9c9cbede957d5bde9eede15bad06463145d71e4720000535159526389496da55

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a2ede8f521521a935a46a861571dcbb0N.exe
Size

448KB
MD5

a2ede8f521521a935a46a861571dcbb0
SHA1

46ee251845d8848d5a77c1d87cca40d98b1c7131
SHA256

9c9cbede957d5bde9eede15bad06463145d71e4720000535159526389496da55
SHA512

9be5c01f968316331df7374d5088c4793136754c1d9127ae0476d984bb7a284566e52f97d1ff8ac4d2c481bacf7729796d838ddf605f440a21aa2cf83c8f8cb3
SSDEEP

6144:EbPahFCuKGPRQXrP18w1YqGGbMQlkEjiPISUOgW9X+hOGzC/NM:EbyhNDRQXj1F1YfQkmZzcukG2/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 39 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	a2ede8f521521a935a46a861571dcbb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NXIRRCT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	QONDAHI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NRKBMMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	GFYHEUK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ISRPMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	UZZTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PMF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MVGET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MVCUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WCTG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MOQE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WWNB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	LRZM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	YWH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ZYE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RZZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	SMMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ENZAW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	KQLJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	EYZVQOP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	AAGHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	VNLQUBB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NBBUJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	FEOUG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	BXEW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	VKJNQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	UDMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	GVFQFWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	EHZM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MNNVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RJI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	FCVLZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PQREJS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MGGV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	YHRYMSY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	BHRIS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	KGSKL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	UOGGH.exe

Executes dropped EXE 39 IoCs

pid	Process
2844	EYZVQOP.exe
1968	GVFQFWX.exe
1164	WWNB.exe
2480	BHRIS.exe
1036	UZZTB.exe
3856	AAGHS.exe
3972	VNLQUBB.exe
1232	MNNVG.exe
4564	ZYE.exe
4064	LRZM.exe
2072	YWH.exe
384	PMF.exe
2544	NXIRRCT.exe
4388	MVCUE.exe
3484	KGSKL.exe
1208	MVGET.exe
1916	UOGGH.exe
5020	NRKBMMV.exe
2216	RZZJ.exe
4324	BXEW.exe
2584	VKJNQ.exe
3784	UDMV.exe
1992	PQREJS.exe
740	NBBUJ.exe
4712	RJI.exe
3824	SMMY.exe
2208	WCTG.exe
4896	FCVLZ.exe
3484	GFYHEUK.exe
4560	MGGV.exe
3088	QONDAHI.exe
4188	FEOUG.exe
2544	YHRYMSY.exe
4276	EHZM.exe
4688	ENZAW.exe
4292	ISRPMV.exe
4948	KQLJ.exe
336	MOQE.exe
4764	ZRU.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\PQREJS.exe.bat	UDMV.exe
File created	C:\windows\SysWOW64\EHZM.exe.bat	YHRYMSY.exe
File created	C:\windows\SysWOW64\WWNB.exe.bat	GVFQFWX.exe
File opened for modification	C:\windows\SysWOW64\MVCUE.exe	NXIRRCT.exe
File opened for modification	C:\windows\SysWOW64\UOGGH.exe	MVGET.exe
File created	C:\windows\SysWOW64\PQREJS.exe	UDMV.exe
File created	C:\windows\SysWOW64\FEOUG.exe.bat	QONDAHI.exe
File opened for modification	C:\windows\SysWOW64\EHZM.exe	YHRYMSY.exe
File created	C:\windows\SysWOW64\NXIRRCT.exe	PMF.exe
File created	C:\windows\SysWOW64\MVCUE.exe	NXIRRCT.exe
File created	C:\windows\SysWOW64\UOGGH.exe	MVGET.exe
File created	C:\windows\SysWOW64\UOGGH.exe.bat	MVGET.exe
File created	C:\windows\SysWOW64\GFYHEUK.exe.bat	FCVLZ.exe
File created	C:\windows\SysWOW64\GVFQFWX.exe.bat	EYZVQOP.exe
File created	C:\windows\SysWOW64\VKJNQ.exe	BXEW.exe
File opened for modification	C:\windows\SysWOW64\PQREJS.exe	UDMV.exe
File created	C:\windows\SysWOW64\VKJNQ.exe.bat	BXEW.exe
File created	C:\windows\SysWOW64\WWNB.exe	GVFQFWX.exe
File opened for modification	C:\windows\SysWOW64\WWNB.exe	GVFQFWX.exe
File opened for modification	C:\windows\SysWOW64\GFYHEUK.exe	FCVLZ.exe
File created	C:\windows\SysWOW64\MVCUE.exe.bat	NXIRRCT.exe
File opened for modification	C:\windows\SysWOW64\FEOUG.exe	QONDAHI.exe
File created	C:\windows\SysWOW64\EHZM.exe	YHRYMSY.exe
File opened for modification	C:\windows\SysWOW64\GVFQFWX.exe	EYZVQOP.exe
File opened for modification	C:\windows\SysWOW64\NXIRRCT.exe	PMF.exe
File created	C:\windows\SysWOW64\NXIRRCT.exe.bat	PMF.exe
File created	C:\windows\SysWOW64\FEOUG.exe	QONDAHI.exe
File created	C:\windows\SysWOW64\GVFQFWX.exe	EYZVQOP.exe
File opened for modification	C:\windows\SysWOW64\VKJNQ.exe	BXEW.exe
File created	C:\windows\SysWOW64\GFYHEUK.exe	FCVLZ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\NBBUJ.exe.bat	PQREJS.exe
File opened for modification	C:\windows\RJI.exe	NBBUJ.exe
File created	C:\windows\system\MGGV.exe.bat	GFYHEUK.exe
File created	C:\windows\system\MOQE.exe	KQLJ.exe
File created	C:\windows\BHRIS.exe	WWNB.exe
File opened for modification	C:\windows\MVGET.exe	KGSKL.exe
File created	C:\windows\ISRPMV.exe.bat	ENZAW.exe
File opened for modification	C:\windows\UZZTB.exe	BHRIS.exe
File created	C:\windows\system\RZZJ.exe	NRKBMMV.exe
File created	C:\windows\system\RZZJ.exe.bat	NRKBMMV.exe
File created	C:\windows\FCVLZ.exe.bat	WCTG.exe
File opened for modification	C:\windows\system\MGGV.exe	GFYHEUK.exe
File opened for modification	C:\windows\ENZAW.exe	EHZM.exe
File created	C:\windows\ISRPMV.exe	ENZAW.exe
File opened for modification	C:\windows\RZJIS.exe	ZRU.exe
File created	C:\windows\EYZVQOP.exe.bat	a2ede8f521521a935a46a861571dcbb0N.exe
File opened for modification	C:\windows\NBBUJ.exe	PQREJS.exe
File opened for modification	C:\windows\system\QONDAHI.exe	MGGV.exe
File created	C:\windows\EYZVQOP.exe	a2ede8f521521a935a46a861571dcbb0N.exe
File created	C:\windows\system\LRZM.exe	ZYE.exe
File created	C:\windows\PMF.exe.bat	YWH.exe
File created	C:\windows\NRKBMMV.exe.bat	UOGGH.exe
File created	C:\windows\ZYE.exe.bat	MNNVG.exe
File opened for modification	C:\windows\system\LRZM.exe	ZYE.exe
File opened for modification	C:\windows\system\YWH.exe	LRZM.exe
File created	C:\windows\WCTG.exe.bat	SMMY.exe
File created	C:\windows\FCVLZ.exe	WCTG.exe
File created	C:\windows\UZZTB.exe.bat	BHRIS.exe
File opened for modification	C:\windows\system\KGSKL.exe	MVCUE.exe
File created	C:\windows\NRKBMMV.exe	UOGGH.exe
File created	C:\windows\system\BXEW.exe.bat	RZZJ.exe
File created	C:\windows\RJI.exe	NBBUJ.exe
File created	C:\windows\WCTG.exe	SMMY.exe
File created	C:\windows\system\MGGV.exe	GFYHEUK.exe
File opened for modification	C:\windows\system\ZRU.exe	MOQE.exe
File opened for modification	C:\windows\system\BXEW.exe	RZZJ.exe
File created	C:\windows\UDMV.exe	VKJNQ.exe
File created	C:\windows\ENZAW.exe	EHZM.exe
File opened for modification	C:\windows\system\MOQE.exe	KQLJ.exe
File opened for modification	C:\windows\EYZVQOP.exe	a2ede8f521521a935a46a861571dcbb0N.exe
File created	C:\windows\BHRIS.exe.bat	WWNB.exe
File created	C:\windows\MNNVG.exe	VNLQUBB.exe
File opened for modification	C:\windows\PMF.exe	YWH.exe
File opened for modification	C:\windows\system\SMMY.exe	RJI.exe
File created	C:\windows\RZJIS.exe.bat	ZRU.exe
File created	C:\windows\system\YWH.exe	LRZM.exe
File opened for modification	C:\windows\WCTG.exe	SMMY.exe
File created	C:\windows\KQLJ.exe	ISRPMV.exe
File opened for modification	C:\windows\KQLJ.exe	ISRPMV.exe
File created	C:\windows\UZZTB.exe	BHRIS.exe
File opened for modification	C:\windows\VNLQUBB.exe	AAGHS.exe
File created	C:\windows\system\KGSKL.exe.bat	MVCUE.exe
File created	C:\windows\MVGET.exe.bat	KGSKL.exe
File opened for modification	C:\windows\FCVLZ.exe	WCTG.exe
File created	C:\windows\ENZAW.exe.bat	EHZM.exe
File created	C:\windows\KQLJ.exe.bat	ISRPMV.exe
File created	C:\windows\system\ZRU.exe	MOQE.exe
File opened for modification	C:\windows\BHRIS.exe	WWNB.exe
File created	C:\windows\ZYE.exe	MNNVG.exe
File created	C:\windows\UDMV.exe.bat	VKJNQ.exe
File created	C:\windows\system\QONDAHI.exe	MGGV.exe
File opened for modification	C:\windows\ISRPMV.exe	ENZAW.exe
File created	C:\windows\system\ZRU.exe.bat	MOQE.exe
File created	C:\windows\system\AAGHS.exe.bat	UZZTB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 39 IoCs

pid	pid_target	Process	procid_target
2060	556	WerFault.exe	83
404	2844	WerFault.exe	91
1924	1968	WerFault.exe	97
872	1164	WerFault.exe	102
4880	2480	WerFault.exe	109
4732	1036	WerFault.exe	115
3712	3856	WerFault.exe	121
4712	3972	WerFault.exe	126
3804	1232	WerFault.exe	131
4696	4564	WerFault.exe	137
3888	4064	WerFault.exe	142
3264	2072	WerFault.exe	147
3088	384	WerFault.exe	152
5060	2544	WerFault.exe	159
1656	4388	WerFault.exe	164
872	3484	WerFault.exe	169
4284	1208	WerFault.exe	174
4736	1916	WerFault.exe	179
1472	5020	WerFault.exe	184
4512	2216	WerFault.exe	189
5080	4324	WerFault.exe	194
3812	2584	WerFault.exe	199
3916	3784	WerFault.exe	204
4284	1992	WerFault.exe	209
4676	740	WerFault.exe	214
1752	4712	WerFault.exe	219
4276	3824	WerFault.exe	224
3556	2208	WerFault.exe	229
4316	4896	WerFault.exe	234
744	3484	WerFault.exe	239
848	4560	WerFault.exe	244
3364	3088	WerFault.exe	249
2452	4188	WerFault.exe	254
544	2544	WerFault.exe	259
4424	4276	WerFault.exe	264
1948	4688	WerFault.exe	269
4736	4292	WerFault.exe	274
3200	4948	WerFault.exe	279
4704	336	WerFault.exe	284

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UDMV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BHRIS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PMF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UOGGH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VKJNQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBBUJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NRKBMMV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENZAW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZRU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VNLQUBB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LRZM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZZTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MGGV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KQLJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2ede8f521521a935a46a861571dcbb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WWNB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOQE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAGHS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YWH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PQREJS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QONDAHI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GVFQFWX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NXIRRCT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMMY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WCTG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MNNVG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZYE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCVLZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISRPMV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EYZVQOP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	a2ede8f521521a935a46a861571dcbb0N.exe
556	a2ede8f521521a935a46a861571dcbb0N.exe
2844	EYZVQOP.exe
2844	EYZVQOP.exe
1968	GVFQFWX.exe
1968	GVFQFWX.exe
1164	WWNB.exe
1164	WWNB.exe
2480	BHRIS.exe
2480	BHRIS.exe
1036	UZZTB.exe
1036	UZZTB.exe
3856	AAGHS.exe
3856	AAGHS.exe
3972	VNLQUBB.exe
3972	VNLQUBB.exe
1232	MNNVG.exe
1232	MNNVG.exe
4564	ZYE.exe
4564	ZYE.exe
4064	LRZM.exe
4064	LRZM.exe
2072	YWH.exe
2072	YWH.exe
384	PMF.exe
384	PMF.exe
2544	NXIRRCT.exe
2544	NXIRRCT.exe
4388	MVCUE.exe
4388	MVCUE.exe
3484	KGSKL.exe
3484	KGSKL.exe
1208	MVGET.exe
1208	MVGET.exe
1916	UOGGH.exe
1916	UOGGH.exe
5020	NRKBMMV.exe
5020	NRKBMMV.exe
2216	RZZJ.exe
2216	RZZJ.exe
4324	BXEW.exe
4324	BXEW.exe
2584	VKJNQ.exe
2584	VKJNQ.exe
3784	UDMV.exe
3784	UDMV.exe
1992	PQREJS.exe
1992	PQREJS.exe
740	NBBUJ.exe
740	NBBUJ.exe
4712	RJI.exe
4712	RJI.exe
3824	SMMY.exe
3824	SMMY.exe
2208	WCTG.exe
2208	WCTG.exe
4896	FCVLZ.exe
4896	FCVLZ.exe
3484	GFYHEUK.exe
3484	GFYHEUK.exe
4560	MGGV.exe
4560	MGGV.exe
3088	QONDAHI.exe
3088	QONDAHI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
556	a2ede8f521521a935a46a861571dcbb0N.exe
556	a2ede8f521521a935a46a861571dcbb0N.exe
2844	EYZVQOP.exe
2844	EYZVQOP.exe
1968	GVFQFWX.exe
1968	GVFQFWX.exe
1164	WWNB.exe
1164	WWNB.exe
2480	BHRIS.exe
2480	BHRIS.exe
1036	UZZTB.exe
1036	UZZTB.exe
3856	AAGHS.exe
3856	AAGHS.exe
3972	VNLQUBB.exe
3972	VNLQUBB.exe
1232	MNNVG.exe
1232	MNNVG.exe
4564	ZYE.exe
4564	ZYE.exe
4064	LRZM.exe
4064	LRZM.exe
2072	YWH.exe
2072	YWH.exe
384	PMF.exe
384	PMF.exe
2544	NXIRRCT.exe
2544	NXIRRCT.exe
4388	MVCUE.exe
4388	MVCUE.exe
3484	KGSKL.exe
3484	KGSKL.exe
1208	MVGET.exe
1208	MVGET.exe
1916	UOGGH.exe
1916	UOGGH.exe
5020	NRKBMMV.exe
5020	NRKBMMV.exe
2216	RZZJ.exe
2216	RZZJ.exe
4324	BXEW.exe
4324	BXEW.exe
2584	VKJNQ.exe
2584	VKJNQ.exe
3784	UDMV.exe
3784	UDMV.exe
1992	PQREJS.exe
1992	PQREJS.exe
740	NBBUJ.exe
740	NBBUJ.exe
4712	RJI.exe
4712	RJI.exe
3824	SMMY.exe
3824	SMMY.exe
2208	WCTG.exe
2208	WCTG.exe
4896	FCVLZ.exe
4896	FCVLZ.exe
3484	GFYHEUK.exe
3484	GFYHEUK.exe
4560	MGGV.exe
4560	MGGV.exe
3088	QONDAHI.exe
3088	QONDAHI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4760	556	a2ede8f521521a935a46a861571dcbb0N.exe	87
PID 556 wrote to memory of 4760	556	a2ede8f521521a935a46a861571dcbb0N.exe	87
PID 556 wrote to memory of 4760	556	a2ede8f521521a935a46a861571dcbb0N.exe	87
PID 4760 wrote to memory of 2844	4760	cmd.exe	91
PID 4760 wrote to memory of 2844	4760	cmd.exe	91
PID 4760 wrote to memory of 2844	4760	cmd.exe	91
PID 2844 wrote to memory of 4972	2844	EYZVQOP.exe	93
PID 2844 wrote to memory of 4972	2844	EYZVQOP.exe	93
PID 2844 wrote to memory of 4972	2844	EYZVQOP.exe	93
PID 4972 wrote to memory of 1968	4972	cmd.exe	97
PID 4972 wrote to memory of 1968	4972	cmd.exe	97
PID 4972 wrote to memory of 1968	4972	cmd.exe	97
PID 1968 wrote to memory of 1332	1968	GVFQFWX.exe	98
PID 1968 wrote to memory of 1332	1968	GVFQFWX.exe	98
PID 1968 wrote to memory of 1332	1968	GVFQFWX.exe	98
PID 1332 wrote to memory of 1164	1332	cmd.exe	102
PID 1332 wrote to memory of 1164	1332	cmd.exe	102
PID 1332 wrote to memory of 1164	1332	cmd.exe	102
PID 1164 wrote to memory of 2332	1164	WWNB.exe	105
PID 1164 wrote to memory of 2332	1164	WWNB.exe	105
PID 1164 wrote to memory of 2332	1164	WWNB.exe	105
PID 2332 wrote to memory of 2480	2332	cmd.exe	109
PID 2332 wrote to memory of 2480	2332	cmd.exe	109
PID 2332 wrote to memory of 2480	2332	cmd.exe	109
PID 2480 wrote to memory of 3060	2480	BHRIS.exe	111
PID 2480 wrote to memory of 3060	2480	BHRIS.exe	111
PID 2480 wrote to memory of 3060	2480	BHRIS.exe	111
PID 3060 wrote to memory of 1036	3060	cmd.exe	115
PID 3060 wrote to memory of 1036	3060	cmd.exe	115
PID 3060 wrote to memory of 1036	3060	cmd.exe	115
PID 1036 wrote to memory of 2968	1036	UZZTB.exe	117
PID 1036 wrote to memory of 2968	1036	UZZTB.exe	117
PID 1036 wrote to memory of 2968	1036	UZZTB.exe	117
PID 2968 wrote to memory of 3856	2968	cmd.exe	121
PID 2968 wrote to memory of 3856	2968	cmd.exe	121
PID 2968 wrote to memory of 3856	2968	cmd.exe	121
PID 3856 wrote to memory of 3760	3856	AAGHS.exe	122
PID 3856 wrote to memory of 3760	3856	AAGHS.exe	122
PID 3856 wrote to memory of 3760	3856	AAGHS.exe	122
PID 3760 wrote to memory of 3972	3760	cmd.exe	126
PID 3760 wrote to memory of 3972	3760	cmd.exe	126
PID 3760 wrote to memory of 3972	3760	cmd.exe	126
PID 3972 wrote to memory of 3564	3972	VNLQUBB.exe	127
PID 3972 wrote to memory of 3564	3972	VNLQUBB.exe	127
PID 3972 wrote to memory of 3564	3972	VNLQUBB.exe	127
PID 3564 wrote to memory of 1232	3564	cmd.exe	131
PID 3564 wrote to memory of 1232	3564	cmd.exe	131
PID 3564 wrote to memory of 1232	3564	cmd.exe	131
PID 1232 wrote to memory of 336	1232	MNNVG.exe	133
PID 1232 wrote to memory of 336	1232	MNNVG.exe	133
PID 1232 wrote to memory of 336	1232	MNNVG.exe	133
PID 336 wrote to memory of 4564	336	cmd.exe	137
PID 336 wrote to memory of 4564	336	cmd.exe	137
PID 336 wrote to memory of 4564	336	cmd.exe	137
PID 4564 wrote to memory of 4804	4564	ZYE.exe	138
PID 4564 wrote to memory of 4804	4564	ZYE.exe	138
PID 4564 wrote to memory of 4804	4564	ZYE.exe	138
PID 4804 wrote to memory of 4064	4804	cmd.exe	142
PID 4804 wrote to memory of 4064	4804	cmd.exe	142
PID 4804 wrote to memory of 4064	4804	cmd.exe	142
PID 4064 wrote to memory of 2856	4064	LRZM.exe	143
PID 4064 wrote to memory of 2856	4064	LRZM.exe	143
PID 4064 wrote to memory of 2856	4064	LRZM.exe	143
PID 2856 wrote to memory of 2072	2856	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\EYZVQOP.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\windows\EYZVQOP.exe
    C:\windows\EYZVQOP.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GVFQFWX.exe.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\windows\SysWOW64\GVFQFWX.exe
        
        C:\windows\system32\GVFQFWX.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWNB.exe.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\windows\SysWOW64\WWNB.exe
        
        C:\windows\system32\WWNB.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BHRIS.exe.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\windows\BHRIS.exe
        
        C:\windows\BHRIS.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZZTB.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\windows\UZZTB.exe
        
        C:\windows\UZZTB.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AAGHS.exe.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\windows\system\AAGHS.exe
        
        C:\windows\system\AAGHS.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VNLQUBB.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\windows\VNLQUBB.exe
        
        C:\windows\VNLQUBB.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MNNVG.exe.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\windows\MNNVG.exe
        
        C:\windows\MNNVG.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZYE.exe.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\windows\ZYE.exe
        
        C:\windows\ZYE.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRZM.exe.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\windows\system\LRZM.exe
        
        C:\windows\system\LRZM.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YWH.exe.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\windows\system\YWH.exe
        
        C:\windows\system\YWH.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PMF.exe.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\windows\PMF.exe
        
        C:\windows\PMF.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NXIRRCT.exe.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\windows\SysWOW64\NXIRRCT.exe
        
        C:\windows\system32\NXIRRCT.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVCUE.exe.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\windows\SysWOW64\MVCUE.exe
        
        C:\windows\system32\MVCUE.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KGSKL.exe.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\windows\system\KGSKL.exe
        
        C:\windows\system\KGSKL.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MVGET.exe.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\windows\MVGET.exe
        
        C:\windows\MVGET.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UOGGH.exe.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\windows\SysWOW64\UOGGH.exe
        
        C:\windows\system32\UOGGH.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NRKBMMV.exe.bat" "
        36⤵
        
        PID:1708
        
        C:\windows\NRKBMMV.exe
        
        C:\windows\NRKBMMV.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZZJ.exe.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\windows\system\RZZJ.exe
        
        C:\windows\system\RZZJ.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXEW.exe.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\windows\system\BXEW.exe
        
        C:\windows\system\BXEW.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VKJNQ.exe.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\windows\SysWOW64\VKJNQ.exe
        
        C:\windows\system32\VKJNQ.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UDMV.exe.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\windows\UDMV.exe
        
        C:\windows\UDMV.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PQREJS.exe.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\windows\SysWOW64\PQREJS.exe
        
        C:\windows\system32\PQREJS.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NBBUJ.exe.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\windows\NBBUJ.exe
        
        C:\windows\NBBUJ.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJI.exe.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\windows\RJI.exe
        
        C:\windows\RJI.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMMY.exe.bat" "
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\windows\system\SMMY.exe
        
        C:\windows\system\SMMY.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCTG.exe.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\windows\WCTG.exe
        
        C:\windows\WCTG.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FCVLZ.exe.bat" "
        56⤵
        
        PID:3520
        
        C:\windows\FCVLZ.exe
        
        C:\windows\FCVLZ.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFYHEUK.exe.bat" "
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\windows\SysWOW64\GFYHEUK.exe
        
        C:\windows\system32\GFYHEUK.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGGV.exe.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\windows\system\MGGV.exe
        
        C:\windows\system\MGGV.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QONDAHI.exe.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\windows\system\QONDAHI.exe
        
        C:\windows\system\QONDAHI.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEOUG.exe.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\windows\SysWOW64\FEOUG.exe
        
        C:\windows\system32\FEOUG.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YHRYMSY.exe.bat" "
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\windows\YHRYMSY.exe
        
        C:\windows\YHRYMSY.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EHZM.exe.bat" "
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\windows\SysWOW64\EHZM.exe
        
        C:\windows\system32\EHZM.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ENZAW.exe.bat" "
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\windows\ENZAW.exe
        
        C:\windows\ENZAW.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISRPMV.exe.bat" "
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\windows\ISRPMV.exe
        
        C:\windows\ISRPMV.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KQLJ.exe.bat" "
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\windows\KQLJ.exe
        
        C:\windows\KQLJ.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOQE.exe.bat" "
        76⤵
        
        PID:1292
        
        C:\windows\system\MOQE.exe
        
        C:\windows\system\MOQE.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRU.exe.bat" "
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\windows\system\ZRU.exe
        
        C:\windows\system\ZRU.exe
        79⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RZJIS.exe.bat" "
        80⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1248
        78⤵
        Program crash
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 976
        76⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 960
        74⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1324
        72⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 988
        70⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1300
        68⤵
        Program crash
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1324
        66⤵
        Program crash
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1300
        64⤵
        Program crash
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1336
        62⤵
        Program crash
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1336
        60⤵
        Program crash
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1328
        58⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 960
        56⤵
        Program crash
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1324
        54⤵
        Program crash
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1336
        52⤵
        Program crash
        
        PID:1752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1324
        50⤵
        Program crash
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 960
        48⤵
        Program crash
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1328
        46⤵
        Program crash
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1008
        44⤵
        Program crash
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 960
        42⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 960
        40⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 960
        38⤵
        Program crash
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 960
        36⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1328
        34⤵
        Program crash
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1292
        32⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 976
        30⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1328
        28⤵
        Program crash
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 988
        26⤵
        Program crash
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 976
        24⤵
        Program crash
        
        PID:3264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 988
        22⤵
        Program crash
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1336
        20⤵
        Program crash
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1324
        18⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1300
        16⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 960
        14⤵
        Program crash
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 960
        12⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 960
        10⤵
        Program crash
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1256
        8⤵
        Program crash
        
        PID:872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1328
        6⤵
        Program crash
        
        PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1004
      4⤵
      Program crash
      PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 980
  2⤵
  - Program crash
  PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 556 -ip 556
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2844 -ip 2844
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1164 -ip 1164
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2480 -ip 2480
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1036 -ip 1036
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3856 -ip 3856
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3972 -ip 3972
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1232 -ip 1232
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4564 -ip 4564
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4064 -ip 4064
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2072 -ip 2072
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 384 -ip 384
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2544 -ip 2544
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3484 -ip 3484
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1208 -ip 1208
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1916 -ip 1916
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5020 -ip 5020
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2216 -ip 2216
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4324 -ip 4324
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2584 -ip 2584
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 740 -ip 740
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4712 -ip 4712
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3824 -ip 3824
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2208 -ip 2208
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4896 -ip 4896
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3484 -ip 3484
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4560 -ip 4560
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3088 -ip 3088
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4188 -ip 4188
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2544 -ip 2544
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4276 -ip 4276
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4688 -ip 4688
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4292 -ip 4292
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4948 -ip 4948
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 336 -ip 336
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4764 -ip 4764
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EYZVQOP.exe

Filesize
448KB

MD5
aef158fb81e88b838ce6f79be031e7b5

SHA1
2f99b8a2278d336d404d2c00c7544c1c80a29fdd

SHA256
159029b319a7b2487ebb33a8abb211d20c8aa362a9e1e58150a23d2d9a68044a

SHA512
06e29db298ce398ebb647b57e58d990ff1bc091a1ada630aacca34b4b2abce317223da487432f4666014a36ec48a4fc4bedf837c07b3e06863dac600f44ff67e

Download Submit
C:\Windows\MNNVG.exe

Filesize
448KB

MD5
e840e40083ac381400fed527835a0419

SHA1
14eb54b0f694968c384b04546d94622e7a81f8d1

SHA256
a145cee91062a66d2e2adb9ee3b0b13ce70477f74c7d44a92836ec31c8961e44

SHA512
1cad9e9104ab29792047682721ce49f1f76b8634a6d5fab11d96dfab264d358c2dbd60a8556d15e2641b28d078f879b6f1254a652c4ba310e259b11ad92eb5ba

Download Submit
C:\Windows\MVGET.exe

Filesize
448KB

MD5
7be012af48bf58f1a608528c20748dce

SHA1
538aec942fab8c4985cbdca832fef190bbb06e60

SHA256
a18fa6b1c75247ded058c2224d149abb85dcef63b809406b6c3feab83119c71b

SHA512
63c82a64fc60397de804075377907ea38943a36876eb1dec4317af49a4b2582230f1490822459fae981591a64e19e2fb3737691659efc0590b66105a1bd9fa2b

Download Submit
C:\Windows\NRKBMMV.exe

Filesize
448KB

MD5
f9a47af8d36fb6436a0b2cf864a88d86

SHA1
c784acf33de7e55f2c99d60a0e21e2e65db7fc11

SHA256
bee568066b816b10e9b80e9b51aa6e011f6952d47449c55b71fd27b13e68ad3b

SHA512
c8b84f400dfb303ee79acdfceb684cb68c88a2ff39b278b3596cae27d1ecc3e4205ac305aeaa575195a27f4378a52eeeeae78e3a2cec22d4139e5215dcbd91d0

Download Submit
C:\Windows\SysWOW64\GVFQFWX.exe

Filesize
448KB

MD5
81ae359ea1ae0f3e9831c76968e8b729

SHA1
03949b25b93f0552a6553562c7a63e7d26b1f3cb

SHA256
6d5282eef5917a098b954970277568050205d3690085ed9d392dc158b66970b7

SHA512
0fa2689a1b14d2b0defeb5c91b7a13026413e992f9be320c69cbbecc5b9fbcbdd57e11b3c3f39804c2f6b492083e5e7e5e5461986727d3d3a33e9efb8e5a10e1

Download Submit
C:\Windows\SysWOW64\UOGGH.exe

Filesize
448KB

MD5
68065bab34335a9d9a2164928dd3f310

SHA1
8254bcf075ac8c1c3fdbbaea47e3cedc0121cee1

SHA256
95b0cd9406e718faebe95a2b3262462518f61d460a457db90a4994cbafba846b

SHA512
46f2681c174ef5933133cba1a558dbed02d457777c5d5f4737240210d19b02adf5e04dd9bcb183956c51012da329c9440bb1c335b3a08fedb395472fdc979e4e

Download Submit
C:\Windows\SysWOW64\VKJNQ.exe

Filesize
448KB

MD5
5c5704ada43d68df0b817e3325dd5606

SHA1
4dc21bcb3e29595dd17b8c68c3904c712b805ef5

SHA256
03cc5b39a20396fe3b1987e6ebfce276aaebe029c7547a0819080755f5a01e83

SHA512
231767e8306ed2bc6323266b3636b4dec1ef750273e026bc2526d071d0ee42276ef84026f2c465d8bf6798301dd60957deb2323340ae09637c28c5f300d7ae21

Download Submit
C:\Windows\SysWOW64\WWNB.exe

Filesize
448KB

MD5
7040c8725853a399959c8962b04878d1

SHA1
7b8e721c47133711f131cc45a7c937aaf39ae650

SHA256
114d16b2d9251fbe575dff6d1d5364c41ad0982e9abcd4bd101a1297f2344918

SHA512
88dee6ce5bd6433b18423cff34c9cc6ce47aaae191bbdd1bb71874aa04e99033f031981b1df741b2ebcf56848e0383d46753dd444ec10cb012767d0f96026b04

Download Submit
C:\Windows\System\LRZM.exe

Filesize
448KB

MD5
4d3fae7467cbc3f8d6d6425d0820a67c

SHA1
df7213fcd0c2c86dd7b0cb1863859ba0531116cb

SHA256
d85c5e58e4d1e1ae8bbfd0c1c51104f653af7cfc6a2216a8682a1f5dc24f49b9

SHA512
8806371b2bf62844a878c21ff6c9b6033bc0d50cf68006eae095e7cb69f28e22b13c5c5af83ea84c1233992dd0dd0aef55607125633513accfcb4b325436082a

Download Submit
C:\Windows\UZZTB.exe

Filesize
448KB

MD5
8b68a58ce160da76faf312c70890d61f

SHA1
e8bfd2ef6daab591f2f651205cb3072e34d1b16d

SHA256
d23629a55318d9837c904eea29d2db22e9663d37c7fbf03c3137399c1a950855

SHA512
ab6274969f714e298b2ab2964ed9dc607f3ae5db4844dfca2eb5e9a0a8a9f8e8092d735a3ac7a8937b65ec178197e6db772552c55f3eef4ab150db261c22dec5

Download Submit
C:\Windows\ZYE.exe

Filesize
448KB

MD5
07b01d2b901649b8cd030cd73a5dc5c1

SHA1
8518a71ab19606d53826e22f50fa066e70f14aa4

SHA256
c9377598ac9f457325fcc7d24512d95e33bcbfd4d1434ece3a3d9b2903a67b07

SHA512
be4ef996bc96cd8e753afc0a1086ca43b428d85d3e19f91d5d2db9d1fa3f09cb7b535f4398cc6ae15600b8838e6dd63a9cda950ae7e5c1cb4ca810cabf59772b

Download Submit
C:\windows\BHRIS.exe

Filesize
448KB

MD5
cfcb771e186ad8509c479e4a98da9fab

SHA1
39e9d011128e51a12b74509c7583148a7ecfd6f9

SHA256
72bb2ed509dfcc28d5584d0cb5afc39d7b7e73cad9e9d67686eeb461d4ba520c

SHA512
820a0f546e51810ecc4159696ffd386108ed1791689e403391cbaba764f09efcbdf4d4e1e32e536a40212fb58ae055ba7e4480039dd9725c9e3863f49cb30b0a

Download Submit
C:\windows\BHRIS.exe.bat

Filesize
56B

MD5
1f234c0c3efa23a898153c6df7a69c26

SHA1
30e7c89f6ea121f49fb8895bce39d6e7660d0ad4

SHA256
07f97524cdd16f549e4af36b4ed7f486ee228fc8f37cc751f21e27466d7c7cc4

SHA512
5b9cf5cb3884139847fa2ac6c6d63f9a10d8bea4d3e956a86bc6a02463cbb44f95c1e3340449d62daff758089c0b63449b24376f398b49b2d41421a4a2b8186b

Download Submit
C:\windows\EYZVQOP.exe.bat

Filesize
60B

MD5
beecd73c4a1bfabe6022b958f16cdef0

SHA1
ef01987e0261616b4f824fdcf7db9895746591f2

SHA256
cd03b25be8bce1f1cd1c93905d8083b6c15cfbbd2c0632b43b4e1cf6dfc7c20d

SHA512
2751e969cd50385e6613d5225a0e8fb461c5508d9d6cb4b7fe3b26a11ad646e96b4ebb5bc1e98c4d4c25a83b8a4632d3785f08859dd9d9e35ab74fd317158dda

Download Submit
C:\windows\MNNVG.exe.bat

Filesize
56B

MD5
2df7219a65556b8e04604d61a2fada00

SHA1
418b12296069c43fc64e9e78b378275dd362f6e9

SHA256
2e113ee92dd7052cef27e4410979d8cb7abe442e531ac79ef08ac069871c8cb8

SHA512
ca880f751e1bba742aa6e0c5a21eddbaf7f93151b2262437d7348b6e8eee07dd7e63582ab6fb3d99fe5048a10aeea4f99d84a765f4ba1ed2f62dd093940c9e00

Download Submit
C:\windows\MVGET.exe.bat

Filesize
56B

MD5
73c7617cd7f39ec10fffc8014d7511f6

SHA1
6be7380f48354ce191d7338a33583f940d548aa4

SHA256
a740bb2ec26dc2cb9682087d0dcc9a6409799ee5170267e2afb631ffcc90a5bf

SHA512
7036eac289ad307ce8c0b76b7b750cd0e76139f5cda81e16536df84b221f43816a5c1d9d0b87237d79f904a99a9ac4d4855ab7d16ff610441f5d0e0258182e20

Download Submit
C:\windows\NRKBMMV.exe.bat

Filesize
60B

MD5
84af73c6f13ea2b6c42b5053bd2e4bdb

SHA1
7533381e2de99b1a72a1a05865210fd57eb66efe

SHA256
109610d17e53c7d2d623756596f42407b30804c38106bc6e81e7b48b7fa5b76c

SHA512
05ef4f9b703e648e0756e715285d77f10fc12f815f1ceea339a325e5b3c154775ee6b3bbf488a6d610e248e24ef507b22dc5ab33775bcb040b0bc2360a53bef9

Download Submit
C:\windows\PMF.exe

Filesize
448KB

MD5
c5f9ac3b12b1f37fb99f598d1f0cc951

SHA1
50a098cf033928870b2bffd3747099ad5deed7b7

SHA256
8ed2a08e33a2c161d602b17b9e78492488e329caa189578df5372053f6310bcf

SHA512
b068ae55e451bceecf1ed10809d5a3921c3c703cba6e97882fd7b737a4b0b99c3b5380285ca0a3cb3e305a658f8c813070cc9f08bc8e5b51aa019611cdce37d6

Download Submit
C:\windows\PMF.exe.bat

Filesize
52B

MD5
af826bddfe75f254b248e1082e80831a

SHA1
2f24c2a5e012774c5b35b9929c0afcd96a2ac572

SHA256
942194be86137a65f169f82d504255ffe1d1c6c50b3cb022077947201d6c68cc

SHA512
8ee16d16cc33489a146204647e2eafb2af0cd650a9e9975c43289c1c3cf4a93a2810b731f7d842dfdd48828ab234e7b3c823888e6833f0e38b547a7bc5eeecea

Download Submit
C:\windows\SysWOW64\GVFQFWX.exe.bat

Filesize
78B

MD5
fb16da40b463c083009a2c4d2f3db83a

SHA1
de7dd0d0a7ada8a74bdb5d60451e7e5bc580fef7

SHA256
825f6d695365a12dba319bd69072caf139aead02ff7216377119479eceab4d1d

SHA512
27af7f8eccc5c01e10d985a5392e1f4287cc2bdb9198ec0b0762e9b5695372b1ee2de60536c9d27947fe55d6fa7622f72d88e5333344b9c45a4c8b83860dd601

Download Submit
C:\windows\SysWOW64\MVCUE.exe

Filesize
448KB

MD5
224de9edc62e325c1505496994fd299f

SHA1
410cea1cf3be75af6f716974852830579937aa95

SHA256
77083ad7c6245a378d95a271f79b76c5e19696f27a6e165a7ff2de122d4ff4a0

SHA512
61059c9ef37f8771574e281f37f9db2f5e3e70981b96a5a87b4c3a9a21e0522629992dc28da7ca5eb20929b130df1d56fe7cc70ca20a57b094d28a8e3e9bca31

Download Submit
C:\windows\SysWOW64\MVCUE.exe.bat

Filesize
74B

MD5
f1e3b20234dfac1551f210f6b8fe4131

SHA1
f61d31d25c56a755f8073f1629469c94d00092ec

SHA256
255d58822162acc9c6d42bbeab63157ceb7b80e34e4b1b2d6bdfe0b5c5b3bac5

SHA512
6055c221078c6376c4578e773e9b2de0b982a3148e416d20d9fc500be75d727379c15e342b8aff21bb47967d7c5df2bf7d16b61a82b45e4fb2ca52c628d247e5

Download Submit
C:\windows\SysWOW64\NXIRRCT.exe

Filesize
448KB

MD5
5c1063b4e030149ffbd81cac92c08a0f

SHA1
50ed6103b5f357cf7a71c3f5614f369d0c2e8dc5

SHA256
94cb8592d0a552d5e9337f62d40b3e01661b5eef423c6de7a890cccd1ad9e31e

SHA512
6912d4eb39cb31f70e9a4582849e104febaa45f39eab5a69d413f201bf01c24605c5656c9b12ca5a7a290d79eef46b0bbab0dc69d9add19ec90b76a37d0ed6e9

Download Submit
C:\windows\SysWOW64\NXIRRCT.exe.bat

Filesize
78B

MD5
12a5de49bf2c10c1931c8d6fe6de67e3

SHA1
2d4015d0eb7790cf5316104059f0b0c4c0fd39d3

SHA256
04c66913a3627ab876a2f1bac8e8d517bde9154a103934446b5c3202061b3e9b

SHA512
da0c9313cf53873b0d3219e3b1825d52314a4e1e7e28a0f57c249f622bd1223e35cfcec96de075cbd62ba4ccbda091c689ae54882db48a6d721cad36562fba76

Download Submit
C:\windows\SysWOW64\UOGGH.exe.bat

Filesize
74B

MD5
01b02ddeb18b6db28efc6c5c5aa1b978

SHA1
45fcbf664b865e9d0de8ee42b6c8beda745fd44d

SHA256
80d7a2f99fadc78cf2357886780e6eb983877ff148dab6cb207a589712907c17

SHA512
e19036170f97c61bc7e1fa359eb08f39968f1431b650f652d7ef8570d08130cd3ec5b6ca943d556606252e5778e91a37b5e69f6d3808205b96959d957e138b21

Download Submit
C:\windows\SysWOW64\VKJNQ.exe.bat

Filesize
74B

MD5
38459669044bd5f2263a51706a21aaca

SHA1
9019c4d9a9723ab5f34bcce9c0fed2939701ee88

SHA256
b24d18a69c348f592baaff1d5388b5975e0932fd85a1b234eeb210de3084c0b7

SHA512
eb4a212147fc928520511dc1b67b796202c9bd6c128c6d763066729bb5e01e26b8783c211e52a6b1b7b4282ebb626edd9b60e4f9d3baf226c56caf073e33b8e2

Download Submit
C:\windows\SysWOW64\WWNB.exe.bat

Filesize
72B

MD5
ef1e62b008dda9d83c1d4585d97c1dd6

SHA1
8d255df23cc4a360a982b59aea20b4211b865f3f

SHA256
d5a9bfe719704229de3d3100c4fcaad03dbf35e8b6ddeb917abb39e82710953f

SHA512
5bc0b909f5402abcaaa2b33720cdd711e2bd83bf4c5e97cdc40619d85f374d67c0ec75bbc0e14b57d6e91ffac94243ef8756a83d93710e179fb25bf55c3b29ce

Download Submit
C:\windows\UDMV.exe.bat

Filesize
54B

MD5
26972ad2379ea424e499a652dfcbdc76

SHA1
3739ba8ff73bc034d45c6b09be10c36e209c1801

SHA256
7ab86d8c0486a32bcb718dcac5c870ac63cc8354615200f9ccf75622f7b35c21

SHA512
3f89b6a72d1da755ed83ffb5239e0c758c33b10101c8d5eb9f6868733f9a4c93caf2b84071967a01140d94b2ea615fbb22621c79ac59cb07a3b20afeedece70c

Download Submit
C:\windows\UZZTB.exe.bat

Filesize
56B

MD5
3e1d1252b9c24271f238ac19818f3336

SHA1
a6caf4a2b28a73953ec33f1f6c4d64cb3b9306f1

SHA256
61db0049468085675b907068150a16981b78f51d5f059ce01084cc42684ac087

SHA512
9b7a7a350ec62e30ba40c54a3f1652dfe32d68ae4c626e2391a64ed72fc6f1db6dc5d85083d41a3ce9708e0aadd89c4629b4291a570e504290081a31061d1192

Download Submit
C:\windows\VNLQUBB.exe.bat

Filesize
60B

MD5
3ded05f61d21fe50564e1dde218a2c16

SHA1
977b96945543d4338a538e4ca5e4418c1e8fc1ee

SHA256
d9c111fd28c6af22abb88e36b218cfd0a9900dc65970ed26d3160ea9b38f5d83

SHA512
5a855f46cd60ee9ff70be6e4f6890d8091ac9fbe60044c6399f3c94b53ff6a4120a7d96ea4a935f8ce51c8d0cb32d6a9a57915100c090421d9e95b51d4150a23

Download Submit
C:\windows\ZYE.exe.bat

Filesize
52B

MD5
8ab6d6f1bd730a0bf2cb956f1f559285

SHA1
6514b1382de10927841ea0801d814ed3ba52eead

SHA256
dd5b8f3736b457012e51e2d59eb4bd69cc878ec220412eac8fe71d7b3388e6c6

SHA512
e6ebf17b784a1729f0c9996772835d2e9fbea38048945c70157f388f9fbfd1f92e7d4852fd212e7be6363374d6b6d4dd79f2c4eef36628c5d750fd65b5bf497b

Download Submit
C:\windows\system\AAGHS.exe

Filesize
448KB

MD5
3bddf23ec5112b812c03740dd9ba3901

SHA1
5d94974d1b2bb9f4b8e3fbf57b2b1cc2cea40573

SHA256
2ec2a64cd4724f2f6f0b3b9038b5093e37931c69bc4775922b49ecc953b149ce

SHA512
5b1df7a359c7ee7e639bf5809f7fd9cbfac526dc47226c4fc702f5fd91d461ec1bcc0a3f3a4987c657f64900a8602ea99e688c5a6724ca51c3b8324f303d6a4d

Download Submit
C:\windows\system\AAGHS.exe.bat

Filesize
70B

MD5
1dd94e20c54419b4cf820548b530de90

SHA1
52ea42d2835a26d90ad7f4a4b02299797e4436ea

SHA256
219b82a00c973f97f5dc9a2ff7d25d15865ed10f4b6f48a04d6883ae48d8d88f

SHA512
f12727bb0988782fc33c6df2d92005e56c19768186eba6239489e16df65cefff9ed4abb0803912bc016c0f6e304ab3b8ae2b243b8e02daf30f1bde52fe552e9f

Download Submit
C:\windows\system\BXEW.exe.bat

Filesize
68B

MD5
ac4dbee74b1dd6b5230315bfa51c69c7

SHA1
48f8f146aa710022cb02aded209cdf91ee34fa48

SHA256
e2756c94f70b3f41b4d03930122c984018ca5ab48b860018474da674062f7fab

SHA512
34cde705a2c86b3eab7d9eb3dcd3f4442498681a5b97fbacb8c0df29b3abb0ac820d11d808d1b831b7a699e6aea96a56eb46cd4d138bb6e9864edf5e66c26cd1

Download Submit
C:\windows\system\KGSKL.exe.bat

Filesize
70B

MD5
cfb2fa0ad42144611e33df5bba989255

SHA1
f4e3baf14e34910c87427f8f3712f034a8860a99

SHA256
0f14668fe239c216151773207ce1f92566af9605c2693b2000c2cd40066abd71

SHA512
3c5549ac6a223f3e5aee620f6420ed837ad7a172f2da65923d32d03b1f7c59bed13f5598bbe224108848c590bb33f9f76145acb4a1e4d2f6816140192a194f47

Download Submit
C:\windows\system\LRZM.exe.bat

Filesize
68B

MD5
cd4cbf2b5295f7276ece7ee5e7c1fd97

SHA1
f26a1beabf8ea7f22099db18270eb40d000e01e0

SHA256
f757f74f3f73cc092f726a83bdc8b46886dec79a28fc3fc0604b034637f49443

SHA512
a1fb993e2056c0e5d72f89bd9e9a1907a391132bc9a0cc6153e35aef9616839aa262f9977202cce541f810f93fca5749f1645e68a40cf0e7919c269c85f636ac

Download Submit
C:\windows\system\RZZJ.exe

Filesize
448KB

MD5
ad7aff4e1acd4807676d4d1ec06dc220

SHA1
27d1f01e47840b3a7e41f2c21704d16e137e390e

SHA256
1a5f4b6ab4ea28379fc2a186c5d5be59767afc34414f874ed38db7639fc8d5e8

SHA512
6a0aba25ddedce318ab6ec536feb4b3f8dc94c388b4aece693c098aad824ad4d9ee967b23f7edb42021e203892837f205890d876d992d64e84e947dc50a23e86

Download Submit
C:\windows\system\RZZJ.exe.bat

Filesize
68B

MD5
b143793f056b8e199cf58277279ac2e4

SHA1
3381b5cf0e23b07bc38cc2be4d642e459d32593c

SHA256
44ddc128c241db6f0ab37685fb5dfb4d6f0b7f9e9fc4058efe2a16af5c871c9f

SHA512
cb5fae9e7af4d67a59e62a3f44d30d4aecf9d781d09495f91b7215bcaad9fd9389a5d13c1b5e2712bdb3d8223f368250d280e6258649f86d2f2200bfc160f763

Download Submit
C:\windows\system\YWH.exe.bat

Filesize
66B

MD5
1dda7cdf47ce80a6bd8069848072632d

SHA1
5651ff7dfa5257d7a45189bc75a6686fa1c1e948

SHA256
e4795264a3056459fc73be36cdb814a20e67c1b2fe54bb73c69d48a34409b172

SHA512
839437fb6bdf7821ce9e03d9cf9927f8d8a840fb49cea542d482ea72aaecb39c749f5bda6793c56ff512126bff73d678180fe24ef08bc57a1c4df0ce5c7da4e4

Download Submit
memory/336-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/556-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/556-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1968-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1968-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2072-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2072-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2584-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2584-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3824-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3824-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4188-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4188-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4276-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4276-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4292-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4688-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4688-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4712-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4712-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4764-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4896-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4896-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download