a649c2ae521eeb49475be0d2e04d5ea634f6dca7c32e2c5df7a5e9a6af332cb6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba3bd6064ab7a5f4e231232d993f2a10.exe
Size

209KB
MD5

ba3bd6064ab7a5f4e231232d993f2a10
SHA1

7f8372539943ee00b8aad794ed968e2bec2bec3a
SHA256

a649c2ae521eeb49475be0d2e04d5ea634f6dca7c32e2c5df7a5e9a6af332cb6
SHA512

102e025effaf838caf6191cf2985176dcd63d9759d2066f798fe16ea8d08544e328cff1fd0ba0b66b18487f90a5c6a59defc9035c5cc1f1dc77c1b5853048d64
SSDEEP

6144:7dmjvv0emGmGmGT/g4U11Ue1LCOfnM9/QAC3+bkEjR:7dmjvcF4U11UetCOfnoQAC3+bku

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	UITGEHV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	FVSJO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WXME.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CYGCU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KIJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	MQXVV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	URPKOW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WKIFQPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	PZBTUXT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	QMZUEBW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	JZL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	LBIGAL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KLS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	XYJZTD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	VBB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	ZBGFZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	BEPQCV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	GCN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	BCGGO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	GLY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CYW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	QZT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KTPZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	HPZXPMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WDNTN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	YZV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	XWYKO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	RDTXA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	FPUB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EHYFLRJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KMYHD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CGIDFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	HDUF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EASUC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	FDKSG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WVNUT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	MWKMAQI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	ETW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CBUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	SYXNZL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	TOLOJGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	BSLINW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	SVR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EXKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	VXG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	FFHLFL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	VKAHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	APNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KRXO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EABTVR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	FUHADP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	OVY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	JQS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	YTWGG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	SIXTT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	VTYCIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IOQHF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	UXTWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EPDPBM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	KNSZJGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	XYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	EJWGAL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	BHDDE.exe

Executes dropped EXE 64 IoCs

pid	Process
4104	CMKPOBS.exe
3116	TXNFPH.exe
3324	CZXN.exe
3036	XNUEKV.exe
2644	MSZ.exe
3708	QAUJCM.exe
1788	VBB.exe
3164	SGHMS.exe
3352	UEAO.exe
3400	YMP.exe
3112	UUJWOWX.exe
944	JXSI.exe
4856	RDTXA.exe
4680	YYC.exe
3044	ZBGFZ.exe
4380	TOLOJGZ.exe
3364	URPKOW.exe
4216	YZV.exe
4680	WVUT.exe
3044	XYY.exe
4592	CYGCU.exe
364	TONNG.exe
4080	PTKK.exe
3424	IOKN.exe
3704	HMV.exe
4100	ZHZMJ.exe
1336	RPB.exe
4088	AQDW.exe
4380	GQKKHB.exe
1668	TBGQMS.exe
5004	MWKMAQI.exe
3728	QMZUEBW.exe
3168	QPDQ.exe
3204	XKA.exe
3068	JDDV.exe
2132	FABSJJ.exe
4012	LBIGAL.exe
2240	TRJF.exe
4884	EHYFLRJ.exe
3972	QZT.exe
1344	KMYHD.exe
1420	HSDEKI.exe
2344	HDMYYUE.exe
3972	RASSGC.exe
4060	ROSHHHH.exe
1408	ATC.exe
1608	EJWGAL.exe
2104	KKE.exe
3604	EXJET.exe
320	PPEWCU.exe
3584	BIHPKCL.exe
4440	KIJU.exe
2884	SBSW.exe
4060	FEOUG.exe
1144	DEVIPXY.exe
1752	WHNTU.exe
1672	UXTWX.exe
3632	KNSZJGD.exe
2872	SIXTT.exe
2656	HDUF.exe
4364	MOQE.exe
1512	JTWBP.exe
3728	ZJDET.exe
2616	UWANDVU.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\WVNUT.exe.bat	WDNTN.exe
File created	C:\windows\SysWOW64\FPUB.exe	APNN.exe
File created	C:\windows\SysWOW64\PTKK.exe.bat	TONNG.exe
File created	C:\windows\SysWOW64\WKF.exe.bat	UWANDVU.exe
File created	C:\windows\SysWOW64\KCIDD.exe	GMBVR.exe
File created	C:\windows\SysWOW64\CPQDOOH.exe.bat	HBMUEO.exe
File opened for modification	C:\windows\SysWOW64\YETXJ.exe	KTPZ.exe
File created	C:\windows\SysWOW64\RDTXA.exe	JXSI.exe
File created	C:\windows\SysWOW64\CGHOM.exe.bat	WKIFQPT.exe
File opened for modification	C:\windows\SysWOW64\KLS.exe	RIGORN.exe
File created	C:\windows\SysWOW64\XTMXXS.exe	CGHOM.exe
File created	C:\windows\SysWOW64\VKAHK.exe.bat	KRXO.exe
File created	C:\windows\SysWOW64\FPUB.exe.bat	APNN.exe
File created	C:\windows\SysWOW64\FBKXP.exe	FVSJO.exe
File opened for modification	C:\windows\SysWOW64\ZBNJRG.exe	XDMHLKB.exe
File created	C:\windows\SysWOW64\CGIDFB.exe.bat	BDEH.exe
File opened for modification	C:\windows\SysWOW64\XWYKO.exe	JQS.exe
File created	C:\windows\SysWOW64\XWYKO.exe.bat	JQS.exe
File opened for modification	C:\windows\SysWOW64\KTPZ.exe	SYXNZL.exe
File created	C:\windows\SysWOW64\UEAO.exe.bat	SGHMS.exe
File created	C:\windows\SysWOW64\RDTXA.exe.bat	JXSI.exe
File opened for modification	C:\windows\SysWOW64\GQKKHB.exe	AQDW.exe
File created	C:\windows\SysWOW64\UXTWX.exe.bat	WHNTU.exe
File created	C:\windows\SysWOW64\JLQDZI.exe.bat	CVP.exe
File opened for modification	C:\windows\SysWOW64\PNAV.exe	FPUB.exe
File created	C:\windows\SysWOW64\GQKKHB.exe	AQDW.exe
File opened for modification	C:\windows\SysWOW64\VKAHK.exe	KRXO.exe
File opened for modification	C:\windows\SysWOW64\RSPPB.exe	MPTI.exe
File created	C:\windows\SysWOW64\VTYCIP.exe.bat	ETW.exe
File created	C:\windows\SysWOW64\CGHOM.exe	WKIFQPT.exe
File created	C:\windows\SysWOW64\EASUC.exe	YIL.exe
File opened for modification	C:\windows\SysWOW64\KRXO.exe	CYW.exe
File created	C:\windows\SysWOW64\HNC.exe	KHF.exe
File created	C:\windows\SysWOW64\HNC.exe.bat	KHF.exe
File opened for modification	C:\windows\SysWOW64\JDDV.exe	XKA.exe
File created	C:\windows\SysWOW64\ATC.exe	ROSHHHH.exe
File opened for modification	C:\windows\SysWOW64\BRTTN.exe	CGIDFB.exe
File created	C:\windows\SysWOW64\CMKPOBS.exe	ba3bd6064ab7a5f4e231232d993f2a10.exe
File created	C:\windows\SysWOW64\BEPQCV.exe	ZBNJRG.exe
File created	C:\windows\SysWOW64\KTPZ.exe.bat	SYXNZL.exe
File opened for modification	C:\windows\SysWOW64\GLY.exe	QWRI.exe
File opened for modification	C:\windows\SysWOW64\KCIDD.exe	GMBVR.exe
File created	C:\windows\SysWOW64\YETXJ.exe	KTPZ.exe
File opened for modification	C:\windows\SysWOW64\APNN.exe	QHLIDB.exe
File opened for modification	C:\windows\SysWOW64\YYC.exe	RDTXA.exe
File created	C:\windows\SysWOW64\HDUF.exe.bat	SIXTT.exe
File created	C:\windows\SysWOW64\PZRVST.exe	PTRHRG.exe
File created	C:\windows\SysWOW64\RVGEEBO.exe	DSC.exe
File created	C:\windows\SysWOW64\PCIKLO.exe	WZEP.exe
File created	C:\windows\SysWOW64\PCIKLO.exe.bat	WZEP.exe
File created	C:\windows\SysWOW64\CMKPOBS.exe.bat	ba3bd6064ab7a5f4e231232d993f2a10.exe
File created	C:\windows\SysWOW64\UEAO.exe	SGHMS.exe
File created	C:\windows\SysWOW64\DEVIPXY.exe	FEOUG.exe
File created	C:\windows\SysWOW64\BRH.exe	WRZ.exe
File opened for modification	C:\windows\SysWOW64\JLQDZI.exe	CVP.exe
File opened for modification	C:\windows\SysWOW64\ZIMT.exe	OPR.exe
File opened for modification	C:\windows\SysWOW64\CVP.exe	BSLINW.exe
File opened for modification	C:\windows\SysWOW64\KRPPFV.exe	PVKF.exe
File created	C:\windows\SysWOW64\KTPZ.exe	SYXNZL.exe
File created	C:\windows\SysWOW64\KCIDD.exe.bat	GMBVR.exe
File opened for modification	C:\windows\SysWOW64\PZBTUXT.exe	JDCT.exe
File opened for modification	C:\windows\SysWOW64\ATC.exe	ROSHHHH.exe
File opened for modification	C:\windows\SysWOW64\CPQDOOH.exe	HBMUEO.exe
File created	C:\windows\SysWOW64\SGHMS.exe.bat	VBB.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\DSC.exe.bat	BVJ.exe
File created	C:\windows\system\WKIFQPT.exe.bat	JZL.exe
File created	C:\windows\VSG.exe.bat	XCVN.exe
File created	C:\windows\LGTWS.exe	WJNZL.exe
File opened for modification	C:\windows\WZWHAK.exe	LGTWS.exe
File opened for modification	C:\windows\SYXNZL.exe	KDABQKY.exe
File opened for modification	C:\windows\TONNG.exe	CYGCU.exe
File opened for modification	C:\windows\JDCT.exe	UITGEHV.exe
File opened for modification	C:\windows\WRZ.exe	MQXVV.exe
File opened for modification	C:\windows\ZSHPXJE.exe	VKAHK.exe
File created	C:\windows\system\YZV.exe	URPKOW.exe
File created	C:\windows\system\GMBVR.exe	VTYCIP.exe
File created	C:\windows\XWZAML.exe	CBUQ.exe
File created	C:\windows\system\XCVN.exe	CPQDOOH.exe
File created	C:\windows\system\DCYSF.exe.bat	BPU.exe
File created	C:\windows\system\WUE.exe.bat	YETXJ.exe
File created	C:\windows\system\CYW.exe.bat	NIVWQ.exe
File opened for modification	C:\windows\PTRHRG.exe	RVGEEBO.exe
File created	C:\windows\system\WKIFQPT.exe	JZL.exe
File opened for modification	C:\windows\system\OXLGC.exe	HNC.exe
File created	C:\windows\system\JTWBP.exe	MOQE.exe
File opened for modification	C:\windows\system\JXSI.exe	UUJWOWX.exe
File created	C:\windows\system\OVY.exe	VSG.exe
File created	C:\windows\BCGGO.exe	DCYSF.exe
File opened for modification	C:\windows\system\MSZ.exe	XNUEKV.exe
File opened for modification	C:\windows\RIGORN.exe	QMCTMXU.exe
File opened for modification	C:\windows\system\HXPIZQA.exe	VFUPRA.exe
File opened for modification	C:\windows\YIL.exe	FFHLFL.exe
File created	C:\windows\system\YCFZYD.exe.bat	DPAQ.exe
File opened for modification	C:\windows\system\DCYSF.exe	BPU.exe
File opened for modification	C:\windows\system\LIOHSYX.exe	PCIKLO.exe
File created	C:\windows\system\MOQE.exe	HDUF.exe
File created	C:\windows\system\TOLOJGZ.exe.bat	ZBGFZ.exe
File opened for modification	C:\windows\LRCTV.exe	OMW.exe
File opened for modification	C:\windows\system\BHDDE.exe	GLY.exe
File created	C:\windows\system\XCVN.exe.bat	CPQDOOH.exe
File created	C:\windows\system\SPNOBP.exe.bat	BEPQCV.exe
File created	C:\windows\YTWGG.exe	LIOHSYX.exe
File opened for modification	C:\windows\system\XNUEKV.exe	CZXN.exe
File created	C:\windows\QWRI.exe	IQZ.exe
File created	C:\windows\SVR.exe	EQLPYAH.exe
File created	C:\windows\system\HXPIZQA.exe.bat	VFUPRA.exe
File opened for modification	C:\windows\system\FVSJO.exe	OXLGC.exe
File opened for modification	C:\windows\system\EPDPBM.exe	LMZMOWI.exe
File created	C:\windows\system\MSBHBXJ.exe	VERX.exe
File created	C:\windows\GYXUIO.exe.bat	YTWGG.exe
File created	C:\windows\TRJF.exe	LBIGAL.exe
File opened for modification	C:\windows\ETW.exe	LQTBZU.exe
File created	C:\windows\system\FUHADP.exe.bat	JOBDWG.exe
File created	C:\windows\system\XYJZTD.exe	DJIFNPT.exe
File created	C:\windows\system\SBSW.exe	KIJU.exe
File opened for modification	C:\windows\system\TOLOJGZ.exe	ZBGFZ.exe
File created	C:\windows\FDKSG.exe	BVQKCS.exe
File created	C:\windows\BPU.exe.bat	PWRQURN.exe
File created	C:\windows\system\MSZ.exe.bat	XNUEKV.exe
File opened for modification	C:\windows\HXC.exe	ACFO.exe
File created	C:\windows\system\TXNFPH.exe.bat	CMKPOBS.exe
File created	C:\windows\system\WSD.exe	MSBHBXJ.exe
File opened for modification	C:\windows\system\BIHPKCL.exe	PPEWCU.exe
File opened for modification	C:\windows\system\KDFZAIS.exe	EABTVR.exe
File created	C:\windows\system\OYVMJ.exe	RSPPB.exe
File created	C:\windows\SYXNZL.exe	KDABQKY.exe
File created	C:\windows\YTWGG.exe.bat	LIOHSYX.exe
File created	C:\windows\system\BHDDE.exe	GLY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4660	3752	WerFault.exe	90
2704	4104	WerFault.exe	98
2252	3116	WerFault.exe	104
1156	3324	WerFault.exe	111
4884	3036	WerFault.exe	118
2344	2644	WerFault.exe	123
4144	3708	WerFault.exe	128
3116	1788	WerFault.exe	133
4100	3164	WerFault.exe	139
4532	3352	WerFault.exe	144
1844	3400	WerFault.exe	149
4144	3112	WerFault.exe	154
3788	944	WerFault.exe	159
64	4856	WerFault.exe	165
3972	4680	WerFault.exe	170
1068	3044	WerFault.exe	175
5076	4380	WerFault.exe	180
1028	3364	WerFault.exe	186
2044	4216	WerFault.exe	191
2704	4680	WerFault.exe	196
4440	3044	WerFault.exe	201
4884	4592	WerFault.exe	206
1072	364	WerFault.exe	211
4088	4080	WerFault.exe	217
3324	3424	WerFault.exe	222
3168	3704	WerFault.exe	227
1920	4100	WerFault.exe	232
1192	1336	WerFault.exe	237
1720	4088	WerFault.exe	242
4224	4380	WerFault.exe	247
2636	1668	WerFault.exe	252
1968	5004	WerFault.exe	257
3920	3728	WerFault.exe	262
2176	3168	WerFault.exe	267
696	3204	WerFault.exe	272
3712	3068	WerFault.exe	277
4440	2132	WerFault.exe	282
4596	4012	WerFault.exe	287
1408	2240	WerFault.exe	292
3844	4884	WerFault.exe	297
4852	3972	WerFault.exe	303
3640	1344	WerFault.exe	309
4884	1420	WerFault.exe	315
2784	2344	WerFault.exe	320
1680	3972	WerFault.exe	325
2484	4060	WerFault.exe	330
1720	1408	WerFault.exe	334
4440	1608	WerFault.exe	340
3972	2104	WerFault.exe	345
3168	3604	WerFault.exe	350
3408	320	WerFault.exe	355
2344	3584	WerFault.exe	360
4012	4440	WerFault.exe	365
1668	2884	WerFault.exe	370
4700	4060	WerFault.exe	375
3096	1144	WerFault.exe	380
1152	1752	WerFault.exe	385
3752	1672	WerFault.exe	390
3324	3632	WerFault.exe	395
3164	2872	WerFault.exe	400
3068	2656	WerFault.exe	404
4348	4364	WerFault.exe	410
2132	1512	WerFault.exe	415
3028	3728	WerFault.exe	420

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3752	ba3bd6064ab7a5f4e231232d993f2a10.exe
3752	ba3bd6064ab7a5f4e231232d993f2a10.exe
4104	CMKPOBS.exe
4104	CMKPOBS.exe
3116	TXNFPH.exe
3116	TXNFPH.exe
3324	CZXN.exe
3324	CZXN.exe
3036	XNUEKV.exe
3036	XNUEKV.exe
2644	MSZ.exe
2644	MSZ.exe
3708	QAUJCM.exe
3708	QAUJCM.exe
1788	VBB.exe
1788	VBB.exe
3164	SGHMS.exe
3164	SGHMS.exe
3352	UEAO.exe
3352	UEAO.exe
3400	YMP.exe
3400	YMP.exe
3112	UUJWOWX.exe
3112	UUJWOWX.exe
944	JXSI.exe
944	JXSI.exe
4856	RDTXA.exe
4856	RDTXA.exe
4680	YYC.exe
4680	YYC.exe
3044	ZBGFZ.exe
3044	ZBGFZ.exe
4380	TOLOJGZ.exe
4380	TOLOJGZ.exe
3364	URPKOW.exe
3364	URPKOW.exe
4216	YZV.exe
4216	YZV.exe
4680	WVUT.exe
4680	WVUT.exe
3044	XYY.exe
3044	XYY.exe
4592	CYGCU.exe
4592	CYGCU.exe
364	TONNG.exe
364	TONNG.exe
4080	PTKK.exe
4080	PTKK.exe
3424	IOKN.exe
3424	IOKN.exe
3704	HMV.exe
3704	HMV.exe
4100	ZHZMJ.exe
4100	ZHZMJ.exe
1336	RPB.exe
1336	RPB.exe
4088	AQDW.exe
4088	AQDW.exe
4380	GQKKHB.exe
4380	GQKKHB.exe
1668	TBGQMS.exe
1668	TBGQMS.exe
5004	MWKMAQI.exe
5004	MWKMAQI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3752	ba3bd6064ab7a5f4e231232d993f2a10.exe
3752	ba3bd6064ab7a5f4e231232d993f2a10.exe
4104	CMKPOBS.exe
4104	CMKPOBS.exe
3116	TXNFPH.exe
3116	TXNFPH.exe
3324	CZXN.exe
3324	CZXN.exe
3036	XNUEKV.exe
3036	XNUEKV.exe
2644	MSZ.exe
2644	MSZ.exe
3708	QAUJCM.exe
3708	QAUJCM.exe
1788	VBB.exe
1788	VBB.exe
3164	SGHMS.exe
3164	SGHMS.exe
3352	UEAO.exe
3352	UEAO.exe
3400	YMP.exe
3400	YMP.exe
3112	UUJWOWX.exe
3112	UUJWOWX.exe
944	JXSI.exe
944	JXSI.exe
4856	RDTXA.exe
4856	RDTXA.exe
4680	YYC.exe
4680	YYC.exe
3044	ZBGFZ.exe
3044	ZBGFZ.exe
4380	TOLOJGZ.exe
4380	TOLOJGZ.exe
3364	URPKOW.exe
3364	URPKOW.exe
4216	YZV.exe
4216	YZV.exe
4680	WVUT.exe
4680	WVUT.exe
3044	XYY.exe
3044	XYY.exe
4592	CYGCU.exe
4592	CYGCU.exe
364	TONNG.exe
364	TONNG.exe
4080	PTKK.exe
4080	PTKK.exe
3424	IOKN.exe
3424	IOKN.exe
3704	HMV.exe
3704	HMV.exe
4100	ZHZMJ.exe
4100	ZHZMJ.exe
1336	RPB.exe
1336	RPB.exe
4088	AQDW.exe
4088	AQDW.exe
4380	GQKKHB.exe
4380	GQKKHB.exe
1668	TBGQMS.exe
1668	TBGQMS.exe
5004	MWKMAQI.exe
5004	MWKMAQI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 2616	3752	ba3bd6064ab7a5f4e231232d993f2a10.exe	94
PID 3752 wrote to memory of 2616	3752	ba3bd6064ab7a5f4e231232d993f2a10.exe	94
PID 3752 wrote to memory of 2616	3752	ba3bd6064ab7a5f4e231232d993f2a10.exe	94
PID 2616 wrote to memory of 4104	2616	cmd.exe	98
PID 2616 wrote to memory of 4104	2616	cmd.exe	98
PID 2616 wrote to memory of 4104	2616	cmd.exe	98
PID 4104 wrote to memory of 3256	4104	CMKPOBS.exe	100
PID 4104 wrote to memory of 3256	4104	CMKPOBS.exe	100
PID 4104 wrote to memory of 3256	4104	CMKPOBS.exe	100
PID 3256 wrote to memory of 3116	3256	cmd.exe	104
PID 3256 wrote to memory of 3116	3256	cmd.exe	104
PID 3256 wrote to memory of 3116	3256	cmd.exe	104
PID 3116 wrote to memory of 3124	3116	TXNFPH.exe	107
PID 3116 wrote to memory of 3124	3116	TXNFPH.exe	107
PID 3116 wrote to memory of 3124	3116	TXNFPH.exe	107
PID 3124 wrote to memory of 3324	3124	cmd.exe	111
PID 3124 wrote to memory of 3324	3124	cmd.exe	111
PID 3124 wrote to memory of 3324	3124	cmd.exe	111
PID 3324 wrote to memory of 4868	3324	CZXN.exe	114
PID 3324 wrote to memory of 4868	3324	CZXN.exe	114
PID 3324 wrote to memory of 4868	3324	CZXN.exe	114
PID 4868 wrote to memory of 3036	4868	cmd.exe	118
PID 4868 wrote to memory of 3036	4868	cmd.exe	118
PID 4868 wrote to memory of 3036	4868	cmd.exe	118
PID 3036 wrote to memory of 4516	3036	XNUEKV.exe	119
PID 3036 wrote to memory of 4516	3036	XNUEKV.exe	119
PID 3036 wrote to memory of 4516	3036	XNUEKV.exe	119
PID 4516 wrote to memory of 2644	4516	cmd.exe	123
PID 4516 wrote to memory of 2644	4516	cmd.exe	123
PID 4516 wrote to memory of 2644	4516	cmd.exe	123
PID 2644 wrote to memory of 3416	2644	MSZ.exe	124
PID 2644 wrote to memory of 3416	2644	MSZ.exe	124
PID 2644 wrote to memory of 3416	2644	MSZ.exe	124
PID 3416 wrote to memory of 3708	3416	cmd.exe	128
PID 3416 wrote to memory of 3708	3416	cmd.exe	128
PID 3416 wrote to memory of 3708	3416	cmd.exe	128
PID 3708 wrote to memory of 2420	3708	QAUJCM.exe	129
PID 3708 wrote to memory of 2420	3708	QAUJCM.exe	129
PID 3708 wrote to memory of 2420	3708	QAUJCM.exe	129
PID 2420 wrote to memory of 1788	2420	cmd.exe	133
PID 2420 wrote to memory of 1788	2420	cmd.exe	133
PID 2420 wrote to memory of 1788	2420	cmd.exe	133
PID 1788 wrote to memory of 4808	1788	VBB.exe	134
PID 1788 wrote to memory of 4808	1788	VBB.exe	134
PID 1788 wrote to memory of 4808	1788	VBB.exe	134
PID 4808 wrote to memory of 3164	4808	cmd.exe	139
PID 4808 wrote to memory of 3164	4808	cmd.exe	139
PID 4808 wrote to memory of 3164	4808	cmd.exe	139
PID 3164 wrote to memory of 4836	3164	SGHMS.exe	140
PID 3164 wrote to memory of 4836	3164	SGHMS.exe	140
PID 3164 wrote to memory of 4836	3164	SGHMS.exe	140
PID 4836 wrote to memory of 3352	4836	cmd.exe	144
PID 4836 wrote to memory of 3352	4836	cmd.exe	144
PID 4836 wrote to memory of 3352	4836	cmd.exe	144
PID 3352 wrote to memory of 3620	3352	UEAO.exe	145
PID 3352 wrote to memory of 3620	3352	UEAO.exe	145
PID 3352 wrote to memory of 3620	3352	UEAO.exe	145
PID 3620 wrote to memory of 3400	3620	cmd.exe	149
PID 3620 wrote to memory of 3400	3620	cmd.exe	149
PID 3620 wrote to memory of 3400	3620	cmd.exe	149
PID 3400 wrote to memory of 4456	3400	YMP.exe	150
PID 3400 wrote to memory of 4456	3400	YMP.exe	150
PID 3400 wrote to memory of 4456	3400	YMP.exe	150
PID 4456 wrote to memory of 3112	4456	cmd.exe	154

C:\Users\Admin\AppData\Local\Temp\ba3bd6064ab7a5f4e231232d993f2a10.exe
"C:\Users\Admin\AppData\Local\Temp\ba3bd6064ab7a5f4e231232d993f2a10.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CMKPOBS.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\windows\SysWOW64\CMKPOBS.exe
    C:\windows\system32\CMKPOBS.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\TXNFPH.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\windows\system\TXNFPH.exe
        
        C:\windows\system\TXNFPH.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CZXN.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\windows\SysWOW64\CZXN.exe
        
        C:\windows\system32\CZXN.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XNUEKV.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\windows\system\XNUEKV.exe
        
        C:\windows\system\XNUEKV.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MSZ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\windows\system\MSZ.exe
        
        C:\windows\system\MSZ.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAUJCM.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\windows\system\QAUJCM.exe
        
        C:\windows\system\QAUJCM.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBB.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\windows\system\VBB.exe
        
        C:\windows\system\VBB.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SGHMS.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\windows\SysWOW64\SGHMS.exe
        
        C:\windows\system32\SGHMS.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEAO.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\windows\SysWOW64\UEAO.exe
        
        C:\windows\system32\UEAO.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YMP.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\windows\YMP.exe
        
        C:\windows\YMP.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUJWOWX.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\windows\UUJWOWX.exe
        
        C:\windows\UUJWOWX.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXSI.exe.bat" "
        24⤵
        
        PID:2544
        
        C:\windows\system\JXSI.exe
        
        C:\windows\system\JXSI.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RDTXA.exe.bat" "
        26⤵
        
        PID:4364
        
        C:\windows\SysWOW64\RDTXA.exe
        
        C:\windows\system32\RDTXA.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YYC.exe.bat" "
        28⤵
        
        PID:4428
        
        C:\windows\SysWOW64\YYC.exe
        
        C:\windows\system32\YYC.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZBGFZ.exe.bat" "
        30⤵
        
        PID:224
        
        C:\windows\SysWOW64\ZBGFZ.exe
        
        C:\windows\system32\ZBGFZ.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOLOJGZ.exe.bat" "
        32⤵
        
        PID:2696
        
        C:\windows\system\TOLOJGZ.exe
        
        C:\windows\system\TOLOJGZ.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\URPKOW.exe.bat" "
        34⤵
        
        PID:4684
        
        C:\windows\URPKOW.exe
        
        C:\windows\URPKOW.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YZV.exe.bat" "
        36⤵
        
        PID:2040
        
        C:\windows\system\YZV.exe
        
        C:\windows\system\YZV.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUT.exe.bat" "
        38⤵
        
        PID:1040
        
        C:\windows\system\WVUT.exe
        
        C:\windows\system\WVUT.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XYY.exe.bat" "
        40⤵
        
        PID:3792
        
        C:\windows\system\XYY.exe
        
        C:\windows\system\XYY.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYGCU.exe.bat" "
        42⤵
        
        PID:3612
        
        C:\windows\system\CYGCU.exe
        
        C:\windows\system\CYGCU.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TONNG.exe.bat" "
        44⤵
        
        PID:3632
        
        C:\windows\TONNG.exe
        
        C:\windows\TONNG.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PTKK.exe.bat" "
        46⤵
        
        PID:4532
        
        C:\windows\SysWOW64\PTKK.exe
        
        C:\windows\system32\PTKK.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOKN.exe.bat" "
        48⤵
        
        PID:5024
        
        C:\windows\system\IOKN.exe
        
        C:\windows\system\IOKN.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMV.exe.bat" "
        50⤵
        
        PID:776
        
        C:\windows\HMV.exe
        
        C:\windows\HMV.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHZMJ.exe.bat" "
        52⤵
        
        PID:3564
        
        C:\windows\system\ZHZMJ.exe
        
        C:\windows\system\ZHZMJ.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPB.exe.bat" "
        54⤵
        
        PID:4348
        
        C:\windows\system\RPB.exe
        
        C:\windows\system\RPB.exe
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AQDW.exe.bat" "
        56⤵
        
        PID:3416
        
        C:\windows\AQDW.exe
        
        C:\windows\AQDW.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQKKHB.exe.bat" "
        58⤵
        
        PID:2280
        
        C:\windows\SysWOW64\GQKKHB.exe
        
        C:\windows\system32\GQKKHB.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBGQMS.exe.bat" "
        60⤵
        
        PID:4592
        
        C:\windows\system\TBGQMS.exe
        
        C:\windows\system\TBGQMS.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWKMAQI.exe.bat" "
        62⤵
        
        PID:4884
        
        C:\windows\SysWOW64\MWKMAQI.exe
        
        C:\windows\system32\MWKMAQI.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMZUEBW.exe.bat" "
        64⤵
        
        PID:3092
        
        C:\windows\system\QMZUEBW.exe
        
        C:\windows\system\QMZUEBW.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPDQ.exe.bat" "
        66⤵
        
        PID:4088
        
        C:\windows\system\QPDQ.exe
        
        C:\windows\system\QPDQ.exe
        67⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XKA.exe.bat" "
        68⤵
        
        PID:3632
        
        C:\windows\system\XKA.exe
        
        C:\windows\system\XKA.exe
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JDDV.exe.bat" "
        70⤵
        
        PID:3004
        
        C:\windows\SysWOW64\JDDV.exe
        
        C:\windows\system32\JDDV.exe
        71⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FABSJJ.exe.bat" "
        72⤵
        
        PID:1208
        
        C:\windows\SysWOW64\FABSJJ.exe
        
        C:\windows\system32\FABSJJ.exe
        73⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBIGAL.exe.bat" "
        74⤵
        
        PID:4104
        
        C:\windows\SysWOW64\LBIGAL.exe
        
        C:\windows\system32\LBIGAL.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TRJF.exe.bat" "
        76⤵
        
        PID:5104
        
        C:\windows\TRJF.exe
        
        C:\windows\TRJF.exe
        77⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EHYFLRJ.exe.bat" "
        78⤵
        
        PID:3296
        
        C:\windows\SysWOW64\EHYFLRJ.exe
        
        C:\windows\system32\EHYFLRJ.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QZT.exe.bat" "
        80⤵
        
        PID:1336
        
        C:\windows\system\QZT.exe
        
        C:\windows\system\QZT.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KMYHD.exe.bat" "
        82⤵
        
        PID:64
        
        C:\windows\KMYHD.exe
        
        C:\windows\KMYHD.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSDEKI.exe.bat" "
        84⤵
        
        PID:3696
        
        C:\windows\SysWOW64\HSDEKI.exe
        
        C:\windows\system32\HSDEKI.exe
        85⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HDMYYUE.exe.bat" "
        86⤵
        
        PID:1460
        
        C:\windows\HDMYYUE.exe
        
        C:\windows\HDMYYUE.exe
        87⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RASSGC.exe.bat" "
        88⤵
        
        PID:4472
        
        C:\windows\RASSGC.exe
        
        C:\windows\RASSGC.exe
        89⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ROSHHHH.exe.bat" "
        90⤵
        
        PID:2620
        
        C:\windows\SysWOW64\ROSHHHH.exe
        
        C:\windows\system32\ROSHHHH.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATC.exe.bat" "
        92⤵
        
        PID:4360
        
        C:\windows\SysWOW64\ATC.exe
        
        C:\windows\system32\ATC.exe
        93⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EJWGAL.exe.bat" "
        94⤵
        
        PID:1968
        
        C:\windows\system\EJWGAL.exe
        
        C:\windows\system\EJWGAL.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKE.exe.bat" "
        96⤵
        
        PID:3028
        
        C:\windows\SysWOW64\KKE.exe
        
        C:\windows\system32\KKE.exe
        97⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXJET.exe.bat" "
        98⤵
        
        PID:4940
        
        C:\windows\system\EXJET.exe
        
        C:\windows\system\EXJET.exe
        99⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PPEWCU.exe.bat" "
        100⤵
        
        PID:1668
        
        C:\windows\PPEWCU.exe
        
        C:\windows\PPEWCU.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BIHPKCL.exe.bat" "
        102⤵
        
        PID:4328
        
        C:\windows\system\BIHPKCL.exe
        
        C:\windows\system\BIHPKCL.exe
        103⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KIJU.exe.bat" "
        104⤵
        
        PID:4224
        
        C:\windows\system\KIJU.exe
        
        C:\windows\system\KIJU.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBSW.exe.bat" "
        106⤵
        
        PID:3044
        
        C:\windows\system\SBSW.exe
        
        C:\windows\system\SBSW.exe
        107⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEOUG.exe.bat" "
        108⤵
        
        PID:4340
        
        C:\windows\SysWOW64\FEOUG.exe
        
        C:\windows\system32\FEOUG.exe
        109⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEVIPXY.exe.bat" "
        110⤵
        
        PID:3324
        
        C:\windows\SysWOW64\DEVIPXY.exe
        
        C:\windows\system32\DEVIPXY.exe
        111⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WHNTU.exe.bat" "
        112⤵
        
        PID:3564
        
        C:\windows\SysWOW64\WHNTU.exe
        
        C:\windows\system32\WHNTU.exe
        113⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXTWX.exe.bat" "
        114⤵
        
        PID:5044
        
        C:\windows\SysWOW64\UXTWX.exe
        
        C:\windows\system32\UXTWX.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNSZJGD.exe.bat" "
        116⤵
        
        PID:4348
        
        C:\windows\SysWOW64\KNSZJGD.exe
        
        C:\windows\system32\KNSZJGD.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SIXTT.exe.bat" "
        118⤵
        
        PID:3728
        
        C:\windows\SIXTT.exe
        
        C:\windows\SIXTT.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDUF.exe.bat" "
        120⤵
        
        PID:2784
        
        C:\windows\SysWOW64\HDUF.exe
        
        C:\windows\system32\HDUF.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOQE.exe.bat" "
        122⤵
        
        PID:3584
        
        C:\windows\system\MOQE.exe
        
        C:\windows\system\MOQE.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JTWBP.exe.bat" "
        124⤵
        
        PID:2852
        
        C:\windows\system\JTWBP.exe
        
        C:\windows\system\JTWBP.exe
        125⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJDET.exe.bat" "
        126⤵
        
        PID:1208
        
        C:\windows\system\ZJDET.exe
        
        C:\windows\system\ZJDET.exe
        127⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UWANDVU.exe.bat" "
        128⤵
        
        PID:1788
        
        C:\windows\system\UWANDVU.exe
        
        C:\windows\system\UWANDVU.exe
        129⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKF.exe.bat" "
        130⤵
        
        PID:3420
        
        C:\windows\SysWOW64\WKF.exe
        
        C:\windows\system32\WKF.exe
        131⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVJ.exe.bat" "
        132⤵
        
        PID:2260
        
        C:\windows\system\BVJ.exe
        
        C:\windows\system\BVJ.exe
        133⤵
        Drops file in Windows directory
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DSC.exe.bat" "
        134⤵
        
        PID:5044
        
        C:\windows\DSC.exe
        
        C:\windows\DSC.exe
        135⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVGEEBO.exe.bat" "
        136⤵
        
        PID:1672
        
        C:\windows\SysWOW64\RVGEEBO.exe
        
        C:\windows\system32\RVGEEBO.exe
        137⤵
        Drops file in Windows directory
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTRHRG.exe.bat" "
        138⤵
        
        PID:1668
        
        C:\windows\PTRHRG.exe
        
        C:\windows\PTRHRG.exe
        139⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PZRVST.exe.bat" "
        140⤵
        
        PID:3364
        
        C:\windows\SysWOW64\PZRVST.exe
        
        C:\windows\system32\PZRVST.exe
        141⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ARU.exe.bat" "
        142⤵
        
        PID:3068
        
        C:\windows\ARU.exe
        
        C:\windows\ARU.exe
        143⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VERX.exe.bat" "
        144⤵
        
        PID:1332
        
        C:\windows\VERX.exe
        
        C:\windows\VERX.exe
        145⤵
        Drops file in Windows directory
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MSBHBXJ.exe.bat" "
        146⤵
        
        PID:4652
        
        C:\windows\system\MSBHBXJ.exe
        
        C:\windows\system\MSBHBXJ.exe
        147⤵
        Drops file in Windows directory
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSD.exe.bat" "
        148⤵
        
        PID:4680
        
        C:\windows\system\WSD.exe
        
        C:\windows\system\WSD.exe
        149⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSLINW.exe.bat" "
        150⤵
        
        PID:2116
        
        C:\windows\system\BSLINW.exe
        
        C:\windows\system\BSLINW.exe
        151⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVP.exe.bat" "
        152⤵
        
        PID:3048
        
        C:\windows\SysWOW64\CVP.exe
        
        C:\windows\system32\CVP.exe
        153⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLQDZI.exe.bat" "
        154⤵
        
        PID:2280
        
        C:\windows\SysWOW64\JLQDZI.exe
        
        C:\windows\system32\JLQDZI.exe
        155⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XWUCF.exe.bat" "
        156⤵
        
        PID:1408
        
        C:\windows\system\XWUCF.exe
        
        C:\windows\system\XWUCF.exe
        157⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KZCAT.exe.bat" "
        158⤵
        
        PID:544
        
        C:\windows\KZCAT.exe
        
        C:\windows\KZCAT.exe
        159⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OPR.exe.bat" "
        160⤵
        
        PID:3200
        
        C:\windows\OPR.exe
        
        C:\windows\OPR.exe
        161⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIMT.exe.bat" "
        162⤵
        
        PID:1216
        
        C:\windows\SysWOW64\ZIMT.exe
        
        C:\windows\system32\ZIMT.exe
        163⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "
        164⤵
        
        PID:3692
        
        C:\windows\system\LQTBZU.exe
        
        C:\windows\system\LQTBZU.exe
        165⤵
        Drops file in Windows directory
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ETW.exe.bat" "
        166⤵
        
        PID:2056
        
        C:\windows\ETW.exe
        
        C:\windows\ETW.exe
        167⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYCIP.exe.bat" "
        168⤵
        
        PID:1152
        
        C:\windows\SysWOW64\VTYCIP.exe
        
        C:\windows\system32\VTYCIP.exe
        169⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GMBVR.exe.bat" "
        170⤵
        
        PID:4520
        
        C:\windows\system\GMBVR.exe
        
        C:\windows\system\GMBVR.exe
        171⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KCIDD.exe.bat" "
        172⤵
        
        PID:1752
        
        C:\windows\SysWOW64\KCIDD.exe
        
        C:\windows\system32\KCIDD.exe
        173⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FPNMFPD.exe.bat" "
        174⤵
        
        PID:3920
        
        C:\windows\FPNMFPD.exe
        
        C:\windows\FPNMFPD.exe
        175⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VFUPRA.exe.bat" "
        176⤵
        
        PID:4336
        
        C:\windows\VFUPRA.exe
        
        C:\windows\VFUPRA.exe
        177⤵
        Drops file in Windows directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HXPIZQA.exe.bat" "
        178⤵
        
        PID:64
        
        C:\windows\system\HXPIZQA.exe
        
        C:\windows\system\HXPIZQA.exe
        179⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UITGEHV.exe.bat" "
        180⤵
        
        PID:8
        
        C:\windows\system\UITGEHV.exe
        
        C:\windows\system\UITGEHV.exe
        181⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JDCT.exe.bat" "
        182⤵
        
        PID:696
        
        C:\windows\JDCT.exe
        
        C:\windows\JDCT.exe
        183⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PZBTUXT.exe.bat" "
        184⤵
        
        PID:2744
        
        C:\windows\SysWOW64\PZBTUXT.exe
        
        C:\windows\system32\PZBTUXT.exe
        185⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EEHQBGV.exe.bat" "
        186⤵
        
        PID:4440
        
        C:\windows\EEHQBGV.exe
        
        C:\windows\EEHQBGV.exe
        187⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ACFO.exe.bat" "
        188⤵
        
        PID:1592
        
        C:\windows\SysWOW64\ACFO.exe
        
        C:\windows\system32\ACFO.exe
        189⤵
        Drops file in Windows directory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HXC.exe.bat" "
        190⤵
        
        PID:5092
        
        C:\windows\HXC.exe
        
        C:\windows\HXC.exe
        191⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JZL.exe.bat" "
        192⤵
        
        PID:2852
        
        C:\windows\JZL.exe
        
        C:\windows\JZL.exe
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "
        194⤵
        
        PID:460
        
        C:\windows\system\WKIFQPT.exe
        
        C:\windows\system\WKIFQPT.exe
        195⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGHOM.exe.bat" "
        196⤵
        
        PID:4440
        
        C:\windows\SysWOW64\CGHOM.exe
        
        C:\windows\system32\CGHOM.exe
        197⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTMXXS.exe.bat" "
        198⤵
        
        PID:3420
        
        C:\windows\SysWOW64\XTMXXS.exe
        
        C:\windows\system32\XTMXXS.exe
        199⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOVC.exe.bat" "
        200⤵
        
        PID:4100
        
        C:\windows\system\MOVC.exe
        
        C:\windows\system\MOVC.exe
        201⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OMW.exe.bat" "
        202⤵
        
        PID:2696
        
        C:\windows\system\OMW.exe
        
        C:\windows\system\OMW.exe
        203⤵
        Drops file in Windows directory
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LRCTV.exe.bat" "
        204⤵
        
        PID:3572
        
        C:\windows\LRCTV.exe
        
        C:\windows\LRCTV.exe
        205⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FFHLFL.exe.bat" "
        206⤵
        
        PID:4532
        
        C:\windows\SysWOW64\FFHLFL.exe
        
        C:\windows\system32\FFHLFL.exe
        207⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YIL.exe.bat" "
        208⤵
        
        PID:4364
        
        C:\windows\YIL.exe
        
        C:\windows\YIL.exe
        209⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EASUC.exe.bat" "
        210⤵
        
        PID:4100
        
        C:\windows\SysWOW64\EASUC.exe
        
        C:\windows\system32\EASUC.exe
        211⤵
        Checks computer location settings
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IQZ.exe.bat" "
        212⤵
        
        PID:3068
        
        C:\windows\IQZ.exe
        
        C:\windows\IQZ.exe
        213⤵
        Drops file in Windows directory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QWRI.exe.bat" "
        214⤵
        
        PID:1460
        
        C:\windows\QWRI.exe
        
        C:\windows\QWRI.exe
        215⤵
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GLY.exe.bat" "
        216⤵
        
        PID:2104
        
        C:\windows\SysWOW64\GLY.exe
        
        C:\windows\system32\GLY.exe
        217⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHDDE.exe.bat" "
        218⤵
        
        PID:2800
        
        C:\windows\system\BHDDE.exe
        
        C:\windows\system\BHDDE.exe
        219⤵
        Checks computer location settings
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KHF.exe.bat" "
        220⤵
        
        PID:1568
        
        C:\windows\system\KHF.exe
        
        C:\windows\system\KHF.exe
        221⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNC.exe.bat" "
        222⤵
        
        PID:3096
        
        C:\windows\SysWOW64\HNC.exe
        
        C:\windows\system32\HNC.exe
        223⤵
        Drops file in Windows directory
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXLGC.exe.bat" "
        224⤵
        
        PID:2280
        
        C:\windows\system\OXLGC.exe
        
        C:\windows\system\OXLGC.exe
        225⤵
        Drops file in Windows directory
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FVSJO.exe.bat" "
        226⤵
        
        PID:1604
        
        C:\windows\system\FVSJO.exe
        
        C:\windows\system\FVSJO.exe
        227⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBKXP.exe.bat" "
        228⤵
        
        PID:1196
        
        C:\windows\SysWOW64\FBKXP.exe
        
        C:\windows\system32\FBKXP.exe
        229⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBS.exe.bat" "
        230⤵
        
        PID:3584
        
        C:\windows\SysWOW64\LBS.exe
        
        C:\windows\system32\LBS.exe
        231⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBUQ.exe.bat" "
        232⤵
        
        PID:3044
        
        C:\windows\SysWOW64\CBUQ.exe
        
        C:\windows\system32\CBUQ.exe
        233⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XWZAML.exe.bat" "
        234⤵
        
        PID:3916
        
        C:\windows\XWZAML.exe
        
        C:\windows\XWZAML.exe
        235⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VXG.exe.bat" "
        236⤵
        
        PID:3200
        
        C:\windows\system\VXG.exe
        
        C:\windows\system\VXG.exe
        237⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCGC.exe.bat" "
        238⤵
        
        PID:3696
        
        C:\windows\DCGC.exe
        
        C:\windows\DCGC.exe
        239⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MQRUU.exe.bat" "
        240⤵
        
        PID:3320
        
        C:\windows\system\MQRUU.exe
        
        C:\windows\system\MQRUU.exe
        241⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQT.exe.bat" "
        242⤵
        
        PID:1592
        
        C:\windows\system\DQT.exe
        
        C:\windows\system\DQT.exe
        243⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JQS.exe.bat" "
        244⤵
        
        PID:1680
        
        C:\windows\JQS.exe
        
        C:\windows\JQS.exe
        245⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWYKO.exe.bat" "
        246⤵
        
        PID:4592
        
        C:\windows\SysWOW64\XWYKO.exe
        
        C:\windows\system32\XWYKO.exe
        247⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOBDWG.exe.bat" "
        248⤵
        
        PID:4104
        
        C:\windows\SysWOW64\JOBDWG.exe
        
        C:\windows\system32\JOBDWG.exe
        249⤵
        Drops file in Windows directory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FUHADP.exe.bat" "
        250⤵
        
        PID:3844
        
        C:\windows\system\FUHADP.exe
        
        C:\windows\system\FUHADP.exe
        251⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMCTMXU.exe.bat" "
        252⤵
        
        PID:2888
        
        C:\windows\SysWOW64\QMCTMXU.exe
        
        C:\windows\system32\QMCTMXU.exe
        253⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RIGORN.exe.bat" "
        254⤵
        
        PID:2872
        
        C:\windows\RIGORN.exe
        
        C:\windows\RIGORN.exe
        255⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLS.exe.bat" "
        256⤵
        
        PID:3420
        
        C:\windows\SysWOW64\KLS.exe
        
        C:\windows\system32\KLS.exe
        257⤵
        Checks computer location settings
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SDS.exe.bat" "
        258⤵
        
        PID:4972
        
        C:\windows\SDS.exe
        
        C:\windows\SDS.exe
        259⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MQXVV.exe.bat" "
        260⤵
        
        PID:4104
        
        C:\windows\system\MQXVV.exe
        
        C:\windows\system\MQXVV.exe
        261⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WRZ.exe.bat" "
        262⤵
        
        PID:1344
        
        C:\windows\WRZ.exe
        
        C:\windows\WRZ.exe
        263⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRH.exe.bat" "
        264⤵
        
        PID:320
        
        C:\windows\SysWOW64\BRH.exe
        
        C:\windows\system32\BRH.exe
        265⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DPAQ.exe.bat" "
        266⤵
        
        PID:1512
        
        C:\windows\DPAQ.exe
        
        C:\windows\DPAQ.exe
        267⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "
        268⤵
        
        PID:1648
        
        C:\windows\system\YCFZYD.exe
        
        C:\windows\system\YCFZYD.exe
        269⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSMKK.exe.bat" "
        270⤵
        
        PID:3712
        
        C:\windows\SysWOW64\OSMKK.exe
        
        C:\windows\system32\OSMKK.exe
        271⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LYRHRGZ.exe.bat" "
        272⤵
        
        PID:3976
        
        C:\windows\LYRHRGZ.exe
        
        C:\windows\LYRHRGZ.exe
        273⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVQKCS.exe.bat" "
        274⤵
        
        PID:2024
        
        C:\windows\system\BVQKCS.exe
        
        C:\windows\system\BVQKCS.exe
        275⤵
        Drops file in Windows directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FDKSG.exe.bat" "
        276⤵
        
        PID:4060
        
        C:\windows\FDKSG.exe
        
        C:\windows\FDKSG.exe
        277⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBMUEO.exe.bat" "
        278⤵
        
        PID:2176
        
        C:\windows\system\HBMUEO.exe
        
        C:\windows\system\HBMUEO.exe
        279⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPQDOOH.exe.bat" "
        280⤵
        
        PID:332
        
        C:\windows\SysWOW64\CPQDOOH.exe
        
        C:\windows\system32\CPQDOOH.exe
        281⤵
        Drops file in Windows directory
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XCVN.exe.bat" "
        282⤵
        
        PID:5044
        
        C:\windows\system\XCVN.exe
        
        C:\windows\system\XCVN.exe
        283⤵
        Drops file in Windows directory
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VSG.exe.bat" "
        284⤵
        
        PID:4604
        
        C:\windows\VSG.exe
        
        C:\windows\VSG.exe
        285⤵
        Drops file in Windows directory
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVY.exe.bat" "
        286⤵
        
        PID:1720
        
        C:\windows\system\OVY.exe
        
        C:\windows\system\OVY.exe
        287⤵
        Checks computer location settings
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SDETC.exe.bat" "
        288⤵
        
        PID:3068
        
        C:\windows\SDETC.exe
        
        C:\windows\SDETC.exe
        289⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XDMHLKB.exe.bat" "
        290⤵
        
        PID:2656
        
        C:\windows\system\XDMHLKB.exe
        
        C:\windows\system\XDMHLKB.exe
        291⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZBNJRG.exe.bat" "
        292⤵
        
        PID:460
        
        C:\windows\SysWOW64\ZBNJRG.exe
        
        C:\windows\system32\ZBNJRG.exe
        293⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BEPQCV.exe.bat" "
        294⤵
        
        PID:3316
        
        C:\windows\SysWOW64\BEPQCV.exe
        
        C:\windows\system32\BEPQCV.exe
        295⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SPNOBP.exe.bat" "
        296⤵
        
        PID:1592
        
        C:\windows\system\SPNOBP.exe
        
        C:\windows\system\SPNOBP.exe
        297⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LMZMOWI.exe.bat" "
        298⤵
        
        PID:2468
        
        C:\windows\system\LMZMOWI.exe
        
        C:\windows\system\LMZMOWI.exe
        299⤵
        Drops file in Windows directory
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPDPBM.exe.bat" "
        300⤵
        
        PID:5012
        
        C:\windows\system\EPDPBM.exe
        
        C:\windows\system\EPDPBM.exe
        301⤵
        Checks computer location settings
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESG.exe.bat" "
        302⤵
        
        PID:884
        
        C:\windows\system\ESG.exe
        
        C:\windows\system\ESG.exe
        303⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YQA.exe.bat" "
        304⤵
        
        PID:3220
        
        C:\windows\YQA.exe
        
        C:\windows\YQA.exe
        305⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PVKF.exe.bat" "
        306⤵
        
        PID:2704
        
        C:\windows\SysWOW64\PVKF.exe
        
        C:\windows\system32\PVKF.exe
        307⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRPPFV.exe.bat" "
        308⤵
        
        PID:2044
        
        C:\windows\SysWOW64\KRPPFV.exe
        
        C:\windows\system32\KRPPFV.exe
        309⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJSIOCT.exe.bat" "
        310⤵
        
        PID:1928
        
        C:\windows\SysWOW64\VJSIOCT.exe
        
        C:\windows\system32\VJSIOCT.exe
        311⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GCN.exe.bat" "
        312⤵
        
        PID:3032
        
        C:\windows\SysWOW64\GCN.exe
        
        C:\windows\system32\GCN.exe
        313⤵
        Checks computer location settings
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DZTPD.exe.bat" "
        314⤵
        
        PID:2888
        
        C:\windows\DZTPD.exe
        
        C:\windows\DZTPD.exe
        315⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPZXPMY.exe.bat" "
        316⤵
        
        PID:4788
        
        C:\windows\system\HPZXPMY.exe
        
        C:\windows\system\HPZXPMY.exe
        317⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BDEH.exe.bat" "
        318⤵
        
        PID:2040
        
        C:\windows\BDEH.exe
        
        C:\windows\BDEH.exe
        319⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGIDFB.exe.bat" "
        320⤵
        
        PID:3740
        
        C:\windows\SysWOW64\CGIDFB.exe
        
        C:\windows\system32\CGIDFB.exe
        321⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRTTN.exe.bat" "
        322⤵
        
        PID:3088
        
        C:\windows\SysWOW64\BRTTN.exe
        
        C:\windows\system32\BRTTN.exe
        323⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWRQURN.exe.bat" "
        324⤵
        
        PID:4708
        
        C:\windows\system\PWRQURN.exe
        
        C:\windows\system\PWRQURN.exe
        325⤵
        Drops file in Windows directory
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BPU.exe.bat" "
        326⤵
        
        PID:3840
        
        C:\windows\BPU.exe
        
        C:\windows\BPU.exe
        327⤵
        Drops file in Windows directory
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCYSF.exe.bat" "
        328⤵
        
        PID:944
        
        C:\windows\system\DCYSF.exe
        
        C:\windows\system\DCYSF.exe
        329⤵
        Drops file in Windows directory
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BCGGO.exe.bat" "
        330⤵
        
        PID:1720
        
        C:\windows\BCGGO.exe
        
        C:\windows\BCGGO.exe
        331⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EQLPYAH.exe.bat" "
        332⤵
        
        PID:2308
        
        C:\windows\EQLPYAH.exe
        
        C:\windows\EQLPYAH.exe
        333⤵
        Drops file in Windows directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "
        334⤵
        
        PID:3092
        
        C:\windows\SVR.exe
        
        C:\windows\SVR.exe
        335⤵
        Checks computer location settings
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NIVWQ.exe.bat" "
        336⤵
        
        PID:5004
        
        C:\windows\NIVWQ.exe
        
        C:\windows\NIVWQ.exe
        337⤵
        Drops file in Windows directory
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYW.exe.bat" "
        338⤵
        
        PID:2408
        
        C:\windows\system\CYW.exe
        
        C:\windows\system\CYW.exe
        339⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRXO.exe.bat" "
        340⤵
        
        PID:1592
        
        C:\windows\SysWOW64\KRXO.exe
        
        C:\windows\system32\KRXO.exe
        341⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VKAHK.exe.bat" "
        342⤵
        
        PID:4604
        
        C:\windows\SysWOW64\VKAHK.exe
        
        C:\windows\system32\VKAHK.exe
        343⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZSHPXJE.exe.bat" "
        344⤵
        
        PID:1156
        
        C:\windows\ZSHPXJE.exe
        
        C:\windows\ZSHPXJE.exe
        345⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXME.exe.bat" "
        346⤵
        
        PID:3640
        
        C:\windows\system\WXME.exe
        
        C:\windows\system\WXME.exe
        347⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WDNTN.exe.bat" "
        348⤵
        
        PID:4064
        
        C:\windows\system\WDNTN.exe
        
        C:\windows\system\WDNTN.exe
        349⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVNUT.exe.bat" "
        350⤵
        
        PID:2888
        
        C:\windows\SysWOW64\WVNUT.exe
        
        C:\windows\system32\WVNUT.exe
        351⤵
        Checks computer location settings
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YLOOZ.exe.bat" "
        352⤵
        
        PID:1592
        
        C:\windows\YLOOZ.exe
        
        C:\windows\YLOOZ.exe
        353⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJNZL.exe.bat" "
        354⤵
        
        PID:2096
        
        C:\windows\WJNZL.exe
        
        C:\windows\WJNZL.exe
        355⤵
        Drops file in Windows directory
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LGTWS.exe.bat" "
        356⤵
        
        PID:4316
        
        C:\windows\LGTWS.exe
        
        C:\windows\LGTWS.exe
        357⤵
        Drops file in Windows directory
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WZWHAK.exe.bat" "
        358⤵
        
        PID:2248
        
        C:\windows\WZWHAK.exe
        
        C:\windows\WZWHAK.exe
        359⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHQU.exe.bat" "
        360⤵
        
        PID:1460
        
        C:\windows\system\NHQU.exe
        
        C:\windows\system\NHQU.exe
        361⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TIYI.exe.bat" "
        362⤵
        
        PID:3792
        
        C:\windows\TIYI.exe
        
        C:\windows\TIYI.exe
        363⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EABTVR.exe.bat" "
        364⤵
        
        PID:660
        
        C:\windows\EABTVR.exe
        
        C:\windows\EABTVR.exe
        365⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDFZAIS.exe.bat" "
        366⤵
        
        PID:3712
        
        C:\windows\system\KDFZAIS.exe
        
        C:\windows\system\KDFZAIS.exe
        367⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DJIFNPT.exe.bat" "
        368⤵
        
        PID:4940
        
        C:\windows\system\DJIFNPT.exe
        
        C:\windows\system\DJIFNPT.exe
        369⤵
        Drops file in Windows directory
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XYJZTD.exe.bat" "
        370⤵
        
        PID:776
        
        C:\windows\system\XYJZTD.exe
        
        C:\windows\system\XYJZTD.exe
        371⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOQHF.exe.bat" "
        372⤵
        
        PID:3316
        
        C:\windows\system\IOQHF.exe
        
        C:\windows\system\IOQHF.exe
        373⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXKP.exe.bat" "
        374⤵
        
        PID:2096
        
        C:\windows\EXKP.exe
        
        C:\windows\EXKP.exe
        375⤵
        Checks computer location settings
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPTI.exe.bat" "
        376⤵
        
        PID:4884
        
        C:\windows\system\MPTI.exe
        
        C:\windows\system\MPTI.exe
        377⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSPPB.exe.bat" "
        378⤵
        
        PID:4748
        
        C:\windows\SysWOW64\RSPPB.exe
        
        C:\windows\system32\RSPPB.exe
        379⤵
        Drops file in Windows directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYVMJ.exe.bat" "
        380⤵
        
        PID:4976
        
        C:\windows\system\OYVMJ.exe
        
        C:\windows\system\OYVMJ.exe
        381⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDABQKY.exe.bat" "
        382⤵
        
        PID:4824
        
        C:\windows\system\KDABQKY.exe
        
        C:\windows\system\KDABQKY.exe
        383⤵
        Drops file in Windows directory
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SYXNZL.exe.bat" "
        384⤵
        
        PID:2484
        
        C:\windows\SYXNZL.exe
        
        C:\windows\SYXNZL.exe
        385⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KTPZ.exe.bat" "
        386⤵
        
        PID:3772
        
        C:\windows\SysWOW64\KTPZ.exe
        
        C:\windows\system32\KTPZ.exe
        387⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YETXJ.exe.bat" "
        388⤵
        
        PID:3796
        
        C:\windows\SysWOW64\YETXJ.exe
        
        C:\windows\system32\YETXJ.exe
        389⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUE.exe.bat" "
        390⤵
        
        PID:4100
        
        C:\windows\system\WUE.exe
        
        C:\windows\system\WUE.exe
        391⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WZEP.exe.bat" "
        392⤵
        
        PID:1500
        
        C:\windows\system\WZEP.exe
        
        C:\windows\system\WZEP.exe
        393⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PCIKLO.exe.bat" "
        394⤵
        
        PID:2580
        
        C:\windows\SysWOW64\PCIKLO.exe
        
        C:\windows\system32\PCIKLO.exe
        395⤵
        Drops file in Windows directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LIOHSYX.exe.bat" "
        396⤵
        
        PID:4852
        
        C:\windows\system\LIOHSYX.exe
        
        C:\windows\system\LIOHSYX.exe
        397⤵
        Drops file in Windows directory
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTWGG.exe.bat" "
        398⤵
        
        PID:4108
        
        C:\windows\YTWGG.exe
        
        C:\windows\YTWGG.exe
        399⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GYXUIO.exe.bat" "
        400⤵
        
        PID:2176
        
        C:\windows\GYXUIO.exe
        
        C:\windows\GYXUIO.exe
        401⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WTGZ.exe.bat" "
        402⤵
        
        PID:5076
        
        C:\windows\SysWOW64\WTGZ.exe
        
        C:\windows\system32\WTGZ.exe
        403⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QHLIDB.exe.bat" "
        404⤵
        
        PID:5112
        
        C:\windows\QHLIDB.exe
        
        C:\windows\QHLIDB.exe
        405⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\APNN.exe.bat" "
        406⤵
        
        PID:2784
        
        C:\windows\SysWOW64\APNN.exe
        
        C:\windows\system32\APNN.exe
        407⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPUB.exe.bat" "
        408⤵
        
        PID:4976
        
        C:\windows\SysWOW64\FPUB.exe
        
        C:\windows\system32\FPUB.exe
        409⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNAV.exe.bat" "
        410⤵
        
        PID:1040
        
        C:\windows\SysWOW64\PNAV.exe
        
        C:\windows\system32\PNAV.exe
        411⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTAKG.exe.bat" "
        412⤵
        
        PID:332
        
        C:\windows\PTAKG.exe
        
        C:\windows\PTAKG.exe
        413⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1008
        412⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1004
        410⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1328
        408⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 960
        406⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 960
        404⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 960
        402⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1312
        400⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1000
        398⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1336
        396⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1328
        394⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 960
        392⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960
        390⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 960
        388⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 960
        386⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1244
        384⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1336
        382⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1336
        380⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 976
        378⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 960
        376⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1324
        374⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1304
        372⤵
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1300
        370⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1324
        368⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 960
        366⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1324
        364⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1292
        362⤵
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1336
        360⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1312
        358⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 960
        356⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 960
        354⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1264
        352⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1328
        350⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1336
        348⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1336
        346⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1260
        344⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1296
        342⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
        340⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1336
        338⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1300
        336⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 960
        334⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960
        332⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 960
        330⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1336
        328⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1324
        326⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 960
        324⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1328
        322⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1004
        320⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 976
        318⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1336
        316⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1324
        314⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1292
        312⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1328
        310⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1328
        308⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 960
        306⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1324
        304⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1336
        302⤵
        
        PID:460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1272
        300⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 960
        298⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1336
        296⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960
        294⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1296
        292⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1324
        290⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 960
        288⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1316
        286⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 960
        284⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1336
        282⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1328
        280⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336
        278⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1256
        276⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1316
        274⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1324
        272⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 960
        270⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 960
        268⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1292
        266⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1316
        264⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1012
        262⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1336
        260⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1004
        258⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1328
        256⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960
        254⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 960
        252⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1336
        250⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960
        248⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1316
        246⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 960
        244⤵
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 960
        242⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1336
        240⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1324
        238⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 960
        236⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 988
        234⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1240
        232⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960
        230⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 960
        228⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1308
        226⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1336
        224⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 960
        222⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1332
        220⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1304
        218⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 960
        216⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1324
        214⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 960
        212⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1328
        210⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1268
        208⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1328
        206⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 960
        204⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1332
        202⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1272
        200⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1328
        198⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1328
        196⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 960
        194⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1324
        192⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1296
        190⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 960
        188⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1312
        186⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1324
        184⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 960
        182⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1328
        180⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 960
        178⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1324
        176⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1008
        174⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 960
        172⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1336
        170⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1328
        168⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 960
        166⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 960
        164⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1328
        162⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1324
        160⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1324
        158⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1316
        156⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1308
        154⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1328
        152⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1264
        150⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1304
        148⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 960
        146⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1324
        144⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1292
        142⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 960
        140⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 960
        138⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 960
        136⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1324
        134⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 964
        132⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1296
        130⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1336
        128⤵
        Program crash
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 992
        126⤵
        Program crash
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960
        124⤵
        Program crash
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1304
        122⤵
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1328
        120⤵
        Program crash
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1324
        118⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1300
        116⤵
        Program crash
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1012
        114⤵
        Program crash
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1008
        112⤵
        Program crash
        
        PID:3096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1328
        110⤵
        Program crash
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1328
        108⤵
        Program crash
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1336
        106⤵
        Program crash
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 960
        104⤵
        Program crash
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 960
        102⤵
        Program crash
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 960
        100⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1308
        98⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1320
        96⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1336
        94⤵
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1296
        92⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1300
        90⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1324
        88⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1260
        86⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 988
        84⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960
        82⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1336
        80⤵
        Program crash
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1296
        78⤵
        Program crash
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1324
        76⤵
        Program crash
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1296
        74⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 960
        72⤵
        Program crash
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1316
        70⤵
        Program crash
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 960
        68⤵
        Program crash
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 976
        66⤵
        Program crash
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1336
        64⤵
        Program crash
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1328
        62⤵
        Program crash
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336
        60⤵
        Program crash
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 960
        58⤵
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 960
        56⤵
        Program crash
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1336
        54⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1336
        52⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1300
        50⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 988
        48⤵
        Program crash
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1292
        46⤵
        Program crash
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1332
        44⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1304
        42⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1264
        40⤵
        Program crash
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 960
        38⤵
        Program crash
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1248
        36⤵
        Program crash
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1324
        34⤵
        Program crash
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1276
        32⤵
        Program crash
        
        PID:1068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1320
        30⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1296
        28⤵
        Program crash
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 960
        26⤵
        Program crash
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 960
        24⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 976
        22⤵
        Program crash
        
        PID:1844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 960
        20⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1328
        18⤵
        Program crash
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 960
        16⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 960
        14⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1304
        12⤵
        Program crash
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 960
        10⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 976
        8⤵
        Program crash
        
        PID:1156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1328
        6⤵
        Program crash
        
        PID:2252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 988
      4⤵
      Program crash
      PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1316
  2⤵
  - Program crash
  PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3752 -ip 3752
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4104 -ip 4104
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3116 -ip 3116
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3036 -ip 3036
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2644 -ip 2644
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3708 -ip 3708
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1788 -ip 1788
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3164 -ip 3164
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3352 -ip 3352
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3400 -ip 3400
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3112 -ip 3112
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 944 -ip 944
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4856 -ip 4856
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4680 -ip 4680
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3044 -ip 3044
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4380 -ip 4380
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3364 -ip 3364
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4216 -ip 4216
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4680 -ip 4680
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3044 -ip 3044
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4592 -ip 4592
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 364 -ip 364
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4080 -ip 4080
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3424 -ip 3424
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3704 -ip 3704
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4100 -ip 4100
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1336 -ip 1336
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4088 -ip 4088
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4380 -ip 4380
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1668 -ip 1668
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5004 -ip 5004
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3728 -ip 3728
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3168 -ip 3168
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3204 -ip 3204
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3068 -ip 3068
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2132 -ip 2132
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4012 -ip 4012
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2240 -ip 2240
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4884 -ip 4884
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3972 -ip 3972
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1344 -ip 1344
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1420 -ip 1420
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2344 -ip 2344
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3972 -ip 3972
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4060 -ip 4060
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1408 -ip 1408
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1608 -ip 1608
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2104 -ip 2104
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3604 -ip 3604
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 320 -ip 320
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3584 -ip 3584
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4440 -ip 4440
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2884 -ip 2884
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4060 -ip 4060
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1144 -ip 1144
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1752 -ip 1752
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1672 -ip 1672
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3632 -ip 3632
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2872 -ip 2872
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2656 -ip 2656
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4364 -ip 4364
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1512 -ip 1512
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3728 -ip 3728
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2616 -ip 2616
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3584 -ip 3584
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3704 -ip 3704
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1420 -ip 1420
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4224 -ip 4224
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4336 -ip 4336
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1188 -ip 1188
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 708 -ip 708
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3400 -ip 3400
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 544 -ip 544
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2084 -ip 2084
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2344 -ip 2344
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4036 -ip 4036
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1456 -ip 1456
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4060 -ip 4060
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1424 -ip 1424
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1648 -ip 1648
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4684 -ip 4684
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3620 -ip 3620
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3364 -ip 3364
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4720 -ip 4720
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2428 -ip 2428
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4180 -ip 4180
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2872 -ip 2872
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4060 -ip 4060
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1720 -ip 1720
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1068 -ip 1068
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3424 -ip 3424
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3704 -ip 3704
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2076 -ip 2076
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2468 -ip 2468
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4852 -ip 4852
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4700 -ip 4700
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3424 -ip 3424
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2176 -ip 2176
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4984 -ip 4984
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2596 -ip 2596
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1452 -ip 1452
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3788 -ip 3788
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1568 -ip 1568
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1028 -ip 1028
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1668 -ip 1668
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2468 -ip 2468
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1196 -ip 1196
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3424 -ip 3424
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1332 -ip 1332
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3164 -ip 3164
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3068 -ip 3068
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2308 -ip 2308
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3800 -ip 3800
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4364 -ip 4364
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 904 -ip 904
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2248 -ip 2248
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1984 -ip 1984
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2724 -ip 2724
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1196 -ip 1196
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3204 -ip 3204
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1848 -ip 1848
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4760 -ip 4760
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3752 -ip 3752
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1668 -ip 1668
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1408 -ip 1408
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2084 -ip 2084
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1788 -ip 1788
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1152 -ip 1152
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4940 -ip 4940
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1804 -ip 1804
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3280 -ip 3280
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4952 -ip 4952
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1336 -ip 1336
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4692 -ip 4692
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 944 -ip 944
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5112 -ip 5112
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4244 -ip 4244
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4744 -ip 4744
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5076 -ip 5076
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3408 -ip 3408
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8 -ip 8
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2076 -ip 2076
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2248 -ip 2248
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4464 -ip 4464
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3148 -ip 3148
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1144 -ip 1144
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4952 -ip 4952
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3100 -ip 3100
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3796 -ip 3796
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1200 -ip 1200
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2596 -ip 2596
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2368 -ip 2368
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3704 -ip 3704
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3092 -ip 3092
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1196 -ip 1196
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 1332
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5076 -ip 5076
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4592 -ip 4592
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1156 -ip 1156
1⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4692 -ip 4692
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2656 -ip 2656
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2528 -ip 2528
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 884 -ip 884
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1420 -ip 1420
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4348 -ip 4348
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1984 -ip 1984
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2544 -ip 2544
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3048 -ip 3048
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4944 -ip 4944
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2040 -ip 2040
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3740 -ip 3740
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1168 -ip 1168
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4336 -ip 4336
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4984 -ip 4984
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2684 -ip 2684
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1044 -ip 1044
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4532 -ip 4532
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1500 -ip 1500
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4444 -ip 4444
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2584 -ip 2584
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3888 -ip 3888
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3416 -ip 3416
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2084 -ip 2084
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 404 -ip 404
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1504 -ip 1504
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4552 -ip 4552
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3624 -ip 3624
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4244 -ip 4244
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3920 -ip 3920
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1324 -ip 1324
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3800 -ip 3800
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2056 -ip 2056
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2084 -ip 2084
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3168 -ip 3168
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2784 -ip 2784
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4988 -ip 4988
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4788 -ip 4788
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4568 -ip 4568
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5016 -ip 5016
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1444 -ip 1444
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2428 -ip 2428
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1652 -ip 1652
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4756 -ip 4756
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2872 -ip 2872
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SGHMS.exe

Filesize
209KB

MD5
269cf35d34c8de736af3ed263285cbb8

SHA1
24c47dbc33479922432a4fed0227ba34378e9a0f

SHA256
6d119b645fb2959601167f8ba063d0e157ae0fb0b7dc7e1dd90ead2bed36bce9

SHA512
7215b675ad275ea4dcffb92f9c65d303923027d8fb1d73368d554549ac60c7ba56184ece175da6ffda5d9c1390b50ffd2d01b3661890f86247c32ab806d2bd92

Download Submit
C:\Windows\SysWOW64\ZBGFZ.exe

Filesize
209KB

MD5
7ef3cd3aef4c3c0dd6338ba6d00b12cc

SHA1
1dc15e4e4ab5a1a62834f2f1c26edfb2ce72b4cf

SHA256
408d26872387355f7c3984658c99eb0f8dff7c718db6c24241ee60cf6e1d5789

SHA512
df8dcd1c318cae375540b6ba5e70a37b935aeb18ef42188040b8e8ba09cfdbc386abed2136e21ac362a8384b290a86ff8cbcf5b0f467c387ff67bafdb5a661e8

Download Submit
C:\Windows\System\QAUJCM.exe

Filesize
209KB

MD5
8c43531732615181f41a58519dd10850

SHA1
7da2c35301ec508bb84118d75a8b0e794d6909b9

SHA256
b0ceb6b2b118830b225ccd2112a4e86c0a42d2b79722d480a488368e70b9d9ea

SHA512
4fc21a6fbbe8ed5fc71cde0303d5bb4b63c72026c88bb1c1978c933d0667157fea757005cb00945c373e9f6a7c02e04e8352c921fe7a0db29f9c4cb1516e7125

Download Submit
C:\Windows\System\TOLOJGZ.exe

Filesize
209KB

MD5
076cabf474c15da62badcf4d29993772

SHA1
e73e7016c90d52efe48b196e47396ea644f96237

SHA256
adb0f7392dcdbac724bf1b735fa4d09783f92649d9b2173c574af9abb5646a26

SHA512
b4735988158076a35d907afff313f6b4ce45a3d2302b1a138c70139c2784718a232aa1c886d23c77a87fe46ec064348703a356fd4a48966d433ddf6e67f4dadf

Download Submit
C:\Windows\System\VBB.exe

Filesize
209KB

MD5
85c5309efdf1a139859e7aec72543c24

SHA1
48f7f06cb72ec4e91a548ecc93ebedfb38375e49

SHA256
0316bbfb61dd606ed2e883b6f1a54d9bab84448ae25ef5fbcde4371e56b92fae

SHA512
f597aa6af06a2dd5b835dc8571d2a703e0107a018c1dd20ba3e0baf7f7b069aa791dad2ea76455256a0f6419f6e99898e2786f78047bcb757e70df49c343c710

Download Submit
C:\Windows\System\XNUEKV.exe

Filesize
209KB

MD5
db3056112cfb15e50894077b6f432d6a

SHA1
0f59f017bd5d37fb91a1d414ccd8225cf634d278

SHA256
0e715aeef7f0e85f32973927c5bbeafcd202eedf171318bf64d6540e8e94cae0

SHA512
f2fa3201fd8815a46909a4a105ba425816ba1df70cdfcbfc11ba5de2603b877856e5345f2203e31babd327e0ccac54338cec2b0421489da3c8d4d4d0a7561059

Download Submit
C:\Windows\System\XYY.exe

Filesize
209KB

MD5
57a0c23b76da85fd60368b84b079c149

SHA1
50e1df767fd084655c3c0a2746ae1718f26d7fa3

SHA256
685cdcd72b8820b00be1f00802ad5c7fc2c1cbe6166d027b7c5ef5d07d58f215

SHA512
4882fa82106eac9ab1e1a36a33567a983cc758f86b4324a082e0e38a003cc8c7b01276f9777fff85615a972860cd113a20cf9b2a7cbc580f405a1cdba329d663

Download Submit
C:\Windows\System\YZV.exe

Filesize
209KB

MD5
b18a2d725081f08c6c20a834c8bfa4b2

SHA1
94a9ceee27bdff3079ae1adc0658d3839b54e5a7

SHA256
c92081fd5ef7b8a13ee1d8716e748ea6a1cb430c387b1df43e04f9f747a0e6db

SHA512
5ee2acba484a52c5b58cbac9d58f1cc5efdb7a1162e37120994b64681bd9fdb808b383eb7d954267ccf8cbabbba228af6eba0639d6aa5366af2724cdf7459664

Download Submit
C:\Windows\UUJWOWX.exe

Filesize
209KB

MD5
7d1aa2931c064b171295b4068b191ab9

SHA1
960334f6f4fec1e28eaff3024e271a489c06ebf3

SHA256
e7b99eab83c4d42eb09517c0f98eac7323207711508f11d75873b67648059e27

SHA512
d06b1edff264a44a3172b1971a36173c2f896c0eef8e24d3355b9307cea9755867a26fc901240bdb962c947b11c9834b1a2c37b74198885c86c1a0c3ac5f76ec

Download Submit
C:\Windows\YMP.exe

Filesize
209KB

MD5
3510fa678e156b6f7838531a911d4447

SHA1
e3c225cbaca7c7374947a93b3b1f721debda7371

SHA256
8040b8365b206fc3cefe68fc45f4f8689f0d664b45a190b0fad5899117cbf946

SHA512
ad92688e056f4e420cf0e734cdc7333e609e367ed0db4c87988bf939bcf7e879bbcbb99da74811b175d5ad80bc7b3016d128cd8159bc11b291fb47ea76119fe6

Download Submit
C:\windows\SysWOW64\CMKPOBS.exe

Filesize
209KB

MD5
5f3961c35f26a646fe85d6f31a118811

SHA1
b643ed616c86bca77ce78be783cff67204d1df83

SHA256
43d091b9da4717280c32937d8df518e1215be319437840965ddef796d8ddb34f

SHA512
b1b64285c6a2880bee2cd1137e4cbaedec54633c915a13762985a470c6484d880aa2fe0a471073a2a5f257a13c2fe7b0d54ded05fde441186830e502f3a38f52

Download Submit
C:\windows\SysWOW64\CMKPOBS.exe.bat

Filesize
78B

MD5
e836a5372a542882f5501e13c8d81397

SHA1
1dd2d9f135df2db16d82bd10d9438b5d4b1e546e

SHA256
ae855ee4175278ab150fc07a93896fca982f04cbc51d1240f855f9a8790e4fa0

SHA512
573b2d873173b9afeec517a7ddd441dfe30b86f3e084bb6eeca73fd0d2944932cbe586902b5de8d9be69026f8d3be7ec342bd55f62832cc1801470352f15b155

Download Submit
C:\windows\SysWOW64\CZXN.exe

Filesize
209KB

MD5
1f00bb0fb1b6216ca24d327ec2a44888

SHA1
8b420bafda18722a597fe4228a722357a2b303eb

SHA256
2e5c9564375fe8a7298a7582a5f74208e240bacfce3effa73bf137679438fedb

SHA512
c612a62f70ea408fbd92108b3358450d7866134ee5874311017c2f74b60e462b0aea516eeb2f0e4f2436a1ed8d9819327b285de6804728f8b0794e1781f97461

Download Submit
C:\windows\SysWOW64\CZXN.exe.bat

Filesize
72B

MD5
b622e0b476f5d6f56e340ef7409fe75b

SHA1
da9b66ecca4f0cca3aef6f00dafb7da7a7f0daee

SHA256
2f2447135579704c970910a4e31a08d72763c0dcbc8be59c909b778d858891db

SHA512
805c3784e207386064af2fe6127096f1cc10c4452caaefe4b898cfed0ec4e53b698e5622ba1d79d00942090b10448b64021e7522dfbe48a66c37f1e8d9c8e3bd

Download Submit
C:\windows\SysWOW64\RDTXA.exe

Filesize
209KB

MD5
befc001a38b63440a3f687568c9a9cc0

SHA1
3f3c07bb6823f54beed0e8f920585152e15c0cf8

SHA256
90e572909af8c4400bf8b967e204cbe101c4df243759e6fb337ab6bd22ca1a6f

SHA512
cacd71d27b27348463bda7d85f8b20cf77fc6f2445a2177104916a87266f05730ad997a52061b3602b94c773dff4686bae2f078c0b5b029bbdf821b85cc963d4

Download Submit
C:\windows\SysWOW64\RDTXA.exe.bat

Filesize
74B

MD5
73b747c8d7f734d5ab2596a6f1968a72

SHA1
1cfe46c11a86d447f9885b87f24c4729bddaca87

SHA256
a0f9bf25b6fbd849be4b24553021d8618df116ce443e2ca252c9d0bed61a0082

SHA512
fc5e5023930979c1a4863475d04df27d4388e13374cd1f6ff7146bbb1f28bc2e6568690f439ce57e4b034ae9a403d0ea63d1457cf1115c2d5730e1049280d794

Download Submit
C:\windows\SysWOW64\SGHMS.exe.bat

Filesize
74B

MD5
b17dc71c891a953ffbaa669703bc1697

SHA1
b9b1d6063848ae50f396750315bd13d4909ad835

SHA256
1660c5cd86ed692b68108cf9c3916350bf8714b6d59bba63ec69f63161c70cca

SHA512
1ed8b80a908040ccb8537ca7560956d35a3c7e6abe940abadcd272751b33360b08706f3a09a703352512eecd37d4bb0c374acc3fcb0ce792685434301a3c7577

Download Submit
C:\windows\SysWOW64\UEAO.exe.bat

Filesize
72B

MD5
54792db49b33a435f889178b47ab32e9

SHA1
4409924c508eccd51070c3009db012d4ca02f279

SHA256
0f87ebc98b6556d05610a153b8e3ee4f010fe721a522b549103e03dbe08da097

SHA512
300a5b9e1b3d7388ec055a447df56b0be1f2acb2bc00231485d34d3bbc2446ecc75ef4c61372181e2b8632f2cdd73bca67c95ee99154d4a6ce3b2f3e17eb8a8e

Download Submit
C:\windows\SysWOW64\YYC.exe

Filesize
209KB

MD5
c0a99e8ab29a046eabc8b39e453bf961

SHA1
b47185881555a15e8b01405a8ca7efb5fccb966c

SHA256
88e2723651fdcbca1a7290e9ace196a0bca73508f8833f029cb12df0435d22ef

SHA512
ade837fbc8131f55b42f24262e2c9881095cbc47373a8ed2bfbab9939702a2bed0de38a8bf2fa43c4e42155629118663a0c818a04c31a53b7ca2d6573870002c

Download Submit
C:\windows\SysWOW64\YYC.exe.bat

Filesize
70B

MD5
e674fc384fb61372646a0b563f96b8e0

SHA1
f47b6a81495b004b70a845d1049d695007dcb05a

SHA256
7d6917c8a4d19e156927de7a3ae5cdc50d3090b668994038ccdb7a278ca816da

SHA512
b0d0654425e25925e7b2db996a2d3daeb09bb30abe4ed08094e1590e63bd9f67f14b7dc9ed3cca92448c28d5ee3f672a84fde55212ffebe57df0041cbb6ae043

Download Submit
C:\windows\SysWOW64\ZBGFZ.exe.bat

Filesize
74B

MD5
32609617da15a70dc9b0306bf60bd371

SHA1
988d8ce2f178cbb62e934b87148b2d204c84b1b2

SHA256
d554759abe6af91575d9519af4cdf146d297b6c6a60a7eabca888ac8cdec93ec

SHA512
4968ddbbb3f173cef2b104e738ef0f5df4a38948c1ed88c75b184100ca27513cee44bbf78caa2658a358d2fffc98804bc73101cb7f1fd21f17e681cbc583aa09

Download Submit
C:\windows\TONNG.exe.bat

Filesize
56B

MD5
ba646085dad330d209a433b1a93f1fca

SHA1
c581e42960689c7cc53db00be07aeb8ae9fc6180

SHA256
2ce4f6536ce6151ecb525699553b40d82de78e9123e819d56dcab1dfc2e55a84

SHA512
ef0185654a9eb6a33074591c1da5ba3922c7ffebbc77f12c645046d5d4d81431d8e810752997c2ce9cab571b161cc273052fab6dc2ef2933c981ac635a3da820

Download Submit
C:\windows\URPKOW.exe.bat

Filesize
58B

MD5
069eed6c282b7c7b108a55c4f31e99ad

SHA1
df823f2700ae6d13608099949c759e821ef3c346

SHA256
49f0e43253f85a7ac9b9f0a6dcf2ca7e670ef00c8b183f76d75745f5953b3c35

SHA512
93c60809ae848f86d2fccb923845d0402d2f4ea8a9f4fc6c2a0fde80cbd6399790a1b8ff482177057af11d5ce5b5729aa2c18b653bcf2f943350418d10d0df4a

Download Submit
C:\windows\UUJWOWX.exe.bat

Filesize
60B

MD5
eadc9a77001593bc090646457ba81f51

SHA1
7b2e191a58d5a240ff1f02f99cfcb89f33515147

SHA256
a1d8d33f99c7a20d5a1f21a239ae8631fb3d4200c644b3b77e13a6b472af33e8

SHA512
3e917278d0b58d05d25a837d3214b7538ddb4233a87aa81cb43082ecb731c610587f6479f107cdb575c3418078e9fed385be4932116ab1b1b144477a41e918b0

Download Submit
C:\windows\YMP.exe.bat

Filesize
52B

MD5
47631f449c01fc796a8af8469bbf07a1

SHA1
3ea659772f95d9bfb349a9814f37d9de961c5388

SHA256
e2af43fdff5b4afbfec9bddef80ff8a36149688b6f3d9b484a486053e86ac3f5

SHA512
3cbbde0c22d82491599d46ffb777aad097dfe72faefcf49c43a193c245c9e23888ffb113983d697ab6477654103b7107afd8e8b20a8049beaadab8ea918d6ba0

Download Submit
C:\windows\system\CYGCU.exe.bat

Filesize
70B

MD5
6329a63776047fc355d507b99aded5c2

SHA1
4dcbd54e513b8a0bf46dda770c5d659f18f1683b

SHA256
b20a011ccfd8a3968ec9aa95f4ef299f5c2e3674c5b19dacc75300fe8cb9dca3

SHA512
d80c5a040ce26023e2baa39cb965db07d735900d2cdb106ab47c6a452b8c2382569e8ff35d7a4b3396768a203caa2bd244158f1f99478326c98823205a8c5818

Download Submit
C:\windows\system\JXSI.exe.bat

Filesize
68B

MD5
ca59cddf0d50650c37efbd29237ed0f8

SHA1
0a5b31a8ce20a8f164b1d1380a93dd910e34b248

SHA256
873123ab906852a10be556613327a68957328e45f081382012fbeef2a7fa778f

SHA512
ae03a593c3b02d84b477d3eb34a4a5cecc0576f59c974786698b04b36e086746f2874e4aacae317375fb1f97a9f2eea8ab4ff771d5b271b80226d95672ffdf04

Download Submit
C:\windows\system\MSZ.exe.bat

Filesize
66B

MD5
1b13e712fc85360c5937b67c9972d553

SHA1
76bacd3fa923672f9e78f63a4fa72d56ed56afb2

SHA256
dde8a10f506e39f8455b78ba6d513c08759c145ecf8c92b77f191cb81a8db05f

SHA512
b773e236e5ec0ba7c15afc4d967335a2f0c0121215263a567e843a29c6f0483c950c1747709699d9429c81206e23a9237705810a2406f6c57ce86086c164b36f

Download Submit
C:\windows\system\QAUJCM.exe.bat

Filesize
72B

MD5
ed88f55c353c518833a76eba8b1a2b76

SHA1
5736c0dfb7a334399c33a3bcaf1ce905f2bcdf1d

SHA256
803590851c4df6b48d7a2a39e51c28ced5c30cca4e7c2bb785d1fa7c886db3f1

SHA512
eb75d0b308d410dce315d91dcf11a29c78daaf4049f6a0c3eed162efff4e0794c2961bc6eb82e6a1fb924ce1b599cf672a555e22de2cf11c1fc2a01caa752ed0

Download Submit
C:\windows\system\TOLOJGZ.exe.bat

Filesize
74B

MD5
3405928c6e11dc4d10c68c2c0d8bceb0

SHA1
89a4731d1875f16bce90d7c973796d786286b04b

SHA256
22e3304794cf8874da9065a3762956abf583267f09b1d0ee539a134de64efc35

SHA512
a47af937d5e543b427aa472ccc5186198d885888e85968c8119b5e66836899c3b2e9c0a73bd6da5cbd9d0a7876cd289aedcf1e869d0d762fbfa2d33849721424

Download Submit
C:\windows\system\TXNFPH.exe.bat

Filesize
72B

MD5
f2b110fd76faf8d68e1dc0f3ce0cd287

SHA1
c32884189416ae03b73cca9c53ae0fb96a449277

SHA256
b0c958f80aafad9ed4ef98e88b9bacd9964899411bf7518a5691dfe6ddbe9683

SHA512
b6bc08abe78350218099e46b25d4bab06ea4212ddf3a50c59ae2284eddb55e0d6101e6b30c1b1165d035326835aeb663a03bb2e49e13383063b36fffd89cfe67

Download Submit
C:\windows\system\VBB.exe.bat

Filesize
66B

MD5
509eb2df3ce464e1db27afcae719ac45

SHA1
c9d545a84abc873eaa2a95a9ee69865f3d38889c

SHA256
fb9962ba5769ccbf35b274a4f9853cc6e2d35aa7dc2c74302b35773f68e6d19e

SHA512
9e1cbcb19ad057b76fa137962a13e1aba331026922e4f2414dda0ec28b4f911d1f228d1bb68f7e4a200a0701c2202ca21ef33eec43bea5ed7892c7c30270d567

Download Submit
C:\windows\system\WVUT.exe

Filesize
209KB

MD5
2789859c37ab01963eabf80700eb663b

SHA1
5250fba237eb3906a676bb43cbdac407259aadd5

SHA256
b443d657b2a786138c030d5466fa0cff7d82433b5f75bfc97b55ef9d8173b47c

SHA512
e75b75351414586b69662fbc2c5667a3f7e912a8f06c3f4a24ecf8bf6049e123e7a5228f3757e88d03faef631fe50a7c586bf3e5c6a6f93bca664b00b3056ba4

Download Submit
C:\windows\system\WVUT.exe.bat

Filesize
68B

MD5
2297125ba243c1bdd1652019c1ccf942

SHA1
562ccaa6ca8a02fb748fafc7124730ffe743b8a1

SHA256
47a80c15c59fade3754e4ee606abb20583ee978d8f9a12194368e27ddb5d2384

SHA512
fe15701db372717197cbc52f650cbad7a2399e2b391f2789bee41f21027b4c6d6d0b87dd1df38eb545187567b58f639c1a92f6ca67f68535ec39407cb0207d75

Download Submit
C:\windows\system\XNUEKV.exe.bat

Filesize
72B

MD5
421a830c68b4c2015fd7aec29e26a6ad

SHA1
75dde69429137a0c8c002b65c990fb8c2fa130f4

SHA256
e3b7165acda2094c747c558de57ebef3f18e5a44fabbf13b2c8940f70f75b560

SHA512
deefc547527c68f3e21f9b0cae6e3d6c72a5a536ed6b276456abb8e3cdfbc3d3ac3919432e4c0817d68e007279e92a7afa34096883c52f97ae6866afca9a5f8c

Download Submit
C:\windows\system\XYY.exe.bat

Filesize
66B

MD5
701881e37d88ff6f0965e18cb22e0067

SHA1
5852f2391a7c47bf313943a73e2e6c11eada102d

SHA256
e62f42d2b028f026089b16073896dfcf10188d78a8fee6a86a4e72a0f1c78a0b

SHA512
e12a6bcbb65580932b2834802006bd0a32bcb3941aa7a4d9d5b3183a53515aba17aafacb5c2b71f872c5791c0f7eee956a0fa0e07ac7963d3f785ffd8b51a039

Download Submit
C:\windows\system\YZV.exe.bat

Filesize
66B

MD5
4869ac00a990bd13ab1d8c3aa8a33e57

SHA1
5400309e33088d25b8856b137412506235fd764f

SHA256
565c63001659442abdd8301b2a42606ed4fd76b5e7b8a455edb31f418db15eaf

SHA512
249ca89b71aab7ac47669ab59222bcbf3f66bfd8e43662b6a128a3d62bb71fe0db09785d868f1635819018b3852560d067fccc5303097caa86e4fe7373b2a201

Download Submit
memory/364-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/364-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/944-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/944-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1336-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1336-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2644-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2644-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3036-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3036-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3112-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3112-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3116-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3116-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3324-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3324-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3364-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3400-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3400-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3704-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3704-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3728-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4080-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4080-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4088-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4100-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4100-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4104-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4104-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4216-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4216-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4380-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4380-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4380-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4592-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4592-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4856-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5004-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download