9f0d6526f9ef0200194801a1cbb5578e22a3dc30cded11f5a093e73a50489f0f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9db15425411b48afe0d8e5ae56f647b2.exe
Size

208KB
MD5

9db15425411b48afe0d8e5ae56f647b2
SHA1

218f8049aaf1bc4a3f2b79147a72495965cfc0c4
SHA256

9f0d6526f9ef0200194801a1cbb5578e22a3dc30cded11f5a093e73a50489f0f
SHA512

e51ac2d8e0f471152f46b967f6558f120392cb69bf499477230178f67b9e7347ea6d84fa12d3fedc870ee0f87b4c962daae98cf143c2eb41c3c33361b93af79a
SSDEEP

3072:LjP3Xywnj68OY3eZrq8gRcXZcRqG6gzEhKqfXII6z4NLthEjQT67:f3X5OHY3eZrqRGkqcqA/zQEj9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	RJPZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OVON.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CNYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	9db15425411b48afe0d8e5ae56f647b2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OGS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	KVLRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	SPUPKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	JODRYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AZUIH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	UHQQQBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AXUNCO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ZRYW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AEEISLQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GMBVR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FOKCAU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ZGIHHT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	YULRGVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LJNXU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GGWIIF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	VYORZEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	DGHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OZC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	QKNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NTZNVRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NYGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	KZI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AFOOIR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OMDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	SNMMWK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LQXGKVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	NZEAMI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	TSGBBOW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FBN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HPLUBFF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	VOZGQZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OWFWYMN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	QJSEDCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	YLKGXQA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HYO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	CHOSZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PIYICTZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	KTU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	IPCSUSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	MZUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	XBXB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	HFQCSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AKUISF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BFFEXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	UKYPV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OPGFOKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	SUJB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LLIBIC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	YOFKOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GENYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	PDCZT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	BHBE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ULWKK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ABUWG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OOPUAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OEGKV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FSQSNCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	FLZKKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	YUQ.exe

Executes dropped EXE 64 IoCs

pid	Process
952	FUZ.exe
1360	LPL.exe
1220	AKUISF.exe
4832	SNMMWK.exe
4296	AXUNCO.exe
4648	LQXGKVP.exe
3664	NTZNVRR.exe
2140	XBB.exe
2852	REYY.exe
2408	VHWTZGR.exe
548	WKN.exe
1372	LAAGV.exe
3900	YGA.exe
4444	VMG.exe
4708	ZRYW.exe
4320	VZSEFMC.exe
624	MPRPJFS.exe
2880	FSQSNCA.exe
3008	UNNFPD.exe
3900	FLZKKJ.exe
1124	XGQO.exe
4012	FBN.exe
3720	GEXP.exe
3036	NZU.exe
624	RPO.exe
3676	RZX.exe
4564	YUUXDJU.exe
4784	YYMZNUD.exe
1804	HYO.exe
3360	JTA.exe
2092	LJNXU.exe
4948	HPLUBFF.exe
2148	LFFCE.exe
4808	SAKO.exe
4516	AGPV.exe
4016	GGWIIF.exe
3316	TRNH.exe
4896	AEEISLQ.exe
2092	UZJR.exe
2608	EXJET.exe
4052	NXLRXK.exe
2244	OAPMK.exe
1464	JOUWMAH.exe
4320	UGP.exe
3244	NZEAMI.exe
4896	TZMN.exe
2680	CHOSZ.exe
3332	EFHVFX.exe
3900	OKR.exe
1772	JQRYXFN.exe
5024	NYGY.exe
2232	KZI.exe
228	GENYU.exe
1784	PKYQKI.exe
5048	OUOOJC.exe
4700	BFFEXF.exe
464	JTJTI.exe
3380	IEUBRSJ.exe
536	KBAVYAR.exe
1540	QCHJ.exe
4788	KPMSRU.exe
3716	SUEHTHK.exe
3908	TXDDHQM.exe
4884	BLHJSPI.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\BFFEXF.exe	OUOOJC.exe
File created	C:\windows\SysWOW64\TXDDHQM.exe.bat	SUEHTHK.exe
File created	C:\windows\SysWOW64\VIOYC.exe	PNPXXMZ.exe
File created	C:\windows\SysWOW64\GEXP.exe.bat	FBN.exe
File created	C:\windows\SysWOW64\AGPV.exe.bat	SAKO.exe
File created	C:\windows\SysWOW64\JQRYXFN.exe	OKR.exe
File created	C:\windows\SysWOW64\KVLRR.exe	LLIBIC.exe
File created	C:\windows\SysWOW64\EFHVFX.exe	CHOSZ.exe
File created	C:\windows\SysWOW64\BHBE.exe.bat	IPTT.exe
File opened for modification	C:\windows\SysWOW64\GNP.exe	SHPB.exe
File opened for modification	C:\windows\SysWOW64\FLZKKJ.exe	UNNFPD.exe
File opened for modification	C:\windows\SysWOW64\JLTYO.exe	JBKXB.exe
File created	C:\windows\SysWOW64\OHWXJ.exe.bat	OEGKV.exe
File created	C:\windows\SysWOW64\ABUWG.exe	GNP.exe
File opened for modification	C:\windows\SysWOW64\OGS.exe	YQRER.exe
File created	C:\windows\SysWOW64\OWJGO.exe	ZGIHHT.exe
File created	C:\windows\SysWOW64\JLTYO.exe	JBKXB.exe
File created	C:\windows\SysWOW64\MVOWEUS.exe	TCYLVTK.exe
File opened for modification	C:\windows\SysWOW64\AXUNCO.exe	SNMMWK.exe
File opened for modification	C:\windows\SysWOW64\GENYU.exe	KZI.exe
File opened for modification	C:\windows\SysWOW64\TXDDHQM.exe	SUEHTHK.exe
File created	C:\windows\SysWOW64\SNMMWK.exe.bat	AKUISF.exe
File created	C:\windows\SysWOW64\IEUBRSJ.exe.bat	JTJTI.exe
File opened for modification	C:\windows\SysWOW64\BLHJSPI.exe	TXDDHQM.exe
File created	C:\windows\SysWOW64\MZUM.exe	IJOMCG.exe
File created	C:\windows\SysWOW64\OWJGO.exe.bat	ZGIHHT.exe
File opened for modification	C:\windows\SysWOW64\OHWXJ.exe	OEGKV.exe
File opened for modification	C:\windows\SysWOW64\FBN.exe	XGQO.exe
File created	C:\windows\SysWOW64\JQRYXFN.exe.bat	OKR.exe
File created	C:\windows\SysWOW64\SHPB.exe.bat	BHBE.exe
File created	C:\windows\SysWOW64\JOUWMAH.exe	OAPMK.exe
File opened for modification	C:\windows\SysWOW64\AITUAVL.exe	VHJ.exe
File created	C:\windows\SysWOW64\BHBE.exe	IPTT.exe
File created	C:\windows\SysWOW64\UFRZBBD.exe.bat	UZRKZOI.exe
File opened for modification	C:\windows\SysWOW64\VHWTZGR.exe	REYY.exe
File created	C:\windows\SysWOW64\LJNXU.exe	JTA.exe
File created	C:\windows\SysWOW64\LJNXU.exe.bat	JTA.exe
File created	C:\windows\SysWOW64\UHDS.exe	XGB.exe
File created	C:\windows\SysWOW64\CBRO.exe.bat	YLKGXQA.exe
File opened for modification	C:\windows\SysWOW64\OQX.exe	VXI.exe
File created	C:\windows\SysWOW64\HDHMZGG.exe	GAERL.exe
File created	C:\windows\SysWOW64\IPCSUSN.exe	ACPMKUR.exe
File created	C:\windows\SysWOW64\VHWTZGR.exe.bat	REYY.exe
File opened for modification	C:\windows\SysWOW64\UHDS.exe	XGB.exe
File created	C:\windows\SysWOW64\YOFKOI.exe.bat	QJSEDCE.exe
File created	C:\windows\SysWOW64\BLHJSPI.exe	TXDDHQM.exe
File created	C:\windows\SysWOW64\LQXGKVP.exe	AXUNCO.exe
File created	C:\windows\SysWOW64\LAAGV.exe	WKN.exe
File created	C:\windows\SysWOW64\LAAGV.exe.bat	WKN.exe
File created	C:\windows\SysWOW64\VDJBQHP.exe	PIYICTZ.exe
File opened for modification	C:\windows\SysWOW64\YOFKOI.exe	QJSEDCE.exe
File created	C:\windows\SysWOW64\UCV.exe	OHWXJ.exe
File created	C:\windows\SysWOW64\NYGY.exe.bat	JQRYXFN.exe
File opened for modification	C:\windows\SysWOW64\BHBE.exe	IPTT.exe
File opened for modification	C:\windows\SysWOW64\VIOYC.exe	PNPXXMZ.exe
File opened for modification	C:\windows\SysWOW64\XEGAFVO.exe	RJPZ.exe
File opened for modification	C:\windows\SysWOW64\HDHMZGG.exe	GAERL.exe
File opened for modification	C:\windows\SysWOW64\IPCSUSN.exe	ACPMKUR.exe
File opened for modification	C:\windows\SysWOW64\OWJGO.exe	ZGIHHT.exe
File created	C:\windows\SysWOW64\SNMMWK.exe	AKUISF.exe
File created	C:\windows\SysWOW64\AXUNCO.exe.bat	SNMMWK.exe
File created	C:\windows\SysWOW64\NZEAMI.exe.bat	UGP.exe
File created	C:\windows\SysWOW64\TXDDHQM.exe	SUEHTHK.exe
File created	C:\windows\SysWOW64\VXI.exe.bat	AHH.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\YUUXDJU.exe.bat	RZX.exe
File created	C:\windows\CNYY.exe.bat	QKNT.exe
File opened for modification	C:\windows\system\UEJ.exe	KGDUU.exe
File created	C:\windows\system\WKN.exe.bat	VHWTZGR.exe
File opened for modification	C:\windows\system\JQUQDND.exe	BLHJSPI.exe
File created	C:\windows\EZV.exe.bat	JQUQDND.exe
File opened for modification	C:\windows\VTY.exe	GYGND.exe
File opened for modification	C:\windows\system\YLKGXQA.exe	FFL.exe
File created	C:\windows\system\XBB.exe.bat	NTZNVRR.exe
File created	C:\windows\XIP.exe.bat	RNYNNEU.exe
File opened for modification	C:\windows\system\AFOOIR.exe	SZCIYT.exe
File opened for modification	C:\windows\system\QNLZ.exe	OPGFOKJ.exe
File created	C:\windows\system\QJSEDCE.exe.bat	YGOAY.exe
File created	C:\windows\system\QKNT.exe	YBZODGC.exe
File created	C:\windows\system\FFL.exe.bat	BPWIGW.exe
File opened for modification	C:\windows\system\VMG.exe	YGA.exe
File created	C:\windows\system\NZU.exe	GEXP.exe
File opened for modification	C:\windows\system\HYO.exe	YYMZNUD.exe
File opened for modification	C:\windows\XIP.exe	RNYNNEU.exe
File opened for modification	C:\windows\system\GPLVR.exe	XMVICWM.exe
File opened for modification	C:\windows\JLYZA.exe	DPNG.exe
File created	C:\windows\system\MKVTBV.exe.bat	UKPWOE.exe
File created	C:\windows\KGDUU.exe	CBRO.exe
File opened for modification	C:\windows\JZL.exe	UKYPV.exe
File opened for modification	C:\windows\OPGFOKJ.exe	ERSKZCA.exe
File created	C:\windows\system\BPWIGW.exe.bat	XHQABD.exe
File opened for modification	C:\windows\system\YYMZNUD.exe	YUUXDJU.exe
File opened for modification	C:\windows\ULWKK.exe	OQX.exe
File created	C:\windows\system\AKUISF.exe.bat	LPL.exe
File created	C:\windows\system\YUUXDJU.exe	RZX.exe
File created	C:\windows\system\VYORZEC.exe	PDCZT.exe
File created	C:\windows\JZL.exe.bat	UKYPV.exe
File created	C:\windows\system\AFOOIR.exe.bat	SZCIYT.exe
File created	C:\windows\system\SUJB.exe.bat	OMDB.exe
File created	C:\windows\system\JQUQDND.exe.bat	BLHJSPI.exe
File created	C:\windows\YUQ.exe.bat	GMBVR.exe
File created	C:\windows\AETETL.exe.bat	VDJBQHP.exe
File created	C:\windows\HIS.exe.bat	MVOWEUS.exe
File created	C:\windows\system\VYORZEC.exe.bat	PDCZT.exe
File opened for modification	C:\windows\system\DGHH.exe	VOZGQZ.exe
File created	C:\windows\UZKON.exe.bat	OZC.exe
File created	C:\windows\system\FOKCAU.exe.bat	HDHMZGG.exe
File created	C:\windows\URDDLKI.exe.bat	SUJB.exe
File created	C:\windows\PIYICTZ.exe	SPWYYP.exe
File opened for modification	C:\windows\system\QKNT.exe	YBZODGC.exe
File created	C:\windows\UHQQQBA.exe.bat	XBXB.exe
File created	C:\windows\system\YYMZNUD.exe.bat	YUUXDJU.exe
File created	C:\windows\CHOSZ.exe	TZMN.exe
File opened for modification	C:\windows\CHOSZ.exe	TZMN.exe
File created	C:\windows\system\DDTGKC.exe.bat	VYORZEC.exe
File opened for modification	C:\windows\system\AKUISF.exe	LPL.exe
File opened for modification	C:\windows\system\NTZNVRR.exe	LQXGKVP.exe
File opened for modification	C:\windows\system\WKN.exe	VHWTZGR.exe
File created	C:\windows\ULWKK.exe.bat	OQX.exe
File created	C:\windows\YLIS.exe.bat	YGIDTL.exe
File created	C:\windows\system\ZGIHHT.exe	OGS.exe
File created	C:\windows\VTY.exe.bat	GYGND.exe
File created	C:\windows\system\UGGKH.exe.bat	JODRYY.exe
File created	C:\windows\system\FFL.exe	BPWIGW.exe
File created	C:\windows\VZSEFMC.exe.bat	ZRYW.exe
File created	C:\windows\system\OAPMK.exe.bat	NXLRXK.exe
File created	C:\windows\EZV.exe	JQUQDND.exe
File created	C:\windows\HFQCSM.exe	UHQQQBA.exe
File created	C:\windows\system\EXJET.exe	UZJR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4444	4412	WerFault.exe	85
3624	952	WerFault.exe	93
3988	1360	WerFault.exe	99
2244	1220	WerFault.exe	106
2668	4832	WerFault.exe	111
4368	4296	WerFault.exe	118
3240	4648	WerFault.exe	123
3724	3664	WerFault.exe	128
2944	2140	WerFault.exe	134
1804	2852	WerFault.exe	139
1960	2408	WerFault.exe	144
4100	548	WerFault.exe	149
4860	1372	WerFault.exe	156
1168	3900	WerFault.exe	161
440	4444	WerFault.exe	166
2136	4708	WerFault.exe	171
2408	4320	WerFault.exe	176
3784	624	WerFault.exe	181
5040	2880	WerFault.exe	186
4988	3008	WerFault.exe	191
2032	3900	WerFault.exe	196
2920	1124	WerFault.exe	201
1308	4012	WerFault.exe	206
2160	3720	WerFault.exe	211
4368	3036	WerFault.exe	216
5040	624	WerFault.exe	221
1780	3676	WerFault.exe	226
2228	4564	WerFault.exe	231
1316	4784	WerFault.exe	236
4068	1804	WerFault.exe	241
4288	3360	WerFault.exe	246
4308	2092	WerFault.exe	251
4860	4948	WerFault.exe	256
1468	2148	WerFault.exe	261
1860	4808	WerFault.exe	266
3840	4516	WerFault.exe	271
3592	4016	WerFault.exe	276
2980	3316	WerFault.exe	281
4664	4896	WerFault.exe	286
1148	2092	WerFault.exe	292
2148	2608	WerFault.exe	297
3900	4052	WerFault.exe	302
1772	2244	WerFault.exe	307
3520	1464	WerFault.exe	312
3488	4320	WerFault.exe	317
2956	3244	WerFault.exe	322
1148	4896	WerFault.exe	327
952	2680	WerFault.exe	332
3328	3332	WerFault.exe	337
2664	3900	WerFault.exe	342
4132	1772	WerFault.exe	347
4792	5024	WerFault.exe	352
4480	2232	WerFault.exe	357
2880	228	WerFault.exe	362
2044	1784	WerFault.exe	367
4008	5048	WerFault.exe	372
792	4700	WerFault.exe	377
3668	464	WerFault.exe	382
3720	3380	WerFault.exe	387
2956	536	WerFault.exe	392
3780	1540	WerFault.exe	397
4072	4788	WerFault.exe	402
3984	3716	WerFault.exe	407
1852	3908	WerFault.exe	412

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	9db15425411b48afe0d8e5ae56f647b2.exe
4412	9db15425411b48afe0d8e5ae56f647b2.exe
952	FUZ.exe
952	FUZ.exe
1360	LPL.exe
1360	LPL.exe
1220	AKUISF.exe
1220	AKUISF.exe
4832	SNMMWK.exe
4832	SNMMWK.exe
4296	AXUNCO.exe
4296	AXUNCO.exe
4648	LQXGKVP.exe
4648	LQXGKVP.exe
3664	NTZNVRR.exe
3664	NTZNVRR.exe
2140	XBB.exe
2140	XBB.exe
2852	REYY.exe
2852	REYY.exe
2408	VHWTZGR.exe
2408	VHWTZGR.exe
548	WKN.exe
548	WKN.exe
1372	LAAGV.exe
1372	LAAGV.exe
3900	YGA.exe
3900	YGA.exe
4444	VMG.exe
4444	VMG.exe
4708	ZRYW.exe
4708	ZRYW.exe
4320	VZSEFMC.exe
4320	VZSEFMC.exe
624	MPRPJFS.exe
624	MPRPJFS.exe
2880	FSQSNCA.exe
2880	FSQSNCA.exe
3008	UNNFPD.exe
3008	UNNFPD.exe
3900	FLZKKJ.exe
3900	FLZKKJ.exe
1124	XGQO.exe
1124	XGQO.exe
4012	FBN.exe
4012	FBN.exe
3720	GEXP.exe
3720	GEXP.exe
3036	NZU.exe
3036	NZU.exe
624	RPO.exe
624	RPO.exe
3676	RZX.exe
3676	RZX.exe
4564	YUUXDJU.exe
4564	YUUXDJU.exe
4784	YYMZNUD.exe
4784	YYMZNUD.exe
1804	HYO.exe
1804	HYO.exe
3360	JTA.exe
3360	JTA.exe
2092	LJNXU.exe
2092	LJNXU.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4412	9db15425411b48afe0d8e5ae56f647b2.exe
4412	9db15425411b48afe0d8e5ae56f647b2.exe
952	FUZ.exe
952	FUZ.exe
1360	LPL.exe
1360	LPL.exe
1220	AKUISF.exe
1220	AKUISF.exe
4832	SNMMWK.exe
4832	SNMMWK.exe
4296	AXUNCO.exe
4296	AXUNCO.exe
4648	LQXGKVP.exe
4648	LQXGKVP.exe
3664	NTZNVRR.exe
3664	NTZNVRR.exe
2140	XBB.exe
2140	XBB.exe
2852	REYY.exe
2852	REYY.exe
2408	VHWTZGR.exe
2408	VHWTZGR.exe
548	WKN.exe
548	WKN.exe
1372	LAAGV.exe
1372	LAAGV.exe
3900	YGA.exe
3900	YGA.exe
4444	VMG.exe
4444	VMG.exe
4708	ZRYW.exe
4708	ZRYW.exe
4320	VZSEFMC.exe
4320	VZSEFMC.exe
624	MPRPJFS.exe
624	MPRPJFS.exe
2880	FSQSNCA.exe
2880	FSQSNCA.exe
3008	UNNFPD.exe
3008	UNNFPD.exe
3900	FLZKKJ.exe
3900	FLZKKJ.exe
1124	XGQO.exe
1124	XGQO.exe
4012	FBN.exe
4012	FBN.exe
3720	GEXP.exe
3720	GEXP.exe
3036	NZU.exe
3036	NZU.exe
624	RPO.exe
624	RPO.exe
3676	RZX.exe
3676	RZX.exe
4564	YUUXDJU.exe
4564	YUUXDJU.exe
4784	YYMZNUD.exe
4784	YYMZNUD.exe
1804	HYO.exe
1804	HYO.exe
3360	JTA.exe
3360	JTA.exe
2092	LJNXU.exe
2092	LJNXU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1148	4412	9db15425411b48afe0d8e5ae56f647b2.exe	89
PID 4412 wrote to memory of 1148	4412	9db15425411b48afe0d8e5ae56f647b2.exe	89
PID 4412 wrote to memory of 1148	4412	9db15425411b48afe0d8e5ae56f647b2.exe	89
PID 1148 wrote to memory of 952	1148	cmd.exe	93
PID 1148 wrote to memory of 952	1148	cmd.exe	93
PID 1148 wrote to memory of 952	1148	cmd.exe	93
PID 952 wrote to memory of 4672	952	FUZ.exe	95
PID 952 wrote to memory of 4672	952	FUZ.exe	95
PID 952 wrote to memory of 4672	952	FUZ.exe	95
PID 4672 wrote to memory of 1360	4672	cmd.exe	99
PID 4672 wrote to memory of 1360	4672	cmd.exe	99
PID 4672 wrote to memory of 1360	4672	cmd.exe	99
PID 1360 wrote to memory of 3308	1360	LPL.exe	102
PID 1360 wrote to memory of 3308	1360	LPL.exe	102
PID 1360 wrote to memory of 3308	1360	LPL.exe	102
PID 3308 wrote to memory of 1220	3308	cmd.exe	106
PID 3308 wrote to memory of 1220	3308	cmd.exe	106
PID 3308 wrote to memory of 1220	3308	cmd.exe	106
PID 1220 wrote to memory of 4012	1220	AKUISF.exe	107
PID 1220 wrote to memory of 4012	1220	AKUISF.exe	107
PID 1220 wrote to memory of 4012	1220	AKUISF.exe	107
PID 4012 wrote to memory of 4832	4012	cmd.exe	111
PID 4012 wrote to memory of 4832	4012	cmd.exe	111
PID 4012 wrote to memory of 4832	4012	cmd.exe	111
PID 4832 wrote to memory of 4792	4832	SNMMWK.exe	114
PID 4832 wrote to memory of 4792	4832	SNMMWK.exe	114
PID 4832 wrote to memory of 4792	4832	SNMMWK.exe	114
PID 4792 wrote to memory of 4296	4792	cmd.exe	118
PID 4792 wrote to memory of 4296	4792	cmd.exe	118
PID 4792 wrote to memory of 4296	4792	cmd.exe	118
PID 4296 wrote to memory of 3904	4296	AXUNCO.exe	119
PID 4296 wrote to memory of 3904	4296	AXUNCO.exe	119
PID 4296 wrote to memory of 3904	4296	AXUNCO.exe	119
PID 3904 wrote to memory of 4648	3904	cmd.exe	123
PID 3904 wrote to memory of 4648	3904	cmd.exe	123
PID 3904 wrote to memory of 4648	3904	cmd.exe	123
PID 4648 wrote to memory of 2956	4648	LQXGKVP.exe	124
PID 4648 wrote to memory of 2956	4648	LQXGKVP.exe	124
PID 4648 wrote to memory of 2956	4648	LQXGKVP.exe	124
PID 2956 wrote to memory of 3664	2956	cmd.exe	128
PID 2956 wrote to memory of 3664	2956	cmd.exe	128
PID 2956 wrote to memory of 3664	2956	cmd.exe	128
PID 3664 wrote to memory of 1528	3664	NTZNVRR.exe	130
PID 3664 wrote to memory of 1528	3664	NTZNVRR.exe	130
PID 3664 wrote to memory of 1528	3664	NTZNVRR.exe	130
PID 1528 wrote to memory of 2140	1528	cmd.exe	134
PID 1528 wrote to memory of 2140	1528	cmd.exe	134
PID 1528 wrote to memory of 2140	1528	cmd.exe	134
PID 2140 wrote to memory of 2152	2140	XBB.exe	135
PID 2140 wrote to memory of 2152	2140	XBB.exe	135
PID 2140 wrote to memory of 2152	2140	XBB.exe	135
PID 2152 wrote to memory of 2852	2152	cmd.exe	139
PID 2152 wrote to memory of 2852	2152	cmd.exe	139
PID 2152 wrote to memory of 2852	2152	cmd.exe	139
PID 2852 wrote to memory of 4544	2852	REYY.exe	140
PID 2852 wrote to memory of 4544	2852	REYY.exe	140
PID 2852 wrote to memory of 4544	2852	REYY.exe	140
PID 4544 wrote to memory of 2408	4544	cmd.exe	144
PID 4544 wrote to memory of 2408	4544	cmd.exe	144
PID 4544 wrote to memory of 2408	4544	cmd.exe	144
PID 2408 wrote to memory of 3668	2408	VHWTZGR.exe	145
PID 2408 wrote to memory of 3668	2408	VHWTZGR.exe	145
PID 2408 wrote to memory of 3668	2408	VHWTZGR.exe	145
PID 3668 wrote to memory of 548	3668	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\9db15425411b48afe0d8e5ae56f647b2.exe
"C:\Users\Admin\AppData\Local\Temp\9db15425411b48afe0d8e5ae56f647b2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\FUZ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\windows\FUZ.exe
    C:\windows\FUZ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPL.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\windows\system\LPL.exe
        
        C:\windows\system\LPL.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKUISF.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\windows\system\AKUISF.exe
        
        C:\windows\system\AKUISF.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SNMMWK.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\windows\SysWOW64\SNMMWK.exe
        
        C:\windows\system32\SNMMWK.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AXUNCO.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\windows\SysWOW64\AXUNCO.exe
        
        C:\windows\system32\AXUNCO.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQXGKVP.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\windows\SysWOW64\LQXGKVP.exe
        
        C:\windows\system32\LQXGKVP.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NTZNVRR.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\windows\system\NTZNVRR.exe
        
        C:\windows\system\NTZNVRR.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XBB.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\windows\system\XBB.exe
        
        C:\windows\system\XBB.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\REYY.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\windows\REYY.exe
        
        C:\windows\REYY.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHWTZGR.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\windows\SysWOW64\VHWTZGR.exe
        
        C:\windows\system32\VHWTZGR.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKN.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\windows\system\WKN.exe
        
        C:\windows\system\WKN.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAAGV.exe.bat" "
        24⤵
        
        PID:3116
        
        C:\windows\SysWOW64\LAAGV.exe
        
        C:\windows\system32\LAAGV.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YGA.exe.bat" "
        26⤵
        
        PID:3488
        
        C:\windows\system\YGA.exe
        
        C:\windows\system\YGA.exe
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VMG.exe.bat" "
        28⤵
        
        PID:4668
        
        C:\windows\system\VMG.exe
        
        C:\windows\system\VMG.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZRYW.exe.bat" "
        30⤵
        
        PID:4268
        
        C:\windows\ZRYW.exe
        
        C:\windows\ZRYW.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VZSEFMC.exe.bat" "
        32⤵
        
        PID:3444
        
        C:\windows\VZSEFMC.exe
        
        C:\windows\VZSEFMC.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPRPJFS.exe.bat" "
        34⤵
        
        PID:1464
        
        C:\windows\system\MPRPJFS.exe
        
        C:\windows\system\MPRPJFS.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FSQSNCA.exe.bat" "
        36⤵
        
        PID:772
        
        C:\windows\system\FSQSNCA.exe
        
        C:\windows\system\FSQSNCA.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UNNFPD.exe.bat" "
        38⤵
        
        PID:2592
        
        C:\windows\SysWOW64\UNNFPD.exe
        
        C:\windows\system32\UNNFPD.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FLZKKJ.exe.bat" "
        40⤵
        
        PID:1780
        
        C:\windows\SysWOW64\FLZKKJ.exe
        
        C:\windows\system32\FLZKKJ.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XGQO.exe.bat" "
        42⤵
        
        PID:4268
        
        C:\windows\SysWOW64\XGQO.exe
        
        C:\windows\system32\XGQO.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBN.exe.bat" "
        44⤵
        
        PID:1560
        
        C:\windows\SysWOW64\FBN.exe
        
        C:\windows\system32\FBN.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GEXP.exe.bat" "
        46⤵
        
        PID:1176
        
        C:\windows\SysWOW64\GEXP.exe
        
        C:\windows\system32\GEXP.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NZU.exe.bat" "
        48⤵
        
        PID:264
        
        C:\windows\system\NZU.exe
        
        C:\windows\system\NZU.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPO.exe.bat" "
        50⤵
        
        PID:4664
        
        C:\windows\system\RPO.exe
        
        C:\windows\system\RPO.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZX.exe.bat" "
        52⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2592
        
        C:\windows\system\RZX.exe
        
        C:\windows\system\RZX.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YUUXDJU.exe.bat" "
        54⤵
        
        PID:1168
        
        C:\windows\system\YUUXDJU.exe
        
        C:\windows\system\YUUXDJU.exe
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YYMZNUD.exe.bat" "
        56⤵
        
        PID:4052
        
        C:\windows\system\YYMZNUD.exe
        
        C:\windows\system\YYMZNUD.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYO.exe.bat" "
        58⤵
        
        PID:4064
        
        C:\windows\system\HYO.exe
        
        C:\windows\system\HYO.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTA.exe.bat" "
        60⤵
        
        PID:3592
        
        C:\windows\SysWOW64\JTA.exe
        
        C:\windows\system32\JTA.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJNXU.exe.bat" "
        62⤵
        
        PID:1832
        
        C:\windows\SysWOW64\LJNXU.exe
        
        C:\windows\system32\LJNXU.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPLUBFF.exe.bat" "
        64⤵
        
        PID:4232
        
        C:\windows\SysWOW64\HPLUBFF.exe
        
        C:\windows\system32\HPLUBFF.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LFFCE.exe.bat" "
        66⤵
        
        PID:2288
        
        C:\windows\LFFCE.exe
        
        C:\windows\LFFCE.exe
        67⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SAKO.exe.bat" "
        68⤵
        
        PID:1136
        
        C:\windows\SAKO.exe
        
        C:\windows\SAKO.exe
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AGPV.exe.bat" "
        70⤵
        
        PID:876
        
        C:\windows\SysWOW64\AGPV.exe
        
        C:\windows\system32\AGPV.exe
        71⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GGWIIF.exe.bat" "
        72⤵
        
        PID:1852
        
        C:\windows\SysWOW64\GGWIIF.exe
        
        C:\windows\system32\GGWIIF.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TRNH.exe.bat" "
        74⤵
        
        PID:4312
        
        C:\windows\system\TRNH.exe
        
        C:\windows\system\TRNH.exe
        75⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEEISLQ.exe.bat" "
        76⤵
        
        PID:956
        
        C:\windows\AEEISLQ.exe
        
        C:\windows\AEEISLQ.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZJR.exe.bat" "
        78⤵
        
        PID:4652
        
        C:\windows\SysWOW64\UZJR.exe
        
        C:\windows\system32\UZJR.exe
        79⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXJET.exe.bat" "
        80⤵
        
        PID:2304
        
        C:\windows\system\EXJET.exe
        
        C:\windows\system\EXJET.exe
        81⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NXLRXK.exe.bat" "
        82⤵
        
        PID:3120
        
        C:\windows\system\NXLRXK.exe
        
        C:\windows\system\NXLRXK.exe
        83⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OAPMK.exe.bat" "
        84⤵
        
        PID:3416
        
        C:\windows\system\OAPMK.exe
        
        C:\windows\system\OAPMK.exe
        85⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOUWMAH.exe.bat" "
        86⤵
        
        PID:3872
        
        C:\windows\SysWOW64\JOUWMAH.exe
        
        C:\windows\system32\JOUWMAH.exe
        87⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UGP.exe.bat" "
        88⤵
        
        PID:1616
        
        C:\windows\UGP.exe
        
        C:\windows\UGP.exe
        89⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZEAMI.exe.bat" "
        90⤵
        
        PID:4296
        
        C:\windows\SysWOW64\NZEAMI.exe
        
        C:\windows\system32\NZEAMI.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZMN.exe.bat" "
        92⤵
        
        PID:4652
        
        C:\windows\SysWOW64\TZMN.exe
        
        C:\windows\system32\TZMN.exe
        93⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CHOSZ.exe.bat" "
        94⤵
        
        PID:736
        
        C:\windows\CHOSZ.exe
        
        C:\windows\CHOSZ.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EFHVFX.exe.bat" "
        96⤵
        
        PID:2044
        
        C:\windows\SysWOW64\EFHVFX.exe
        
        C:\windows\system32\EFHVFX.exe
        97⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKR.exe.bat" "
        98⤵
        
        PID:1560
        
        C:\windows\SysWOW64\OKR.exe
        
        C:\windows\system32\OKR.exe
        99⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQRYXFN.exe.bat" "
        100⤵
        
        PID:792
        
        C:\windows\SysWOW64\JQRYXFN.exe
        
        C:\windows\system32\JQRYXFN.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGY.exe.bat" "
        102⤵
        
        PID:3404
        
        C:\windows\SysWOW64\NYGY.exe
        
        C:\windows\system32\NYGY.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KZI.exe.bat" "
        104⤵
        
        PID:3808
        
        C:\windows\system\KZI.exe
        
        C:\windows\system\KZI.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GENYU.exe.bat" "
        106⤵
        
        PID:3240
        
        C:\windows\SysWOW64\GENYU.exe
        
        C:\windows\system32\GENYU.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PKYQKI.exe.bat" "
        108⤵
        
        PID:2640
        
        C:\windows\PKYQKI.exe
        
        C:\windows\PKYQKI.exe
        109⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OUOOJC.exe.bat" "
        110⤵
        
        PID:5040
        
        C:\windows\OUOOJC.exe
        
        C:\windows\OUOOJC.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFFEXF.exe.bat" "
        112⤵
        
        PID:1860
        
        C:\windows\SysWOW64\BFFEXF.exe
        
        C:\windows\system32\BFFEXF.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JTJTI.exe.bat" "
        114⤵
        
        PID:3844
        
        C:\windows\system\JTJTI.exe
        
        C:\windows\system\JTJTI.exe
        115⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEUBRSJ.exe.bat" "
        116⤵
        
        PID:264
        
        C:\windows\SysWOW64\IEUBRSJ.exe
        
        C:\windows\system32\IEUBRSJ.exe
        117⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KBAVYAR.exe.bat" "
        118⤵
        
        PID:1396
        
        C:\windows\KBAVYAR.exe
        
        C:\windows\KBAVYAR.exe
        119⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QCHJ.exe.bat" "
        120⤵
        
        PID:4348
        
        C:\windows\QCHJ.exe
        
        C:\windows\QCHJ.exe
        121⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KPMSRU.exe.bat" "
        122⤵
        
        PID:1372
        
        C:\windows\KPMSRU.exe
        
        C:\windows\KPMSRU.exe
        123⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUEHTHK.exe.bat" "
        124⤵
        
        PID:3536
        
        C:\windows\SysWOW64\SUEHTHK.exe
        
        C:\windows\system32\SUEHTHK.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXDDHQM.exe.bat" "
        126⤵
        
        PID:4908
        
        C:\windows\SysWOW64\TXDDHQM.exe
        
        C:\windows\system32\TXDDHQM.exe
        127⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BLHJSPI.exe.bat" "
        128⤵
        
        PID:4268
        
        C:\windows\SysWOW64\BLHJSPI.exe
        
        C:\windows\system32\BLHJSPI.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JQUQDND.exe.bat" "
        130⤵
        
        PID:3300
        
        C:\windows\system\JQUQDND.exe
        
        C:\windows\system\JQUQDND.exe
        131⤵
        Drops file in Windows directory
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EZV.exe.bat" "
        132⤵
        
        PID:1532
        
        C:\windows\EZV.exe
        
        C:\windows\EZV.exe
        133⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHJ.exe.bat" "
        134⤵
        
        PID:3200
        
        C:\windows\system\VHJ.exe
        
        C:\windows\system\VHJ.exe
        135⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AITUAVL.exe.bat" "
        136⤵
        
        PID:4632
        
        C:\windows\SysWOW64\AITUAVL.exe
        
        C:\windows\system32\AITUAVL.exe
        137⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PDCZT.exe.bat" "
        138⤵
        
        PID:1372
        
        C:\windows\PDCZT.exe
        
        C:\windows\PDCZT.exe
        139⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VYORZEC.exe.bat" "
        140⤵
        
        PID:4332
        
        C:\windows\system\VYORZEC.exe
        
        C:\windows\system\VYORZEC.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDTGKC.exe.bat" "
        142⤵
        
        PID:4908
        
        C:\windows\system\DDTGKC.exe
        
        C:\windows\system\DDTGKC.exe
        143⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GMBVR.exe.bat" "
        144⤵
        
        PID:3632
        
        C:\windows\system\GMBVR.exe
        
        C:\windows\system\GMBVR.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUQ.exe.bat" "
        146⤵
        
        PID:3560
        
        C:\windows\YUQ.exe
        
        C:\windows\YUQ.exe
        147⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHH.exe.bat" "
        148⤵
        
        PID:912
        
        C:\windows\system\AHH.exe
        
        C:\windows\system\AHH.exe
        149⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VXI.exe.bat" "
        150⤵
        
        PID:1908
        
        C:\windows\SysWOW64\VXI.exe
        
        C:\windows\system32\VXI.exe
        151⤵
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQX.exe.bat" "
        152⤵
        
        PID:3496
        
        C:\windows\SysWOW64\OQX.exe
        
        C:\windows\system32\OQX.exe
        153⤵
        Drops file in Windows directory
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ULWKK.exe.bat" "
        154⤵
        
        PID:1168
        
        C:\windows\ULWKK.exe
        
        C:\windows\ULWKK.exe
        155⤵
        Checks computer location settings
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJPZ.exe.bat" "
        156⤵
        
        PID:1212
        
        C:\windows\RJPZ.exe
        
        C:\windows\RJPZ.exe
        157⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XEGAFVO.exe.bat" "
        158⤵
        
        PID:3012
        
        C:\windows\SysWOW64\XEGAFVO.exe
        
        C:\windows\system32\XEGAFVO.exe
        159⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UKYPV.exe.bat" "
        160⤵
        
        PID:3776
        
        C:\windows\UKYPV.exe
        
        C:\windows\UKYPV.exe
        161⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JZL.exe.bat" "
        162⤵
        
        PID:3872
        
        C:\windows\JZL.exe
        
        C:\windows\JZL.exe
        163⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RNYNNEU.exe.bat" "
        164⤵
        
        PID:4512
        
        C:\windows\system\RNYNNEU.exe
        
        C:\windows\system\RNYNNEU.exe
        165⤵
        Drops file in Windows directory
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XIP.exe.bat" "
        166⤵
        
        PID:3180
        
        C:\windows\XIP.exe
        
        C:\windows\XIP.exe
        167⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDBSXXL.exe.bat" "
        168⤵
        
        PID:5056
        
        C:\windows\system\YDBSXXL.exe
        
        C:\windows\system\YDBSXXL.exe
        169⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KTU.exe.bat" "
        170⤵
        
        PID:228
        
        C:\windows\system\KTU.exe
        
        C:\windows\system\KTU.exe
        171⤵
        Checks computer location settings
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPTT.exe.bat" "
        172⤵
        
        PID:2180
        
        C:\windows\system\IPTT.exe
        
        C:\windows\system\IPTT.exe
        173⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHBE.exe.bat" "
        174⤵
        
        PID:2888
        
        C:\windows\SysWOW64\BHBE.exe
        
        C:\windows\system32\BHBE.exe
        175⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHPB.exe.bat" "
        176⤵
        
        PID:3632
        
        C:\windows\SysWOW64\SHPB.exe
        
        C:\windows\system32\SHPB.exe
        177⤵
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNP.exe.bat" "
        178⤵
        
        PID:4236
        
        C:\windows\SysWOW64\GNP.exe
        
        C:\windows\system32\GNP.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABUWG.exe.bat" "
        180⤵
        
        PID:4628
        
        C:\windows\SysWOW64\ABUWG.exe
        
        C:\windows\system32\ABUWG.exe
        181⤵
        Checks computer location settings
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VOZGQZ.exe.bat" "
        182⤵
        
        PID:1720
        
        C:\windows\system\VOZGQZ.exe
        
        C:\windows\system\VOZGQZ.exe
        183⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DGHH.exe.bat" "
        184⤵
        
        PID:3496
        
        C:\windows\system\DGHH.exe
        
        C:\windows\system\DGHH.exe
        185⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OZC.exe.bat" "
        186⤵
        
        PID:2084
        
        C:\windows\system\OZC.exe
        
        C:\windows\system\OZC.exe
        187⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZKON.exe.bat" "
        188⤵
        
        PID:4764
        
        C:\windows\UZKON.exe
        
        C:\windows\UZKON.exe
        189⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNPXXMZ.exe.bat" "
        190⤵
        
        PID:5076
        
        C:\windows\system\PNPXXMZ.exe
        
        C:\windows\system\PNPXXMZ.exe
        191⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VIOYC.exe.bat" "
        192⤵
        
        PID:2660
        
        C:\windows\SysWOW64\VIOYC.exe
        
        C:\windows\system32\VIOYC.exe
        193⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GAERL.exe.bat" "
        194⤵
        
        PID:2240
        
        C:\windows\SysWOW64\GAERL.exe
        
        C:\windows\system32\GAERL.exe
        195⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDHMZGG.exe.bat" "
        196⤵
        
        PID:4148
        
        C:\windows\SysWOW64\HDHMZGG.exe
        
        C:\windows\system32\HDHMZGG.exe
        197⤵
        Drops file in Windows directory
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FOKCAU.exe.bat" "
        198⤵
        
        PID:1316
        
        C:\windows\system\FOKCAU.exe
        
        C:\windows\system\FOKCAU.exe
        199⤵
        Checks computer location settings
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ACPMKUR.exe.bat" "
        200⤵
        
        PID:3876
        
        C:\windows\SysWOW64\ACPMKUR.exe
        
        C:\windows\system32\ACPMKUR.exe
        201⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPCSUSN.exe.bat" "
        202⤵
        
        PID:212
        
        C:\windows\SysWOW64\IPCSUSN.exe
        
        C:\windows\system32\IPCSUSN.exe
        203⤵
        Checks computer location settings
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TIJDMTV.exe.bat" "
        204⤵
        
        PID:4408
        
        C:\windows\TIJDMTV.exe
        
        C:\windows\TIJDMTV.exe
        205⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVON.exe.bat" "
        206⤵
        
        PID:1760
        
        C:\windows\system\OVON.exe
        
        C:\windows\system\OVON.exe
        207⤵
        Checks computer location settings
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FDQAA.exe.bat" "
        208⤵
        
        PID:1536
        
        C:\windows\FDQAA.exe
        
        C:\windows\FDQAA.exe
        209⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CJIP.exe.bat" "
        210⤵
        
        PID:1544
        
        C:\windows\CJIP.exe
        
        C:\windows\CJIP.exe
        211⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PGITSXQ.exe.bat" "
        212⤵
        
        PID:4912
        
        C:\windows\PGITSXQ.exe
        
        C:\windows\PGITSXQ.exe
        213⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XMVICWM.exe.bat" "
        214⤵
        
        PID:3332
        
        C:\windows\system\XMVICWM.exe
        
        C:\windows\system\XMVICWM.exe
        215⤵
        Drops file in Windows directory
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GPLVR.exe.bat" "
        216⤵
        
        PID:2984
        
        C:\windows\system\GPLVR.exe
        
        C:\windows\system\GPLVR.exe
        217⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DPNG.exe.bat" "
        218⤵
        
        PID:880
        
        C:\windows\DPNG.exe
        
        C:\windows\DPNG.exe
        219⤵
        Drops file in Windows directory
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JLYZA.exe.bat" "
        220⤵
        
        PID:1720
        
        C:\windows\JLYZA.exe
        
        C:\windows\JLYZA.exe
        221⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGIDTL.exe.bat" "
        222⤵
        
        PID:2956
        
        C:\windows\SysWOW64\YGIDTL.exe
        
        C:\windows\system32\YGIDTL.exe
        223⤵
        Drops file in Windows directory
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YLIS.exe.bat" "
        224⤵
        
        PID:3376
        
        C:\windows\YLIS.exe
        
        C:\windows\YLIS.exe
        225⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IJOMCG.exe.bat" "
        226⤵
        
        PID:2148
        
        C:\windows\system\IJOMCG.exe
        
        C:\windows\system\IJOMCG.exe
        227⤵
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZUM.exe.bat" "
        228⤵
        
        PID:4612
        
        C:\windows\SysWOW64\MZUM.exe
        
        C:\windows\system32\MZUM.exe
        229⤵
        Checks computer location settings
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SZCIYT.exe.bat" "
        230⤵
        
        PID:392
        
        C:\windows\SZCIYT.exe
        
        C:\windows\SZCIYT.exe
        231⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AFOOIR.exe.bat" "
        232⤵
        
        PID:3400
        
        C:\windows\system\AFOOIR.exe
        
        C:\windows\system\AFOOIR.exe
        233⤵
        Checks computer location settings
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQRER.exe.bat" "
        234⤵
        
        PID:1176
        
        C:\windows\system\YQRER.exe
        
        C:\windows\system\YQRER.exe
        235⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGS.exe.bat" "
        236⤵
        
        PID:620
        
        C:\windows\SysWOW64\OGS.exe
        
        C:\windows\system32\OGS.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGIHHT.exe.bat" "
        238⤵
        
        PID:2616
        
        C:\windows\system\ZGIHHT.exe
        
        C:\windows\system\ZGIHHT.exe
        239⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OWJGO.exe.bat" "
        240⤵
        
        PID:1908
        
        C:\windows\SysWOW64\OWJGO.exe
        
        C:\windows\system32\OWJGO.exe
        241⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERSKZCA.exe.bat" "
        242⤵
        
        PID:1764
        
        C:\windows\SysWOW64\ERSKZCA.exe
        
        C:\windows\system32\ERSKZCA.exe
        243⤵
        Drops file in Windows directory
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OPGFOKJ.exe.bat" "
        244⤵
        
        PID:3372
        
        C:\windows\OPGFOKJ.exe
        
        C:\windows\OPGFOKJ.exe
        245⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNLZ.exe.bat" "
        246⤵
        
        PID:3848
        
        C:\windows\system\QNLZ.exe
        
        C:\windows\system\QNLZ.exe
        247⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBKXB.exe.bat" "
        248⤵
        
        PID:4784
        
        C:\windows\system\JBKXB.exe
        
        C:\windows\system\JBKXB.exe
        249⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLTYO.exe.bat" "
        250⤵
        
        PID:3676
        
        C:\windows\SysWOW64\JLTYO.exe
        
        C:\windows\system32\JLTYO.exe
        251⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMDB.exe.bat" "
        252⤵
        
        PID:1960
        
        C:\windows\OMDB.exe
        
        C:\windows\OMDB.exe
        253⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SUJB.exe.bat" "
        254⤵
        
        PID:3524
        
        C:\windows\system\SUJB.exe
        
        C:\windows\system\SUJB.exe
        255⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\URDDLKI.exe.bat" "
        256⤵
        
        PID:1316
        
        C:\windows\URDDLKI.exe
        
        C:\windows\URDDLKI.exe
        257⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SPWYYP.exe.bat" "
        258⤵
        
        PID:4392
        
        C:\windows\SysWOW64\SPWYYP.exe
        
        C:\windows\system32\SPWYYP.exe
        259⤵
        Drops file in Windows directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PIYICTZ.exe.bat" "
        260⤵
        
        PID:2112
        
        C:\windows\PIYICTZ.exe
        
        C:\windows\PIYICTZ.exe
        261⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDJBQHP.exe.bat" "
        262⤵
        
        PID:1540
        
        C:\windows\SysWOW64\VDJBQHP.exe
        
        C:\windows\system32\VDJBQHP.exe
        263⤵
        Drops file in Windows directory
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AETETL.exe.bat" "
        264⤵
        
        PID:1760
        
        C:\windows\AETETL.exe
        
        C:\windows\AETETL.exe
        265⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOIM.exe.bat" "
        266⤵
        
        PID:3508
        
        C:\windows\system\YOIM.exe
        
        C:\windows\system\YOIM.exe
        267⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZRKZOI.exe.bat" "
        268⤵
        
        PID:4364
        
        C:\windows\UZRKZOI.exe
        
        C:\windows\UZRKZOI.exe
        269⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFRZBBD.exe.bat" "
        270⤵
        
        PID:3328
        
        C:\windows\SysWOW64\UFRZBBD.exe
        
        C:\windows\system32\UFRZBBD.exe
        271⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SPUPKH.exe.bat" "
        272⤵
        
        PID:2152
        
        C:\windows\SPUPKH.exe
        
        C:\windows\SPUPKH.exe
        273⤵
        Checks computer location settings
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UNHJRP.exe.bat" "
        274⤵
        
        PID:1176
        
        C:\windows\UNHJRP.exe
        
        C:\windows\UNHJRP.exe
        275⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OOPUAQ.exe.bat" "
        276⤵
        
        PID:3180
        
        C:\windows\OOPUAQ.exe
        
        C:\windows\OOPUAQ.exe
        277⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYZ.exe.bat" "
        278⤵
        
        PID:3948
        
        C:\windows\system\MYZ.exe
        
        C:\windows\system\MYZ.exe
        279⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OWFWYMN.exe.bat" "
        280⤵
        
        PID:5064
        
        C:\windows\system\OWFWYMN.exe
        
        C:\windows\system\OWFWYMN.exe
        281⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YULRGVW.exe.bat" "
        282⤵
        
        PID:1536
        
        C:\windows\YULRGVW.exe
        
        C:\windows\YULRGVW.exe
        283⤵
        Checks computer location settings
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IUN.exe.bat" "
        284⤵
        
        PID:4536
        
        C:\windows\system\IUN.exe
        
        C:\windows\system\IUN.exe
        285⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SSA.exe.bat" "
        286⤵
        
        PID:4788
        
        C:\windows\SSA.exe
        
        C:\windows\SSA.exe
        287⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LLIBIC.exe.bat" "
        288⤵
        
        PID:1612
        
        C:\windows\system\LLIBIC.exe
        
        C:\windows\system\LLIBIC.exe
        289⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVLRR.exe.bat" "
        290⤵
        
        PID:3908
        
        C:\windows\SysWOW64\KVLRR.exe
        
        C:\windows\system32\KVLRR.exe
        291⤵
        Checks computer location settings
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XGB.exe.bat" "
        292⤵
        
        PID:4596
        
        C:\windows\XGB.exe
        
        C:\windows\XGB.exe
        293⤵
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UHDS.exe.bat" "
        294⤵
        
        PID:2984
        
        C:\windows\SysWOW64\UHDS.exe
        
        C:\windows\system32\UHDS.exe
        295⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UKPWOE.exe.bat" "
        296⤵
        
        PID:388
        
        C:\windows\system\UKPWOE.exe
        
        C:\windows\system\UKPWOE.exe
        297⤵
        Drops file in Windows directory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKVTBV.exe.bat" "
        298⤵
        
        PID:4936
        
        C:\windows\system\MKVTBV.exe
        
        C:\windows\system\MKVTBV.exe
        299⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSXY.exe.bat" "
        300⤵
        
        PID:384
        
        C:\windows\system\VSXY.exe
        
        C:\windows\system\VSXY.exe
        301⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGOAY.exe.bat" "
        302⤵
        
        PID:3984
        
        C:\windows\SysWOW64\YGOAY.exe
        
        C:\windows\system32\YGOAY.exe
        303⤵
        Drops file in Windows directory
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJSEDCE.exe.bat" "
        304⤵
        
        PID:2764
        
        C:\windows\system\QJSEDCE.exe
        
        C:\windows\system\QJSEDCE.exe
        305⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YOFKOI.exe.bat" "
        306⤵
        
        PID:4008
        
        C:\windows\SysWOW64\YOFKOI.exe
        
        C:\windows\system32\YOFKOI.exe
        307⤵
        Checks computer location settings
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OEGKV.exe.bat" "
        308⤵
        
        PID:4268
        
        C:\windows\OEGKV.exe
        
        C:\windows\OEGKV.exe
        309⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHWXJ.exe.bat" "
        310⤵
        
        PID:5048
        
        C:\windows\SysWOW64\OHWXJ.exe
        
        C:\windows\system32\OHWXJ.exe
        311⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCV.exe.bat" "
        312⤵
        
        PID:1912
        
        C:\windows\SysWOW64\UCV.exe
        
        C:\windows\system32\UCV.exe
        313⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TSGBBOW.exe.bat" "
        314⤵
        
        PID:116
        
        C:\windows\TSGBBOW.exe
        
        C:\windows\TSGBBOW.exe
        315⤵
        Checks computer location settings
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GYGND.exe.bat" "
        316⤵
        
        PID:1976
        
        C:\windows\GYGND.exe
        
        C:\windows\GYGND.exe
        317⤵
        Drops file in Windows directory
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VTY.exe.bat" "
        318⤵
        
        PID:372
        
        C:\windows\VTY.exe
        
        C:\windows\VTY.exe
        319⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBZODGC.exe.bat" "
        320⤵
        
        PID:3224
        
        C:\windows\system\YBZODGC.exe
        
        C:\windows\system\YBZODGC.exe
        321⤵
        Drops file in Windows directory
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QKNT.exe.bat" "
        322⤵
        
        PID:4332
        
        C:\windows\system\QKNT.exe
        
        C:\windows\system\QKNT.exe
        323⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNYY.exe.bat" "
        324⤵
        
        PID:1760
        
        C:\windows\CNYY.exe
        
        C:\windows\CNYY.exe
        325⤵
        Checks computer location settings
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IIJZEY.exe.bat" "
        326⤵
        
        PID:2884
        
        C:\windows\IIJZEY.exe
        
        C:\windows\IIJZEY.exe
        327⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ODVAKN.exe.bat" "
        328⤵
        
        PID:1436
        
        C:\windows\ODVAKN.exe
        
        C:\windows\ODVAKN.exe
        329⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JODRYY.exe.bat" "
        330⤵
        
        PID:3632
        
        C:\windows\system\JODRYY.exe
        
        C:\windows\system\JODRYY.exe
        331⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGGKH.exe.bat" "
        332⤵
        
        PID:4124
        
        C:\windows\system\UGGKH.exe
        
        C:\windows\system\UGGKH.exe
        333⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PULTRFY.exe.bat" "
        334⤵
        
        PID:2568
        
        C:\windows\system\PULTRFY.exe
        
        C:\windows\system\PULTRFY.exe
        335⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XHQABD.exe.bat" "
        336⤵
        
        PID:1908
        
        C:\windows\XHQABD.exe
        
        C:\windows\XHQABD.exe
        337⤵
        Drops file in Windows directory
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPWIGW.exe.bat" "
        338⤵
        
        PID:3780
        
        C:\windows\system\BPWIGW.exe
        
        C:\windows\system\BPWIGW.exe
        339⤵
        Drops file in Windows directory
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFL.exe.bat" "
        340⤵
        
        PID:1064
        
        C:\windows\system\FFL.exe
        
        C:\windows\system\FFL.exe
        341⤵
        Drops file in Windows directory
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YLKGXQA.exe.bat" "
        342⤵
        
        PID:4016
        
        C:\windows\system\YLKGXQA.exe
        
        C:\windows\system\YLKGXQA.exe
        343⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBRO.exe.bat" "
        344⤵
        
        PID:4568
        
        C:\windows\SysWOW64\CBRO.exe
        
        C:\windows\system32\CBRO.exe
        345⤵
        Drops file in Windows directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KGDUU.exe.bat" "
        346⤵
        
        PID:1716
        
        C:\windows\KGDUU.exe
        
        C:\windows\KGDUU.exe
        347⤵
        Drops file in Windows directory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UEJ.exe.bat" "
        348⤵
        
        PID:4532
        
        C:\windows\system\UEJ.exe
        
        C:\windows\system\UEJ.exe
        349⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AZUIH.exe.bat" "
        350⤵
        
        PID:1196
        
        C:\windows\AZUIH.exe
        
        C:\windows\AZUIH.exe
        351⤵
        Checks computer location settings
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TCYLVTK.exe.bat" "
        352⤵
        
        PID:972
        
        C:\windows\system\TCYLVTK.exe
        
        C:\windows\system\TCYLVTK.exe
        353⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOWEUS.exe.bat" "
        354⤵
        
        PID:1776
        
        C:\windows\SysWOW64\MVOWEUS.exe
        
        C:\windows\system32\MVOWEUS.exe
        355⤵
        Drops file in Windows directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HIS.exe.bat" "
        356⤵
        
        PID:4896
        
        C:\windows\HIS.exe
        
        C:\windows\HIS.exe
        357⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RGYAWC.exe.bat" "
        358⤵
        
        PID:2864
        
        C:\windows\RGYAWC.exe
        
        C:\windows\RGYAWC.exe
        359⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XBXB.exe.bat" "
        360⤵
        
        PID:4872
        
        C:\windows\system\XBXB.exe
        
        C:\windows\system\XBXB.exe
        361⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UHQQQBA.exe.bat" "
        362⤵
        
        PID:2092
        
        C:\windows\UHQQQBA.exe
        
        C:\windows\UHQQQBA.exe
        363⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HFQCSM.exe.bat" "
        364⤵
        
        PID:264
        
        C:\windows\HFQCSM.exe
        
        C:\windows\HFQCSM.exe
        365⤵
        Checks computer location settings
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UPYBHP.exe.bat" "
        366⤵
        
        PID:3592
        
        C:\windows\system\UPYBHP.exe
        
        C:\windows\system\UPYBHP.exe
        367⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XDD.exe.bat" "
        368⤵
        
        PID:2652
        
        C:\windows\system\XDD.exe
        
        C:\windows\system\XDD.exe
        369⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 976
        368⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 960
        366⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 1324
        364⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 988
        362⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1288
        360⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 976
        358⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1008
        356⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1000
        354⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1304
        352⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1292
        350⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1336
        348⤵
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 988
        346⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 960
        344⤵
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 996
        342⤵
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1280
        340⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1312
        338⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1324
        336⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1272
        334⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 960
        332⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 960
        330⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1324
        328⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1252
        326⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1324
        324⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1316
        322⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 960
        320⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1324
        318⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 960
        316⤵
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1324
        314⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1296
        312⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 960
        310⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 964
        308⤵
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1328
        306⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1000
        304⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1320
        302⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 960
        300⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 960
        298⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1332
        296⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 960
        294⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 960
        292⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1328
        290⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 960
        288⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1004
        286⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1336
        284⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 960
        282⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1328
        280⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1336
        278⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1268
        276⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1324
        274⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1292
        272⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1292
        270⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1288
        268⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1336
        266⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 960
        264⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1264
        262⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1324
        260⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1324
        258⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1324
        256⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1344
        254⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1324
        252⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1328
        250⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1312
        248⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1280
        246⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1312
        244⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 988
        242⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 960
        240⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1336
        238⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1260
        236⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1336
        234⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1336
        232⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1260
        230⤵
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 960
        228⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1336
        226⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1288
        224⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 960
        222⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1292
        220⤵
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1012
        218⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 960
        216⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 960
        214⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1292
        212⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1324
        210⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960
        208⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1328
        206⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1320
        204⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1296
        202⤵
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1328
        200⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960
        198⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1008
        196⤵
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1296
        194⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 960
        192⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1304
        190⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1296
        188⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1336
        186⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1336
        184⤵
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 960
        182⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1304
        180⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1296
        178⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 960
        176⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 960
        174⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1304
        172⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 964
        170⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 976
        168⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1324
        166⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 960
        164⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1324
        162⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1324
        160⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960
        158⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1288
        156⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 960
        154⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 960
        152⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 960
        150⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960
        148⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1268
        146⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 960
        144⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1336
        142⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1336
        140⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 976
        138⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1328
        136⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 960
        134⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1292
        132⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1004
        130⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 960
        128⤵
        Program crash
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1008
        126⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1316
        124⤵
        Program crash
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 960
        122⤵
        Program crash
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1324
        120⤵
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1328
        118⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1292
        116⤵
        Program crash
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1328
        114⤵
        Program crash
        
        PID:792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 960
        112⤵
        Program crash
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1324
        110⤵
        Program crash
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1004
        108⤵
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 960
        106⤵
        Program crash
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 960
        104⤵
        Program crash
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 960
        102⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1296
        100⤵
        Program crash
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1300
        98⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1304
        96⤵
        Program crash
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1324
        94⤵
        Program crash
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1324
        92⤵
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 960
        90⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 960
        88⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1328
        86⤵
        Program crash
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 960
        84⤵
        Program crash
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1300
        82⤵
        Program crash
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1324
        80⤵
        Program crash
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1328
        78⤵
        Program crash
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 960
        76⤵
        Program crash
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 960
        74⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 960
        72⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1296
        70⤵
        Program crash
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 960
        68⤵
        Program crash
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1320
        66⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1328
        64⤵
        Program crash
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 960
        62⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1328
        60⤵
        Program crash
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1316
        58⤵
        Program crash
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1324
        56⤵
        Program crash
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1336
        54⤵
        Program crash
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1336
        52⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1308
        50⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1336
        48⤵
        Program crash
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 960
        46⤵
        Program crash
        
        PID:1308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1328
        44⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1328
        42⤵
        Program crash
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1300
        40⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1328
        38⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1304
        36⤵
        Program crash
        
        PID:3784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 960
        34⤵
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1324
        32⤵
        Program crash
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1324
        30⤵
        Program crash
        
        PID:440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 960
        28⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1336
        26⤵
        Program crash
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1328
        24⤵
        Program crash
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1332
        22⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1272
        20⤵
        Program crash
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 976
        18⤵
        Program crash
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 968
        16⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 960
        14⤵
        Program crash
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1328
        12⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1328
        10⤵
        Program crash
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 960
        8⤵
        Program crash
        
        PID:2244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 960
        6⤵
        Program crash
        
        PID:3988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1316
      4⤵
      Program crash
      PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 992
  2⤵
  - Program crash
  PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4412 -ip 4412
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 952 -ip 952
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1360 -ip 1360
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1220 -ip 1220
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4832 -ip 4832
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4296 -ip 4296
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4648 -ip 4648
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3664 -ip 3664
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2140 -ip 2140
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2852 -ip 2852
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2408 -ip 2408
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 548 -ip 548
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1372 -ip 1372
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3900 -ip 3900
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4444 -ip 4444
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4708 -ip 4708
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4320 -ip 4320
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 624 -ip 624
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2880 -ip 2880
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3008 -ip 3008
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3900 -ip 3900
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1124 -ip 1124
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4012 -ip 4012
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3720 -ip 3720
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3036 -ip 3036
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 624 -ip 624
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3676 -ip 3676
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4564 -ip 4564
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4784 -ip 4784
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1804 -ip 1804
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3360 -ip 3360
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2092 -ip 2092
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4948 -ip 4948
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2148 -ip 2148
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4808 -ip 4808
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4516 -ip 4516
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4016 -ip 4016
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3316 -ip 3316
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4896 -ip 4896
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2092 -ip 2092
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2608 -ip 2608
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4052 -ip 4052
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2244 -ip 2244
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1464 -ip 1464
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4320 -ip 4320
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3244 -ip 3244
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4896 -ip 4896
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2680 -ip 2680
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3332 -ip 3332
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3900 -ip 3900
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1772 -ip 1772
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5024 -ip 5024
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2232 -ip 2232
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 228 -ip 228
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1784 -ip 1784
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5048 -ip 5048
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4700 -ip 4700
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 464 -ip 464
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3380 -ip 3380
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 536 -ip 536
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1540 -ip 1540
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4788 -ip 4788
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3716 -ip 3716
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3908 -ip 3908
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4884 -ip 4884
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5064 -ip 5064
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 220 -ip 220
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3488 -ip 3488
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 536 -ip 536
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1392 -ip 1392
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4788 -ip 4788
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3036 -ip 3036
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1096 -ip 1096
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3752 -ip 3752
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 216 -ip 216
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3316 -ip 3316
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2136 -ip 2136
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 736 -ip 736
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3692 -ip 3692
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3416 -ip 3416
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2796 -ip 2796
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3688 -ip 3688
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3104 -ip 3104
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 708 -ip 708
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4592 -ip 4592
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3676 -ip 3676
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4920 -ip 4920
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3900 -ip 3900
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1316 -ip 1316
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1464 -ip 1464
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2112 -ip 2112
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2548 -ip 2548
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4056 -ip 4056
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 736 -ip 736
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4052 -ip 4052
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4060 -ip 4060
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3228 -ip 3228
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3472 -ip 3472
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1064 -ip 1064
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4364 -ip 4364
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3400 -ip 3400
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4012 -ip 4012
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1132 -ip 1132
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1396 -ip 1396
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5064 -ip 5064
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1764 -ip 1764
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3372 -ip 3372
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3624 -ip 3624
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3120 -ip 3120
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 940 -ip 940
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1268 -ip 1268
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3332 -ip 3332
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4780 -ip 4780
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 880 -ip 880
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1720 -ip 1720
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1748 -ip 1748
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4860 -ip 4860
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4064 -ip 4064
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4768 -ip 4768
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1204 -ip 1204
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2296 -ip 2296
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3116 -ip 3116
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4492 -ip 4492
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4480 -ip 4480
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1764 -ip 1764
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 468 -ip 468
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4052 -ip 4052
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2244 -ip 2244
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2372 -ip 2372
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1832 -ip 1832
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1356 -ip 1356
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3768 -ip 3768
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4348 -ip 4348
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2732 -ip 2732
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2856 -ip 2856
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 876 -ip 876
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5052 -ip 5052
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4068 -ip 4068
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3520 -ip 3520
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2920 -ip 2920
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4208 -ip 4208
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3116 -ip 3116
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 372 -ip 372
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2640 -ip 2640
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1156 -ip 1156
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5112 -ip 5112
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 440 -ip 440
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3264 -ip 3264
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1680 -ip 1680
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4652 -ip 4652
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1356 -ip 1356
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3768 -ip 3768
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4348 -ip 4348
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1536 -ip 1536
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3984 -ip 3984
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2260 -ip 2260
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4236 -ip 4236
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3900 -ip 3900
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1196 -ip 1196
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5108 -ip 5108
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3156 -ip 3156
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 880 -ip 880
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4416 -ip 4416
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2440 -ip 2440
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2888 -ip 2888
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 760 -ip 760
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3404 -ip 3404
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5000 -ip 5000
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1836 -ip 1836
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4664 -ip 4664
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 548 -ip 548
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4616 -ip 4616
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4280 -ip 4280
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 228 -ip 228
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2196 -ip 2196
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2932 -ip 2932
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 440 -ip 440
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2504 -ip 2504
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FUZ.exe

Filesize
208KB

MD5
34b26260c67a7c4ed105121a2e065a2a

SHA1
f8b7bf19ca945bdf7e5ba21d408cc6f8ec7d5130

SHA256
c75e783480c2e914a3ff5c5d414489aa722bcf990924a62428cb3d533725c2bb

SHA512
faec27e4ff79bd38f712aa72ee0cd438941948b56ed5a1e98822b191031e074dfbd444fe08e5aa1420c778f2de98485573d7198dd06876797c0801672d5d987a

Download Submit
C:\Windows\REYY.exe

Filesize
208KB

MD5
18c12a55726703c26b4cd0ae07b4f157

SHA1
1a27b1cb23f6f23d9f126ecedc6c318f68dfb9ae

SHA256
bce0475b0b10f9319d7d12cb75ec883357203f8d3e5e4364d3283963264ab5f6

SHA512
6b53b558d1b5a1a7c9cd97f2b10300221f9e037cd4958c19ea647f23f6dbabe740d7b2845cb1edb22319eba986e86f80f90363efeab0bad419b02dd66e436579

Download Submit
C:\Windows\SysWOW64\AXUNCO.exe

Filesize
208KB

MD5
939dce001188c2f21194e7ab05c19b24

SHA1
6d66da601a03acccc946ce1e898313bf8bcb6a45

SHA256
e9d433f74ff2a7b9ba70932ba5e416562893871e123db3880024171b090e820e

SHA512
6495478b9cab454b79bc81da4fa8af9abd242e763388fd1517ff301b3a23791e1bacb56a88c82a9710105427843fbfa547cadcba2462335d87c7b20fb9c7a164

Download Submit
C:\Windows\SysWOW64\FLZKKJ.exe

Filesize
208KB

MD5
18d3609e400108561d9fb7bf28044afa

SHA1
e3c7b15fe0350faf5b9a2c5132e56b984a02ac69

SHA256
2aebcbcfc801a648ac7813457db79676712b37da3535acbc02f973689633a45d

SHA512
a5e63c14502b5f784528fc95498fee13076a7f9ed8424aa8573efb3937ea96c651a2bf18fadeca24545226432f79e37b2b44783ff22c37bfdc6d0080a81a0eca

Download Submit
C:\Windows\SysWOW64\SNMMWK.exe

Filesize
208KB

MD5
0576e65281f357f7522c287b0fe9a11b

SHA1
ea5a4271579589d708a366a8217071f23108fb1a

SHA256
a1cadb6efac05dbf8f0702c7d67613a68033e5933d0452cfbfe20a63d4bf59c8

SHA512
978a20f691014f89348a430a6f3eb1b6812e5ffe34f34e349724a3a3c863c9227f034103db5359d1fcc81bf34cafde083ebd51f7681056ba4dfe7346157b9561

Download Submit
C:\Windows\SysWOW64\VHWTZGR.exe

Filesize
208KB

MD5
96b9723079adf24a4dfb67689925d348

SHA1
66dba489779981c1a5defd1c9a2a472101437aed

SHA256
eb848dadb6ea5162da758b4c4a834d779842611a23c93cd515b8c4dbb07c77dd

SHA512
f6b0baac4f1bd53a603c85573f5803d79811f6f97ab71f6a9d3cf3025e0b348a4147688a30bbacc6484d53150e49096da04d7e2b5259b93ef0700f1dbf4bb603

Download Submit
C:\Windows\System\FSQSNCA.exe

Filesize
208KB

MD5
41a539ee001ed8d9ab8979697d4bdfc8

SHA1
6b4e0a949edfcd8ad6a22adef6611847faa36499

SHA256
34426a80e31f44c3969b6022e1a010926f5a5d17bd870b671334eefad7a8a5db

SHA512
4105d76b2aab6925f5eca180e3a0476f254ac4206f5dd5c670f8d8d5379d92549927ad0ab65e1a3eb7eb754cdd4c5776e0dd2fd93b3294e824cb83150b230db1

Download Submit
C:\Windows\System\VMG.exe

Filesize
208KB

MD5
0ad598609fbdb69b3c29f4d939e02469

SHA1
84d9b582f69f9840afae2422d27945552c689293

SHA256
3a10719bd806f1c12b62915b69a1b6cab99af7308801cca4c1d6316e4664246d

SHA512
279fd93fb6747ab0f58a38b2ba3d0d45507babf8905fcbfa0798dcb093e4d38f5488ccb83f3ee4f41fb24715986712ce2303b67c71c3242c94f4491268613f9c

Download Submit
C:\Windows\System\WKN.exe

Filesize
208KB

MD5
f6d04d817fcf64414751810581981199

SHA1
f129db7ee44bd652baa35f90cc40d2381cd9e074

SHA256
b5f0b2d08d6b4b50e6647ed49337fc8b8413f09e47d6b4aede56340ab7a14468

SHA512
fdd5d04250198b272b2ee0c8e9fa19d10f7ad237f450e26de117d81a2e4428f34d301b08456ef41aaac95d7d4681a813881dc40966079d42394ec37460b19be8

Download Submit
C:\Windows\System\XBB.exe

Filesize
208KB

MD5
423c5a4c65cd98aa26178ad41dae5598

SHA1
330192e515b59d7d1336be1bf51d2731538ef481

SHA256
c3645a3eeafc384c5b19e861a25cd6637964d3729106fd16ebb53bdf912526be

SHA512
1bcea8edb6c4f1b8b9880d6378b3eb6e6044cf8e96d93f846c9b76e95993350a585ccff324585be9f3b249c51ec20fcc7f83c2aa643a17e84ceac8770126b1a2

Download Submit
C:\Windows\System\YGA.exe

Filesize
208KB

MD5
daaacd55616a8dc8210907d5fba50af4

SHA1
e431ba381f8b4e182f0adf83ec76555334372b83

SHA256
08ede4865e326c095d54adf1058a8a95d2983c1977759c75d9264b67a372ce38

SHA512
bdf4450e2bb697fba5dca80833d6354acb55c9a401f6995a709cfcb1e7367640a8fb81d7c4c6ddefe00620fd71cf3e0ade110567d468a7e99927f55965099472

Download Submit
C:\Windows\ZRYW.exe

Filesize
208KB

MD5
1270dd7a2a52c8401830b8a2139226c6

SHA1
68cd16f0a93bd55f5f51ef7e717834c5243e9c63

SHA256
242c5e4078143533f122bef1a83ac63da9ec702df1a7ddd6ae82cc6e8b65ef3e

SHA512
eb5d959fc1c9b49ebfff96ea762a6614fb8487b9291e7028688881759d6b92646f77d412511f14b3ff19b277789abd0632392e93e14ef0c09455a1e43605fb96

Download Submit
C:\windows\FUZ.exe.bat

Filesize
52B

MD5
87f532a0b61ac41da0a4ec90729be0e2

SHA1
bf5e08caf4ccc23969f30a070df2a94042808091

SHA256
e1adc9af480545b79a5bb117d39cbb05eaabd17f9bc6cafaf88dcd7a4812bdb6

SHA512
d6befca40f8ebbbc8bbb680786f2ac8c42f95d05c8900d47fda9f3fe9829fd6908b29b04e9e8b1d8363c4b9cb7524a0f48f6628d61a5c05f9681c80c6e329c84

Download Submit
C:\windows\REYY.exe.bat

Filesize
54B

MD5
f4f2858fc666c3de58b000cfc13fbefc

SHA1
05e8c75ae669222fa05a5b1a66633e593d564099

SHA256
9f4dfc1b1ab0cde89d592179742582d198a1e898dad0bda256833c218cc4c572

SHA512
1356a33e86b9744b864875eb8416e63e0f9bbae344ff48f7bbb384666dcf231b22e2554e37516c51ce3b31a67e68908283cde690e5ca87e443cbc4c73c578996

Download Submit
C:\windows\SysWOW64\AXUNCO.exe.bat

Filesize
76B

MD5
3015fd3edf462b4d180054e51aa90f71

SHA1
89a38e9af4b8fd07ace0521a70f767fec433e716

SHA256
31a3039347c52f6dce9e4357185d13f73cc720cac165c7dcda4683fac42db5c0

SHA512
be211d2677453b89348fc9325747fe85145a1bfac0b9e65006fc9ff6d7f65288e2d958276c4588e7966685e92d3af33d5efc144ece1db4a410ca02e3ae35e766

Download Submit
C:\windows\SysWOW64\FBN.exe.bat

Filesize
70B

MD5
37abb6d8368a6e8e40e8380c3df4afe0

SHA1
86cb5b6fb87f30759f5e850624ea6b490c059471

SHA256
60787317703df6c93547f39a69c97ab61be9047b4a20c181fb53a78863d473e1

SHA512
63602f3deb0fec4af0fca1ed983af018ae7d1886e36f460ca3b8bd1fde065819b18736d656ccdf2f53133be93d6e6e4b21af39090b9533f682a25300df8d03c1

Download Submit
C:\windows\SysWOW64\FLZKKJ.exe.bat

Filesize
76B

MD5
4960789a92ace15073f7ceebf5705b90

SHA1
71c9cf0e6fa0f42eb92399f28a9617d2df061d9b

SHA256
ce41c00b70e038ec78af2ddc1b15a3a5db8eb729e85c57cc628184247b3404fc

SHA512
ae1971531829b45a129b9b0a6ecf01bc2d3c39545b1c540ec579c8d9819cce7294f7ac7ea34ebc2f4bdd267d54b73b2fcf0ccd3e6c956af5e463576946181744

Download Submit
C:\windows\SysWOW64\LAAGV.exe.bat

Filesize
74B

MD5
ab5d8eb0ab7de9c254ed56ff4f77188f

SHA1
a868f0d32d674d03ec3876924b37bf4a1b9a6719

SHA256
1b80f8a256248b56171c50d54403eb842cc05b66836b2c6256699c4babc8dc8e

SHA512
ac90012751a521df834faf64daf6c7b9c0be6ce45ffc75fc3d2d0a5f346b2e75631e37b0da6014bd80ed0c2d91d309c757195f69b749ba443f47cdb0112b2d4c

Download Submit
C:\windows\SysWOW64\LQXGKVP.exe.bat

Filesize
78B

MD5
ba5604c87298a2676e9846efc3491374

SHA1
0aa26a645951741d49ad7c5ff7b3914576df2030

SHA256
1fc6c6d318cdeaf8d851dee4ce4d99d1ed7960be4ce58866afefbfa91af354c4

SHA512
d6125e922dfd62130286882699c80932cec9827cea1b93220e8c5ea3aa0dd51ae4baa747ceaf45a8f16fcc7f6ba3bb84f229eac5151fe7ba26b53f7d88387771

Download Submit
C:\windows\SysWOW64\SNMMWK.exe.bat

Filesize
76B

MD5
323a359e4871d114a4915b71128228af

SHA1
0e04a49f8cccb38251ed43fd794174027198aa78

SHA256
e7e60fdf71f5c6931ae74b8064525a5707d1b14679fbe4f791586e48d77a1392

SHA512
5abea852f53d84d7a1c2e1c20ba8f4d46a2a95854e8cea8f0263293249d57e04c9e1889493805c14c134985726b85280bb495bbea219838e02b57784279e1fba

Download Submit
C:\windows\SysWOW64\UNNFPD.exe.bat

Filesize
76B

MD5
3326402731ccd8611a83b0bb31962514

SHA1
8e0170ccd26f8e66bf51095b1f89361a6fe50f9e

SHA256
697980398e2673e539bdeaf0369f746e3b58a980c4d3248c559be7984e1f34a6

SHA512
238e915244c3c80f9e8dbbd8ccfe1f4135a35d338941c5a8c15ae1176ad169a8a394f0dd60c12d38b4d011fbea0801bdae8ac226db5ff89d116e7f4de1c827e8

Download Submit
C:\windows\SysWOW64\VHWTZGR.exe.bat

Filesize
78B

MD5
4c81ad6efedb25a0ddc82aa902afd2bf

SHA1
339d42da20fe2c7641994b0fd4e6e00fec2fafad

SHA256
f3be29a6d2176beef5e1324659a1128a6148ccdbd504823c57ead38d1be87e4c

SHA512
98102843de310c8fe9190026212a1a6f4071825db793f4384e74c28e1aaf062b21a822e54470be6c1a099d19336c8a7e8fabdc2d5dbf1f37434d68f103a3e3e1

Download Submit
C:\windows\SysWOW64\XGQO.exe

Filesize
208KB

MD5
024c23b94ae4b8cc9298bcda04c46f15

SHA1
e4dd263a7f3098e63f39e6121c8b76bcc9e2fbfa

SHA256
1b232229f03a3d1b4cd3f90afb2db7d97207086d9bc63d0e86658d5061f8ba84

SHA512
498f37b3918799bb93d81076d0bbf1c2875eeb7ac8827cd44308f6e2d38a274050eabf346fa9fa11b9d170e753ae8e1bf56f97f9ca153c2c0baa849865a71f47

Download Submit
C:\windows\SysWOW64\XGQO.exe.bat

Filesize
72B

MD5
ab8269938f2a705ac3fe27b6c46de50e

SHA1
3be9f3c71e8f3dca226f8df54d1b4a0789a0af03

SHA256
bf412945555f5df32e8aecab71a7b3dcd69d378cec350d0799b619d93b30995d

SHA512
c05c117eb9a2dc25e213132b667753f16f390a9a8eecfb31b6c46e1802ea0f6db627bbe0bb41227596a1892481845247e548f3c32eaa4261112f838c3fa93d53

Download Submit
C:\windows\VZSEFMC.exe

Filesize
208KB

MD5
ba59d279e982cf89eee26fd231bef9dc

SHA1
bb66d1f97f841a487b429c260abc21a56e706f7d

SHA256
289ebf9096aeb551b1f5f9ed5ded86d683a3a08b7ba3a39d5b01fecb2156d2d5

SHA512
53b57af842ef31aac628747c4ca130f972fa34be52efb732e44d423292f97522e713aaad237bcb4e99ff84ee45cf4ff76cef8a5c9ac1d5ca4def323b144cf320

Download Submit
C:\windows\VZSEFMC.exe.bat

Filesize
60B

MD5
1daac31897c54c70b969e4444f88781f

SHA1
4e781db49acf655aa73c5aef2ebaaec22aca4aec

SHA256
f3d8bb5ab061df3ad1bea8f507147d40fd9c602da20abdc43fdc0c92be453596

SHA512
e37dbce3eac5bda0e788579baebcc7b935f599b021d358e040bd69dcb45b93e89acfd187d2fa21d21db04bed79b9a4d1de178ae1c9f9150f2af82159bbf72dcb

Download Submit
C:\windows\ZRYW.exe.bat

Filesize
54B

MD5
a38d11db7395dadca633eb04a26f8b43

SHA1
d8e5680e254aaf6c28ac5ac9b8c5d9971dcb9b75

SHA256
4755ef2c7f8227bd46a5cda6bae02350b92729d8f7acf583f2a0b52aa86f364b

SHA512
d1f0a32578c600b8404259d4c9cd3fb39b01cee3de940406abced30eb4beb727704b920b4b7865316dce9b8eade72edc8fdf9ad06d4449cd1ee0e97cad1d8fe8

Download Submit
C:\windows\system\AKUISF.exe

Filesize
208KB

MD5
8dcf8eebde7248044370a8a8d9ad9d41

SHA1
d1c5517059c90d9dc3d7ca66b6b7f42dd28218f9

SHA256
c3af847c99839818239bd69eeb50ffa978802319bc44d12ce31ef00fb63bfea9

SHA512
f088e94daca93fc41fdcba633daa4f62d8ad8a89d86fd7ea306850d51cc6ee7271402098263330e3a8eee798e7b5016c98b4b67b874e4ac3768d3774201e0ce3

Download Submit
C:\windows\system\AKUISF.exe.bat

Filesize
72B

MD5
9ac95ca71f77bdd0ce8f078f7f598a82

SHA1
7a4a94f8779e75a308d5ca0ba205861266cb454e

SHA256
76c157826dbe60d6824bb0f976a3c38e19e2378c138a1207672ce56f24795a39

SHA512
ef3fc171a75e1a77fcd5e9d12e9fd3ddd515d2f89422ab0032c130b3ac9e5b6e79fe5aab3e4f3c514968122a8fe982586e4a84d8793857ab6ccbb6b04177e285

Download Submit
C:\windows\system\FSQSNCA.exe.bat

Filesize
74B

MD5
6993e2023c4478f80013664fe0ddcc13

SHA1
5a88f31abf029bb52ab04102ff2d2d47abfabe96

SHA256
8eacce7de06c29cfb51655888040043d3bd40f4636273d7c8ab05066a1d13410

SHA512
2f5976f68e3c3b7df3e426476ddc2a6df4ca750bfd37ab0b7705825b3bc1aec0e427a3ed53a23826fa411865c68912618981b92b586e29252c9c88ea51a011b6

Download Submit
C:\windows\system\LPL.exe.bat

Filesize
66B

MD5
1b3e155d1374db50fd612b4351b77304

SHA1
5db8c5a983dc7de25edb116c0ccb5b54f980fa9e

SHA256
541e5779a3f45cae80cf84719687b3e39e79fa72a6e9af8ceeeac161e483960d

SHA512
f6a0509a6682e5cb1b48554f25ef5fa09bb6c1c17db608ca5e5ccf1052cd2e17d5d7d4707938faae28cd2d36a8d53946591b5a08861df4a398de839c7d13be28

Download Submit
C:\windows\system\MPRPJFS.exe.bat

Filesize
74B

MD5
6c48c965bf2f5f3a65d9c386d2fc31b2

SHA1
c19b027c7cd3c1a2fc0d863972d0aaff6691be5b

SHA256
04ccc82567a7807429488cb0f55d562d5307b5d1e68e26a74923ebe461206497

SHA512
c8430664507534134a3e81deb362a3ec4624cbefcc3650a1edf230fbccbb480faf4c51f47b86146551832dd94af8da5d3fb972733beab7b0419ceb60a2cac28c

Download Submit
C:\windows\system\NTZNVRR.exe

Filesize
208KB

MD5
a75865d6dd698fd37fc6a50186115e8f

SHA1
e8f9174e227f416630ca1a9fb9117e3745d93949

SHA256
b41ce2f58c87cc7c68022b6cf71b2b845d107ac0da6ccfff0115020cd36fd0e4

SHA512
8f4d6e79e87b2a076fc6a81d7c206ffb51dc0d479ca698cd772d9e4189db7d2de8a33d82dc20b6a259682fc71b5c1ad900c2d4507cbd980da91d572291612200

Download Submit
C:\windows\system\NTZNVRR.exe.bat

Filesize
74B

MD5
9782e72f9160a12e484ac1dd8aa391b8

SHA1
505b3f016e75dc7f970e989298d9d2eedc5c6a1e

SHA256
76990aa8022ad49f636de91191a07e46649485a3496faafa35a3d2e2ef3eef04

SHA512
8a7604c9ed3244d075062545ebc1e10e27addd009c4dba5c0606d94d5741be1524624665600fdf6f9b79ddec2dd032197f9788194f2ce6defd827ea703f0e93c

Download Submit
C:\windows\system\VMG.exe.bat

Filesize
66B

MD5
b99416876ccf5cea243d0595dabfe07f

SHA1
6ba94fb815738b895ce7dbb156226de3fc5b26be

SHA256
9a3543cbc76e84bdd069d5eb14fabeee95ef5877530b9bd9e8b466b53f248849

SHA512
62dace4536b6ccac7a60aa40ba85f2131326378a16f42d95bb928e082755e31be79f41f6e417ac9efdb00d270d8179f82dacbe5ef64b97c97831328f2eca870b

Download Submit
C:\windows\system\WKN.exe.bat

Filesize
66B

MD5
fb3dbd3e4452dd30e344366ac7626b06

SHA1
bf24d47727f044458fee3ee2c3a5f7f304b5990e

SHA256
0bf4ebf84073f4612849abdec8d35e75e27b1e1c9c9dd393afeea5e8cbce2a49

SHA512
35d7c88e594a2dd4329ae2fed991ba3523247ea55ff4ceed6c47152814d43733d7d07600950ab750e528ff58389baa7fede810f64de0080858ad8e806219fcf0

Download Submit
C:\windows\system\XBB.exe.bat

Filesize
66B

MD5
1b71d68eae7cc472821b1029cf14f083

SHA1
2dbb0be0f7f609e00f2670509b4659c53cd7b69c

SHA256
b17c5560048427b926a69314f43e2ce617b60c6b0a2b3c2488f5bbe3a1fc20ae

SHA512
6870b1e78037c68a545f9f592a7993fe8c5542a0113c2d8992b2b4d0c417aaf7c02266fa691d80ebe831dcb3cf654dba9f2fff372c81875453a76330632b159f

Download Submit
C:\windows\system\YGA.exe.bat

Filesize
66B

MD5
b5439b7fb0aa88106fe172a819866a82

SHA1
70342e042e8314ad505acc60a5198b29b86c2714

SHA256
673089b13fc6bc57a7b751627b1e0abe007da9ecea92cffe92fbbc75b21e68e1

SHA512
2e2533d0c2f2b474192d987a5c36255ad57b216ec364debf02c2147ccc634d1528b09df475c36f75e9e3748f21b410839bd509be8abc34d15bcfb4e5c9bfb40b

Download Submit
memory/548-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/548-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1220-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1220-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1372-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1372-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1804-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1804-338-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2092-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2140-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2140-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2880-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2880-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3036-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3036-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3664-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3664-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3676-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3676-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3720-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3720-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4012-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4012-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4296-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4296-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4412-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4648-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4784-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4784-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4948-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download