcba58269

SHA256
b1563f2eec8f34e7da822fc60047dd95bed265f6d72c4e0a339fa945a96565f4

SHA512
b5b034fab031523bbd58267f53823d7f1ce9ae0a62953bae889073a7d67267fc3105e06d9601ffbad3ef6547b90f3bc7f6a7912c64c91187f7feb38538150ea1

Download Submit
C:\windows\system\BKDYXIP.exe.bat

Filesize
74B

MD5
07668940cf6d18f22d2cc980e704fbd8

SHA1
d7a318693d358a77289699f69444d7f0b2561db3

SHA256
87eeaa29d34258392cf65f5497c18eb4426d1eb731aa8fb743d78499608c1419

SHA512
ff8fb32011313b6224ef8ea995f5e69c8791e33aa272870a4db5839a57525326fe089ccd8bc0c1037ce5a7bdb3286499754399b12a898ca59a8ba341af103c87

Download Submit
C:\windows\system\DDYG.exe.bat

Filesize
68B

MD5
57d8b088716ab54ef83eb45d3a3452a3

SHA1
dcdb5d99b6e66f4d8a7dfb645a91f97ab7176b3a

SHA256
d4b7d9956063441515b06db6657178bc3634cea45c83d18bde3cdfc2996fcfda

SHA512
d2502133f792d6d5f2800cce52dad8b93ff24b39ae4271f5582f81f28dc97ad16c1d72de489392cec41116c8813d6ca1029dc6fc71d6e6cff8c643772df1c344

Download Submit
C:\windows\system\HKWWCS.exe.bat

Filesize
72B

MD5
26c0a6c5926a4d35df66a3a03916035c

SHA1
f7b986a22f8f72a852649593bc165c24b23dd885

SHA256
e0707e2cd3d265db15cf0f108699d40dabe4608b1cccc0265511902b1da8b294

SHA512
8d98404373fdd080a240111c0923249bf344588700758cf63a450922c092ad1877d2bde082d3a4697ed54ace916109579dba5853603bcb57fcb92bbbd9c33bb1

Download Submit
C:\windows\system\LRSVBH.exe.bat

Filesize
72B

MD5
e627a0bef3d9dd0f905621d7d722fcda

SHA1
17bc46c123de0b1417fd06e8a81d6337acc86f19

SHA256
c2abcc34d55d79cb61f97b0c2412615a7db3b1eb14959a7b5d1e78e0cf616ede

SHA512
4aa0e54dd18af186073e7255a9ea712b60903296577014eadbba5591e33e2a325d9d9af0ddda61f8ff463a3e34ce95bf9d8470c6ece6ef0d272308dfd8becda6

Download Submit
C:\windows\system\QAXAF.exe

Filesize
384KB

MD5
3ca7599e195a42a74b073f93da7eceec

SHA1
4fc562e3744e6ded90dcc01ee83d80e19bf23410

SHA256
38b878cbb31527e8cd671671a867f14f6cc0c68dcde6546f7a28425006890cca

SHA512
8fd3ff3e256b8aeb6c5c8dd789bfea3a6cfd73149101c3cd50b0938c5668c13f142742a710c57bf3e3e99740d96ae9df68e5ec70a61756a6ae8b8e498b0c1fcb

Download Submit
C:\windows\system\QAXAF.exe.bat

Filesize
70B

MD5
46933e126ee3721a6ae52cce4416ad1c

SHA1
ca362136a3e3b615ba2ee8965e65d5fc9ff7e2cb

SHA256
49cc1f64b53566bdd8e692c9e5d8bfac712d45de899d00837423f479407bf016

SHA512
6b51ac4d2133a5e7c13a05c69c561ee314877fdc5702652707fd729bb12f8650b9b4f6162e60d01dd8dd63a3a7fb9958b30e644bdba21ff91e2b09c9006550fc

Download Submit
C:\windows\system\RMNFTCJ.exe.bat

Filesize
74B

MD5
afc17343e6fdeda9d9bbda32a99d5842

SHA1
7d0f03cfe4347fa8dcf32bdd63a9377ef76bfbba

SHA256
a2d6edb0e80ffcde7be5a5a2fa336d8d4c54fa31dbd1bfdc312399ea8a9fe2a5

SHA512
05984202971e11265e787b30703204caa48e4085de7fc8a9ebb9b8fccdd3ba52cdf04158e45e60aca52fabed9f2687b73d4a6469fe8aabbf20eafecc7e7c09e7

Download Submit
C:\windows\system\RYWAT.exe

Filesize
384KB

MD5
82f2c300e898639d1eecd658fe24ace6

SHA1
2d16575877bd383d314b95dd9dd56f3b2fbddea7

SHA256
c163fe2510e9cabd47c8197a4b0c194568efc798d1f518156dd826db9db44d21

SHA512
1a674b432a6911691e5745bf39643d3ad7434a136b994d8d0f9895153e5f8437926c1cd0d3c92d884a1812d251da8a6f94e4039464ee512f2e0c0cd5167887d4

Download Submit
C:\windows\system\RYWAT.exe.bat

Filesize
70B

MD5
dfab9813c7b97110a9368283ec4533a4

SHA1
fa3414cc0397aca53a1a9da3c57f3214860ef545

SHA256
8e3b91ead8985f27ce7e25966b19c575df55e02b99f2184faf94e50419f32d17

SHA512
7f0286e00faba3168e5bcbebc003b252329ccffb9abfd3ebcbdb09c2552a3f91a921d7729a88cbca49531c149f2ebdce5ccfb2730bb8fdac406ff6d0b120d88e

Download Submit
memory/232-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/232-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/372-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/372-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/612-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/612-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/780-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/780-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/904-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/904-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1840-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1840-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1896-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1896-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1912-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1912-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2184-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2184-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-34-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2640-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2640-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2860-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2860-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2948-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3364-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3364-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3600-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3600-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3844-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3844-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3928-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3928-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4804-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4804-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download