8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 22:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
Size

256KB
MD5

f9c1b9ef4892f43440f0ca209ba2ccea
SHA1

43b77bb94b2b5c54fef498b42648b51c9263c9c4
SHA256

8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3
SHA512

80b064c90019d9e5bb15d515d514173de1c677b599ab5a300b054dade96733555fd093b5510fb1d3e60765ac93b63bc50465527bfd715c7320217d32f130b3ee
SSDEEP

6144:Q+XSCgM6BtL7o5zePpxiFzxkEjiPISUOgW9X+h8:3wMKtL8MPpxi/kmZzcui

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	TVWMVC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CSAV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NFOU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	QLYGNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DIX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WVLK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	KGFTRV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BMMWY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NLSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CSIYI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BSSFSYJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	EXKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PTAKG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ASYSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FREKGDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HLP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DBFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	EBRFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ZXRMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	STAFPWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	IXIBV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	RKTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ZNXCBCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ENBWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	EAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LBNSQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	SOAQORU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	MHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GBYIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	QEERI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LASBHU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	SGHMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CTJGQR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LRZM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LFC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	YSUZQVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	KGSKL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LPODS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CGBHEBP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NDPNWJF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WTVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GZZWNIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PAVI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NMFLY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	UVEICCI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LQZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ATVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	EUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ERPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PXOX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HQFJKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DIH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CCNZJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PLLKZE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OPUKC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FZIKOT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	IXPXW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	QFFZMJE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	UNMH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GVXYGC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	TZQVU.exe

Executes dropped EXE 64 IoCs

pid	Process
2484	TVWMVC.exe
4568	BIASYA.exe
3588	SGHMS.exe
876	XJDS.exe
2452	HHRN.exe
1928	SZUXV.exe
2224	PAVI.exe
2544	ASYSH.exe
3000	EAF.exe
3972	EEXLVEN.exe
832	CTJGQR.exe
4076	BMMWY.exe
3744	AXWMHDF.exe
4468	EFDULV.exe
4504	XTO.exe
5052	VRCCHX.exe
3720	LBNSQ.exe
3248	HMV.exe
1140	FZUR.exe
3796	AKD.exe
2560	IQP.exe
1228	MGWWM.exe
3216	LRZM.exe
1840	WJCFDG.exe
3304	FREKGDX.exe
1752	LSLY.exe
1052	CSAV.exe
4044	KGSKL.exe
4440	ONLKZN.exe
1448	NYJIYA.exe
1580	PWPUOI.exe
412	SRGEZ.exe
4024	BSI.exe
628	LPODS.exe
1424	KAZL.exe
4060	EOVDDV.exe
4360	SYMTRY.exe
1144	HON.exe
2704	LETTK.exe
1624	CFIYXDB.exe
684	NXLRXK.exe
4584	QGM.exe
3152	NLSC.exe
432	CGBHEBP.exe
1952	ABA.exe
3232	VMJGPH.exe
2472	OPUKC.exe
3360	JSD.exe
868	JGD.exe
4356	WIL.exe
4484	ORNTK.exe
3152	MRVGTXY.exe
2840	DRX.exe
1840	LFC.exe
1660	NDPNWJF.exe
4460	GVXYGC.exe
1824	SOAQORU.exe
4276	STAFPWX.exe
1132	CRGZXFG.exe
4292	VJVKOGO.exe
4488	CAW.exe
3000	RVFOGO.exe
2472	BSLINW.exe
1100	LQZ.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\HQFJKJ.exe	YDBCZK.exe
File opened for modification	C:\windows\SysWOW64\NJCHC.exe	JGEMCWF.exe
File opened for modification	C:\windows\SysWOW64\DRWIAO.exe	WAV.exe
File opened for modification	C:\windows\SysWOW64\NSS.exe	XSCDFS.exe
File opened for modification	C:\windows\SysWOW64\FREKGDX.exe	WJCFDG.exe
File created	C:\windows\SysWOW64\FREKGDX.exe.bat	WJCFDG.exe
File created	C:\windows\SysWOW64\UTJHP.exe	HQFJKJ.exe
File opened for modification	C:\windows\SysWOW64\JGEMCWF.exe	BSSFSYJ.exe
File created	C:\windows\SysWOW64\WVEPU.exe	BIZ.exe
File created	C:\windows\SysWOW64\UVEICCI.exe.bat	XQGLV.exe
File created	C:\windows\SysWOW64\USDWUD.exe	KUQC.exe
File created	C:\windows\SysWOW64\MBTTNFQ.exe	VQQ.exe
File created	C:\windows\SysWOW64\LQZ.exe	BSLINW.exe
File created	C:\windows\SysWOW64\UTJHP.exe.bat	HQFJKJ.exe
File created	C:\windows\SysWOW64\JGEMCWF.exe.bat	BSSFSYJ.exe
File created	C:\windows\SysWOW64\MWXJWUL.exe	GBYIZ.exe
File created	C:\windows\SysWOW64\CPQDOOH.exe.bat	RWNKOG.exe
File created	C:\windows\SysWOW64\DRWIAO.exe	WAV.exe
File created	C:\windows\SysWOW64\KUQC.exe	GMJC.exe
File opened for modification	C:\windows\SysWOW64\LSLY.exe	FREKGDX.exe
File created	C:\windows\SysWOW64\DBFT.exe	MQPV.exe
File created	C:\windows\SysWOW64\WTVE.exe	DBFT.exe
File created	C:\windows\SysWOW64\NMFLY.exe	HMY.exe
File created	C:\windows\SysWOW64\NJCHC.exe	JGEMCWF.exe
File created	C:\windows\SysWOW64\WJCFDG.exe.bat	LRZM.exe
File created	C:\windows\SysWOW64\LFC.exe	DRX.exe
File created	C:\windows\SysWOW64\ERPC.exe	UTJHP.exe
File created	C:\windows\SysWOW64\ERPC.exe.bat	UTJHP.exe
File created	C:\windows\SysWOW64\MWXJWUL.exe.bat	GBYIZ.exe
File created	C:\windows\SysWOW64\NSS.exe	XSCDFS.exe
File created	C:\windows\SysWOW64\LQZ.exe.bat	BSLINW.exe
File created	C:\windows\SysWOW64\BJPFDAO.exe.bat	OMP.exe
File created	C:\windows\SysWOW64\DRWIAO.exe.bat	WAV.exe
File opened for modification	C:\windows\SysWOW64\YLXWEO.exe	FQF.exe
File opened for modification	C:\windows\SysWOW64\SGHMS.exe	BIASYA.exe
File created	C:\windows\SysWOW64\FREKGDX.exe	WJCFDG.exe
File opened for modification	C:\windows\SysWOW64\LFC.exe	DRX.exe
File created	C:\windows\SysWOW64\HQFJKJ.exe.bat	YDBCZK.exe
File created	C:\windows\SysWOW64\YLXWEO.exe.bat	FQF.exe
File opened for modification	C:\windows\SysWOW64\GDDMF.exe	LQZ.exe
File created	C:\windows\SysWOW64\NMFLY.exe.bat	HMY.exe
File opened for modification	C:\windows\SysWOW64\BJPFDAO.exe	OMP.exe
File opened for modification	C:\windows\SysWOW64\USDWUD.exe	KUQC.exe
File created	C:\windows\SysWOW64\USDWUD.exe.bat	KUQC.exe
File opened for modification	C:\windows\SysWOW64\XSCDFS.exe	BMWO.exe
File created	C:\windows\SysWOW64\MBTTNFQ.exe.bat	VQQ.exe
File created	C:\windows\SysWOW64\MLUKUDM.exe	WVLK.exe
File opened for modification	C:\windows\SysWOW64\MLUKUDM.exe	WVLK.exe
File created	C:\windows\SysWOW64\LMQXE.exe	ATVE.exe
File opened for modification	C:\windows\SysWOW64\UVEICCI.exe	XQGLV.exe
File opened for modification	C:\windows\SysWOW64\CVJLHMM.exe	PXBZ.exe
File opened for modification	C:\windows\SysWOW64\GZZWNIW.exe	NWNAI.exe
File opened for modification	C:\windows\SysWOW64\WOY.exe	HLP.exe
File created	C:\windows\SysWOW64\BIZ.exe	RKTL.exe
File opened for modification	C:\windows\SysWOW64\DBFT.exe	MQPV.exe
File created	C:\windows\SysWOW64\DBFT.exe.bat	MQPV.exe
File opened for modification	C:\windows\SysWOW64\ESYMCNV.exe	NFOU.exe
File opened for modification	C:\windows\SysWOW64\PLLKZE.exe	ZQB.exe
File opened for modification	C:\windows\SysWOW64\MBTTNFQ.exe	VQQ.exe
File opened for modification	C:\windows\SysWOW64\XJDS.exe	SGHMS.exe
File created	C:\windows\SysWOW64\WOY.exe	HLP.exe
File created	C:\windows\SysWOW64\RWNKOG.exe.bat	UVEICCI.exe
File created	C:\windows\SysWOW64\KGFTRV.exe.bat	PTAKG.exe
File created	C:\windows\SysWOW64\EFDULV.exe.bat	AXWMHDF.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\JGD.exe.bat	JSD.exe
File created	C:\windows\EIQVX.exe	WVEPU.exe
File created	C:\windows\system\HCGMSWA.exe.bat	EMA.exe
File created	C:\windows\YDBCZK.exe	KFVF.exe
File opened for modification	C:\windows\WZWHAK.exe	FZIKOT.exe
File opened for modification	C:\windows\system\EDMR.exe	YIAY.exe
File created	C:\windows\TZQVU.exe.bat	EUL.exe
File created	C:\windows\system\DHGIZO.exe	VWXHTK.exe
File created	C:\windows\system\UNMH.exe.bat	QFFZMJE.exe
File opened for modification	C:\windows\CGBHEBP.exe	NLSC.exe
File opened for modification	C:\windows\DIH.exe	UVWAPWP.exe
File created	C:\windows\system\XTO.exe	EFDULV.exe
File opened for modification	C:\windows\system\IXIBV.exe	TACEO.exe
File created	C:\windows\system\NWNAI.exe	PLLKZE.exe
File created	C:\windows\system\QFFZMJE.exe	DIX.exe
File opened for modification	C:\windows\system\MQPV.exe	XLJYJQQ.exe
File created	C:\windows\system\OMP.exe	KDJTPE.exe
File created	C:\windows\VQQ.exe.bat	UNMH.exe
File created	C:\windows\system\GOX.exe	LASBHU.exe
File opened for modification	C:\windows\system\IXPXW.exe	URPLUJQ.exe
File created	C:\windows\DIX.exe	IXPXW.exe
File opened for modification	C:\windows\VRCCHX.exe	XTO.exe
File created	C:\windows\system\EMA.exe.bat	DRWIAO.exe
File opened for modification	C:\windows\DIX.exe	IXPXW.exe
File created	C:\windows\system\DHGIZO.exe.bat	VWXHTK.exe
File opened for modification	C:\windows\XLJYJQQ.exe	NNDMB.exe
File created	C:\windows\ACN.exe.bat	CCNZJ.exe
File created	C:\windows\system\SZUXV.exe	HHRN.exe
File created	C:\windows\system\LBNSQ.exe	VRCCHX.exe
File opened for modification	C:\windows\HMV.exe	LBNSQ.exe
File created	C:\windows\system\JSD.exe	OPUKC.exe
File opened for modification	C:\windows\system\NDPNWJF.exe	LFC.exe
File created	C:\windows\system\CZB.exe.bat	VEYCQHZ.exe
File created	C:\windows\system\CQWMFF.exe.bat	HDRV.exe
File created	C:\windows\system\EMA.exe	DRWIAO.exe
File created	C:\windows\FZIKOT.exe	VRGF.exe
File created	C:\windows\system\NYJIYA.exe	ONLKZN.exe
File opened for modification	C:\windows\system\GABH.exe	OXJV.exe
File created	C:\windows\DIX.exe.bat	IXPXW.exe
File created	C:\windows\MYO.exe	NJCHC.exe
File created	C:\windows\VMJGPH.exe	ABA.exe
File created	C:\windows\system\ZNXCBCP.exe	ACN.exe
File created	C:\windows\system\IXPXW.exe.bat	URPLUJQ.exe
File created	C:\windows\HMV.exe.bat	LBNSQ.exe
File created	C:\windows\system\ATVE.exe.bat	GBFU.exe
File created	C:\windows\system\WVLK.exe	VSHPISN.exe
File opened for modification	C:\windows\FQF.exe	RVH.exe
File opened for modification	C:\windows\system\XTO.exe	EFDULV.exe
File created	C:\windows\system\NDPNWJF.exe.bat	LFC.exe
File opened for modification	C:\windows\system\CAW.exe	VJVKOGO.exe
File created	C:\windows\VRGF.exe.bat	CYQU.exe
File created	C:\windows\SRGEZ.exe	PWPUOI.exe
File created	C:\windows\KDJTPE.exe	CQWMFF.exe
File created	C:\windows\XRNS.exe.bat	KGFTRV.exe
File opened for modification	C:\windows\system\GVXYGC.exe	NDPNWJF.exe
File created	C:\windows\KDJTPE.exe.bat	CQWMFF.exe
File opened for modification	C:\windows\WAV.exe	CVJLHMM.exe
File created	C:\windows\system\VWI.exe	SBRAMEB.exe
File created	C:\windows\FZUR.exe.bat	HMV.exe
File opened for modification	C:\windows\LPODS.exe	BSI.exe
File opened for modification	C:\windows\system\EOVDDV.exe	KAZL.exe
File created	C:\windows\system\NNDMB.exe	YSUZQVZ.exe
File opened for modification	C:\windows\system\ILNFEL.exe	DIH.exe
File opened for modification	C:\windows\system\ZNXCBCP.exe	ACN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4284	1988	WerFault.exe	84
1424	2484	WerFault.exe	92
3640	4568	WerFault.exe	99
4588	3588	WerFault.exe	104
3152	876	WerFault.exe	109
3304	2452	WerFault.exe	114
3120	1928	WerFault.exe	121
4704	2224	WerFault.exe	128
4904	2544	WerFault.exe	133
4964	3000	WerFault.exe	138
3588	3972	WerFault.exe	143
868	832	WerFault.exe	149
2452	4076	WerFault.exe	154
2472	3744	WerFault.exe	159
2960	4468	WerFault.exe	166
4964	4504	WerFault.exe	170
3512	5052	WerFault.exe	176
1208	3720	WerFault.exe	181
4684	3248	WerFault.exe	186
1040	1140	WerFault.exe	191
760	3796	WerFault.exe	196
4864	2560	WerFault.exe	201
4712	1228	WerFault.exe	206
1008	3216	WerFault.exe	211
3720	1840	WerFault.exe	216
1244	3304	WerFault.exe	221
4584	1752	WerFault.exe	226
4488	1052	WerFault.exe	231
4368	4044	WerFault.exe	236
1120	4440	WerFault.exe	241
3548	1448	WerFault.exe	246
4856	1580	WerFault.exe	251
2840	412	WerFault.exe	256
2496	4024	WerFault.exe	261
4236	628	WerFault.exe	266
4088	1424	WerFault.exe	271
768	4060	WerFault.exe	277
3496	4360	WerFault.exe	282
2468	1144	WerFault.exe	287
3720	2704	WerFault.exe	292
2336	1624	WerFault.exe	297
380	684	WerFault.exe	302
4268	4584	WerFault.exe	307
1500	3152	WerFault.exe	312
3320	432	WerFault.exe	317
4280	1952	WerFault.exe	322
4756	3232	WerFault.exe	327
3528	2472	WerFault.exe	332
4568	3360	WerFault.exe	337
4248	868	WerFault.exe	342
3080	4356	WerFault.exe	347
4860	4484	WerFault.exe	352
3108	3152	WerFault.exe	357
3236	2840	WerFault.exe	362
2448	1840	WerFault.exe	367
2336	1660	WerFault.exe	372
1052	4460	WerFault.exe	377
4752	1824	WerFault.exe	382
3312	4276	WerFault.exe	387
432	1132	WerFault.exe	392
876	4292	WerFault.exe	397
4828	4488	WerFault.exe	402
3212	3000	WerFault.exe	407
3892	2472	WerFault.exe	412

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
2484	TVWMVC.exe
2484	TVWMVC.exe
4568	BIASYA.exe
4568	BIASYA.exe
3588	SGHMS.exe
3588	SGHMS.exe
876	XJDS.exe
876	XJDS.exe
2452	HHRN.exe
2452	HHRN.exe
1928	SZUXV.exe
1928	SZUXV.exe
2224	PAVI.exe
2224	PAVI.exe
2544	ASYSH.exe
2544	ASYSH.exe
3000	EAF.exe
3000	EAF.exe
3972	EEXLVEN.exe
3972	EEXLVEN.exe
832	CTJGQR.exe
832	CTJGQR.exe
4076	BMMWY.exe
4076	BMMWY.exe
3744	AXWMHDF.exe
3744	AXWMHDF.exe
4468	EFDULV.exe
4468	EFDULV.exe
4504	XTO.exe
4504	XTO.exe
5052	VRCCHX.exe
5052	VRCCHX.exe
3720	LBNSQ.exe
3720	LBNSQ.exe
3248	HMV.exe
3248	HMV.exe
1140	FZUR.exe
1140	FZUR.exe
3796	AKD.exe
3796	AKD.exe
2560	IQP.exe
2560	IQP.exe
1228	MGWWM.exe
1228	MGWWM.exe
3216	LRZM.exe
3216	LRZM.exe
1840	WJCFDG.exe
1840	WJCFDG.exe
3304	FREKGDX.exe
3304	FREKGDX.exe
1752	LSLY.exe
1752	LSLY.exe
1052	CSAV.exe
1052	CSAV.exe
4044	KGSKL.exe
4044	KGSKL.exe
4440	ONLKZN.exe
4440	ONLKZN.exe
1448	NYJIYA.exe
1448	NYJIYA.exe
1580	PWPUOI.exe
1580	PWPUOI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
2484	TVWMVC.exe
2484	TVWMVC.exe
4568	BIASYA.exe
4568	BIASYA.exe
3588	SGHMS.exe
3588	SGHMS.exe
876	XJDS.exe
876	XJDS.exe
2452	HHRN.exe
2452	HHRN.exe
1928	SZUXV.exe
1928	SZUXV.exe
2224	PAVI.exe
2224	PAVI.exe
2544	ASYSH.exe
2544	ASYSH.exe
3000	EAF.exe
3000	EAF.exe
3972	EEXLVEN.exe
3972	EEXLVEN.exe
832	CTJGQR.exe
832	CTJGQR.exe
4076	BMMWY.exe
4076	BMMWY.exe
3744	AXWMHDF.exe
3744	AXWMHDF.exe
4468	EFDULV.exe
4468	EFDULV.exe
4504	XTO.exe
4504	XTO.exe
5052	VRCCHX.exe
5052	VRCCHX.exe
3720	LBNSQ.exe
3720	LBNSQ.exe
3248	HMV.exe
3248	HMV.exe
1140	FZUR.exe
1140	FZUR.exe
3796	AKD.exe
3796	AKD.exe
2560	IQP.exe
2560	IQP.exe
1228	MGWWM.exe
1228	MGWWM.exe
3216	LRZM.exe
3216	LRZM.exe
1840	WJCFDG.exe
1840	WJCFDG.exe
3304	FREKGDX.exe
3304	FREKGDX.exe
1752	LSLY.exe
1752	LSLY.exe
1052	CSAV.exe
1052	CSAV.exe
4044	KGSKL.exe
4044	KGSKL.exe
4440	ONLKZN.exe
4440	ONLKZN.exe
1448	NYJIYA.exe
1448	NYJIYA.exe
1580	PWPUOI.exe
1580	PWPUOI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3120	1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe	88
PID 1988 wrote to memory of 3120	1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe	88
PID 1988 wrote to memory of 3120	1988	8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe	88
PID 3120 wrote to memory of 2484	3120	cmd.exe	92
PID 3120 wrote to memory of 2484	3120	cmd.exe	92
PID 3120 wrote to memory of 2484	3120	cmd.exe	92
PID 2484 wrote to memory of 4468	2484	TVWMVC.exe	95
PID 2484 wrote to memory of 4468	2484	TVWMVC.exe	95
PID 2484 wrote to memory of 4468	2484	TVWMVC.exe	95
PID 4468 wrote to memory of 4568	4468	cmd.exe	99
PID 4468 wrote to memory of 4568	4468	cmd.exe	99
PID 4468 wrote to memory of 4568	4468	cmd.exe	99
PID 4568 wrote to memory of 3992	4568	BIASYA.exe	100
PID 4568 wrote to memory of 3992	4568	BIASYA.exe	100
PID 4568 wrote to memory of 3992	4568	BIASYA.exe	100
PID 3992 wrote to memory of 3588	3992	cmd.exe	104
PID 3992 wrote to memory of 3588	3992	cmd.exe	104
PID 3992 wrote to memory of 3588	3992	cmd.exe	104
PID 3588 wrote to memory of 2232	3588	SGHMS.exe	105
PID 3588 wrote to memory of 2232	3588	SGHMS.exe	105
PID 3588 wrote to memory of 2232	3588	SGHMS.exe	105
PID 2232 wrote to memory of 876	2232	cmd.exe	109
PID 2232 wrote to memory of 876	2232	cmd.exe	109
PID 2232 wrote to memory of 876	2232	cmd.exe	109
PID 876 wrote to memory of 620	876	XJDS.exe	110
PID 876 wrote to memory of 620	876	XJDS.exe	110
PID 876 wrote to memory of 620	876	XJDS.exe	110
PID 620 wrote to memory of 2452	620	cmd.exe	114
PID 620 wrote to memory of 2452	620	cmd.exe	114
PID 620 wrote to memory of 2452	620	cmd.exe	114
PID 2452 wrote to memory of 868	2452	HHRN.exe	117
PID 2452 wrote to memory of 868	2452	HHRN.exe	117
PID 2452 wrote to memory of 868	2452	HHRN.exe	117
PID 868 wrote to memory of 1928	868	cmd.exe	121
PID 868 wrote to memory of 1928	868	cmd.exe	121
PID 868 wrote to memory of 1928	868	cmd.exe	121
PID 1928 wrote to memory of 1120	1928	SZUXV.exe	124
PID 1928 wrote to memory of 1120	1928	SZUXV.exe	124
PID 1928 wrote to memory of 1120	1928	SZUXV.exe	124
PID 1120 wrote to memory of 2224	1120	cmd.exe	128
PID 1120 wrote to memory of 2224	1120	cmd.exe	128
PID 1120 wrote to memory of 2224	1120	cmd.exe	128
PID 2224 wrote to memory of 4064	2224	PAVI.exe	129
PID 2224 wrote to memory of 4064	2224	PAVI.exe	129
PID 2224 wrote to memory of 4064	2224	PAVI.exe	129
PID 4064 wrote to memory of 2544	4064	cmd.exe	133
PID 4064 wrote to memory of 2544	4064	cmd.exe	133
PID 4064 wrote to memory of 2544	4064	cmd.exe	133
PID 2544 wrote to memory of 4956	2544	ASYSH.exe	134
PID 2544 wrote to memory of 4956	2544	ASYSH.exe	134
PID 2544 wrote to memory of 4956	2544	ASYSH.exe	134
PID 4956 wrote to memory of 3000	4956	cmd.exe	138
PID 4956 wrote to memory of 3000	4956	cmd.exe	138
PID 4956 wrote to memory of 3000	4956	cmd.exe	138
PID 3000 wrote to memory of 3196	3000	EAF.exe	139
PID 3000 wrote to memory of 3196	3000	EAF.exe	139
PID 3000 wrote to memory of 3196	3000	EAF.exe	139
PID 3196 wrote to memory of 3972	3196	cmd.exe	143
PID 3196 wrote to memory of 3972	3196	cmd.exe	143
PID 3196 wrote to memory of 3972	3196	cmd.exe	143
PID 3972 wrote to memory of 4488	3972	EEXLVEN.exe	145
PID 3972 wrote to memory of 4488	3972	EEXLVEN.exe	145
PID 3972 wrote to memory of 4488	3972	EEXLVEN.exe	145
PID 4488 wrote to memory of 832	4488	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe
"C:\Users\Admin\AppData\Local\Temp\8c7182d7b48c22b0c69d3199cae67a3f9e60bd95d8fac146bd57f2f8d62555c3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVWMVC.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\windows\system\TVWMVC.exe
    C:\windows\system\TVWMVC.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\BIASYA.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\windows\BIASYA.exe
        
        C:\windows\BIASYA.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SGHMS.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\windows\SysWOW64\SGHMS.exe
        
        C:\windows\system32\SGHMS.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJDS.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\windows\SysWOW64\XJDS.exe
        
        C:\windows\system32\XJDS.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHRN.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\windows\HHRN.exe
        
        C:\windows\HHRN.exe
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZUXV.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\windows\system\SZUXV.exe
        
        C:\windows\system\SZUXV.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PAVI.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\windows\system\PAVI.exe
        
        C:\windows\system\PAVI.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASYSH.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\windows\system\ASYSH.exe
        
        C:\windows\system\ASYSH.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAF.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\windows\SysWOW64\EAF.exe
        
        C:\windows\system32\EAF.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EEXLVEN.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\windows\EEXLVEN.exe
        
        C:\windows\EEXLVEN.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTJGQR.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\windows\system\CTJGQR.exe
        
        C:\windows\system\CTJGQR.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMMWY.exe.bat" "
        24⤵
        
        PID:1972
        
        C:\windows\system\BMMWY.exe
        
        C:\windows\system\BMMWY.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXWMHDF.exe.bat" "
        26⤵
        
        PID:4024
        
        C:\windows\system\AXWMHDF.exe
        
        C:\windows\system\AXWMHDF.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EFDULV.exe.bat" "
        28⤵
        
        PID:4476
        
        C:\windows\SysWOW64\EFDULV.exe
        
        C:\windows\system32\EFDULV.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XTO.exe.bat" "
        30⤵
        
        PID:4280
        
        C:\windows\system\XTO.exe
        
        C:\windows\system\XTO.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VRCCHX.exe.bat" "
        32⤵
        
        PID:3016
        
        C:\windows\VRCCHX.exe
        
        C:\windows\VRCCHX.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LBNSQ.exe.bat" "
        34⤵
        
        PID:2828
        
        C:\windows\system\LBNSQ.exe
        
        C:\windows\system\LBNSQ.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMV.exe.bat" "
        36⤵
        
        PID:3392
        
        C:\windows\HMV.exe
        
        C:\windows\HMV.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZUR.exe.bat" "
        38⤵
        
        PID:3336
        
        C:\windows\FZUR.exe
        
        C:\windows\FZUR.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AKD.exe.bat" "
        40⤵
        
        PID:2468
        
        C:\windows\SysWOW64\AKD.exe
        
        C:\windows\system32\AKD.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IQP.exe.bat" "
        42⤵
        
        PID:1552
        
        C:\windows\IQP.exe
        
        C:\windows\IQP.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGWWM.exe.bat" "
        44⤵
        
        PID:2336
        
        C:\windows\system\MGWWM.exe
        
        C:\windows\system\MGWWM.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRZM.exe.bat" "
        46⤵
        
        PID:2828
        
        C:\windows\system\LRZM.exe
        
        C:\windows\system\LRZM.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WJCFDG.exe.bat" "
        48⤵
        
        PID:3848
        
        C:\windows\SysWOW64\WJCFDG.exe
        
        C:\windows\system32\WJCFDG.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREKGDX.exe.bat" "
        50⤵
        
        PID:2912
        
        C:\windows\SysWOW64\FREKGDX.exe
        
        C:\windows\system32\FREKGDX.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LSLY.exe.bat" "
        52⤵
        
        PID:4552
        
        C:\windows\SysWOW64\LSLY.exe
        
        C:\windows\system32\LSLY.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSAV.exe.bat" "
        54⤵
        
        PID:4520
        
        C:\windows\SysWOW64\CSAV.exe
        
        C:\windows\system32\CSAV.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KGSKL.exe.bat" "
        56⤵
        
        PID:684
        
        C:\windows\system\KGSKL.exe
        
        C:\windows\system\KGSKL.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONLKZN.exe.bat" "
        58⤵
        
        PID:3268
        
        C:\windows\ONLKZN.exe
        
        C:\windows\ONLKZN.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NYJIYA.exe.bat" "
        60⤵
        
        PID:5044
        
        C:\windows\system\NYJIYA.exe
        
        C:\windows\system\NYJIYA.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PWPUOI.exe.bat" "
        62⤵
        
        PID:2556
        
        C:\windows\PWPUOI.exe
        
        C:\windows\PWPUOI.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SRGEZ.exe.bat" "
        64⤵
        
        PID:2928
        
        C:\windows\SRGEZ.exe
        
        C:\windows\SRGEZ.exe
        65⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSI.exe.bat" "
        66⤵
        
        PID:3248
        
        C:\windows\system\BSI.exe
        
        C:\windows\system\BSI.exe
        67⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LPODS.exe.bat" "
        68⤵
        
        PID:1040
        
        C:\windows\LPODS.exe
        
        C:\windows\LPODS.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAZL.exe.bat" "
        70⤵
        
        PID:1752
        
        C:\windows\SysWOW64\KAZL.exe
        
        C:\windows\system32\KAZL.exe
        71⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EOVDDV.exe.bat" "
        72⤵
        
        PID:4608
        
        C:\windows\system\EOVDDV.exe
        
        C:\windows\system\EOVDDV.exe
        73⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYMTRY.exe.bat" "
        74⤵
        
        PID:4676
        
        C:\windows\SysWOW64\SYMTRY.exe
        
        C:\windows\system32\SYMTRY.exe
        75⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HON.exe.bat" "
        76⤵
        
        PID:4276
        
        C:\windows\HON.exe
        
        C:\windows\HON.exe
        77⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LETTK.exe.bat" "
        78⤵
        
        PID:2504
        
        C:\windows\SysWOW64\LETTK.exe
        
        C:\windows\system32\LETTK.exe
        79⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CFIYXDB.exe.bat" "
        80⤵
        
        PID:3640
        
        C:\windows\system\CFIYXDB.exe
        
        C:\windows\system\CFIYXDB.exe
        81⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NXLRXK.exe.bat" "
        82⤵
        
        PID:1968
        
        C:\windows\system\NXLRXK.exe
        
        C:\windows\system\NXLRXK.exe
        83⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGM.exe.bat" "
        84⤵
        
        PID:1572
        
        C:\windows\SysWOW64\QGM.exe
        
        C:\windows\system32\QGM.exe
        85⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NLSC.exe.bat" "
        86⤵
        
        PID:2420
        
        C:\windows\system\NLSC.exe
        
        C:\windows\system\NLSC.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "
        88⤵
        
        PID:4484
        
        C:\windows\CGBHEBP.exe
        
        C:\windows\CGBHEBP.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ABA.exe.bat" "
        90⤵
        
        PID:1208
        
        C:\windows\system\ABA.exe
        
        C:\windows\system\ABA.exe
        91⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VMJGPH.exe.bat" "
        92⤵
        
        PID:4304
        
        C:\windows\VMJGPH.exe
        
        C:\windows\VMJGPH.exe
        93⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OPUKC.exe.bat" "
        94⤵
        
        PID:928
        
        C:\windows\system\OPUKC.exe
        
        C:\windows\system\OPUKC.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JSD.exe.bat" "
        96⤵
        
        PID:4856
        
        C:\windows\system\JSD.exe
        
        C:\windows\system\JSD.exe
        97⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JGD.exe.bat" "
        98⤵
        
        PID:912
        
        C:\windows\system\JGD.exe
        
        C:\windows\system\JGD.exe
        99⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WIL.exe.bat" "
        100⤵
        
        PID:3936
        
        C:\windows\WIL.exe
        
        C:\windows\WIL.exe
        101⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "
        102⤵
        
        PID:3588
        
        C:\windows\system\ORNTK.exe
        
        C:\windows\system\ORNTK.exe
        103⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MRVGTXY.exe.bat" "
        104⤵
        
        PID:2600
        
        C:\windows\system\MRVGTXY.exe
        
        C:\windows\system\MRVGTXY.exe
        105⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRX.exe.bat" "
        106⤵
        
        PID:4060
        
        C:\windows\system\DRX.exe
        
        C:\windows\system\DRX.exe
        107⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFC.exe.bat" "
        108⤵
        
        PID:4620
        
        C:\windows\SysWOW64\LFC.exe
        
        C:\windows\system32\LFC.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
        110⤵
        
        PID:2120
        
        C:\windows\system\NDPNWJF.exe
        
        C:\windows\system\NDPNWJF.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "
        112⤵
        
        PID:3512
        
        C:\windows\system\GVXYGC.exe
        
        C:\windows\system\GVXYGC.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOAQORU.exe.bat" "
        114⤵
        
        PID:1228
        
        C:\windows\SysWOW64\SOAQORU.exe
        
        C:\windows\system32\SOAQORU.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STAFPWX.exe.bat" "
        116⤵
        
        PID:4728
        
        C:\windows\system\STAFPWX.exe
        
        C:\windows\system\STAFPWX.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "
        118⤵
        
        PID:2560
        
        C:\windows\SysWOW64\CRGZXFG.exe
        
        C:\windows\system32\CRGZXFG.exe
        119⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VJVKOGO.exe.bat" "
        120⤵
        
        PID:2444
        
        C:\windows\VJVKOGO.exe
        
        C:\windows\VJVKOGO.exe
        121⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAW.exe.bat" "
        122⤵
        
        PID:3148
        
        C:\windows\system\CAW.exe
        
        C:\windows\system\CAW.exe
        123⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RVFOGO.exe.bat" "
        124⤵
        
        PID:3236
        
        C:\windows\system\RVFOGO.exe
        
        C:\windows\system\RVFOGO.exe
        125⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSLINW.exe.bat" "
        126⤵
        
        PID:700
        
        C:\windows\system\BSLINW.exe
        
        C:\windows\system\BSLINW.exe
        127⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQZ.exe.bat" "
        128⤵
        
        PID:1712
        
        C:\windows\SysWOW64\LQZ.exe
        
        C:\windows\system32\LQZ.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDDMF.exe.bat" "
        130⤵
        
        PID:3056
        
        C:\windows\SysWOW64\GDDMF.exe
        
        C:\windows\system32\GDDMF.exe
        131⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOC.exe.bat" "
        132⤵
        
        PID:4284
        
        C:\windows\system\KOC.exe
        
        C:\windows\system\KOC.exe
        133⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OXIHRQI.exe.bat" "
        134⤵
        
        PID:3312
        
        C:\windows\OXIHRQI.exe
        
        C:\windows\OXIHRQI.exe
        135⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHLX.exe.bat" "
        136⤵
        
        PID:4456
        
        C:\windows\NHLX.exe
        
        C:\windows\NHLX.exe
        137⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MAUQOI.exe.bat" "
        138⤵
        
        PID:3148
        
        C:\windows\system\MAUQOI.exe
        
        C:\windows\system\MAUQOI.exe
        139⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIAY.exe.bat" "
        140⤵
        
        PID:4608
        
        C:\windows\SysWOW64\YIAY.exe
        
        C:\windows\system32\YIAY.exe
        141⤵
        Drops file in Windows directory
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDMR.exe.bat" "
        142⤵
        
        PID:2580
        
        C:\windows\system\EDMR.exe
        
        C:\windows\system\EDMR.exe
        143⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GBFU.exe.bat" "
        144⤵
        
        PID:4708
        
        C:\windows\GBFU.exe
        
        C:\windows\GBFU.exe
        145⤵
        Drops file in Windows directory
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATVE.exe.bat" "
        146⤵
        
        PID:2472
        
        C:\windows\system\ATVE.exe
        
        C:\windows\system\ATVE.exe
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMQXE.exe.bat" "
        148⤵
        
        PID:1688
        
        C:\windows\SysWOW64\LMQXE.exe
        
        C:\windows\system32\LMQXE.exe
        149⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "
        150⤵
        
        PID:2176
        
        C:\windows\system\TACEO.exe
        
        C:\windows\system\TACEO.exe
        151⤵
        Drops file in Windows directory
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXIBV.exe.bat" "
        152⤵
        
        PID:2560
        
        C:\windows\system\IXIBV.exe
        
        C:\windows\system\IXIBV.exe
        153⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVON.exe.bat" "
        154⤵
        
        PID:1428
        
        C:\windows\SysWOW64\SVON.exe
        
        C:\windows\system32\SVON.exe
        155⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HLP.exe.bat" "
        156⤵
        
        PID:2912
        
        C:\windows\system\HLP.exe
        
        C:\windows\system\HLP.exe
        157⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOY.exe.bat" "
        158⤵
        
        PID:3000
        
        C:\windows\SysWOW64\WOY.exe
        
        C:\windows\system32\WOY.exe
        159⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EUL.exe.bat" "
        160⤵
        
        PID:4584
        
        C:\windows\system\EUL.exe
        
        C:\windows\system\EUL.exe
        161⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TZQVU.exe.bat" "
        162⤵
        
        PID:3944
        
        C:\windows\TZQVU.exe
        
        C:\windows\TZQVU.exe
        163⤵
        Checks computer location settings
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKTL.exe.bat" "
        164⤵
        
        PID:4728
        
        C:\windows\system\RKTL.exe
        
        C:\windows\system\RKTL.exe
        165⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BIZ.exe.bat" "
        166⤵
        
        PID:1824
        
        C:\windows\SysWOW64\BIZ.exe
        
        C:\windows\system32\BIZ.exe
        167⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVEPU.exe.bat" "
        168⤵
        
        PID:3216
        
        C:\windows\SysWOW64\WVEPU.exe
        
        C:\windows\system32\WVEPU.exe
        169⤵
        Drops file in Windows directory
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EIQVX.exe.bat" "
        170⤵
        
        PID:1008
        
        C:\windows\EIQVX.exe
        
        C:\windows\EIQVX.exe
        171⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RGQ.exe.bat" "
        172⤵
        
        PID:1264
        
        C:\windows\RGQ.exe
        
        C:\windows\RGQ.exe
        173⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VWXHTK.exe.bat" "
        174⤵
        
        PID:1344
        
        C:\windows\VWXHTK.exe
        
        C:\windows\VWXHTK.exe
        175⤵
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DHGIZO.exe.bat" "
        176⤵
        
        PID:2504
        
        C:\windows\system\DHGIZO.exe
        
        C:\windows\system\DHGIZO.exe
        177⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CSIYI.exe.bat" "
        178⤵
        
        PID:1172
        
        C:\windows\CSIYI.exe
        
        C:\windows\CSIYI.exe
        179⤵
        Checks computer location settings
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KFVF.exe.bat" "
        180⤵
        
        PID:3924
        
        C:\windows\KFVF.exe
        
        C:\windows\KFVF.exe
        181⤵
        Drops file in Windows directory
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YDBCZK.exe.bat" "
        182⤵
        
        PID:1920
        
        C:\windows\YDBCZK.exe
        
        C:\windows\YDBCZK.exe
        183⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQFJKJ.exe.bat" "
        184⤵
        
        PID:3292
        
        C:\windows\SysWOW64\HQFJKJ.exe
        
        C:\windows\system32\HQFJKJ.exe
        185⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTJHP.exe.bat" "
        186⤵
        
        PID:4244
        
        C:\windows\SysWOW64\UTJHP.exe
        
        C:\windows\system32\UTJHP.exe
        187⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERPC.exe.bat" "
        188⤵
        
        PID:912
        
        C:\windows\SysWOW64\ERPC.exe
        
        C:\windows\system32\ERPC.exe
        189⤵
        Checks computer location settings
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SWVZ.exe.bat" "
        190⤵
        
        PID:3424
        
        C:\windows\system\SWVZ.exe
        
        C:\windows\system\SWVZ.exe
        191⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSUZQVZ.exe.bat" "
        192⤵
        
        PID:868
        
        C:\windows\system\YSUZQVZ.exe
        
        C:\windows\system\YSUZQVZ.exe
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NNDMB.exe.bat" "
        194⤵
        
        PID:404
        
        C:\windows\system\NNDMB.exe
        
        C:\windows\system\NNDMB.exe
        195⤵
        Drops file in Windows directory
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XLJYJQQ.exe.bat" "
        196⤵
        
        PID:4188
        
        C:\windows\XLJYJQQ.exe
        
        C:\windows\XLJYJQQ.exe
        197⤵
        Drops file in Windows directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MQPV.exe.bat" "
        198⤵
        
        PID:1548
        
        C:\windows\system\MQPV.exe
        
        C:\windows\system\MQPV.exe
        199⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBFT.exe.bat" "
        200⤵
        
        PID:1120
        
        C:\windows\SysWOW64\DBFT.exe
        
        C:\windows\system32\DBFT.exe
        201⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WTVE.exe.bat" "
        202⤵
        
        PID:1608
        
        C:\windows\SysWOW64\WTVE.exe
        
        C:\windows\system32\WTVE.exe
        203⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HMY.exe.bat" "
        204⤵
        
        PID:3428
        
        C:\windows\SysWOW64\HMY.exe
        
        C:\windows\system32\HMY.exe
        205⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMFLY.exe.bat" "
        206⤵
        
        PID:540
        
        C:\windows\SysWOW64\NMFLY.exe
        
        C:\windows\system32\NMFLY.exe
        207⤵
        Checks computer location settings
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCT.exe.bat" "
        208⤵
        
        PID:4004
        
        C:\windows\DCT.exe
        
        C:\windows\DCT.exe
        209⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSSFSYJ.exe.bat" "
        210⤵
        
        PID:1056
        
        C:\windows\SysWOW64\BSSFSYJ.exe
        
        C:\windows\system32\BSSFSYJ.exe
        211⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JGEMCWF.exe.bat" "
        212⤵
        
        PID:5076
        
        C:\windows\SysWOW64\JGEMCWF.exe
        
        C:\windows\system32\JGEMCWF.exe
        213⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJCHC.exe.bat" "
        214⤵
        
        PID:4540
        
        C:\windows\SysWOW64\NJCHC.exe
        
        C:\windows\system32\NJCHC.exe
        215⤵
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MYO.exe.bat" "
        216⤵
        
        PID:4712
        
        C:\windows\MYO.exe
        
        C:\windows\MYO.exe
        217⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EBRFD.exe.bat" "
        218⤵
        
        PID:4564
        
        C:\windows\EBRFD.exe
        
        C:\windows\EBRFD.exe
        219⤵
        Checks computer location settings
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MHS.exe.bat" "
        220⤵
        
        PID:3740
        
        C:\windows\MHS.exe
        
        C:\windows\MHS.exe
        221⤵
        Checks computer location settings
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UVWAPWP.exe.bat" "
        222⤵
        
        PID:2432
        
        C:\windows\UVWAPWP.exe
        
        C:\windows\UVWAPWP.exe
        223⤵
        Drops file in Windows directory
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DIH.exe.bat" "
        224⤵
        
        PID:4492
        
        C:\windows\DIH.exe
        
        C:\windows\DIH.exe
        225⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILNFEL.exe.bat" "
        226⤵
        
        PID:4584
        
        C:\windows\system\ILNFEL.exe
        
        C:\windows\system\ILNFEL.exe
        227⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBYIZ.exe.bat" "
        228⤵
        
        PID:4280
        
        C:\windows\system\GBYIZ.exe
        
        C:\windows\system\GBYIZ.exe
        229⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWXJWUL.exe.bat" "
        230⤵
        
        PID:4236
        
        C:\windows\SysWOW64\MWXJWUL.exe
        
        C:\windows\system32\MWXJWUL.exe
        231⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QEERI.exe.bat" "
        232⤵
        
        PID:4188
        
        C:\windows\QEERI.exe
        
        C:\windows\QEERI.exe
        233⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFOU.exe.bat" "
        234⤵
        
        PID:448
        
        C:\windows\system\NFOU.exe
        
        C:\windows\system\NFOU.exe
        235⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESYMCNV.exe.bat" "
        236⤵
        
        PID:1020
        
        C:\windows\SysWOW64\ESYMCNV.exe
        
        C:\windows\system32\ESYMCNV.exe
        237⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSS.exe.bat" "
        238⤵
        
        PID:876
        
        C:\windows\system\NSS.exe
        
        C:\windows\system\NSS.exe
        239⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQGLV.exe.bat" "
        240⤵
        
        PID:3500
        
        C:\windows\system\XQGLV.exe
        
        C:\windows\system\XQGLV.exe
        241⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVEICCI.exe.bat" "
        242⤵
        
        PID:3320
        
        C:\windows\SysWOW64\UVEICCI.exe
        
        C:\windows\system32\UVEICCI.exe
        243⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWNKOG.exe.bat" "
        244⤵
        
        PID:388
        
        C:\windows\SysWOW64\RWNKOG.exe
        
        C:\windows\system32\RWNKOG.exe
        245⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPQDOOH.exe.bat" "
        246⤵
        
        PID:4748
        
        C:\windows\SysWOW64\CPQDOOH.exe
        
        C:\windows\system32\CPQDOOH.exe
        247⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXJV.exe.bat" "
        248⤵
        
        PID:3016
        
        C:\windows\system\OXJV.exe
        
        C:\windows\system\OXJV.exe
        249⤵
        Drops file in Windows directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GABH.exe.bat" "
        250⤵
        
        PID:3372
        
        C:\windows\system\GABH.exe
        
        C:\windows\system\GABH.exe
        251⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDRV.exe.bat" "
        252⤵
        
        PID:3864
        
        C:\windows\SysWOW64\HDRV.exe
        
        C:\windows\system32\HDRV.exe
        253⤵
        Drops file in Windows directory
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQWMFF.exe.bat" "
        254⤵
        
        PID:3708
        
        C:\windows\system\CQWMFF.exe
        
        C:\windows\system\CQWMFF.exe
        255⤵
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KDJTPE.exe.bat" "
        256⤵
        
        PID:1424
        
        C:\windows\KDJTPE.exe
        
        C:\windows\KDJTPE.exe
        257⤵
        Drops file in Windows directory
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OMP.exe.bat" "
        258⤵
        
        PID:876
        
        C:\windows\system\OMP.exe
        
        C:\windows\system\OMP.exe
        259⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BJPFDAO.exe.bat" "
        260⤵
        
        PID:4524
        
        C:\windows\SysWOW64\BJPFDAO.exe
        
        C:\windows\system32\BJPFDAO.exe
        261⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUYDSKB.exe.bat" "
        262⤵
        
        PID:4488
        
        C:\windows\SysWOW64\WUYDSKB.exe
        
        C:\windows\system32\WUYDSKB.exe
        263⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXBZ.exe.bat" "
        264⤵
        
        PID:3744
        
        C:\windows\system\PXBZ.exe
        
        C:\windows\system\PXBZ.exe
        265⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVJLHMM.exe.bat" "
        266⤵
        
        PID:2960
        
        C:\windows\SysWOW64\CVJLHMM.exe
        
        C:\windows\system32\CVJLHMM.exe
        267⤵
        Drops file in Windows directory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WAV.exe.bat" "
        268⤵
        
        PID:1420
        
        C:\windows\WAV.exe
        
        C:\windows\WAV.exe
        269⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRWIAO.exe.bat" "
        270⤵
        
        PID:1056
        
        C:\windows\SysWOW64\DRWIAO.exe
        
        C:\windows\system32\DRWIAO.exe
        271⤵
        Drops file in Windows directory
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EMA.exe.bat" "
        272⤵
        
        PID:1368
        
        C:\windows\system\EMA.exe
        
        C:\windows\system\EMA.exe
        273⤵
        Drops file in Windows directory
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCGMSWA.exe.bat" "
        274⤵
        
        PID:3312
        
        C:\windows\system\HCGMSWA.exe
        
        C:\windows\system\HCGMSWA.exe
        275⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMJC.exe.bat" "
        276⤵
        
        PID:3676
        
        C:\windows\SysWOW64\GMJC.exe
        
        C:\windows\system32\GMJC.exe
        277⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUQC.exe.bat" "
        278⤵
        
        PID:3876
        
        C:\windows\SysWOW64\KUQC.exe
        
        C:\windows\system32\KUQC.exe
        279⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\USDWUD.exe.bat" "
        280⤵
        
        PID:4620
        
        C:\windows\SysWOW64\USDWUD.exe
        
        C:\windows\system32\USDWUD.exe
        281⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LASBHU.exe.bat" "
        282⤵
        
        PID:1748
        
        C:\windows\system\LASBHU.exe
        
        C:\windows\system\LASBHU.exe
        283⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GOX.exe.bat" "
        284⤵
        
        PID:1100
        
        C:\windows\system\GOX.exe
        
        C:\windows\system\GOX.exe
        285⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEYCQHZ.exe.bat" "
        286⤵
        
        PID:824
        
        C:\windows\SysWOW64\VEYCQHZ.exe
        
        C:\windows\system32\VEYCQHZ.exe
        287⤵
        Drops file in Windows directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CZB.exe.bat" "
        288⤵
        
        PID:4832
        
        C:\windows\system\CZB.exe
        
        C:\windows\system\CZB.exe
        289⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCNZJ.exe.bat" "
        290⤵
        
        PID:2640
        
        C:\windows\system\CCNZJ.exe
        
        C:\windows\system\CCNZJ.exe
        291⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ACN.exe.bat" "
        292⤵
        
        PID:3600
        
        C:\windows\ACN.exe
        
        C:\windows\ACN.exe
        293⤵
        Drops file in Windows directory
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZNXCBCP.exe.bat" "
        294⤵
        
        PID:1440
        
        C:\windows\system\ZNXCBCP.exe
        
        C:\windows\system\ZNXCBCP.exe
        295⤵
        Checks computer location settings
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZQB.exe.bat" "
        296⤵
        
        PID:3052
        
        C:\windows\system\ZQB.exe
        
        C:\windows\system\ZQB.exe
        297⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLLKZE.exe.bat" "
        298⤵
        
        PID:1132
        
        C:\windows\SysWOW64\PLLKZE.exe
        
        C:\windows\system32\PLLKZE.exe
        299⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NWNAI.exe.bat" "
        300⤵
        
        PID:4988
        
        C:\windows\system\NWNAI.exe
        
        C:\windows\system\NWNAI.exe
        301⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZZWNIW.exe.bat" "
        302⤵
        
        PID:2740
        
        C:\windows\SysWOW64\GZZWNIW.exe
        
        C:\windows\system32\GZZWNIW.exe
        303⤵
        Checks computer location settings
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BMWO.exe.bat" "
        304⤵
        
        PID:3640
        
        C:\windows\BMWO.exe
        
        C:\windows\BMWO.exe
        305⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSCDFS.exe.bat" "
        306⤵
        
        PID:3056
        
        C:\windows\SysWOW64\XSCDFS.exe
        
        C:\windows\system32\XSCDFS.exe
        307⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NSS.exe.bat" "
        308⤵
        
        PID:4484
        
        C:\windows\SysWOW64\NSS.exe
        
        C:\windows\system32\NSS.exe
        309⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYQU.exe.bat" "
        310⤵
        
        PID:2536
        
        C:\windows\system\CYQU.exe
        
        C:\windows\system\CYQU.exe
        311⤵
        Drops file in Windows directory
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VRGF.exe.bat" "
        312⤵
        
        PID:1300
        
        C:\windows\VRGF.exe
        
        C:\windows\VRGF.exe
        313⤵
        Drops file in Windows directory
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZIKOT.exe.bat" "
        314⤵
        
        PID:1612
        
        C:\windows\FZIKOT.exe
        
        C:\windows\FZIKOT.exe
        315⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WZWHAK.exe.bat" "
        316⤵
        
        PID:5048
        
        C:\windows\WZWHAK.exe
        
        C:\windows\WZWHAK.exe
        317⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ENBWL.exe.bat" "
        318⤵
        
        PID:2220
        
        C:\windows\system\ENBWL.exe
        
        C:\windows\system\ENBWL.exe
        319⤵
        Checks computer location settings
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZXRMR.exe.bat" "
        320⤵
        
        PID:1580
        
        C:\windows\ZXRMR.exe
        
        C:\windows\ZXRMR.exe
        321⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HNSMYHK.exe.bat" "
        322⤵
        
        PID:1444
        
        C:\windows\HNSMYHK.exe
        
        C:\windows\HNSMYHK.exe
        323⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLYGNP.exe.bat" "
        324⤵
        
        PID:2988
        
        C:\windows\system\QLYGNP.exe
        
        C:\windows\system\QLYGNP.exe
        325⤵
        Checks computer location settings
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBRAMEB.exe.bat" "
        326⤵
        
        PID:4856
        
        C:\windows\system\SBRAMEB.exe
        
        C:\windows\system\SBRAMEB.exe
        327⤵
        Drops file in Windows directory
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VWI.exe.bat" "
        328⤵
        
        PID:1680
        
        C:\windows\system\VWI.exe
        
        C:\windows\system\VWI.exe
        329⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXKP.exe.bat" "
        330⤵
        
        PID:3892
        
        C:\windows\EXKP.exe
        
        C:\windows\EXKP.exe
        331⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKXV.exe.bat" "
        332⤵
        
        PID:384
        
        C:\windows\system\MKXV.exe
        
        C:\windows\system\MKXV.exe
        333⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXOX.exe.bat" "
        334⤵
        
        PID:2412
        
        C:\windows\system\PXOX.exe
        
        C:\windows\system\PXOX.exe
        335⤵
        Checks computer location settings
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVH.exe.bat" "
        336⤵
        
        PID:5036
        
        C:\windows\RVH.exe
        
        C:\windows\RVH.exe
        337⤵
        Drops file in Windows directory
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FQF.exe.bat" "
        338⤵
        
        PID:2452
        
        C:\windows\FQF.exe
        
        C:\windows\FQF.exe
        339⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLXWEO.exe.bat" "
        340⤵
        
        PID:3152
        
        C:\windows\SysWOW64\YLXWEO.exe
        
        C:\windows\system32\YLXWEO.exe
        341⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\URPLUJQ.exe.bat" "
        342⤵
        
        PID:3604
        
        C:\windows\URPLUJQ.exe
        
        C:\windows\URPLUJQ.exe
        343⤵
        Drops file in Windows directory
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXPXW.exe.bat" "
        344⤵
        
        PID:684
        
        C:\windows\system\IXPXW.exe
        
        C:\windows\system\IXPXW.exe
        345⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DIX.exe.bat" "
        346⤵
        
        PID:2344
        
        C:\windows\DIX.exe
        
        C:\windows\DIX.exe
        347⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QFFZMJE.exe.bat" "
        348⤵
        
        PID:1680
        
        C:\windows\system\QFFZMJE.exe
        
        C:\windows\system\QFFZMJE.exe
        349⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UNMH.exe.bat" "
        350⤵
        
        PID:2828
        
        C:\windows\system\UNMH.exe
        
        C:\windows\system\UNMH.exe
        351⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VQQ.exe.bat" "
        352⤵
        
        PID:384
        
        C:\windows\VQQ.exe
        
        C:\windows\VQQ.exe
        353⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBTTNFQ.exe.bat" "
        354⤵
        
        PID:1248
        
        C:\windows\SysWOW64\MBTTNFQ.exe
        
        C:\windows\system32\MBTTNFQ.exe
        355⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOD.exe.bat" "
        356⤵
        
        PID:4620
        
        C:\windows\system\DOD.exe
        
        C:\windows\system\DOD.exe
        357⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VSHPISN.exe.bat" "
        358⤵
        
        PID:2324
        
        C:\windows\VSHPISN.exe
        
        C:\windows\VSHPISN.exe
        359⤵
        Drops file in Windows directory
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVLK.exe.bat" "
        360⤵
        
        PID:1120
        
        C:\windows\system\WVLK.exe
        
        C:\windows\system\WVLK.exe
        361⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLUKUDM.exe.bat" "
        362⤵
        
        PID:984
        
        C:\windows\SysWOW64\MLUKUDM.exe
        
        C:\windows\system32\MLUKUDM.exe
        363⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTAKG.exe.bat" "
        364⤵
        
        PID:1632
        
        C:\windows\PTAKG.exe
        
        C:\windows\PTAKG.exe
        365⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGFTRV.exe.bat" "
        366⤵
        
        PID:5116
        
        C:\windows\SysWOW64\KGFTRV.exe
        
        C:\windows\system32\KGFTRV.exe
        367⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XRNS.exe.bat" "
        368⤵
        
        PID:3232
        
        C:\windows\XRNS.exe
        
        C:\windows\XRNS.exe
        369⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DMNTBBZ.exe.bat" "
        370⤵
        
        PID:620
        
        C:\windows\DMNTBBZ.exe
        
        C:\windows\DMNTBBZ.exe
        371⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 876
        370⤵
        
        PID:648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1004
        368⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 960
        366⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 960
        364⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1300
        362⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 960
        360⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 960
        358⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1316
        356⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 960
        354⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1324
        352⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1268
        350⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1336
        348⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 988
        346⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1004
        344⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 988
        342⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1328
        340⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1324
        338⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 960
        336⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1336
        334⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 960
        332⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1264
        330⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 988
        328⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1336
        326⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1332
        324⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 988
        322⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 988
        320⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336
        318⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 960
        316⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 960
        314⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1308
        312⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1316
        310⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 960
        308⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1328
        306⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1324
        304⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 960
        302⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 872
        300⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1004
        298⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1320
        296⤵
        
        PID:396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1004
        294⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1008
        292⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1336
        290⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1336
        288⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 988
        286⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1312
        284⤵
        
        PID:184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 960
        282⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 960
        280⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 960
        278⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1252
        276⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1004
        274⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1004
        272⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1296
        270⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1288
        268⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1304
        266⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 960
        264⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1008
        262⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 988
        260⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1008
        258⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 960
        256⤵
        
        PID:384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1012
        254⤵
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1304
        252⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 988
        250⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 960
        248⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1328
        246⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 964
        244⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1328
        242⤵
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1272
        240⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 872
        238⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
        236⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1236
        234⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 988
        232⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 988
        230⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 960
        228⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 988
        226⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1324
        224⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1292
        222⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1324
        220⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 960
        218⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1324
        216⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1328
        214⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 960
        212⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 964
        210⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1288
        208⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1256
        206⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1296
        204⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1328
        202⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1312
        200⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1336
        198⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1252
        196⤵
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1336
        194⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1336
        192⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1336
        190⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1292
        188⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1240
        186⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1308
        184⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 988
        182⤵
        
        PID:464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1252
        180⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1324
        178⤵
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1336
        176⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 988
        174⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 960
        172⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 960
        170⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1328
        168⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 872
        166⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 1004
        164⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 988
        162⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1332
        160⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 988
        158⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1004
        156⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 988
        154⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1336
        152⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1272
        150⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1320
        148⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 988
        146⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1324
        144⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1336
        142⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1328
        140⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 960
        138⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 960
        136⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 988
        134⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1248
        132⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1332
        130⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 960
        128⤵
        Program crash
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1008
        126⤵
        Program crash
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 988
        124⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 872
        122⤵
        Program crash
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 988
        120⤵
        Program crash
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 960
        118⤵
        Program crash
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1004
        116⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1004
        114⤵
        Program crash
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1004
        112⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 988
        110⤵
        Program crash
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 960
        108⤵
        Program crash
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 988
        106⤵
        Program crash
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1248
        104⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 988
        102⤵
        Program crash
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1324
        100⤵
        Program crash
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 988
        98⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1336
        96⤵
        Program crash
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1008
        94⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1008
        92⤵
        Program crash
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1008
        90⤵
        Program crash
        
        PID:3320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 960
        88⤵
        Program crash
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1316
        86⤵
        Program crash
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1296
        84⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1336
        82⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1336
        80⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960
        78⤵
        Program crash
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1324
        76⤵
        Program crash
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 872
        74⤵
        Program crash
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1272
        72⤵
        Program crash
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1328
        70⤵
        Program crash
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1324
        68⤵
        Program crash
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1336
        66⤵
        Program crash
        
        PID:2840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1336
        64⤵
        Program crash
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 988
        62⤵
        Program crash
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1312
        60⤵
        Program crash
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 960
        58⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 960
        56⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 960
        54⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1320
        52⤵
        Program crash
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 996
        50⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1004
        48⤵
        Program crash
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1308
        46⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 988
        44⤵
        Program crash
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1316
        42⤵
        Program crash
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1296
        40⤵
        Program crash
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1004
        38⤵
        Program crash
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1300
        36⤵
        Program crash
        
        PID:1208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1264
        34⤵
        Program crash
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1288
        32⤵
        Program crash
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1336
        30⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 960
        28⤵
        Program crash
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1336
        26⤵
        Program crash
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1336
        24⤵
        Program crash
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1304
        22⤵
        Program crash
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 960
        20⤵
        Program crash
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 964
        18⤵
        Program crash
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 968
        16⤵
        Program crash
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1336
        14⤵
        Program crash
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1336
        12⤵
        Program crash
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 960
        10⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1328
        8⤵
        Program crash
        
        PID:4588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 976
        6⤵
        Program crash
        
        PID:3640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1292
      4⤵
      Program crash
      PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 976
  2⤵
  - Program crash
  PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1988 -ip 1988
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2484 -ip 2484
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4568 -ip 4568
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3588 -ip 3588
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 876 -ip 876
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2452 -ip 2452
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1928 -ip 1928
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2224 -ip 2224
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2544 -ip 2544
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3000 -ip 3000
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3972 -ip 3972
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 832 -ip 832
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4076 -ip 4076
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3744 -ip 3744
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4468 -ip 4468
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4504 -ip 4504
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5052 -ip 5052
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3720 -ip 3720
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3248 -ip 3248
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1140 -ip 1140
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3796 -ip 3796
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2560 -ip 2560
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1228 -ip 1228
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3216 -ip 3216
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1840 -ip 1840
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3304 -ip 3304
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1752 -ip 1752
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1052 -ip 1052
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4044 -ip 4044
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4440 -ip 4440
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1448 -ip 1448
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1580 -ip 1580
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 412 -ip 412
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4024 -ip 4024
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 628 -ip 628
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4060 -ip 4060
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4360 -ip 4360
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1144 -ip 1144
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2704 -ip 2704
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1624 -ip 1624
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 684 -ip 684
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4584 -ip 4584
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3152 -ip 3152
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 432 -ip 432
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1952 -ip 1952
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3232 -ip 3232
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2472 -ip 2472
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3360 -ip 3360
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 868 -ip 868
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4356 -ip 4356
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4484 -ip 4484
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3152 -ip 3152
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2840 -ip 2840
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1840 -ip 1840
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1660 -ip 1660
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4460 -ip 4460
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1824 -ip 1824
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4276 -ip 4276
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1132 -ip 1132
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4292 -ip 4292
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4488 -ip 4488
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3000 -ip 3000
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2472 -ip 2472
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1100 -ip 1100
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2564 -ip 2564
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2544 -ip 2544
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1348 -ip 1348
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2912 -ip 2912
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4572 -ip 4572
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1468 -ip 1468
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1616 -ip 1616
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1928 -ip 1928
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4072 -ip 4072
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3740 -ip 3740
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4964 -ip 4964
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4552 -ip 4552
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3472 -ip 3472
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1516 -ip 1516
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3548 -ip 3548
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3372 -ip 3372
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 616 -ip 616
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3332 -ip 3332
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3264 -ip 3264
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4740 -ip 4740
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4028 -ip 4028
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2828 -ip 2828
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2960 -ip 2960
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3396 -ip 3396
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3408 -ip 3408
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3352 -ip 3352
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3152 -ip 3152
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1072 -ip 1072
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2344 -ip 2344
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2512 -ip 2512
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1344 -ip 1344
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3304 -ip 3304
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1356 -ip 1356
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4276 -ip 4276
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2616 -ip 2616
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2176 -ip 2176
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2232 -ip 2232
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4868 -ip 4868
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1992 -ip 1992
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1984 -ip 1984
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3600 -ip 3600
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1972 -ip 1972
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1424 -ip 1424
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3796 -ip 3796
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2224 -ip 2224
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4736 -ip 4736
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4024 -ip 4024
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4516 -ip 4516
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4248 -ip 4248
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3424 -ip 3424
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1352 -ip 1352
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1928 -ip 1928
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3244 -ip 3244
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4564 -ip 4564
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3796 -ip 3796
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3492 -ip 3492
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2912 -ip 2912
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 912 -ip 912
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4856 -ip 4856
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4672 -ip 4672
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3396 -ip 3396
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4172 -ip 4172
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1344 -ip 1344
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3932 -ip 3932
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1748 -ip 1748
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2232 -ip 2232
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3184 -ip 3184
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4832 -ip 4832
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2300 -ip 2300
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2764 -ip 2764
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4664 -ip 4664
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4332 -ip 4332
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1104 -ip 1104
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2492 -ip 2492
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4296 -ip 4296
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2488 -ip 2488
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 960 -ip 960
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4520 -ip 4520
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3212 -ip 3212
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3944 -ip 3944
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2928 -ip 2928
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2412 -ip 2412
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2192 -ip 2192
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3236 -ip 3236
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4536 -ip 4536
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5084 -ip 5084
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3968 -ip 3968
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4076 -ip 4076
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4576 -ip 4576
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1992 -ip 1992
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3668 -ip 3668
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1516 -ip 1516
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1344 -ip 1344
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4380 -ip 4380
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5044 -ip 5044
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5056 -ip 5056
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4568 -ip 4568
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3232 -ip 3232
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4924 -ip 4924
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4672 -ip 4672
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4448 -ip 4448
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5024 -ip 5024
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1920 -ip 1920
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1040 -ip 1040
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1144 -ip 1144
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4180 -ip 4180
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3720 -ip 3720
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2612 -ip 2612
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4684 -ip 4684
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4384 -ip 4384
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2456 -ip 2456
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1208 -ip 1208
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3964 -ip 3964
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1700 -ip 1700
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1580 -ip 1580
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5112 -ip 5112
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1100 -ip 1100
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1680 -ip 1680
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4576 -ip 4576
1⤵
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BIASYA.exe

Filesize
256KB

MD5
1f9039de95e915a26496fa93de9a7369

SHA1
bb4f5056cbcd0eec7bf575bfacf22daf25554cc1

SHA256
e90ac45ec2374855ed44654e729bf0321d4c5f35ce6c9b25f402b0a7f6d8f028

SHA512
fd0234220d93ed332237207f80a13824b5c170e98de1aed48ac104c701e5c6850009f4687dda6e71f281baf67eb58134bba739ac2e0355cc959a362976f9eb2c

Download Submit
C:\Windows\FZUR.exe

Filesize
256KB

MD5
265a06d75af46ad1fc888460a3c6a0d4

SHA1
6c297d772ea15fdf0ad089ccc79629fe9f560434

SHA256
cc8258f048afb36aa8ddcafe45611b703278690e01287ccf6065813d32a475cb

SHA512
29f3df9f23711be15485d5943865b4173fea3f05b1321c9985fe69ae330a8636fbc82c557eb40635ff50e2d89a64e42991aa999cec38bc38cf9778a1ca395891

Download Submit
C:\Windows\HHRN.exe

Filesize
256KB

MD5
6c12c4625611367483bfb19c3a570232

SHA1
797c8d9ec85ca62b9fac7ee893d84126f8ee6aab

SHA256
cee36a5f46baccc10111450c6e4f2ca5bf518e75347a0489a1750e1056e12b91

SHA512
25111a027060147d40f16fc9fb76cd2318939dca9a835a38bd972c3d1bcd5595203290de0284aed36af351d0a297d97a4c963037522b2d08d0979dfe6dc85ebb

Download Submit
C:\Windows\IQP.exe

Filesize
256KB

MD5
db43b099e64c4b92f8bf1a349307b15a

SHA1
7a14de240b2721d496dc5591b21dbc82de93ead3

SHA256
5c7724170d94161947361e6b473bcc90c9e3900ac9b69df43b5363fbd36246e9

SHA512
54962438b74923e52cb496b6cb19678b41ad8335f748b556509a4c6020ec051451954f7489b5e98a1b8ad6391f33ed9fa368ff4adfcc3ab875c1c6f41cda7108

Download Submit
C:\Windows\SysWOW64\AKD.exe

Filesize
256KB

MD5
cb0be3d803f12fb92ce4b38f5f0b39ff

SHA1
d50d4e7b493fdbfa3364a2a86162db3922d58f38

SHA256
6b3a2f99f3a515d6b794b0480136ac72295cbdeae78aa4a54b69cd7848b6a734

SHA512
19cbbd0bd7d47209462b1beb31dcfae6adbe280a498cf60ece2d3233de61bd30327222ed564c419dd514f6f51b76b878ee35ac27d693614519eb253651e9f3e2

Download Submit
C:\Windows\SysWOW64\EAF.exe

Filesize
256KB

MD5
f01ddd478f3c40fb02bb89fb4a5e7cff

SHA1
5a784e0ddffff93e9fb8ab9ef843c9e25364a944

SHA256
da954b66018833f7988089915c9eb59e26d5b8b3dd5348f2bec5565ba31cf64c

SHA512
82e4d0639f893f35ccff238914ef2b218157eda508fd456d35680ff7806812926b220a78e255796d83395ab4e81c64ed91a70d771d8e24c20244a5e53592b94b

Download Submit
C:\Windows\SysWOW64\SGHMS.exe

Filesize
256KB

MD5
27e1263512b217b8f5b6461cb3586836

SHA1
615d7abb8b2345d41b64a4581b546e325d4576c2

SHA256
7736875a605c1be14bc20c422e86907ae320ca8a33152aba5b2c5c735a7739b5

SHA512
91899f0813ddb8b08a4b4020689d76880d9585055a4dd88de43d3c2c64e3fad3ee9b5212e4aeb0297a6601f2d1fd5b28e3cd566844200a33b57af3d2c2284d19

Download Submit
C:\Windows\System\AXWMHDF.exe

Filesize
256KB

MD5
99887055e540603323114621ea93937d

SHA1
a7df1b7e77b18fc0ddc72c66b1136ddcd915d83b

SHA256
ab8810bb59d5480dc89fb250d4c36b2845e11c79d51d835f7ad2b0e3f49b4968

SHA512
c0aed4830e36eed05898dcfd45c76245e2bbee097401da7e7bc9242c48e7522988c332011a2f58f9356175477175e50e1ac20aa7da1ac3d864bfae74c202614c

Download Submit
C:\Windows\System\PAVI.exe

Filesize
256KB

MD5
06f329b0c6752a56f674c39ddf7dada9

SHA1
5519a9d4b3b42d112c0ad5ae6232fc8f1353464b

SHA256
21cd873882c09e3b117b40a2979e80d98de9c1334f2beae77ff976e2842d961e

SHA512
965426abe41c7c7766d0bb2d4d9ffcc68a1fbd1fadf3f3413f2301815f1a34bfe51f3d3933703d861f10911923a19057fd2e7d845c25e5ee6230c86c3614ffd6

Download Submit
C:\Windows\System\TVWMVC.exe

Filesize
256KB

MD5
8c0a78d3022a2ee0a0f4182670bea331

SHA1
5edba7c740ed7ae8d1089b0db4860492d59bba7a

SHA256
9ae4ed61138e2aa737a903e41a3bb27488c5a1b4e3047b8b4e18fdd9774711ee

SHA512
af11bdf3f60ab4fcc3f977c91dbe79aab8a65239bb43b8f4ca950c0df79965fac5c712506e5d668457e79fda140a704ef99d6956b4377cbffba042b28a10dc62

Download Submit
C:\Windows\System\XTO.exe

Filesize
256KB

MD5
0bb776e58155cb13759de3d59393b754

SHA1
c08dea4aae8a62b5ff5ae97649d94c820aa0d8ca

SHA256
7c4ab187e3914de0582cc74694330b60af60a6ed8a3ca08804ad62afbdd92c4b

SHA512
bc694587f5f1d5d3cfff42995dd93f58f1484e1a9c6fbfc81df314403133e011014a0048730da31903dcc0abefb53e347199962cbc5c845fe4eac7005e1ca137

Download Submit
C:\Windows\VRCCHX.exe

Filesize
256KB

MD5
d48222b64f314ede5bee0a3e7f8adb4e

SHA1
f8ad6bf2b42d83d7ff03ea5a69d5ba4b394056fb

SHA256
118ecbd8d37508829a26264142391172a0989576c200c9fc05d3973c1969f7aa

SHA512
1f342ea9b78630fb3f68a05cace60e6b817587d8971cd17540ba2daa817b1510030b079c0f9acd9ea7d3371310e333d826829298560675ea57b0247facbeacac

Download Submit
C:\windows\BIASYA.exe.bat

Filesize
58B

MD5
3182bd37ce511693d8d688a276bed40d

SHA1
2c7d99e12cbd7ff9f3fe8a061ac1d4aba5150f34

SHA256
50a7144fc21522b16f6686c49759d9e709abae99f161987711d79f47c2604cf5

SHA512
721e085016d74791065dcb152a170df9ed57ac2e7458a57f5f51f3e6604f664df4cf3ef4a27e4ae14259c45f9d9625ed142b954ebf9d44a33c6d80d1f941a988

Download Submit
C:\windows\EEXLVEN.exe

Filesize
256KB

MD5
fc0290c0a263d569f290d45e0ef1f0cc

SHA1
d92527a7b49ac4dd01e6b5fc141189e39ed103e6

SHA256
93ce232082c2aadda720ee32c74baa63fd47a8812ae7f982a671d0a392b0328d

SHA512
643780946d99a6fed363cd45e38244b2b83cc1ee86d4af406311e5d98871b60da1ee0d8725643d35876579b8b5a3d917c3cad53ed3275154fb257555c4f516d1

Download Submit
C:\windows\EEXLVEN.exe.bat

Filesize
60B

MD5
6edb2a7db26a53cfca98960a4bdfa0ca

SHA1
a83f9c778c1ac042e0b5e9fcb0ce5538f7b537b7

SHA256
9ce077b0f88a8882a942830ebae95361c7996dc355a20ccfb45305fa31870780

SHA512
e95912162f1085e81cad5d919172e622b1fb00aeffc437fc50a2c9bb8758e221eda15a77a30decf87aba6d4c53d0466bf67f3ba903b32467c69628a20f23ff7d

Download Submit
C:\windows\FZUR.exe.bat

Filesize
54B

MD5
0f13de5457dcac8f81abc0a2224d23b6

SHA1
5ae074d06cc4339aaec5138fd7b1b94ee7cdd75a

SHA256
6a99230c63eeb486d66b51679e607de76df5240d7ef18a9d8ab03dfdc4b3ce57

SHA512
122c1e8be17f7906bf3ec22a1a246bfe56e8a7e4012072356881b6ff515dd1f139ea83966f16b38c6f8a0abe361612f25b7a4529fba817365d2ee2f746889dea

Download Submit
C:\windows\HHRN.exe.bat

Filesize
54B

MD5
b2f0adbf48b6104d5e0336d9f64fdaaf

SHA1
088091ab03adbc47b1d032b68f6fb150f4f837de

SHA256
024ad3e692317ad6108ac04c6f6cb07f0d9765144b85f20e3920baa8749b74a1

SHA512
c4f71df72cdaefd51f2310fd45ce5e3bb5cff74dce8cd1a8c9856f233c752b58e02f5d64ddcb83d8d247455443865b95d050b232bfef954bad7114c627f41d34

Download Submit
C:\windows\HMV.exe

Filesize
256KB

MD5
4d6e61e8355622799834a9ec8bb90d39

SHA1
154fc0aafbc25efcf5d30f400a3fbad029d43b08

SHA256
052e6972b4d809eb8db69c518de44486bac984c2327e4159b39363e8cb042777

SHA512
c20758dcce8306b5ff9bbf70dbc11bf54fb822dcc68df1986cd525d674f8d11d449c3891d2a9a00464b1663a14baaf6037b6a13cdf1b7d3693ed712d7ed26448

Download Submit
C:\windows\HMV.exe.bat

Filesize
52B

MD5
c2859f3c4fa101b44a06ac29ffcc22c1

SHA1
847965f21f7a669c8cb8f6fd00b61093c0e29737

SHA256
98a2d4265fe729d71a81a51c580c0daa94da7d9ed89d7726d2108ab27f107d93

SHA512
25e4be8fad9f3dc20296a60a1019d946ea660b3c9d4062531a02ff1eb82d83b7d6a1e1067ba01095347b1420bbae6573724da82d5e7d3ddde8ccc60aa37aa0a3

Download Submit
C:\windows\IQP.exe.bat

Filesize
52B

MD5
a79e8bc54ca7a5bd02e4fc25ab8a8af0

SHA1
4c893a0b8245fe6a588e2589bc0b855acd2883c9

SHA256
d28f87b53e53a2c8bbe805946829bc23b43dee7f59d47490ea4f34a46744675b

SHA512
049b8bfd11365416de244fabba3da1ffc7956b1eaf2dcf13e44766d52d4c1a328b6266e7d607d5064aa06e948473860a37905a1aca352f569cc421db7723dfdd

Download Submit
C:\windows\SysWOW64\AKD.exe.bat

Filesize
70B

MD5
706729ada7bccbe132299fee77cd514d

SHA1
616bece13b1c4406bc8bb3170217952e4cea20ab

SHA256
192b7132f349ba78d6f3b61fc1fe37c288fd9c68cc51bcfb839e5ae7eb36c01e

SHA512
5b69f49642d10a2b02e4ae38a001e2ce09b9b59af1e3f62d72c5c0ee7c78dfeb22e609cea19a53e8babebbf166a97a19ab44ff7a830a32b406c283610e387808

Download Submit
C:\windows\SysWOW64\EAF.exe.bat

Filesize
70B

MD5
193786671a9268a6a19dd01241a7a214

SHA1
61b18443db70968d1d11cbf9c42597acdafe2753

SHA256
c4fac27a8697921ca13f8b262d84d25a51f9efdc60d0470dbad0741f6f48df46

SHA512
e86663ca09daf2f033866aa523b4ec39d6915e2cdc86c7f15e60b9d98dc660521fc94b3fd859092cbb56e15d9e89ad4baefbc55067e60f849b5fdb9f959fce92

Download Submit
C:\windows\SysWOW64\EFDULV.exe

Filesize
256KB

MD5
40280aca2268a339026edeb6ff044c50

SHA1
73bb125923ce1fb2e054e738ea99b6a2badc3b9b

SHA256
8561213ababb5ec7eee1e3efea2a6e66505caf99ee5f7cd67749ab48d83d5942

SHA512
b58d9ce23f7a968f060d0175a56ad4a9769f9749330dd71371d59196cf5b9b944c8b1faf2a4caa1204e7c28b19df41581e7d761953b166c95738998afc87e2f1

Download Submit
C:\windows\SysWOW64\EFDULV.exe.bat

Filesize
76B

MD5
6bb9a6091954f5aef49d7335fc9fa997

SHA1
2cadbf74e793da2c8b3bb24e2c3b9e1983d6b84f

SHA256
c7708bd40c7a53ab0a752fe55273eee9eb6efe055665f0032daf754e3b3fc348

SHA512
ad0353dd3031222d27b3e75e43390d4e2d6db5131fdbac22f744d87be0b7eccd8f8a5afe95464b344da24c7f29f2acc9ee8e9f908b4ed85b78388ec59193ecfa

Download Submit
C:\windows\SysWOW64\SGHMS.exe.bat

Filesize
74B

MD5
b17dc71c891a953ffbaa669703bc1697

SHA1
b9b1d6063848ae50f396750315bd13d4909ad835

SHA256
1660c5cd86ed692b68108cf9c3916350bf8714b6d59bba63ec69f63161c70cca

SHA512
1ed8b80a908040ccb8537ca7560956d35a3c7e6abe940abadcd272751b33360b08706f3a09a703352512eecd37d4bb0c374acc3fcb0ce792685434301a3c7577

Download Submit
C:\windows\SysWOW64\XJDS.exe.bat

Filesize
72B

MD5
aa9e31a23da4b0ea12f44de06566e544

SHA1
3871e0979ff8b3566ac0a1fe6bc6bf7425da7191

SHA256
6bfb5f85c7b4c904538ebfe4422efeb1cdaf9912f009a9322c8ca3b1e1e910bd

SHA512
205ee646411d7c6059594522c1cfd3a7b483996449635e5c229b569bfd030c63f25498c8c9874f21029ac7350557aeefc8af9518d4a3759f7ab1246855120254

Download Submit
C:\windows\VRCCHX.exe.bat

Filesize
58B

MD5
210baa1d63672ce777d526ded96485e3

SHA1
ce273825d8f75d29a9eb8b78e586a7e83c5efa0a

SHA256
1da5007395a37c293c921c8f8e0731fd2d7869dbd371b2578cbf91ee7f5192b0

SHA512
3ebcc2ab96a88e073bd76d77c913c32757f3dea2ac85ec9b53eab8672f19a5e7bddf3fa262c4eda481171ec55ad4eb44f00090bd0fc4bed27d6debad6c8a73d9

Download Submit
C:\windows\system\ASYSH.exe.bat

Filesize
70B

MD5
c7c756be8ce7e8407615a3722ecfb183

SHA1
cb19e79a1116150544669448466fadde1dd7d9ed

SHA256
15043da5fa1f5c0bdbb381d6fa67df0510fe59d252a8450f86d343035bc0d3a2

SHA512
030c2439dca431347ab2594464e11142189f742fafd29469a0ec54c24cc40f882032ee84b5dea342f7fe8e1b446fc67ede9f12e9915a78f8639f7bbc7d83289d

Download Submit
C:\windows\system\AXWMHDF.exe.bat

Filesize
74B

MD5
82d68be9236fd76f7b046fa7c7bf5880

SHA1
0deff1a11a6a96e7427f8e2e49082bbc6790906e

SHA256
f69da226d7d89da7ffaf1268e5a894effdeba06ad2014b48f516097e940a115f

SHA512
e0062ccb3508f45c15c5c65c217e5d7c051cd586889e23e169530808845aa6e2c816ebe78e60db59b9fbf1fb85b4ccca8e3312d5049312605f47281600367c7f

Download Submit
C:\windows\system\BMMWY.exe

Filesize
256KB

MD5
fe7e6d800bccdfe15ba5b2d52236728f

SHA1
142544b00cae8e1795151f14f950fe5e6d44f70f

SHA256
b05b72e7429b9d9b612a8b8b7a3dcf154f6748083e093611405f3a7c0ad2265a

SHA512
56ece90bf2efab9c80a9bcaa2fd75fc20774f265073b1482357f9a8b6f60f77f00f0d3cbc1a619369ffeeb5f34a0ccafe4505e2b7375006d4deb10363ee568ad

Download Submit
C:\windows\system\BMMWY.exe.bat

Filesize
70B

MD5
6ae8d4337037d4da705c4ca4e16eaa0d

SHA1
087c878c330486cba7643e0060d26c70676c6140

SHA256
889a0837827f94eff9a0638636baf3fd5343be36e6f35b09c37bbd1a3241dd00

SHA512
7ebcfce0089697ffd766137cc9f90ebef7f13748e9c360c5a44a63fa989148f5684ad2d0c2c34da0e1b932f295e7e4bb89fbc34d2db15a7ec3510d61958f1518

Download Submit
C:\windows\system\CTJGQR.exe

Filesize
256KB

MD5
cbfaa7d133afa5ba916bf60f9a5dcd79

SHA1
35f529f33428e4b95d233fff61fead5435ac577c

SHA256
797736f7873725ea35810c43ee38e5b8948458b91a5f0532b9e9dabb365ccfa4

SHA512
16aaa682a2adfe0a1c54077b6b04436bda7f0429949e2d5438d605c3dde5d2dec139a337d45f38099d6cdc0ed7584c23b5af8d696a0d22915684cc7667a883e1

Download Submit
C:\windows\system\CTJGQR.exe.bat

Filesize
72B

MD5
52e865dc184144f3a791c06932a36e01

SHA1
bb5bc8052845ff2c8fca4dd2a1331b31f1eedfdb

SHA256
dfb3885791327be46a94aa198dd6893c519d1fd75b967ef90bc21c95abd1aa9e

SHA512
32c8574e2f002bf111ad9d55c738159d02bf31793a44d0e17e46d01a418c3968f5e41ddda1e3a9a759e39753abb07bf5f3744440d72b9b05bbc62075d04ee350

Download Submit
C:\windows\system\LBNSQ.exe.bat

Filesize
70B

MD5
47da35b0decb285331cd0e3257d7910b

SHA1
fb59cf6297c8a6d71e0e5fa77668e978f638f183

SHA256
1fa6b6612f65748d950b5aeec6f0c291818f7e1d225594bee68d2020f24a6cb5

SHA512
ff798f10ad578a137cb5c6abe6994bafa563a2e7164d98d1e45e856776843e4d22dd175f30bb64767dd7f0c000f2a3c02674af674a85fabcf642d7ca9b05de92

Download Submit
C:\windows\system\MGWWM.exe.bat

Filesize
70B

MD5
b1505922c4a0340f122a874a99bb9721

SHA1
8ec343d313c46a5fd2535ce3e8b81b121551c984

SHA256
5ea64658f3324f4ae145b1f1faf535943d84ecf0ea70b38a08ad9c7ef6fb7d2c

SHA512
3f2914609376f1949e687187fee713aa97415bf8fac57d4bdfd6cbd0aa96d9c56eb16202f64c5d223d18bdfaa41971f251f496cd49288bb687fac9a907f0fb91

Download Submit
C:\windows\system\PAVI.exe.bat

Filesize
68B

MD5
7fd960db75d291f2f612ea6e0341ffe0

SHA1
3f83c6a4f1e5eb3ce089d950a712cfe5af156387

SHA256
d65e6e836655e69a9c1bc97b26e02ffddfe2a92b0fdcd52078b4e574f6dfc7d0

SHA512
4aa194baeb7a4ff4fa39ce211d0ea742ee53135c27d66076647dc15ecae2673d0787e1a197b835fbf00e7937334c19d2a6808521aa8b876da8e0b6ddc9ade271

Download Submit
C:\windows\system\SZUXV.exe

Filesize
256KB

MD5
8d7ddf216ab2a2124c1391f531a0480c

SHA1
b838505ba4a7b3c24a062dbb3fed3292beb00293

SHA256
45463177dc204fcbbbf811a6f656b88071e39df9bfad2fb349b7b4c1db0a5bc3

SHA512
c68986c0173e46058dc4b1a2897639eb47b1a86e3364107a2c69c9b602229845e7eea8ba78d2aad2285fdf1cadb995f303785e4e98f5af1e7767ab4fa9481af3

Download Submit
C:\windows\system\SZUXV.exe.bat

Filesize
70B

MD5
696f8b925239280fac770e26f88811f8

SHA1
e522cce457c7377fd76408032d23ce43799fbd08

SHA256
89cf0442ed1eae0ef1083b09af28498c9914c2695f724c5ad27766b582443a1b

SHA512
6dcfb9a4062466836c07adf288b6e300d0c221b3f82442486acd0b639baacb8f461608d5c2a967c0f0e469abc35ebb9028c3747a0cfc736b22bece75102b2c9f

Download Submit
C:\windows\system\TVWMVC.exe.bat

Filesize
72B

MD5
c6c5e07ccea957855b0691f3d183549c

SHA1
bbe5b483f40a45b80b6a78438535a5d063de841c

SHA256
266c2957dd633ecd0273a4b45f6cf2a1aeecfb18199e29f86421dca9e69cf98c

SHA512
cc6ff457c01cb30d7e1ee5ce214eab418f8df94bd32ee4d890d9fbe7ebcb1a7d1c52cabf637c8b15de9a460d06b86ef00dcabe636020641e35e6d4e1213ca422

Download Submit
C:\windows\system\XTO.exe.bat

Filesize
66B

MD5
c7325d8266c6cecff6f78aa272f0b338

SHA1
4108331ca8ee1e08a93b876dac35f9c653521c5c

SHA256
5b6cc7a637794f4ce75ff652d1e071db567dfa4d000eb813ef7fac1acceb0006

SHA512
b57f3984787612190f7191443df1cf35a4856b3b19f9d1a9528a00b584731ade651805d5a37cca846d67522a7d2c97b19216f0b66d936580c88aee2f6be7b55a

Download Submit
memory/412-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/832-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/876-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/876-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1580-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1840-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1840-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1928-92-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1928-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2484-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2484-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3000-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3000-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3216-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3216-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3720-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3720-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3744-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3744-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3796-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4076-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4076-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4440-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4440-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4504-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4504-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4568-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4568-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download