5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593d

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
Size

289KB
MD5

94796ee5b62354f967affb902485a930
SHA1

97d2b3b229463ed26b06e99969cf4e834fad8188
SHA256

5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593d
SHA512

dcc9cab77d07df9200e7f6e648b9b0302047407394ddb962086ae4ea919ba8c02ee85e34829f351a3c554a93d5c27dacdbed142476e662a49648dc3623e940bb
SSDEEP

6144:UOIHIBVw49kOBGOFDw6pskECzJLaQVbU5:UroLJFE6qklJLJbU5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ODUPM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	OLMJWUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	NYHUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TKSBVX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TXMDLCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	IPOLEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	YPYDIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	GKDZQXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	GPTZC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DCUU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HALAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	LAMA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	AMYMUXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	FQF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	JIJDSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	XKE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	NOSX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RWYXNM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	STAUVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	EMYNJPH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	PNFEZIH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	KTP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	UWANDVU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	XLJYJQQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	GOAMGW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RGHXYX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	YBWP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	IBYCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	GVXYGC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	NNZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	SXYAJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	FMEAXH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	XHFCD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	SJXY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	MCFM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	LBNNRUW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ATVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	JDM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	PINCIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	KRDQNM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	SRTOSDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DDQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ZJQMSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	IXLDTXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ATGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	FGMMW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	MYVICI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	XCERJM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WPQK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	XZHWEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BUZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ZQTZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TIOBTY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BWH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CKMCOU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	JNRMHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BGWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RQIOFV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HPJWJP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TVMEDT.exe

Executes dropped EXE 64 IoCs

pid	Process
3728	LENI.exe
2152	HEP.exe
2028	AXTK.exe
1736	PNU.exe
4116	RLZWYEY.exe
1952	QWCMGK.exe
1556	SRTOSDB.exe
5060	GPTZC.exe
4512	XCERJM.exe
3044	DXQ.exe
5084	DDQ.exe
4536	IIIWPIM.exe
3020	EJKYTM.exe
976	OJME.exe
1128	WPQK.exe
3764	RZHJVTO.exe
1380	TXMDLCP.exe
1692	ODUPM.exe
2340	AVCAW.exe
5076	KTP.exe
1288	ZJQMSK.exe
4052	UWANDVU.exe
3008	CKMCOU.exe
4092	IXLDTXF.exe
3612	GVXYGC.exe
4396	OBJMQ.exe
3540	ATMXZQ.exe
5064	DJTF.exe
4508	SEFYR.exe
4672	NNZO.exe
2560	XKE.exe
2600	BSLINW.exe
2068	LBNNRUW.exe
4196	NOSX.exe
5100	RWYXNM.exe
3488	HMZWU.exe
5048	JKNQ.exe
4188	JNRMHG.exe
5056	HNZ.exe
4984	GYBQHOD.exe
1992	ATGZ.exe
4292	ATVE.exe
4196	SXYAJV.exe
1068	GHHZPF.exe
1800	ONHNZKN.exe
1556	QLNI.exe
4924	UTBISLJ.exe
1128	WOY.exe
4756	KMGD.exe
4116	VENOOXQ.exe
372	HUUWAI.exe
2760	ZPG.exe
3000	RYAXR.exe
704	JBMA.exe
1352	BGWS.exe
1356	ZZZ.exe
2448	XZHWEY.exe
1212	BCF.exe
3848	XFNISC.exe
4584	IYQ.exe
4540	KVWVI.exe
2672	FGMMW.exe
4892	FMEAXH.exe
1944	EEPQG.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\SEFYR.exe.bat	DJTF.exe
File opened for modification	C:\windows\SysWOW64\WOY.exe	UTBISLJ.exe
File created	C:\windows\SysWOW64\KMGD.exe.bat	WOY.exe
File created	C:\windows\SysWOW64\EEPQG.exe.bat	FMEAXH.exe
File created	C:\windows\SysWOW64\FDRP.exe.bat	NDCS.exe
File opened for modification	C:\windows\SysWOW64\AERFX.exe	QGLKP.exe
File opened for modification	C:\windows\SysWOW64\IBYCSC.exe	OOTS.exe
File opened for modification	C:\windows\SysWOW64\GYBQHOD.exe	HNZ.exe
File created	C:\windows\SysWOW64\QLNI.exe	ONHNZKN.exe
File created	C:\windows\SysWOW64\BGQVWNH.exe.bat	JDM.exe
File opened for modification	C:\windows\SysWOW64\YPYDIM.exe	DCUU.exe
File created	C:\windows\SysWOW64\SJXY.exe	RGTCOQX.exe
File created	C:\windows\SysWOW64\XKE.exe.bat	NNZO.exe
File created	C:\windows\SysWOW64\HNZ.exe.bat	JNRMHG.exe
File opened for modification	C:\windows\SysWOW64\VZFGO.exe	BGQVWNH.exe
File opened for modification	C:\windows\SysWOW64\SVV.exe	TKSBVX.exe
File opened for modification	C:\windows\SysWOW64\NMRFKKN.exe	WZGNU.exe
File opened for modification	C:\windows\SysWOW64\QWCMGK.exe	RLZWYEY.exe
File created	C:\windows\SysWOW64\QLNI.exe.bat	ONHNZKN.exe
File created	C:\windows\SysWOW64\BCF.exe	XZHWEY.exe
File created	C:\windows\SysWOW64\SFCOHGR.exe	BUZ.exe
File created	C:\windows\SysWOW64\EMYNJPH.exe.bat	AERFX.exe
File created	C:\windows\SysWOW64\TKSBVX.exe	YONK.exe
File created	C:\windows\SysWOW64\SVV.exe	TKSBVX.exe
File created	C:\windows\SysWOW64\HEP.exe	LENI.exe
File created	C:\windows\SysWOW64\KTP.exe	AVCAW.exe
File opened for modification	C:\windows\SysWOW64\BGQVWNH.exe	JDM.exe
File created	C:\windows\SysWOW64\FRREP.exe	FDRP.exe
File created	C:\windows\SysWOW64\EVLDAFK.exe	LAMA.exe
File created	C:\windows\SysWOW64\SEFYR.exe	DJTF.exe
File opened for modification	C:\windows\SysWOW64\JKNQ.exe	HMZWU.exe
File created	C:\windows\SysWOW64\YPYDIM.exe	DCUU.exe
File created	C:\windows\SysWOW64\SFCOHGR.exe.bat	BUZ.exe
File opened for modification	C:\windows\SysWOW64\ZQTZJ.exe	JAMWXJ.exe
File created	C:\windows\SysWOW64\TIOBTY.exe	OHZ.exe
File created	C:\windows\SysWOW64\OUICT.exe.bat	IUA.exe
File created	C:\windows\SysWOW64\OLMJWUE.exe.bat	MYVICI.exe
File created	C:\windows\SysWOW64\JIJDSH.exe.bat	WDBRQVW.exe
File created	C:\windows\SysWOW64\JKNQ.exe.bat	HMZWU.exe
File created	C:\windows\SysWOW64\ONHNZKN.exe.bat	GHHZPF.exe
File created	C:\windows\SysWOW64\KLMKL.exe.bat	RQIOFV.exe
File created	C:\windows\SysWOW64\JAMWXJ.exe	GKDZQXQ.exe
File opened for modification	C:\windows\SysWOW64\TIOBTY.exe	OHZ.exe
File opened for modification	C:\windows\SysWOW64\EPWSMJ.exe	KRDQNM.exe
File created	C:\windows\SysWOW64\OOTS.exe.bat	JIJDSH.exe
File opened for modification	C:\windows\SysWOW64\SFCOHGR.exe	BUZ.exe
File opened for modification	C:\windows\SysWOW64\KLMKL.exe	RQIOFV.exe
File opened for modification	C:\windows\SysWOW64\LZTZU.exe	MGQJMK.exe
File created	C:\windows\SysWOW64\IBYCSC.exe.bat	OOTS.exe
File created	C:\windows\SysWOW64\AVCAW.exe	ODUPM.exe
File created	C:\windows\SysWOW64\JAMWXJ.exe.bat	GKDZQXQ.exe
File created	C:\windows\SysWOW64\OUICT.exe	IUA.exe
File created	C:\windows\SysWOW64\HPJWJP.exe	MCFM.exe
File created	C:\windows\SysWOW64\NOSX.exe.bat	LBNNRUW.exe
File created	C:\windows\SysWOW64\JKNQ.exe	HMZWU.exe
File created	C:\windows\SysWOW64\GYBQHOD.exe	HNZ.exe
File created	C:\windows\SysWOW64\WOY.exe.bat	UTBISLJ.exe
File opened for modification	C:\windows\SysWOW64\KMGD.exe	WOY.exe
File opened for modification	C:\windows\SysWOW64\XZHWEY.exe	ZZZ.exe
File created	C:\windows\SysWOW64\KFXEPPM.exe.bat	EEPQG.exe
File opened for modification	C:\windows\SysWOW64\FDRP.exe	NDCS.exe
File created	C:\windows\SysWOW64\EPWSMJ.exe.bat	KRDQNM.exe
File created	C:\windows\SysWOW64\YEDRND.exe	DRZH.exe
File created	C:\windows\SysWOW64\JNRMHG.exe.bat	JKNQ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\EJKYTM.exe.bat	IIIWPIM.exe
File created	C:\windows\HMZWU.exe.bat	RWYXNM.exe
File created	C:\windows\FMEAXH.exe	FGMMW.exe
File created	C:\windows\LXQ.exe.bat	HPJWJP.exe
File created	C:\windows\system\AXTK.exe	HEP.exe
File opened for modification	C:\windows\OJME.exe	EJKYTM.exe
File opened for modification	C:\windows\NNZO.exe	SEFYR.exe
File opened for modification	C:\windows\system\IYQ.exe	XFNISC.exe
File created	C:\windows\WNKG.exe	YPYDIM.exe
File created	C:\windows\system\STAUVZ.exe.bat	KOVOKBG.exe
File created	C:\windows\system\MCFM.exe.bat	AMYMUXQ.exe
File opened for modification	C:\windows\system\RGHXYX.exe	GOAMGW.exe
File opened for modification	C:\windows\DZKQYEN.exe	RGHXYX.exe
File created	C:\windows\system\OHZ.exe	LZTZU.exe
File created	C:\windows\XCERJM.exe.bat	GPTZC.exe
File created	C:\windows\HUUWAI.exe.bat	VENOOXQ.exe
File opened for modification	C:\windows\system\XFNISC.exe	BCF.exe
File opened for modification	C:\windows\system\FGMMW.exe	KVWVI.exe
File created	C:\windows\system\IYQ.exe.bat	XFNISC.exe
File opened for modification	C:\windows\IPOLEE.exe	XWLAV.exe
File opened for modification	C:\windows\system\OHZ.exe	LZTZU.exe
File created	C:\windows\DRZH.exe.bat	BWH.exe
File created	C:\windows\system\WFS.exe	PPRQ.exe
File created	C:\windows\system\OBJMQ.exe.bat	GVXYGC.exe
File created	C:\windows\system\BSLINW.exe	XKE.exe
File opened for modification	C:\windows\system\LQXJQCQ.exe	DNOW.exe
File opened for modification	C:\windows\system\ARVCTC.exe	LWE.exe
File created	C:\windows\WPQK.exe.bat	OJME.exe
File created	C:\windows\ATMXZQ.exe	OBJMQ.exe
File created	C:\windows\HMZWU.exe	RWYXNM.exe
File created	C:\windows\system\DNOW.exe	IPOLEE.exe
File created	C:\windows\IXLDTXF.exe	CKMCOU.exe
File created	C:\windows\XHFCD.exe	KFXEPPM.exe
File created	C:\windows\WPQK.exe	OJME.exe
File created	C:\windows\SXYAJV.exe	ATVE.exe
File opened for modification	C:\windows\system\GHHZPF.exe	SXYAJV.exe
File opened for modification	C:\windows\system\YONK.exe	AEKCK.exe
File created	C:\windows\system\DJTF.exe	ATMXZQ.exe
File created	C:\windows\system\WFS.exe.bat	PPRQ.exe
File opened for modification	C:\windows\system\GKDZQXQ.exe	EMYNJPH.exe
File created	C:\windows\MYVICI.exe.bat	AFSPCBZ.exe
File created	C:\windows\system\IUA.exe.bat	SJXY.exe
File opened for modification	C:\windows\system\AFSPCBZ.exe	OUICT.exe
File created	C:\windows\system\ATVE.exe	ATGZ.exe
File opened for modification	C:\windows\UTBISLJ.exe	QLNI.exe
File created	C:\windows\ZPG.exe.bat	HUUWAI.exe
File created	C:\windows\system\STAUVZ.exe	KOVOKBG.exe
File opened for modification	C:\windows\GPTZC.exe	SRTOSDB.exe
File opened for modification	C:\windows\CKMCOU.exe	UWANDVU.exe
File created	C:\windows\system\OHZ.exe.bat	LZTZU.exe
File created	C:\windows\system\CGL.exe.bat	HALAS.exe
File created	C:\windows\MYVICI.exe	AFSPCBZ.exe
File created	C:\windows\system\BWH.exe.bat	NYHUQ.exe
File opened for modification	C:\windows\system\TVMEDT.exe	PNFEZIH.exe
File created	C:\windows\OJME.exe	EJKYTM.exe
File created	C:\windows\CKMCOU.exe	UWANDVU.exe
File created	C:\windows\system\OBJMQ.exe	GVXYGC.exe
File opened for modification	C:\windows\DCUU.exe	FRREP.exe
File created	C:\windows\SRTOSDB.exe.bat	QWCMGK.exe
File created	C:\windows\VENOOXQ.exe	KMGD.exe
File created	C:\windows\system\NYHUQ.exe.bat	TLD.exe
File created	C:\windows\system\PNFEZIH.exe	YEDRND.exe
File created	C:\windows\system\LWE.exe	STAUVZ.exe
File created	C:\windows\system\AMYMUXQ.exe	SGTGKZU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4324	3680	WerFault.exe	81
1464	3728	WerFault.exe	86
2204	2152	WerFault.exe	92
2404	2028	WerFault.exe	97
840	1736	WerFault.exe	102
2784	4116	WerFault.exe	107
2128	1952	WerFault.exe	112
2560	1556	WerFault.exe	117
732	5060	WerFault.exe	122
540	4512	WerFault.exe	127
4968	3044	WerFault.exe	134
3932	5084	WerFault.exe	139
416	4536	WerFault.exe	146
4024	3020	WerFault.exe	151
4988	976	WerFault.exe	156
2864	1128	WerFault.exe	162
3272	3764	WerFault.exe	167
4756	1380	WerFault.exe	172
3120	1692	WerFault.exe	177
1168	2340	WerFault.exe	184
2260	5076	WerFault.exe	189
4672	1288	WerFault.exe	194
2564	4052	WerFault.exe	199
2312	3008	WerFault.exe	204
2244	4092	WerFault.exe	209
2028	3612	WerFault.exe	214
3704	4396	WerFault.exe	219
4900	3540	WerFault.exe	224
4436	5064	WerFault.exe	229
2376	4508	WerFault.exe	234
1072	4672	WerFault.exe	239
2952	2560	WerFault.exe	244
4556	2600	WerFault.exe	249
3164	2068	WerFault.exe	254
4132	4196	WerFault.exe	259
4420	5100	WerFault.exe	264
3896	3488	WerFault.exe	270
4460	5048	WerFault.exe	275
1900	4188	WerFault.exe	280
2736	5056	WerFault.exe	285
2448	4984	WerFault.exe	290
3784	1992	WerFault.exe	296
3324	4292	WerFault.exe	301
5044	4196	WerFault.exe	306
4164	1068	WerFault.exe	311
2348	1800	WerFault.exe	316
3524	1556	WerFault.exe	321
2600	4924	WerFault.exe	326
4440	1128	WerFault.exe	331
1360	4756	WerFault.exe	336
2024	4116	WerFault.exe	341
3016	372	WerFault.exe	346
1848	2760	WerFault.exe	351
4460	3000	WerFault.exe	356
4556	704	WerFault.exe	361
4532	1352	WerFault.exe	366
4324	1356	WerFault.exe	371
4328	2448	WerFault.exe	376
4496	1212	WerFault.exe	381
4140	3848	WerFault.exe	386
2404	4584	WerFault.exe	391
3664	4540	WerFault.exe	396
2312	2672	WerFault.exe	401
3320	4892	WerFault.exe	406

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LWE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DJTF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZQTZJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VZFGO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXMDLCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YBWP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TVMEDT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ONHNZKN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJCXWBL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OBJMQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OOTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JBMA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KLMKL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYVICI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRZH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EMYNJPH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VTSY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IBYCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZGNU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVCAW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PINCIP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GGLMWEY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AXTK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDRP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LENI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ATGZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QLNI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPQK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARVCTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KTP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZJQMSK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CKMCOU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TKSBVX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOSX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDCS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
3728	LENI.exe
3728	LENI.exe
2152	HEP.exe
2152	HEP.exe
2028	AXTK.exe
2028	AXTK.exe
1736	PNU.exe
1736	PNU.exe
4116	RLZWYEY.exe
4116	RLZWYEY.exe
1952	QWCMGK.exe
1952	QWCMGK.exe
1556	SRTOSDB.exe
1556	SRTOSDB.exe
5060	GPTZC.exe
5060	GPTZC.exe
4512	XCERJM.exe
4512	XCERJM.exe
3044	DXQ.exe
3044	DXQ.exe
5084	DDQ.exe
5084	DDQ.exe
4536	IIIWPIM.exe
4536	IIIWPIM.exe
3020	EJKYTM.exe
3020	EJKYTM.exe
976	OJME.exe
976	OJME.exe
1128	WPQK.exe
1128	WPQK.exe
3764	RZHJVTO.exe
3764	RZHJVTO.exe
1380	TXMDLCP.exe
1380	TXMDLCP.exe
1692	ODUPM.exe
1692	ODUPM.exe
2340	AVCAW.exe
2340	AVCAW.exe
5076	KTP.exe
5076	KTP.exe
1288	ZJQMSK.exe
1288	ZJQMSK.exe
4052	UWANDVU.exe
4052	UWANDVU.exe
3008	CKMCOU.exe
3008	CKMCOU.exe
4092	IXLDTXF.exe
4092	IXLDTXF.exe
3612	GVXYGC.exe
3612	GVXYGC.exe
4396	OBJMQ.exe
4396	OBJMQ.exe
3540	ATMXZQ.exe
3540	ATMXZQ.exe
5064	DJTF.exe
5064	DJTF.exe
4508	SEFYR.exe
4508	SEFYR.exe
4672	NNZO.exe
4672	NNZO.exe
2560	XKE.exe
2560	XKE.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
3728	LENI.exe
3728	LENI.exe
2152	HEP.exe
2152	HEP.exe
2028	AXTK.exe
2028	AXTK.exe
1736	PNU.exe
1736	PNU.exe
4116	RLZWYEY.exe
4116	RLZWYEY.exe
1952	QWCMGK.exe
1952	QWCMGK.exe
1556	SRTOSDB.exe
1556	SRTOSDB.exe
5060	GPTZC.exe
5060	GPTZC.exe
4512	XCERJM.exe
4512	XCERJM.exe
3044	DXQ.exe
3044	DXQ.exe
5084	DDQ.exe
5084	DDQ.exe
4536	IIIWPIM.exe
4536	IIIWPIM.exe
3020	EJKYTM.exe
3020	EJKYTM.exe
976	OJME.exe
976	OJME.exe
1128	WPQK.exe
1128	WPQK.exe
3764	RZHJVTO.exe
3764	RZHJVTO.exe
1380	TXMDLCP.exe
1380	TXMDLCP.exe
1692	ODUPM.exe
1692	ODUPM.exe
2340	AVCAW.exe
2340	AVCAW.exe
5076	KTP.exe
5076	KTP.exe
1288	ZJQMSK.exe
1288	ZJQMSK.exe
4052	UWANDVU.exe
4052	UWANDVU.exe
3008	CKMCOU.exe
3008	CKMCOU.exe
4092	IXLDTXF.exe
4092	IXLDTXF.exe
3612	GVXYGC.exe
3612	GVXYGC.exe
4396	OBJMQ.exe
4396	OBJMQ.exe
3540	ATMXZQ.exe
3540	ATMXZQ.exe
5064	DJTF.exe
5064	DJTF.exe
4508	SEFYR.exe
4508	SEFYR.exe
4672	NNZO.exe
4672	NNZO.exe
2560	XKE.exe
2560	XKE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 748	3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	82
PID 3680 wrote to memory of 748	3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	82
PID 3680 wrote to memory of 748	3680	5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe	82
PID 748 wrote to memory of 3728	748	cmd.exe	86
PID 748 wrote to memory of 3728	748	cmd.exe	86
PID 748 wrote to memory of 3728	748	cmd.exe	86
PID 3728 wrote to memory of 3568	3728	LENI.exe	88
PID 3728 wrote to memory of 3568	3728	LENI.exe	88
PID 3728 wrote to memory of 3568	3728	LENI.exe	88
PID 3568 wrote to memory of 2152	3568	cmd.exe	92
PID 3568 wrote to memory of 2152	3568	cmd.exe	92
PID 3568 wrote to memory of 2152	3568	cmd.exe	92
PID 2152 wrote to memory of 4216	2152	HEP.exe	93
PID 2152 wrote to memory of 4216	2152	HEP.exe	93
PID 2152 wrote to memory of 4216	2152	HEP.exe	93
PID 4216 wrote to memory of 2028	4216	cmd.exe	97
PID 4216 wrote to memory of 2028	4216	cmd.exe	97
PID 4216 wrote to memory of 2028	4216	cmd.exe	97
PID 2028 wrote to memory of 3468	2028	AXTK.exe	98
PID 2028 wrote to memory of 3468	2028	AXTK.exe	98
PID 2028 wrote to memory of 3468	2028	AXTK.exe	98
PID 3468 wrote to memory of 1736	3468	cmd.exe	102
PID 3468 wrote to memory of 1736	3468	cmd.exe	102
PID 3468 wrote to memory of 1736	3468	cmd.exe	102
PID 1736 wrote to memory of 2780	1736	PNU.exe	103
PID 1736 wrote to memory of 2780	1736	PNU.exe	103
PID 1736 wrote to memory of 2780	1736	PNU.exe	103
PID 2780 wrote to memory of 4116	2780	cmd.exe	107
PID 2780 wrote to memory of 4116	2780	cmd.exe	107
PID 2780 wrote to memory of 4116	2780	cmd.exe	107
PID 4116 wrote to memory of 2764	4116	RLZWYEY.exe	108
PID 4116 wrote to memory of 2764	4116	RLZWYEY.exe	108
PID 4116 wrote to memory of 2764	4116	RLZWYEY.exe	108
PID 2764 wrote to memory of 1952	2764	cmd.exe	112
PID 2764 wrote to memory of 1952	2764	cmd.exe	112
PID 2764 wrote to memory of 1952	2764	cmd.exe	112
PID 1952 wrote to memory of 1056	1952	QWCMGK.exe	113
PID 1952 wrote to memory of 1056	1952	QWCMGK.exe	113
PID 1952 wrote to memory of 1056	1952	QWCMGK.exe	113
PID 1056 wrote to memory of 1556	1056	cmd.exe	117
PID 1056 wrote to memory of 1556	1056	cmd.exe	117
PID 1056 wrote to memory of 1556	1056	cmd.exe	117
PID 1556 wrote to memory of 5040	1556	SRTOSDB.exe	118
PID 1556 wrote to memory of 5040	1556	SRTOSDB.exe	118
PID 1556 wrote to memory of 5040	1556	SRTOSDB.exe	118
PID 5040 wrote to memory of 5060	5040	cmd.exe	122
PID 5040 wrote to memory of 5060	5040	cmd.exe	122
PID 5040 wrote to memory of 5060	5040	cmd.exe	122
PID 5060 wrote to memory of 2696	5060	GPTZC.exe	123
PID 5060 wrote to memory of 2696	5060	GPTZC.exe	123
PID 5060 wrote to memory of 2696	5060	GPTZC.exe	123
PID 2696 wrote to memory of 4512	2696	cmd.exe	127
PID 2696 wrote to memory of 4512	2696	cmd.exe	127
PID 2696 wrote to memory of 4512	2696	cmd.exe	127
PID 4512 wrote to memory of 648	4512	XCERJM.exe	130
PID 4512 wrote to memory of 648	4512	XCERJM.exe	130
PID 4512 wrote to memory of 648	4512	XCERJM.exe	130
PID 648 wrote to memory of 3044	648	cmd.exe	134
PID 648 wrote to memory of 3044	648	cmd.exe	134
PID 648 wrote to memory of 3044	648	cmd.exe	134
PID 3044 wrote to memory of 4896	3044	DXQ.exe	135
PID 3044 wrote to memory of 4896	3044	DXQ.exe	135
PID 3044 wrote to memory of 4896	3044	DXQ.exe	135
PID 4896 wrote to memory of 5084	4896	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe
"C:\Users\Admin\AppData\Local\Temp\5e0353ae94d6464c1a5233d8cf40e783afe8bf50c80ef66f8db14919f503593dN.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\LENI.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\windows\system\LENI.exe
    C:\windows\system\LENI.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEP.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\windows\SysWOW64\HEP.exe
        
        C:\windows\system32\HEP.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXTK.exe.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\windows\system\AXTK.exe
        
        C:\windows\system\AXTK.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNU.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\windows\system\PNU.exe
        
        C:\windows\system\PNU.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RLZWYEY.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\windows\RLZWYEY.exe
        
        C:\windows\RLZWYEY.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWCMGK.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\windows\SysWOW64\QWCMGK.exe
        
        C:\windows\system32\QWCMGK.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SRTOSDB.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\windows\SRTOSDB.exe
        
        C:\windows\SRTOSDB.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GPTZC.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\windows\GPTZC.exe
        
        C:\windows\GPTZC.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XCERJM.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\windows\XCERJM.exe
        
        C:\windows\XCERJM.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DXQ.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\windows\system\DXQ.exe
        
        C:\windows\system\DXQ.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DDQ.exe.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\windows\DDQ.exe
        
        C:\windows\DDQ.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIIWPIM.exe.bat" "
        24⤵
        
        PID:2340
        
        C:\windows\system\IIIWPIM.exe
        
        C:\windows\system\IIIWPIM.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EJKYTM.exe.bat" "
        26⤵
        
        PID:3432
        
        C:\windows\EJKYTM.exe
        
        C:\windows\EJKYTM.exe
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OJME.exe.bat" "
        28⤵
        
        PID:2936
        
        C:\windows\OJME.exe
        
        C:\windows\OJME.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WPQK.exe.bat" "
        30⤵
        
        PID:1656
        
        C:\windows\WPQK.exe
        
        C:\windows\WPQK.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZHJVTO.exe.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\windows\system\RZHJVTO.exe
        
        C:\windows\system\RZHJVTO.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TXMDLCP.exe.bat" "
        34⤵
        
        PID:3416
        
        C:\windows\TXMDLCP.exe
        
        C:\windows\TXMDLCP.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ODUPM.exe.bat" "
        36⤵
        
        PID:648
        
        C:\windows\SysWOW64\ODUPM.exe
        
        C:\windows\system32\ODUPM.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVCAW.exe.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\windows\SysWOW64\AVCAW.exe
        
        C:\windows\system32\AVCAW.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KTP.exe.bat" "
        40⤵
        
        PID:3164
        
        C:\windows\SysWOW64\KTP.exe
        
        C:\windows\system32\KTP.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJQMSK.exe.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\windows\system\ZJQMSK.exe
        
        C:\windows\system\ZJQMSK.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UWANDVU.exe.bat" "
        44⤵
        
        PID:4612
        
        C:\windows\system\UWANDVU.exe
        
        C:\windows\system\UWANDVU.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CKMCOU.exe.bat" "
        46⤵
        
        PID:2784
        
        C:\windows\CKMCOU.exe
        
        C:\windows\CKMCOU.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IXLDTXF.exe.bat" "
        48⤵
        
        PID:4316
        
        C:\windows\IXLDTXF.exe
        
        C:\windows\IXLDTXF.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "
        50⤵
        
        PID:648
        
        C:\windows\system\GVXYGC.exe
        
        C:\windows\system\GVXYGC.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OBJMQ.exe.bat" "
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\windows\system\OBJMQ.exe
        
        C:\windows\system\OBJMQ.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATMXZQ.exe.bat" "
        54⤵
        
        PID:1692
        
        C:\windows\ATMXZQ.exe
        
        C:\windows\ATMXZQ.exe
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DJTF.exe.bat" "
        56⤵
        
        PID:4844
        
        C:\windows\system\DJTF.exe
        
        C:\windows\system\DJTF.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEFYR.exe.bat" "
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\windows\SysWOW64\SEFYR.exe
        
        C:\windows\system32\SEFYR.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NNZO.exe.bat" "
        60⤵
        
        PID:3516
        
        C:\windows\NNZO.exe
        
        C:\windows\NNZO.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKE.exe.bat" "
        62⤵
        
        PID:2568
        
        C:\windows\SysWOW64\XKE.exe
        
        C:\windows\system32\XKE.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSLINW.exe.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\windows\system\BSLINW.exe
        
        C:\windows\system\BSLINW.exe
        65⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBNNRUW.exe.bat" "
        66⤵
        
        PID:2228
        
        C:\windows\SysWOW64\LBNNRUW.exe
        
        C:\windows\system32\LBNNRUW.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOSX.exe.bat" "
        68⤵
        
        PID:4464
        
        C:\windows\SysWOW64\NOSX.exe
        
        C:\windows\system32\NOSX.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RWYXNM.exe.bat" "
        70⤵
        
        PID:1252
        
        C:\windows\RWYXNM.exe
        
        C:\windows\RWYXNM.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMZWU.exe.bat" "
        72⤵
        
        PID:4844
        
        C:\windows\HMZWU.exe
        
        C:\windows\HMZWU.exe
        73⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKNQ.exe.bat" "
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\windows\SysWOW64\JKNQ.exe
        
        C:\windows\system32\JKNQ.exe
        75⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNRMHG.exe.bat" "
        76⤵
        
        PID:3416
        
        C:\windows\SysWOW64\JNRMHG.exe
        
        C:\windows\system32\JNRMHG.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNZ.exe.bat" "
        78⤵
        
        PID:4560
        
        C:\windows\SysWOW64\HNZ.exe
        
        C:\windows\system32\HNZ.exe
        79⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYBQHOD.exe.bat" "
        80⤵
        
        PID:3592
        
        C:\windows\SysWOW64\GYBQHOD.exe
        
        C:\windows\system32\GYBQHOD.exe
        81⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATGZ.exe.bat" "
        82⤵
        
        PID:4832
        
        C:\windows\ATGZ.exe
        
        C:\windows\ATGZ.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATVE.exe.bat" "
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\windows\system\ATVE.exe
        
        C:\windows\system\ATVE.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SXYAJV.exe.bat" "
        86⤵
        
        PID:2208
        
        C:\windows\SXYAJV.exe
        
        C:\windows\SXYAJV.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GHHZPF.exe.bat" "
        88⤵
        
        PID:1580
        
        C:\windows\system\GHHZPF.exe
        
        C:\windows\system\GHHZPF.exe
        89⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONHNZKN.exe.bat" "
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\windows\SysWOW64\ONHNZKN.exe
        
        C:\windows\system32\ONHNZKN.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLNI.exe.bat" "
        92⤵
        
        PID:2376
        
        C:\windows\SysWOW64\QLNI.exe
        
        C:\windows\system32\QLNI.exe
        93⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UTBISLJ.exe.bat" "
        94⤵
        
        PID:4124
        
        C:\windows\UTBISLJ.exe
        
        C:\windows\UTBISLJ.exe
        95⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOY.exe.bat" "
        96⤵
        
        PID:4304
        
        C:\windows\SysWOW64\WOY.exe
        
        C:\windows\system32\WOY.exe
        97⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMGD.exe.bat" "
        98⤵
        
        PID:2816
        
        C:\windows\SysWOW64\KMGD.exe
        
        C:\windows\system32\KMGD.exe
        99⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "
        100⤵
        
        PID:2244
        
        C:\windows\VENOOXQ.exe
        
        C:\windows\VENOOXQ.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HUUWAI.exe.bat" "
        102⤵
        
        PID:2272
        
        C:\windows\HUUWAI.exe
        
        C:\windows\HUUWAI.exe
        103⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZPG.exe.bat" "
        104⤵
        
        PID:4564
        
        C:\windows\ZPG.exe
        
        C:\windows\ZPG.exe
        105⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYAXR.exe.bat" "
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\windows\system\RYAXR.exe
        
        C:\windows\system\RYAXR.exe
        107⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBMA.exe.bat" "
        108⤵
        
        PID:2376
        
        C:\windows\system\JBMA.exe
        
        C:\windows\system\JBMA.exe
        109⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGWS.exe.bat" "
        110⤵
        
        PID:2500
        
        C:\windows\system\BGWS.exe
        
        C:\windows\system\BGWS.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZZ.exe.bat" "
        112⤵
        
        PID:4004
        
        C:\windows\SysWOW64\ZZZ.exe
        
        C:\windows\system32\ZZZ.exe
        113⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZHWEY.exe.bat" "
        114⤵
        
        PID:2092
        
        C:\windows\SysWOW64\XZHWEY.exe
        
        C:\windows\system32\XZHWEY.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCF.exe.bat" "
        116⤵
        
        PID:1168
        
        C:\windows\SysWOW64\BCF.exe
        
        C:\windows\system32\BCF.exe
        117⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFNISC.exe.bat" "
        118⤵
        
        PID:4756
        
        C:\windows\system\XFNISC.exe
        
        C:\windows\system\XFNISC.exe
        119⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYQ.exe.bat" "
        120⤵
        
        PID:1668
        
        C:\windows\system\IYQ.exe
        
        C:\windows\system\IYQ.exe
        121⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KVWVI.exe.bat" "
        122⤵
        
        PID:4816
        
        C:\windows\system\KVWVI.exe
        
        C:\windows\system\KVWVI.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FGMMW.exe.bat" "
        124⤵
        
        PID:1812
        
        C:\windows\system\FGMMW.exe
        
        C:\windows\system\FGMMW.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMEAXH.exe.bat" "
        126⤵
        
        PID:2500
        
        C:\windows\FMEAXH.exe
        
        C:\windows\FMEAXH.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEPQG.exe.bat" "
        128⤵
        
        PID:3168
        
        C:\windows\SysWOW64\EEPQG.exe
        
        C:\windows\system32\EEPQG.exe
        129⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFXEPPM.exe.bat" "
        130⤵
        
        PID:924
        
        C:\windows\SysWOW64\KFXEPPM.exe
        
        C:\windows\system32\KFXEPPM.exe
        131⤵
        Drops file in Windows directory
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XHFCD.exe.bat" "
        132⤵
        
        PID:2208
        
        C:\windows\XHFCD.exe
        
        C:\windows\XHFCD.exe
        133⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XLJYJQQ.exe.bat" "
        134⤵
        
        PID:2248
        
        C:\windows\XLJYJQQ.exe
        
        C:\windows\XLJYJQQ.exe
        135⤵
        Checks computer location settings
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JDM.exe.bat" "
        136⤵
        
        PID:3224
        
        C:\windows\JDM.exe
        
        C:\windows\JDM.exe
        137⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BGQVWNH.exe.bat" "
        138⤵
        
        PID:4192
        
        C:\windows\SysWOW64\BGQVWNH.exe
        
        C:\windows\system32\BGQVWNH.exe
        139⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VZFGO.exe.bat" "
        140⤵
        
        PID:4832
        
        C:\windows\SysWOW64\VZFGO.exe
        
        C:\windows\system32\VZFGO.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XWLAV.exe.bat" "
        142⤵
        
        PID:1848
        
        C:\windows\XWLAV.exe
        
        C:\windows\XWLAV.exe
        143⤵
        Drops file in Windows directory
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IPOLEE.exe.bat" "
        144⤵
        
        PID:4080
        
        C:\windows\IPOLEE.exe
        
        C:\windows\IPOLEE.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNOW.exe.bat" "
        146⤵
        
        PID:4436
        
        C:\windows\system\DNOW.exe
        
        C:\windows\system\DNOW.exe
        147⤵
        Drops file in Windows directory
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQXJQCQ.exe.bat" "
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\windows\system\LQXJQCQ.exe
        
        C:\windows\system\LQXJQCQ.exe
        149⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDCS.exe.bat" "
        150⤵
        
        PID:3156
        
        C:\windows\system\NDCS.exe
        
        C:\windows\system\NDCS.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDRP.exe.bat" "
        152⤵
        
        PID:4200
        
        C:\windows\SysWOW64\FDRP.exe
        
        C:\windows\system32\FDRP.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRREP.exe.bat" "
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\windows\SysWOW64\FRREP.exe
        
        C:\windows\system32\FRREP.exe
        155⤵
        Drops file in Windows directory
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCUU.exe.bat" "
        156⤵
        
        PID:4948
        
        C:\windows\DCUU.exe
        
        C:\windows\DCUU.exe
        157⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YPYDIM.exe.bat" "
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\windows\SysWOW64\YPYDIM.exe
        
        C:\windows\system32\YPYDIM.exe
        159⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WNKG.exe.bat" "
        160⤵
        
        PID:4168
        
        C:\windows\WNKG.exe
        
        C:\windows\WNKG.exe
        161⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PINCIP.exe.bat" "
        162⤵
        
        PID:2736
        
        C:\windows\PINCIP.exe
        
        C:\windows\PINCIP.exe
        163⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOVOKBG.exe.bat" "
        164⤵
        
        PID:2900
        
        C:\windows\system\KOVOKBG.exe
        
        C:\windows\system\KOVOKBG.exe
        165⤵
        Drops file in Windows directory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STAUVZ.exe.bat" "
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\windows\system\STAUVZ.exe
        
        C:\windows\system\STAUVZ.exe
        167⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWE.exe.bat" "
        168⤵
        
        PID:4756
        
        C:\windows\system\LWE.exe
        
        C:\windows\system\LWE.exe
        169⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARVCTC.exe.bat" "
        170⤵
        
        PID:844
        
        C:\windows\system\ARVCTC.exe
        
        C:\windows\system\ARVCTC.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "
        172⤵
        
        PID:3664
        
        C:\windows\SysWOW64\BUZ.exe
        
        C:\windows\system32\BUZ.exe
        173⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SFCOHGR.exe.bat" "
        174⤵
        
        PID:1252
        
        C:\windows\SysWOW64\SFCOHGR.exe
        
        C:\windows\system32\SFCOHGR.exe
        175⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HALAS.exe.bat" "
        176⤵
        
        PID:1872
        
        C:\windows\SysWOW64\HALAS.exe
        
        C:\windows\system32\HALAS.exe
        177⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGL.exe.bat" "
        178⤵
        
        PID:892
        
        C:\windows\system\CGL.exe
        
        C:\windows\system\CGL.exe
        179⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GOAMGW.exe.bat" "
        180⤵
        
        PID:4204
        
        C:\windows\system\GOAMGW.exe
        
        C:\windows\system\GOAMGW.exe
        181⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RGHXYX.exe.bat" "
        182⤵
        
        PID:1632
        
        C:\windows\system\RGHXYX.exe
        
        C:\windows\system\RGHXYX.exe
        183⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DZKQYEN.exe.bat" "
        184⤵
        
        PID:3732
        
        C:\windows\DZKQYEN.exe
        
        C:\windows\DZKQYEN.exe
        185⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPRQ.exe.bat" "
        186⤵
        
        PID:3308
        
        C:\windows\system\PPRQ.exe
        
        C:\windows\system\PPRQ.exe
        187⤵
        Drops file in Windows directory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFS.exe.bat" "
        188⤵
        
        PID:3600
        
        C:\windows\system\WFS.exe
        
        C:\windows\system\WFS.exe
        189⤵
        Checks computer location settings
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQIOFV.exe.bat" "
        190⤵
        
        PID:1384
        
        C:\windows\system\RQIOFV.exe
        
        C:\windows\system\RQIOFV.exe
        191⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLMKL.exe.bat" "
        192⤵
        
        PID:2640
        
        C:\windows\SysWOW64\KLMKL.exe
        
        C:\windows\system32\KLMKL.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QGLKP.exe.bat" "
        194⤵
        
        PID:1000
        
        C:\windows\QGLKP.exe
        
        C:\windows\QGLKP.exe
        195⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AERFX.exe.bat" "
        196⤵
        
        PID:5008
        
        C:\windows\SysWOW64\AERFX.exe
        
        C:\windows\system32\AERFX.exe
        197⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EMYNJPH.exe.bat" "
        198⤵
        
        PID:3044
        
        C:\windows\SysWOW64\EMYNJPH.exe
        
        C:\windows\system32\EMYNJPH.exe
        199⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKDZQXQ.exe.bat" "
        200⤵
        
        PID:2940
        
        C:\windows\system\GKDZQXQ.exe
        
        C:\windows\system\GKDZQXQ.exe
        201⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAMWXJ.exe.bat" "
        202⤵
        
        PID:2896
        
        C:\windows\SysWOW64\JAMWXJ.exe
        
        C:\windows\system32\JAMWXJ.exe
        203⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZQTZJ.exe.bat" "
        204⤵
        
        PID:3896
        
        C:\windows\SysWOW64\ZQTZJ.exe
        
        C:\windows\system32\ZQTZJ.exe
        205⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YBWP.exe.bat" "
        206⤵
        
        PID:3688
        
        C:\windows\YBWP.exe
        
        C:\windows\YBWP.exe
        207⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJCXWBL.exe.bat" "
        208⤵
        
        PID:1384
        
        C:\windows\system\CJCXWBL.exe
        
        C:\windows\system\CJCXWBL.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
        210⤵
        
        PID:4924
        
        C:\windows\MGQJMK.exe
        
        C:\windows\MGQJMK.exe
        211⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZTZU.exe.bat" "
        212⤵
        
        PID:3892
        
        C:\windows\SysWOW64\LZTZU.exe
        
        C:\windows\system32\LZTZU.exe
        213⤵
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OHZ.exe.bat" "
        214⤵
        
        PID:1644
        
        C:\windows\system\OHZ.exe
        
        C:\windows\system\OHZ.exe
        215⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TIOBTY.exe.bat" "
        216⤵
        
        PID:2124
        
        C:\windows\SysWOW64\TIOBTY.exe
        
        C:\windows\system32\TIOBTY.exe
        217⤵
        Checks computer location settings
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GTSIYPI.exe.bat" "
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\windows\GTSIYPI.exe
        
        C:\windows\GTSIYPI.exe
        219⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WBT.exe.bat" "
        220⤵
        
        PID:3088
        
        C:\windows\system\WBT.exe
        
        C:\windows\system\WBT.exe
        221⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\windows\system\GGLMWEY.exe
        
        C:\windows\system\GGLMWEY.exe
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CERJDO.exe.bat" "
        224⤵
        
        PID:4756
        
        C:\windows\SysWOW64\CERJDO.exe
        
        C:\windows\system32\CERJDO.exe
        225⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KRDQNM.exe.bat" "
        226⤵
        
        PID:4948
        
        C:\windows\KRDQNM.exe
        
        C:\windows\KRDQNM.exe
        227⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EPWSMJ.exe.bat" "
        228⤵
        
        PID:4816
        
        C:\windows\SysWOW64\EPWSMJ.exe
        
        C:\windows\system32\EPWSMJ.exe
        229⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LAMA.exe.bat" "
        230⤵
        
        PID:4580
        
        C:\windows\system\LAMA.exe
        
        C:\windows\system\LAMA.exe
        231⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVLDAFK.exe.bat" "
        232⤵
        
        PID:4600
        
        C:\windows\SysWOW64\EVLDAFK.exe
        
        C:\windows\system32\EVLDAFK.exe
        233⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RGTCOQX.exe.bat" "
        234⤵
        
        PID:2460
        
        C:\windows\system\RGTCOQX.exe
        
        C:\windows\system\RGTCOQX.exe
        235⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJXY.exe.bat" "
        236⤵
        
        PID:4592
        
        C:\windows\SysWOW64\SJXY.exe
        
        C:\windows\system32\SJXY.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IUA.exe.bat" "
        238⤵
        
        PID:3964
        
        C:\windows\system\IUA.exe
        
        C:\windows\system\IUA.exe
        239⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OUICT.exe.bat" "
        240⤵
        
        PID:2724
        
        C:\windows\SysWOW64\OUICT.exe
        
        C:\windows\system32\OUICT.exe
        241⤵
        Drops file in Windows directory
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AFSPCBZ.exe.bat" "
        242⤵
        
        PID:2536
        
        C:\windows\system\AFSPCBZ.exe
        
        C:\windows\system\AFSPCBZ.exe
        243⤵
        Drops file in Windows directory
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MYVICI.exe.bat" "
        244⤵
        
        PID:1908
        
        C:\windows\MYVICI.exe
        
        C:\windows\MYVICI.exe
        245⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLMJWUE.exe.bat" "
        246⤵
        
        PID:3060
        
        C:\windows\SysWOW64\OLMJWUE.exe
        
        C:\windows\system32\OLMJWUE.exe
        247⤵
        Checks computer location settings
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OQF.exe.bat" "
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\windows\OQF.exe
        
        C:\windows\OQF.exe
        249⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGTGKZU.exe.bat" "
        250⤵
        
        PID:1784
        
        C:\windows\system\SGTGKZU.exe
        
        C:\windows\system\SGTGKZU.exe
        251⤵
        Drops file in Windows directory
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMYMUXQ.exe.bat" "
        252⤵
        
        PID:4600
        
        C:\windows\system\AMYMUXQ.exe
        
        C:\windows\system\AMYMUXQ.exe
        253⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MCFM.exe.bat" "
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\windows\system\MCFM.exe
        
        C:\windows\system\MCFM.exe
        255⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPJWJP.exe.bat" "
        256⤵
        
        PID:4844
        
        C:\windows\SysWOW64\HPJWJP.exe
        
        C:\windows\system32\HPJWJP.exe
        257⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LXQ.exe.bat" "
        258⤵
        
        PID:4144
        
        C:\windows\LXQ.exe
        
        C:\windows\LXQ.exe
        259⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TLD.exe.bat" "
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\windows\TLD.exe
        
        C:\windows\TLD.exe
        261⤵
        Drops file in Windows directory
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NYHUQ.exe.bat" "
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\windows\system\NYHUQ.exe
        
        C:\windows\system\NYHUQ.exe
        263⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BWH.exe.bat" "
        264⤵
        
        PID:1800
        
        C:\windows\system\BWH.exe
        
        C:\windows\system\BWH.exe
        265⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DRZH.exe.bat" "
        266⤵
        
        PID:1588
        
        C:\windows\DRZH.exe
        
        C:\windows\DRZH.exe
        267⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEDRND.exe.bat" "
        268⤵
        
        PID:528
        
        C:\windows\SysWOW64\YEDRND.exe
        
        C:\windows\system32\YEDRND.exe
        269⤵
        Drops file in Windows directory
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNFEZIH.exe.bat" "
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\windows\system\PNFEZIH.exe
        
        C:\windows\system\PNFEZIH.exe
        271⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVMEDT.exe.bat" "
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\windows\system\TVMEDT.exe
        
        C:\windows\system\TVMEDT.exe
        273⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTSY.exe.bat" "
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\windows\SysWOW64\VTSY.exe
        
        C:\windows\system32\VTSY.exe
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FQF.exe.bat" "
        276⤵
        
        PID:360
        
        C:\windows\FQF.exe
        
        C:\windows\FQF.exe
        277⤵
        Checks computer location settings
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AEKCK.exe.bat" "
        278⤵
        
        PID:3432
        
        C:\windows\SysWOW64\AEKCK.exe
        
        C:\windows\system32\AEKCK.exe
        279⤵
        Drops file in Windows directory
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YONK.exe.bat" "
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\windows\system\YONK.exe
        
        C:\windows\system\YONK.exe
        281⤵
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKSBVX.exe.bat" "
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\windows\SysWOW64\TKSBVX.exe
        
        C:\windows\system32\TKSBVX.exe
        283⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVV.exe.bat" "
        284⤵
        
        PID:3488
        
        C:\windows\SysWOW64\SVV.exe
        
        C:\windows\system32\SVV.exe
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WDBRQVW.exe.bat" "
        286⤵
        
        PID:1588
        
        C:\windows\WDBRQVW.exe
        
        C:\windows\WDBRQVW.exe
        287⤵
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JIJDSH.exe.bat" "
        288⤵
        
        PID:2788
        
        C:\windows\SysWOW64\JIJDSH.exe
        
        C:\windows\system32\JIJDSH.exe
        289⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OOTS.exe.bat" "
        290⤵
        
        PID:1304
        
        C:\windows\SysWOW64\OOTS.exe
        
        C:\windows\system32\OOTS.exe
        291⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBYCSC.exe.bat" "
        292⤵
        
        PID:1520
        
        C:\windows\SysWOW64\IBYCSC.exe
        
        C:\windows\system32\IBYCSC.exe
        293⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WZGNU.exe.bat" "
        294⤵
        
        PID:1128
        
        C:\windows\system\WZGNU.exe
        
        C:\windows\system\WZGNU.exe
        295⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMRFKKN.exe.bat" "
        296⤵
        
        PID:2160
        
        C:\windows\SysWOW64\NMRFKKN.exe
        
        C:\windows\system32\NMRFKKN.exe
        297⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 880
        296⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 960
        294⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 1308
        292⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 888
        290⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 988
        288⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 988
        286⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1296
        284⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1232
        282⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1268
        280⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1240
        278⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1288
        276⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1300
        274⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1316
        272⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1312
        270⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1296
        268⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1236
        266⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 960
        264⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1336
        262⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1320
        260⤵
        
        PID:732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1324
        258⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1256
        256⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1304
        254⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1336
        252⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 976
        250⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1304
        248⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1008
        246⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1324
        244⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1336
        242⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1328
        240⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1332
        238⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 988
        236⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 960
        234⤵
        
        PID:892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 988
        232⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1272
        230⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1328
        228⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1260
        226⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1260
        224⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960
        222⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1336
        220⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 960
        218⤵
        
        PID:648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 960
        216⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 960
        214⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 960
        212⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1296
        210⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1304
        208⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1304
        206⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1300
        204⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 960
        202⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1272
        200⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1328
        198⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1328
        196⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1324
        194⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1316
        192⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 960
        190⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 960
        188⤵
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 988
        186⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1296
        184⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1300
        182⤵
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1328
        180⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1216
        178⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 1328
        176⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 988
        174⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1328
        172⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1304
        170⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1336
        168⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1336
        166⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1336
        164⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1292
        162⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1324
        160⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 960
        158⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1236
        156⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 960
        154⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1328
        152⤵
        
        PID:528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1304
        150⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1316
        148⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1248
        146⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 960
        144⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1004
        142⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1328
        140⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1328
        138⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1288
        136⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1236
        134⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 1304
        132⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1328
        130⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 960
        128⤵
        Program crash
        
        PID:3320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 988
        126⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1336
        124⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 960
        122⤵
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1304
        120⤵
        Program crash
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1280
        118⤵
        Program crash
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1252
        116⤵
        Program crash
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 960
        114⤵
        Program crash
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 960
        112⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 1272
        110⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1280
        108⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 960
        106⤵
        Program crash
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1324
        104⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1304
        102⤵
        Program crash
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1292
        100⤵
        Program crash
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1328
        98⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1296
        96⤵
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1248
        94⤵
        Program crash
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1240
        92⤵
        Program crash
        
        PID:2348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1328
        90⤵
        Program crash
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1304
        88⤵
        Program crash
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 960
        86⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1336
        84⤵
        Program crash
        
        PID:3784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1304
        82⤵
        Program crash
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 988
        80⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 988
        78⤵
        Program crash
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 960
        76⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1300
        74⤵
        Program crash
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1324
        72⤵
        Program crash
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1324
        70⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1328
        68⤵
        Program crash
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 988
        66⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1316
        64⤵
        Program crash
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1176
        62⤵
        Program crash
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1324
        60⤵
        Program crash
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 960
        58⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1316
        56⤵
        Program crash
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 960
        54⤵
        Program crash
        
        PID:3704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 960
        52⤵
        Program crash
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1336
        50⤵
        Program crash
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1252
        48⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 960
        46⤵
        Program crash
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1336
        44⤵
        Program crash
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1004
        42⤵
        Program crash
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1296
        40⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 960
        38⤵
        Program crash
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1240
        36⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1000
        34⤵
        Program crash
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 960
        32⤵
        Program crash
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1324
        30⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1324
        28⤵
        Program crash
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1324
        26⤵
        Program crash
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 988
        24⤵
        Program crash
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1324
        22⤵
        Program crash
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1316
        20⤵
        Program crash
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1324
        18⤵
        Program crash
        
        PID:732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1324
        16⤵
        Program crash
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1236
        14⤵
        Program crash
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 988
        12⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 892
        10⤵
        Program crash
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 960
        8⤵
        Program crash
        
        PID:2404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1336
        6⤵
        Program crash
        
        PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 988
      4⤵
      Program crash
      PID:1464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1324
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3680 -ip 3680
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3728 -ip 3728
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2152 -ip 2152
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2028 -ip 2028
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1736 -ip 1736
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4116 -ip 4116
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1952 -ip 1952
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1556 -ip 1556
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5060 -ip 5060
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4512 -ip 4512
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3044 -ip 3044
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5084 -ip 5084
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4536 -ip 4536
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3020 -ip 3020
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 976 -ip 976
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1128 -ip 1128
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3764 -ip 3764
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1380 -ip 1380
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1692 -ip 1692
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2340 -ip 2340
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5076 -ip 5076
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1288 -ip 1288
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4052 -ip 4052
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3008 -ip 3008
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4092 -ip 4092
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3612 -ip 3612
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4396 -ip 4396
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3540 -ip 3540
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5064 -ip 5064
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4508 -ip 4508
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4672 -ip 4672
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2560 -ip 2560
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2600 -ip 2600
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2068 -ip 2068
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4196 -ip 4196
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5100 -ip 5100
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3488 -ip 3488
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5048 -ip 5048
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4188 -ip 4188
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5056 -ip 5056
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4984 -ip 4984
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1992 -ip 1992
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4292 -ip 4292
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4196 -ip 4196
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1068 -ip 1068
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1800 -ip 1800
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1556 -ip 1556
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4924 -ip 4924
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1128 -ip 1128
1⤵
PID:296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4756 -ip 4756
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4116 -ip 4116
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 372 -ip 372
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2760 -ip 2760
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3000 -ip 3000
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 704 -ip 704
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1352 -ip 1352
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1356 -ip 1356
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2448 -ip 2448
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1212 -ip 1212
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3848 -ip 3848
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4584 -ip 4584
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4540 -ip 4540
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2672 -ip 2672
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4892 -ip 4892
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1944 -ip 1944
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 360 -ip 360
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1608 -ip 1608
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4024 -ip 4024
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4008 -ip 4008
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4316 -ip 4316
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4572 -ip 4572
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4004 -ip 4004
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 376 -ip 376
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2332 -ip 2332
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2296 -ip 2296
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4672 -ip 4672
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1860 -ip 1860
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 612 -ip 612
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4164 -ip 4164
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1772 -ip 1772
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4324 -ip 4324
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4928 -ip 4928
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1388 -ip 1388
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1996 -ip 1996
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3540 -ip 3540
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2784 -ip 2784
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4856 -ip 4856
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 296 -ip 296
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4160 -ip 4160
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2060 -ip 2060
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2792 -ip 2792
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1360 -ip 1360
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4560 -ip 4560
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3016 -ip 3016
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 388 -ip 388
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 976 -ip 976
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3496 -ip 3496
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4584 -ip 4584
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2904 -ip 2904
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1296 -ip 1296
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1212 -ip 1212
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2332 -ip 2332
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1728 -ip 1728
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2140 -ip 2140
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3016 -ip 3016
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4380 -ip 4380
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1772 -ip 1772
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3496 -ip 3496
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4608 -ip 4608
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 996 -ip 996
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3568 -ip 3568
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 376 -ip 376
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1668 -ip 1668
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4088 -ip 4088
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2564 -ip 2564
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5036 -ip 5036
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4080 -ip 4080
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2380 -ip 2380
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3656 -ip 3656
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2428 -ip 2428
1⤵
PID:356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4140 -ip 4140
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3488 -ip 3488
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3896 -ip 3896
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1132 -ip 1132
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1412 -ip 1412
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3764 -ip 3764
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3564 -ip 3564
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5064 -ip 5064
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4940 -ip 4940
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2708 -ip 2708
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4132 -ip 4132
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1384 -ip 1384
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4340 -ip 4340
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4868 -ip 4868
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1520 -ip 1520
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3508 -ip 3508
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4724 -ip 4724
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2348 -ip 2348
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 708 -ip 708
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3596 -ip 3596
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1792 -ip 1792
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2336 -ip 2336
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1252 -ip 1252
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3132 -ip 3132
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 840 -ip 840
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 388 -ip 388
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4112 -ip 4112
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EJKYTM.exe

Filesize
289KB

MD5
905b6d70e2c3878ac81471aacd038c3d

SHA1
d6a7f8c83f09361145b0fd79a1189a04af8951c3

SHA256
d6eba71e0a7ca388f45be8c51f8186d36dfcdb5f3d66d2bb47ee7b5b6b1beea2

SHA512
4b686304054d85bbd1e0ca6081bac0ddcb666c61a367da99130e07b6d1a260ef54fe6c3ce653c079b2f53fe65a2846c9a046ba615c8b2f8e759a6897738324a3

Download Submit
C:\Windows\GPTZC.exe

Filesize
289KB

MD5
661d0be9a22510127ac9a636b6ec9751

SHA1
9fed6f80f370d793b3d44617d1ad88e70c3e20d3

SHA256
abb469b67a462cf8f3124e54db2d87004ff5f01d1e03e9c04beab635e05ac298

SHA512
d57eab7b2e757ca847fca96979fbad72648d8642f0409aac8ea8bdcd17b2c19afa1a7b10a1a5879f0ef2cdac3402b2a5ad717521d795b81d6e9dadf10c694adb

Download Submit
C:\Windows\OJME.exe

Filesize
289KB

MD5
7029cd9ebaf4c05a9a07d2b28df6e733

SHA1
446ddecf823393697118399d81936e303257d0df

SHA256
09459f82493737497a24aee86caecc41fb305c6061f08bea506347d4e36f3dae

SHA512
c5f3074e44637cb17caeb1c82192e51b8c17c9ed2caa6245e33e812eeb99e96098e361d567acb405f1ce1209439ea8d1b28ac6c2590c78e13e2ebd825f27f795

Download Submit
C:\Windows\RLZWYEY.exe

Filesize
289KB

MD5
fbbf3afa0722ab8be4378ccf1e4849af

SHA1
642dcf45f8542ff3d9c0dc224f08d8fa18dc95da

SHA256
373fdfee436206d9d6ad07cc088cd8838a4af9c9f4da2398cd124ed1ee075fc1

SHA512
f59bfdac2e1d683c7ddbeabcfeca87f22f3d8d0f8a4f4775450ab7ea746d945e22da97f95572d3ef4e485d3b80fd263c60bab299c71875952661883b9ca1a781

Download Submit
C:\Windows\SRTOSDB.exe

Filesize
289KB

MD5
90be43be9ec76b43f2c34f80a25ae6af

SHA1
a4aa357a63436ff95e66a1935abf6d1a0929351d

SHA256
95e641da0b34dbb36d4dcbab6765553770c50e7f17468a0f50f6a099872fffcb

SHA512
a27c655e6c31653b3d122b3d853688f5c4ec36ba2251ce1d3d2738b1d20744aa2164b9d962719fd93c559d11bd5b9f73956358b9fcca37bccd10c2961b7fa3d3

Download Submit
C:\Windows\SysWOW64\AVCAW.exe

Filesize
289KB

MD5
5435575808617829fb11bbb38e0c6564

SHA1
6bfe47a65985289f0e536f1261f6065c8a9dd30b

SHA256
7f2461a2a5ebf69f25b1e6733774496d6364209c9b97bb649ba3c2e3d3d0d888

SHA512
c0fa7eda371152f4ab150de1c589337ec2b6b683ad3362a8369ef1fec5f3c99b4c2d3f2100c6adddaf657b51b32fffe0ae4b6fe0d8babd2b1191e3573690fd43

Download Submit
C:\Windows\SysWOW64\KTP.exe

Filesize
289KB

MD5
bced91bbbe848e1e7d23ab0fad8711cf

SHA1
c71584854a36d4e981d4446e91f82b6554062a36

SHA256
bd12b2507bf05711bb826a90df0688b8e854cf0e6084638f486fa8e90ecbea72

SHA512
5d2c40da073294491d7dc404614bf1dc5260a1bb6442d2a6496854f2f73f4383480f04b72b30a43d111a90d0ac0d8b90c6fea7280df74c453dbe2b608264696d

Download Submit
C:\Windows\SysWOW64\ODUPM.exe

Filesize
289KB

MD5
733f801f9d10d6cd70296b1b2ac3e5bf

SHA1
3745672f5e72dd9980a0151760a6e67ecd3b2b4b

SHA256
78c222df8d6adb4b46e11b388c37ef77020803587a31d76eea1e0f5976af1438

SHA512
79fe5fa61caddec45859ecaf9416e989e07ebcfe8457e529bafbcf333587c373ba61303f17b974ddb23572e0588627e709ba11e7ec3c07655cbd6817d80babc5

Download Submit
C:\Windows\SysWOW64\QWCMGK.exe

Filesize
289KB

MD5
92fb718debc99bac5da5cca3def9fbce

SHA1
9a2a1860c1b0f6ae0b6305551db65fefcd994b81

SHA256
8751d83fcfb7b3e790c7d62242f6327865a2e38233d112d5b57a5584017c4e4f

SHA512
edc710ca8a5cd71c5e9256c773135e891579891b240bcea17e95f6fe338c788b348dadd5c6aac340d104ea940181b4b8e17ffa077e1542dc55e343bbe01e7248

Download Submit
C:\Windows\System\AXTK.exe

Filesize
289KB

MD5
7aa463772c3a790d743f32c7f96bf67e

SHA1
7b28d51f8db0597ae0de410d5f346f02876874e9

SHA256
6f8ef8d6a3c7490513afaf1da4fb7efcf7932fffdf931b13ff4f71c6f06eb0a2

SHA512
7fb8994f0bedf0bf666f8da14631197de909cbee37a8a888eedeafd4b80cd79496b97291aff46b0000937ac88405458c3660a963b3f87c6ce76981467d070e1e

Download Submit
C:\Windows\System\IIIWPIM.exe

Filesize
289KB

MD5
fb5af114378c3ce8c8d980fd4ec04497

SHA1
229ffed56ab5886d3675952bca87f6d5504752a6

SHA256
a42e36de817bd97cc195b8e7d2d6a0c3cacf933b6d943436c534ead6a488d592

SHA512
3f98f1a34189a55aa1060ee8aca9fe43deba5d6b2c6948a429a9ee9f1dad3f2ca023cb8563ce0abd185b898be2120d9532934416af3b4ce3f3a1b1b6bafce6d3

Download Submit
C:\windows\DDQ.exe

Filesize
289KB

MD5
96b90eabfc6b113b51c2b28756f00521

SHA1
a4921d0fd3df2986e487936602f874bb3aba42d5

SHA256
78b116bc3f943db1e9e596e73c5338d2eb42a5e18755096500af3e74e2fddb68

SHA512
1c44fcd02f57b5a0dc65d897b1854efb39baf8c2aef572db60b4e5b59dd94cecad1c4e7224696f94d9d866d55ee222d836e32fe94a53bf20acd95dc5be0375f7

Download Submit
C:\windows\DDQ.exe.bat

Filesize
52B

MD5
1f9b5f3441154e108949d19d962c3f78

SHA1
129ab0072d649a19fa397e89c537edf943d1d839

SHA256
445619c844ced8b4d6a811be4e4b5ecf0d34bc2d3ee398e5e502d161368d36a5

SHA512
be9aea87d359b5cc2ea2d4c0104b03e17f93bfec4de4fb9dd960e75119b71336303462cb9af3ea893119bf2419b3a373d9ace73471f4ae734da6de806626f4d4

Download Submit
C:\windows\EJKYTM.exe.bat

Filesize
58B

MD5
5dc20475814a863b0c209ba68e072a2d

SHA1
e341178699734e76e4ead13a9781bcc14afece1e

SHA256
6b9e951a343b40de1a7192b240a09e2798eba4378c2c4105cecaddb7807db4e9

SHA512
0fc591dae3cc7cfc2d577e6213a67bd8da4d3adae5f663fe514a15c5860bbaee27a52352949b30d6115d12d5eec5c16531e1ed17a995e1ef4bfc5ec2f77c7b47

Download Submit
C:\windows\GPTZC.exe.bat

Filesize
56B

MD5
97e332f6c61c86ee4e88eef08547948e

SHA1
0e4538774b31f7325a33d2bf50c9e8fd34a32cf9

SHA256
6062f06e57c3cd4ee2e16b687147ee24da148d904504b28a25dac8233bd338bc

SHA512
b6d4fd6a5c8dd04e9488be0baf7798156ea2897864fd1314b3acee5757e420bbe8f6ef0fd86161754f8a18a9866ac78494fef6abf934a0e252e3dc04f3a43e44

Download Submit
C:\windows\OJME.exe.bat

Filesize
54B

MD5
de0662eb53c5112719b108c6c0752ea7

SHA1
784cbe799e395691cbd56aac5f711e038185dc30

SHA256
e3e4dc0fcceb71ba917ceb754f251f226bccca6daf9de87d51183d99c8595bff

SHA512
5b6601aa02488011f9462faf18876f281960d6444eac4676ec0ce94d8640adc4731d056a09edb204230ead03a8d59927b92a1f899418edb7dd54f7d20d3e3926

Download Submit
C:\windows\RLZWYEY.exe.bat

Filesize
60B

MD5
39c647d4b17ddf4379bed5acd52e10e3

SHA1
37d239760c8959c356c80ca4704e8207607533d1

SHA256
5a77c48b3076d33bb790ac47a17e8a15d0bf3536bfef3a25695a53658b16f527

SHA512
1ab87a59bbe85c5c1ee142b55d0fef9fb2f947d45063cbfaa448dceeb0321ebaa5b042131c8c93e618d4ea75c35b517074df92c40145286309e3f91fa0e87260

Download Submit
C:\windows\SRTOSDB.exe.bat

Filesize
60B

MD5
cf5fd25bd0bf3ea872a773c8e4ee3fdd

SHA1
7610728a6d180a4cfdace02b2be1b042b1297f37

SHA256
04078abf5c59de3155a1142bf99f94b31a8d2aa08c9e93ab802004a818ccf477

SHA512
a2135b6ba95ec7a3448d319818903295ebb26cc2cc10d11045d40250c1d20f354006e3681290002899af9500e569ff46b84ba7ffb2f723dea98f3aaa1e5de85c

Download Submit
C:\windows\SysWOW64\AVCAW.exe.bat

Filesize
74B

MD5
016411df94549843570cf4a210087d4c

SHA1
3ee26e174a3926c313aa664b4416d12dd497228d

SHA256
903ae0f33a92cadbc630895230913d7c5ecdb9005a1a10c3491e6ecc06cb6ddb

SHA512
b55e235d41c622f04d3d2dfc7fc4a3813e44672e2310fa96ab6b77959b8a7766c3777cb1f3e6018ff0b4911c4f5ba35e31568d53e1a968b2c1fa252ab1a2dec2

Download Submit
C:\windows\SysWOW64\HEP.exe.bat

Filesize
70B

MD5
226cb363ce3094f8c553d6cbf1abab14

SHA1
5c466d7b379b052e4214943d475e76ee602508ff

SHA256
647d04df002f13404972d2fb3f5aa14f9e2e22bfba1390b07d19f3e4d4eff2c6

SHA512
2006fdce8c42b1f293ea4b61b0f32f6cc94d00a751743ae2c3e75479a572c2090678f677cde813a43263235214c3425e002b8c37945d5e9b19e7396989016414

Download Submit
C:\windows\SysWOW64\KTP.exe.bat

Filesize
70B

MD5
7fee8e283a59c9e01b6c7ce45506c6fa

SHA1
cb4f7285c1a1ed3d5874ae19c174db78e52fb190

SHA256
366875811cb62ffd1ca5a5416d67d0633703c3e5783ac43c1c2a46c11cb6cf0a

SHA512
d03b6f13698cdcab733db6663deeb16c648232b9728b3428937e390b672bf7093155bd69b41811cd193926e5d1aa125e9533b55e14cc142325f74db4435a1a49

Download Submit
C:\windows\SysWOW64\ODUPM.exe.bat

Filesize
74B

MD5
a86a6fd4bc509b336e21bcc1c53a82f5

SHA1
8bbf14c14f73870ef9923a75a6b94626656c7f8e

SHA256
91a085f9e3d10b576ad2ff80a40d66ad26d90f0d832c65e1cd35cb4fc4353894

SHA512
9c17110050562deb633e6bea2129db51389d5c53644cb730d16ed5603f23164955428eca89555d67a1866cc75bf29895f8c594eb9af9c253d8c6beb61f6ba833

Download Submit
C:\windows\SysWOW64\QWCMGK.exe.bat

Filesize
76B

MD5
49705f796c4c4cc28c899bbe034ccdd4

SHA1
4367d4f5b99b1c73cfce1923d722904e1cefd6d2

SHA256
36cb5a2446ea665b4c41961e8fec9ea8b231b237c7e4b489372cc3ea5a0810c3

SHA512
fc820e1f0bc2fea55716cd250f783e0cdcccb9c0bc058dfc55b4604b6d606b3322f040c56434749564fa12a36a19bc3f81a743bf4259b54568df66e772dcf1a0

Download Submit
C:\windows\TXMDLCP.exe

Filesize
289KB

MD5
771389d51168f4a059008519d012ffa2

SHA1
765b423512e95aece60c32083d9008f175e87116

SHA256
1e15ed35bb67fd695320d45be6c82f49ae0214c2992d0b9ab304d37b9d89127b

SHA512
3e3b9e3b7bbf735f8c896e403e73b5c428f79413706c96640675ad673bc910bf5f896b810c9c1a85fd2b4d9fb2c6d10e597740988bc000952af3bc8d49ff955f

Download Submit
C:\windows\TXMDLCP.exe.bat

Filesize
60B

MD5
8fc73c6757aee760b7d9c97bc479fc5f

SHA1
ea374dd3fd6ed2c0a4649c919f3acf62c6575ed2

SHA256
c98a909892e74f7c456a3e4e7adf5d776024d6b3f03fc6bae1c5f1bc42d9ad7a

SHA512
13e1f60960dac1bdade8f545f572468594dc96f76a28dff89c8de6f1768da6c7695933e749ffd5f43537c293da50356961e3e68fe9dbaf36924f5b0172209e07

Download Submit
C:\windows\WPQK.exe

Filesize
289KB

MD5
01571c75becfb5957c371063aaa91ead

SHA1
5fb236fa40067a7cf9659181b5a66302d271de12

SHA256
db1e29b914cf9eee1ec129a4da6977f70778bcde167dc50b22c93192291925c6

SHA512
14904386af8ed7b810c684f3456cd4e6e5f88d87c3a28b94f208631b752684569383640bab5fb79ed41d0efd28dac342deeaa663409361e91ccfba517324992f

Download Submit
C:\windows\WPQK.exe.bat

Filesize
54B

MD5
f106c96a5479b28e40277964bc5f0356

SHA1
71e9440e161f3832b3b9b9d52ed4aff65aa64b34

SHA256
445a1fa650074b3282eeb56f62e999954e5b6a44743d15267eec756e0a43ca17

SHA512
d6711cfe10c8a0b441d282c8cd7815cd56fac952b255a097297eb4c94fd32c5e9ac06f2ab76e0c97563f6ebd611e096df02370ed639a83c10a81c5f88ea08c64

Download Submit
C:\windows\XCERJM.exe.bat

Filesize
58B

MD5
a3b217c5fadd8002ada4bc8cc35ce345

SHA1
057e80ce0bf680d3e47e71760658266f491154f1

SHA256
f227443294e9a3de3280ae6788c4be8cede877db0e3933e8dc782c4666a91b7d

SHA512
01a8f444ab0bf9c82b38be893cc36818b2d62afbc62a66b34e168f5f2864b86aa9928b66546d0750fc60b5c86738ea4dcf8add036f152c95753624b9fce408c7

Download Submit
C:\windows\system\AXTK.exe.bat

Filesize
68B

MD5
a51a50abce2ce8a50cd6ed887e6293ea

SHA1
40d28c4baadcad9b68721d6b86fb03698c1e3be2

SHA256
4dccaf8f7d17d1cd62c0e70c84485a919dd98db7b1501ea883277360536a668b

SHA512
1b6945c24011edfef64bdba2515d8d6ced9c7cf3d5929ccc04daed82b8ed63f0d74c1910dd90edc70e27049893f5907dcc835f2b4901e12d9ec0564c7a8f0692

Download Submit
C:\windows\system\DXQ.exe

Filesize
289KB

MD5
1adf94f123774a4f356c72fe4696e1ca

SHA1
f0ea07f089f6019059ce9c64a9c59daa757cd3bd

SHA256
bffb24c36d15ca364f674d9e75ac97b816afaa50faf9f541ee5c207601a4bd7a

SHA512
1219adc530c6a6da41a92f8bd3fa3f16c5e40806301c947ba23051551964c3f6f4b852a4c4db870b2a627bde18b5d91e793820ebfbd623fff763405be76e8e3a

Download Submit
C:\windows\system\DXQ.exe.bat

Filesize
66B

MD5
666b1e7c3c6936577f6067284f320627

SHA1
169f20748a4236861dfb427a9924d09e9bfe6a4f

SHA256
dc705c93812afcdfa0b0fbe35180040e836df062a6a6eae15660bea1847e45f7

SHA512
01ececa782b511dc6667c8f39884942aadf6bb01bc44b4f883e3208a4d5d9986220ab860019caabc5d3cc4d609dcf5f24957eb3ad8c66fa0453badcab4003ec7

Download Submit
C:\windows\system\IIIWPIM.exe.bat

Filesize
74B

MD5
851abdbefbd3cefad39b3444dedbee67

SHA1
62aa0a86ac0752b5b4b47c36cb00d431d55561a0

SHA256
5f6127b53edf857d36ce1a8e4bc59ddf14a5db2f271ab019c3805497af13c16f

SHA512
81677ac8e7f892cf51e201b0239c16694d439300277cbe655b481dff140dcf9b78d38082fc29bf2e7f6ecaa31c1cf0339c05d44da3f12ffb00e334a5b4da0329

Download Submit
C:\windows\system\LENI.exe

Filesize
289KB

MD5
243fcfc079ac9c7c653cbc3966152040

SHA1
ac9a34480aca2587a662e0d568146dc06fb34f04

SHA256
f93d344ddf28c60fd19ebfe943d8475d0b05421f0d00e69af64b91f3ecb2d95a

SHA512
d6eba56b4be35caa9b61cddfc2df9727e4657343719b19a2cbbce008ed8dc991e11dd5aafab3f19bf3613e2f5a2032f5d3dbbd8db31d69d7cb289e2a82266c63

Download Submit
C:\windows\system\LENI.exe.bat

Filesize
68B

MD5
d953c841f69c215ba01374e988dc2f67

SHA1
c22a3f547980dc7bc634b9936fe937c2cb4a1c5e

SHA256
5255d1ded3adde0899a053bd86fd23c7b80f7abf2bea21f2f32d08c5ddd6055a

SHA512
1dd653885f2269d8203ce8591d1032d76b9834a059a17b6a8411a9cd0a4b7c0ec3252cb1a87270772f7d40a2181168138b1833a79b175ffe1773410568b29c32

Download Submit
C:\windows\system\PNU.exe.bat

Filesize
66B

MD5
4fe8e4d6019ad570e0809bcc5884f915

SHA1
f467caf1c163604c7577425b2bf7a9285d98f070

SHA256
e09ad2fec3c55391a3cd6a4249b95e946f3a93016643d82d629a52cb8ea940cc

SHA512
b7cfc66d2321e5c14d350d7f8746cb0252b7a9af0b14f6a6f08db5834e29fe6f31824636690efcc4d64984341881d5c8d0979458069067089e70bd30f310ea35

Download Submit
C:\windows\system\RZHJVTO.exe.bat

Filesize
74B

MD5
602690e49d01803aef69a6a84a1492b3

SHA1
eaee144023062274cbe8d670060b0066720fa3cd

SHA256
3e10fa74c43eb334072499f31f8f53c0bcbb26d45b45b6338682d01665e70b6a

SHA512
b2878ef803d15387b44a22a4f4731c669dd2dfd7b86a5befb6803d1119db8ead69f7aa34cb7e171cdaa3cf26518b7e0ad9af86fbdcc46b2dd021b3f1eabf883b

Download Submit
C:\windows\system\UWANDVU.exe.bat

Filesize
74B

MD5
d9517e9985a4766c2b184d6feb65f784

SHA1
e52c2580765fb0a2285311582608b2fd0cf533d2

SHA256
b644bde48468cbe070465dd05066aaa3c1f17004d2b62771be1ae8c0bc2e0908

SHA512
74267586961796906907a94076773a59e8f606ab183282bb6adcca236677cd6cc7e2bc8354c59091347845197da90e41ecfad740cfc65e0fdf959ff0e004a5cd

Download Submit
C:\windows\system\ZJQMSK.exe

Filesize
289KB

MD5
6ff58db85e2aa909d2673ba625d9fed7

SHA1
8d48263b38a65cdf82796e9656ee1f0e43eb1e7f

SHA256
199cba32ceb14c51a8fab1fb4e423e0c94d7da705323480808c8477a5da28cb2

SHA512
17426dff81c648f95953be9a7d6c72a2edcc499c0e8d349ee4a1e8601d9da744ecc18cb84512e0904352dc68355b8711123f369115a836dd59ff220e0c271a35

Download Submit
C:\windows\system\ZJQMSK.exe.bat

Filesize
72B

MD5
1d0c7c54889b8d022286a8e40acec925

SHA1
ef288aa3657017a9b3e49e24e07ff53221c320d6

SHA256
dd1b3aad1ffb78c216d70d23efe43acf3ffc13d3aa85862078419da2ddfc0177

SHA512
75bc5fe46b480f9804c2b77d8487dc4d8650b2904d1e20c1ddee33458647a98c8df8f4fc1280d3f5c1753ff6ccec75780149ecf6c27892684d7e60e06edf7afb

Download Submit
memory/976-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-475-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1288-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1288-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1736-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1736-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2340-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3764-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3764-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download