21579b6c8c0f5588ab7c20813f1fb0ba52e9a1647733456a39529327c45af8ed

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
Size

208KB
MD5

01c07d09ff212f857e96c20e57e4b4fc
SHA1

641f73b9004808f62c308c634993ed4137cee914
SHA256

21579b6c8c0f5588ab7c20813f1fb0ba52e9a1647733456a39529327c45af8ed
SHA512

8ddc52aa7fc4e31f335ae03d7caca969961efe66cd4253eb02ba495e737d0b59854ba8db123bc3b316cde8f00b3de185120a22d259d3484f3e100a4ea67066d1
SSDEEP

6144:arYTgEMnRNL+I3YHBC/vMYRbbdfHKpkEj1:OBrI6U8IpkC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DVEZPN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LXFBJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LHLZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RPLAQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ICVHP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BNAIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UWQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ORHXD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HRKODK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BZMX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RVTWXUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SZXSYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SYZLKA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PMIPKOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ILL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QACTN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KYGNRJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZPDLR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XVHF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	FGEAZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QKIS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MLDHOYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OWFWYMN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	NCKMOHW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WOOTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BCGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RILXZP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VRJGAQE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EPYHZUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DLSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZAOFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LDK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QXYUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SEPGAHO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IOLCBK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	STN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PYYFTCI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EQCESH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OPR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZZVZYT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XZPZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QONCWG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ARZHJD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SRKHU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BVIEW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MPRPJFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	AIJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	GCXAB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HTW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	YVXZNTZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZAJXL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RKYMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ONSJPUA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OUQXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XNUEKV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RWAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PJIWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QJVGE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZKXX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KAEQXHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
3792	FGEAZ.exe
1840	VBO.exe
2948	XZPZ.exe
5032	CZXN.exe
3972	XNUEKV.exe
1580	BVIEW.exe
4548	SOZCW.exe
4032	QDKX.exe
4272	QJKLS.exe
2612	FETQDNA.exe
4280	EPS.exe
840	ZKXX.exe
5052	KIADZ.exe
3512	VADVIV.exe
2516	ZIKV.exe
1900	KBNOC.exe
4996	CJPTGA.exe
3772	NCKMOHW.exe
3360	RKYMS.exe
528	WVUT.exe
5000	TAAQM.exe
1304	PYYFTCI.exe
972	PQHGHPX.exe
3252	RDLQ.exe
4340	LBNSQ.exe
4932	DCHXTJ.exe
4884	MPRPJFS.exe
4356	ONSJPUA.exe
1360	KSYG.exe
4048	FGDPHE.exe
1636	ATA.exe
2352	UGEQ.exe
2868	XCJADD.exe
5056	RPO.exe
2032	RZX.exe
5072	SCBGH.exe
4996	DVEZPN.exe
912	OOZ.exe
4076	HRKODK.exe
3876	WMUSOFC.exe
4472	RZZJ.exe
1312	VHTRB.exe
1168	ZXZROWA.exe
2284	DFUZR.exe
1072	IQYFWMY.exe
4704	QBYHKQN.exe
376	BTB.exe
1840	PZH.exe
4988	SMMY.exe
3128	NZRILH.exe
3844	HVW.exe
1524	SNRK.exe
4544	SYZLKA.exe
2440	EQCESH.exe
4352	JRK.exe
3416	BZMX.exe
4600	RPLAQB.exe
1884	OUQXF.exe
1148	AIJ.exe
4848	VVOXJ.exe
4460	QISHTQU.exe
2568	XBTI.exe
1968	ZRU.exe
2248	LJPV.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\YQYBVG.exe.bat	DCTS.exe
File created	C:\windows\SysWOW64\BVIEW.exe.bat	XNUEKV.exe
File created	C:\windows\SysWOW64\LJPV.exe.bat	ZRU.exe
File opened for modification	C:\windows\SysWOW64\NGDBEL.exe	BNAIW.exe
File created	C:\windows\SysWOW64\FGEAZ.exe.bat	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\NZRILH.exe	SMMY.exe
File opened for modification	C:\windows\SysWOW64\KKAE.exe	UZCO.exe
File opened for modification	C:\windows\SysWOW64\PMIPKOO.exe	RWJ.exe
File created	C:\windows\SysWOW64\TAAQM.exe.bat	WVUT.exe
File created	C:\windows\SysWOW64\IAMX.exe	KKFU.exe
File created	C:\windows\SysWOW64\KKAE.exe.bat	UZCO.exe
File created	C:\windows\SysWOW64\IOLCBK.exe.bat	NBGS.exe
File opened for modification	C:\windows\SysWOW64\EDGD.exe	JIBMEOL.exe
File created	C:\windows\SysWOW64\AJQWU.exe.bat	LDK.exe
File created	C:\windows\SysWOW64\XIWBX.exe.bat	MPTI.exe
File created	C:\windows\SysWOW64\NCKMOHW.exe	CJPTGA.exe
File created	C:\windows\SysWOW64\HRKODK.exe.bat	OOZ.exe
File created	C:\windows\SysWOW64\QBYHKQN.exe.bat	IQYFWMY.exe
File created	C:\windows\SysWOW64\QISHTQU.exe.bat	VVOXJ.exe
File opened for modification	C:\windows\SysWOW64\FOIA.exe	KAEQXHG.exe
File opened for modification	C:\windows\SysWOW64\CZXN.exe	XZPZ.exe
File created	C:\windows\SysWOW64\BVIEW.exe	XNUEKV.exe
File created	C:\windows\SysWOW64\ZXZROWA.exe	VHTRB.exe
File created	C:\windows\SysWOW64\OYABT.exe	TDV.exe
File opened for modification	C:\windows\SysWOW64\RTAAQNR.exe	PVHGSY.exe
File created	C:\windows\SysWOW64\SUQL.exe	IMO.exe
File created	C:\windows\SysWOW64\JENCAD.exe.bat	HBD.exe
File opened for modification	C:\windows\SysWOW64\IOLCBK.exe	NBGS.exe
File created	C:\windows\SysWOW64\BTB.exe	QBYHKQN.exe
File opened for modification	C:\windows\SysWOW64\BTB.exe	QBYHKQN.exe
File opened for modification	C:\windows\SysWOW64\OYABT.exe	TDV.exe
File created	C:\windows\SysWOW64\BCGY.exe	TWG.exe
File opened for modification	C:\windows\SysWOW64\UWQ.exe	RILXZP.exe
File created	C:\windows\SysWOW64\CBRO.exe	MLSD.exe
File created	C:\windows\SysWOW64\ZIKV.exe.bat	VADVIV.exe
File created	C:\windows\SysWOW64\XBTI.exe	QISHTQU.exe
File opened for modification	C:\windows\SysWOW64\XBTI.exe	QISHTQU.exe
File created	C:\windows\SysWOW64\NBGS.exe.bat	RWAD.exe
File created	C:\windows\SysWOW64\NYGXXW.exe.bat	RTAAQNR.exe
File created	C:\windows\SysWOW64\SUQL.exe.bat	IMO.exe
File opened for modification	C:\windows\SysWOW64\NCKMOHW.exe	CJPTGA.exe
File opened for modification	C:\windows\SysWOW64\QBYHKQN.exe	IQYFWMY.exe
File created	C:\windows\SysWOW64\EQCESH.exe.bat	SYZLKA.exe
File opened for modification	C:\windows\SysWOW64\YQYBVG.exe	DCTS.exe
File created	C:\windows\SysWOW64\PMIPKOO.exe	RWJ.exe
File opened for modification	C:\windows\SysWOW64\WHOYERB.exe	OWFWYMN.exe
File opened for modification	C:\windows\SysWOW64\PKFBJVK.exe	WHOYERB.exe
File created	C:\windows\SysWOW64\HDL.exe	LXFBJU.exe
File created	C:\windows\SysWOW64\UWQ.exe	RILXZP.exe
File created	C:\windows\SysWOW64\SRKHU.exe.bat	EMEK.exe
File opened for modification	C:\windows\SysWOW64\JENCAD.exe	HBD.exe
File opened for modification	C:\windows\SysWOW64\NBGS.exe	RWAD.exe
File created	C:\windows\SysWOW64\BSAOOR.exe	PAXVG.exe
File created	C:\windows\SysWOW64\QCOS.exe	OPR.exe
File created	C:\windows\SysWOW64\UXT.exe.bat	NUJRR.exe
File created	C:\windows\SysWOW64\PKFBJVK.exe.bat	WHOYERB.exe
File opened for modification	C:\windows\SysWOW64\ZXZROWA.exe	VHTRB.exe
File created	C:\windows\SysWOW64\XBTI.exe.bat	QISHTQU.exe
File created	C:\windows\SysWOW64\JENCAD.exe	HBD.exe
File created	C:\windows\SysWOW64\CZXN.exe	XZPZ.exe
File opened for modification	C:\windows\SysWOW64\BVIEW.exe	XNUEKV.exe
File created	C:\windows\SysWOW64\OLYDLQ.exe.bat	CTVK.exe
File created	C:\windows\SysWOW64\NZPE.exe.bat	HYIQ.exe
File created	C:\windows\SysWOW64\HVW.exe.bat	NZRILH.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\LHLZ.exe	PKFBJVK.exe
File created	C:\windows\system\VBO.exe.bat	FGEAZ.exe
File created	C:\windows\RVTWXUL.exe	GCQDON.exe
File created	C:\windows\system\RUR.exe.bat	WHNBUH.exe
File created	C:\windows\system\EWH.exe	YVZKGH.exe
File opened for modification	C:\windows\system\DCTS.exe	YCLWCEF.exe
File created	C:\windows\system\XNUEKV.exe.bat	CZXN.exe
File opened for modification	C:\windows\system\ZKXX.exe	EPS.exe
File created	C:\windows\LDK.exe	PXFB.exe
File opened for modification	C:\windows\system\HBD.exe	IMEKDVT.exe
File opened for modification	C:\windows\system\YFNLNK.exe	UXT.exe
File created	C:\windows\WAYSTXE.exe	CMTAJX.exe
File created	C:\windows\system\RILXZP.exe.bat	XVHF.exe
File opened for modification	C:\windows\system\PQHGHPX.exe	PYYFTCI.exe
File opened for modification	C:\windows\system\FGS.exe	IAMX.exe
File created	C:\windows\VRJGAQE.exe	KYGNRJ.exe
File created	C:\windows\EMEK.exe	ORHXD.exe
File opened for modification	C:\windows\PZH.exe	BTB.exe
File created	C:\windows\SNRK.exe	HVW.exe
File opened for modification	C:\windows\system\RUR.exe	WHNBUH.exe
File opened for modification	C:\windows\system\KYGNRJ.exe	PLBE.exe
File created	C:\windows\SCBGH.exe.bat	RZX.exe
File created	C:\windows\QXYUQ.exe.bat	HPWPNKN.exe
File created	C:\windows\system\BZMX.exe.bat	JRK.exe
File created	C:\windows\system\TDV.exe	CSE.exe
File created	C:\windows\system\CTVK.exe	CFVW.exe
File opened for modification	C:\windows\VFS.exe	QCWN.exe
File created	C:\windows\HTW.exe	BTOPOI.exe
File opened for modification	C:\windows\SNRK.exe	HVW.exe
File created	C:\windows\system\LLOM.exe.bat	SDOW.exe
File opened for modification	C:\windows\system\VSUP.exe	SEPGAHO.exe
File created	C:\windows\system\ILL.exe	NYGXXW.exe
File created	C:\windows\QJKLS.exe	QDKX.exe
File created	C:\windows\WHNBUH.exe.bat	PMIPKOO.exe
File created	C:\windows\RKYMS.exe	NCKMOHW.exe
File created	C:\windows\system\KYGNRJ.exe	PLBE.exe
File created	C:\windows\system\DOD.exe.bat	XOV.exe
File opened for modification	C:\windows\JRK.exe	EQCESH.exe
File created	C:\windows\system\STN.exe.bat	EWH.exe
File created	C:\windows\TENWUF.exe.bat	NIVWQ.exe
File opened for modification	C:\windows\system\RZX.exe	RPO.exe
File opened for modification	C:\windows\system\ZRU.exe	XBTI.exe
File created	C:\windows\LHLZ.exe.bat	PKFBJVK.exe
File opened for modification	C:\windows\system\ATA.exe	FGDPHE.exe
File created	C:\windows\system\STN.exe	EWH.exe
File created	C:\windows\EMEK.exe.bat	ORHXD.exe
File opened for modification	C:\windows\EPS.exe	FETQDNA.exe
File opened for modification	C:\windows\RKYMS.exe	NCKMOHW.exe
File created	C:\windows\CSE.exe	RVTWXUL.exe
File created	C:\windows\CSE.exe.bat	RVTWXUL.exe
File opened for modification	C:\windows\system\LLOM.exe	SDOW.exe
File opened for modification	C:\windows\system\ZZVZYT.exe	ILL.exe
File created	C:\windows\JIBMEOL.exe.bat	YQYBVG.exe
File created	C:\windows\system\YFNLNK.exe.bat	UXT.exe
File created	C:\windows\system\LLOM.exe	SDOW.exe
File created	C:\windows\system\CMTAJX.exe	RUQQ.exe
File created	C:\windows\NIVWQ.exe	SVR.exe
File opened for modification	C:\windows\IQYFWMY.exe	DFUZR.exe
File created	C:\windows\system\YPOFGIT.exe	RUR.exe
File opened for modification	C:\windows\system\TWG.exe	XRIVBN.exe
File created	C:\windows\KSYG.exe.bat	ONSJPUA.exe
File created	C:\windows\TFEHAZG.exe.bat	WAYSTXE.exe
File created	C:\windows\system\RZZJ.exe.bat	WMUSOFC.exe
File created	C:\windows\system\VHTRB.exe.bat	RZZJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2008	912	WerFault.exe	79
2116	3792	WerFault.exe	87
2860	1840	WerFault.exe	93
5052	2948	WerFault.exe	98
2520	5032	WerFault.exe	103
5116	3972	WerFault.exe	108
1900	1580	WerFault.exe	113
216	4548	WerFault.exe	118
3716	4032	WerFault.exe	123
3640	4272	WerFault.exe	128
1960	2612	WerFault.exe	133
4644	4280	WerFault.exe	138
456	840	WerFault.exe	143
1176	5052	WerFault.exe	148
1528	3512	WerFault.exe	153
4916	2516	WerFault.exe	158
3496	1900	WerFault.exe	163
2736	4996	WerFault.exe	168
4708	3772	WerFault.exe	173
2628	3360	WerFault.exe	178
1392	528	WerFault.exe	183
1400	5000	WerFault.exe	188
1176	1304	WerFault.exe	193
5116	972	WerFault.exe	197
1168	3252	WerFault.exe	203
744	4340	WerFault.exe	208
2200	4932	WerFault.exe	213
4528	4884	WerFault.exe	218
1260	4356	WerFault.exe	222
3500	1360	WerFault.exe	228
380	4048	WerFault.exe	233
1656	1636	WerFault.exe	238
3844	2352	WerFault.exe	243
3272	2868	WerFault.exe	248
532	5056	WerFault.exe	253
2256	2032	WerFault.exe	258
1660	5072	WerFault.exe	262
1276	4996	WerFault.exe	268
3816	912	WerFault.exe	273
4212	4076	WerFault.exe	278
3204	3876	WerFault.exe	283
2352	4472	WerFault.exe	289
1904	1312	WerFault.exe	295
4992	1168	WerFault.exe	300
4200	2284	WerFault.exe	304
5072	1072	WerFault.exe	310
2620	4704	WerFault.exe	315
4488	376	WerFault.exe	320
3292	1840	WerFault.exe	325
2364	4988	WerFault.exe	330
2520	3128	WerFault.exe	335
4480	3844	WerFault.exe	340
4552	1524	WerFault.exe	345
1168	4544	WerFault.exe	350
2284	2440	WerFault.exe	355
3884	4352	WerFault.exe	360
4272	3416	WerFault.exe	365
2920	4600	WerFault.exe	370
1516	1884	WerFault.exe	375
4988	1148	WerFault.exe	380
5032	4848	WerFault.exe	385
3512	4460	WerFault.exe	390
688	2568	WerFault.exe	395
400	1968	WerFault.exe	400

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
3792	FGEAZ.exe
3792	FGEAZ.exe
1840	VBO.exe
1840	VBO.exe
2948	XZPZ.exe
2948	XZPZ.exe
5032	CZXN.exe
5032	CZXN.exe
3972	XNUEKV.exe
3972	XNUEKV.exe
1580	BVIEW.exe
1580	BVIEW.exe
4548	SOZCW.exe
4548	SOZCW.exe
4032	QDKX.exe
4032	QDKX.exe
4272	QJKLS.exe
4272	QJKLS.exe
2612	FETQDNA.exe
2612	FETQDNA.exe
4280	EPS.exe
4280	EPS.exe
840	ZKXX.exe
840	ZKXX.exe
5052	KIADZ.exe
5052	KIADZ.exe
3512	VADVIV.exe
3512	VADVIV.exe
2516	ZIKV.exe
2516	ZIKV.exe
1900	KBNOC.exe
1900	KBNOC.exe
4996	CJPTGA.exe
4996	CJPTGA.exe
3772	NCKMOHW.exe
3772	NCKMOHW.exe
3360	RKYMS.exe
3360	RKYMS.exe
528	WVUT.exe
528	WVUT.exe
5000	TAAQM.exe
5000	TAAQM.exe
1304	PYYFTCI.exe
1304	PYYFTCI.exe
972	PQHGHPX.exe
972	PQHGHPX.exe
3252	RDLQ.exe
3252	RDLQ.exe
4340	LBNSQ.exe
4340	LBNSQ.exe
4932	DCHXTJ.exe
4932	DCHXTJ.exe
4884	MPRPJFS.exe
4884	MPRPJFS.exe
4356	ONSJPUA.exe
4356	ONSJPUA.exe
1360	KSYG.exe
1360	KSYG.exe
4048	FGDPHE.exe
4048	FGDPHE.exe
1636	ATA.exe
1636	ATA.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
3792	FGEAZ.exe
3792	FGEAZ.exe
1840	VBO.exe
1840	VBO.exe
2948	XZPZ.exe
2948	XZPZ.exe
5032	CZXN.exe
5032	CZXN.exe
3972	XNUEKV.exe
3972	XNUEKV.exe
1580	BVIEW.exe
1580	BVIEW.exe
4548	SOZCW.exe
4548	SOZCW.exe
4032	QDKX.exe
4032	QDKX.exe
4272	QJKLS.exe
4272	QJKLS.exe
2612	FETQDNA.exe
2612	FETQDNA.exe
4280	EPS.exe
4280	EPS.exe
840	ZKXX.exe
840	ZKXX.exe
5052	KIADZ.exe
5052	KIADZ.exe
3512	VADVIV.exe
3512	VADVIV.exe
2516	ZIKV.exe
2516	ZIKV.exe
1900	KBNOC.exe
1900	KBNOC.exe
4996	CJPTGA.exe
4996	CJPTGA.exe
3772	NCKMOHW.exe
3772	NCKMOHW.exe
3360	RKYMS.exe
3360	RKYMS.exe
528	WVUT.exe
528	WVUT.exe
5000	TAAQM.exe
5000	TAAQM.exe
1304	PYYFTCI.exe
1304	PYYFTCI.exe
972	PQHGHPX.exe
972	PQHGHPX.exe
3252	RDLQ.exe
3252	RDLQ.exe
4340	LBNSQ.exe
4340	LBNSQ.exe
4932	DCHXTJ.exe
4932	DCHXTJ.exe
4884	MPRPJFS.exe
4884	MPRPJFS.exe
4356	ONSJPUA.exe
4356	ONSJPUA.exe
1360	KSYG.exe
1360	KSYG.exe
4048	FGDPHE.exe
4048	FGDPHE.exe
1636	ATA.exe
1636	ATA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 3084	912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	83
PID 912 wrote to memory of 3084	912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	83
PID 912 wrote to memory of 3084	912	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	83
PID 3084 wrote to memory of 3792	3084	cmd.exe	87
PID 3084 wrote to memory of 3792	3084	cmd.exe	87
PID 3084 wrote to memory of 3792	3084	cmd.exe	87
PID 3792 wrote to memory of 1228	3792	FGEAZ.exe	89
PID 3792 wrote to memory of 1228	3792	FGEAZ.exe	89
PID 3792 wrote to memory of 1228	3792	FGEAZ.exe	89
PID 1228 wrote to memory of 1840	1228	cmd.exe	93
PID 1228 wrote to memory of 1840	1228	cmd.exe	93
PID 1228 wrote to memory of 1840	1228	cmd.exe	93
PID 1840 wrote to memory of 3876	1840	VBO.exe	94
PID 1840 wrote to memory of 3876	1840	VBO.exe	94
PID 1840 wrote to memory of 3876	1840	VBO.exe	94
PID 3876 wrote to memory of 2948	3876	cmd.exe	98
PID 3876 wrote to memory of 2948	3876	cmd.exe	98
PID 3876 wrote to memory of 2948	3876	cmd.exe	98
PID 2948 wrote to memory of 4412	2948	XZPZ.exe	99
PID 2948 wrote to memory of 4412	2948	XZPZ.exe	99
PID 2948 wrote to memory of 4412	2948	XZPZ.exe	99
PID 4412 wrote to memory of 5032	4412	cmd.exe	103
PID 4412 wrote to memory of 5032	4412	cmd.exe	103
PID 4412 wrote to memory of 5032	4412	cmd.exe	103
PID 5032 wrote to memory of 4056	5032	CZXN.exe	104
PID 5032 wrote to memory of 4056	5032	CZXN.exe	104
PID 5032 wrote to memory of 4056	5032	CZXN.exe	104
PID 4056 wrote to memory of 3972	4056	cmd.exe	108
PID 4056 wrote to memory of 3972	4056	cmd.exe	108
PID 4056 wrote to memory of 3972	4056	cmd.exe	108
PID 3972 wrote to memory of 3952	3972	XNUEKV.exe	109
PID 3972 wrote to memory of 3952	3972	XNUEKV.exe	109
PID 3972 wrote to memory of 3952	3972	XNUEKV.exe	109
PID 3952 wrote to memory of 1580	3952	cmd.exe	113
PID 3952 wrote to memory of 1580	3952	cmd.exe	113
PID 3952 wrote to memory of 1580	3952	cmd.exe	113
PID 1580 wrote to memory of 1504	1580	BVIEW.exe	114
PID 1580 wrote to memory of 1504	1580	BVIEW.exe	114
PID 1580 wrote to memory of 1504	1580	BVIEW.exe	114
PID 1504 wrote to memory of 4548	1504	cmd.exe	118
PID 1504 wrote to memory of 4548	1504	cmd.exe	118
PID 1504 wrote to memory of 4548	1504	cmd.exe	118
PID 4548 wrote to memory of 4596	4548	SOZCW.exe	119
PID 4548 wrote to memory of 4596	4548	SOZCW.exe	119
PID 4548 wrote to memory of 4596	4548	SOZCW.exe	119
PID 4596 wrote to memory of 4032	4596	cmd.exe	123
PID 4596 wrote to memory of 4032	4596	cmd.exe	123
PID 4596 wrote to memory of 4032	4596	cmd.exe	123
PID 4032 wrote to memory of 2440	4032	QDKX.exe	124
PID 4032 wrote to memory of 2440	4032	QDKX.exe	124
PID 4032 wrote to memory of 2440	4032	QDKX.exe	124
PID 2440 wrote to memory of 4272	2440	cmd.exe	128
PID 2440 wrote to memory of 4272	2440	cmd.exe	128
PID 2440 wrote to memory of 4272	2440	cmd.exe	128
PID 4272 wrote to memory of 4852	4272	QJKLS.exe	129
PID 4272 wrote to memory of 4852	4272	QJKLS.exe	129
PID 4272 wrote to memory of 4852	4272	QJKLS.exe	129
PID 4852 wrote to memory of 2612	4852	cmd.exe	133
PID 4852 wrote to memory of 2612	4852	cmd.exe	133
PID 4852 wrote to memory of 2612	4852	cmd.exe	133
PID 2612 wrote to memory of 3384	2612	FETQDNA.exe	134
PID 2612 wrote to memory of 3384	2612	FETQDNA.exe	134
PID 2612 wrote to memory of 3384	2612	FETQDNA.exe	134
PID 3384 wrote to memory of 4280	3384	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGEAZ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\windows\SysWOW64\FGEAZ.exe
    C:\windows\system32\FGEAZ.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBO.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\windows\system\VBO.exe
        
        C:\windows\system\VBO.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZPZ.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\windows\SysWOW64\XZPZ.exe
        
        C:\windows\system32\XZPZ.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CZXN.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\windows\SysWOW64\CZXN.exe
        
        C:\windows\system32\CZXN.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XNUEKV.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\windows\system\XNUEKV.exe
        
        C:\windows\system\XNUEKV.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\windows\SysWOW64\BVIEW.exe
        
        C:\windows\system32\BVIEW.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SOZCW.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\windows\system\SOZCW.exe
        
        C:\windows\system\SOZCW.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDKX.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\windows\SysWOW64\QDKX.exe
        
        C:\windows\system32\QDKX.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QJKLS.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\windows\QJKLS.exe
        
        C:\windows\QJKLS.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\windows\system\FETQDNA.exe
        
        C:\windows\system\FETQDNA.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EPS.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\windows\EPS.exe
        
        C:\windows\EPS.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZKXX.exe.bat" "
        24⤵
        
        PID:4332
        
        C:\windows\system\ZKXX.exe
        
        C:\windows\system\ZKXX.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KIADZ.exe.bat" "
        26⤵
        
        PID:3484
        
        C:\windows\system\KIADZ.exe
        
        C:\windows\system\KIADZ.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VADVIV.exe.bat" "
        28⤵
        
        PID:4848
        
        C:\windows\system\VADVIV.exe
        
        C:\windows\system\VADVIV.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIKV.exe.bat" "
        30⤵
        
        PID:1380
        
        C:\windows\SysWOW64\ZIKV.exe
        
        C:\windows\system32\ZIKV.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KBNOC.exe.bat" "
        32⤵
        
        PID:3272
        
        C:\windows\KBNOC.exe
        
        C:\windows\KBNOC.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJPTGA.exe.bat" "
        34⤵
        
        PID:1536
        
        C:\windows\system\CJPTGA.exe
        
        C:\windows\system\CJPTGA.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKMOHW.exe.bat" "
        36⤵
        
        PID:1424
        
        C:\windows\SysWOW64\NCKMOHW.exe
        
        C:\windows\system32\NCKMOHW.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKYMS.exe.bat" "
        38⤵
        
        PID:3036
        
        C:\windows\RKYMS.exe
        
        C:\windows\RKYMS.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUT.exe.bat" "
        40⤵
        
        PID:4844
        
        C:\windows\system\WVUT.exe
        
        C:\windows\system\WVUT.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAAQM.exe.bat" "
        42⤵
        
        PID:3500
        
        C:\windows\SysWOW64\TAAQM.exe
        
        C:\windows\system32\TAAQM.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PYYFTCI.exe.bat" "
        44⤵
        
        PID:4988
        
        C:\windows\PYYFTCI.exe
        
        C:\windows\PYYFTCI.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PQHGHPX.exe.bat" "
        46⤵
        
        PID:3480
        
        C:\windows\system\PQHGHPX.exe
        
        C:\windows\system\PQHGHPX.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RDLQ.exe.bat" "
        48⤵
        
        PID:4936
        
        C:\windows\system\RDLQ.exe
        
        C:\windows\system\RDLQ.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LBNSQ.exe.bat" "
        50⤵
        
        PID:2152
        
        C:\windows\system\LBNSQ.exe
        
        C:\windows\system\LBNSQ.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCHXTJ.exe.bat" "
        52⤵
        
        PID:4008
        
        C:\windows\system\DCHXTJ.exe
        
        C:\windows\system\DCHXTJ.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPRPJFS.exe.bat" "
        54⤵
        
        PID:4300
        
        C:\windows\system\MPRPJFS.exe
        
        C:\windows\system\MPRPJFS.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONSJPUA.exe.bat" "
        56⤵
        
        PID:2984
        
        C:\windows\system\ONSJPUA.exe
        
        C:\windows\system\ONSJPUA.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KSYG.exe.bat" "
        58⤵
        
        PID:2624
        
        C:\windows\KSYG.exe
        
        C:\windows\KSYG.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGDPHE.exe.bat" "
        60⤵
        
        PID:1884
        
        C:\windows\SysWOW64\FGDPHE.exe
        
        C:\windows\system32\FGDPHE.exe
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATA.exe.bat" "
        62⤵
        
        PID:4248
        
        C:\windows\system\ATA.exe
        
        C:\windows\system\ATA.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGEQ.exe.bat" "
        64⤵
        
        PID:4084
        
        C:\windows\system\UGEQ.exe
        
        C:\windows\system\UGEQ.exe
        65⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XCJADD.exe.bat" "
        66⤵
        
        PID:2924
        
        C:\windows\SysWOW64\XCJADD.exe
        
        C:\windows\system32\XCJADD.exe
        67⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPO.exe.bat" "
        68⤵
        
        PID:3120
        
        C:\windows\system\RPO.exe
        
        C:\windows\system\RPO.exe
        69⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZX.exe.bat" "
        70⤵
        
        PID:2292
        
        C:\windows\system\RZX.exe
        
        C:\windows\system\RZX.exe
        71⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SCBGH.exe.bat" "
        72⤵
        
        PID:3112
        
        C:\windows\SCBGH.exe
        
        C:\windows\SCBGH.exe
        73⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DVEZPN.exe.bat" "
        74⤵
        
        PID:4548
        
        C:\windows\DVEZPN.exe
        
        C:\windows\DVEZPN.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OOZ.exe.bat" "
        76⤵
        
        PID:2420
        
        C:\windows\SysWOW64\OOZ.exe
        
        C:\windows\system32\OOZ.exe
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRKODK.exe.bat" "
        78⤵
        
        PID:4844
        
        C:\windows\SysWOW64\HRKODK.exe
        
        C:\windows\system32\HRKODK.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WMUSOFC.exe.bat" "
        80⤵
        
        PID:4952
        
        C:\windows\SysWOW64\WMUSOFC.exe
        
        C:\windows\system32\WMUSOFC.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZZJ.exe.bat" "
        82⤵
        
        PID:1516
        
        C:\windows\system\RZZJ.exe
        
        C:\windows\system\RZZJ.exe
        83⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHTRB.exe.bat" "
        84⤵
        
        PID:1828
        
        C:\windows\system\VHTRB.exe
        
        C:\windows\system\VHTRB.exe
        85⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZXZROWA.exe.bat" "
        86⤵
        
        PID:2460
        
        C:\windows\SysWOW64\ZXZROWA.exe
        
        C:\windows\system32\ZXZROWA.exe
        87⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFUZR.exe.bat" "
        88⤵
        
        PID:2636
        
        C:\windows\DFUZR.exe
        
        C:\windows\DFUZR.exe
        89⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IQYFWMY.exe.bat" "
        90⤵
        
        PID:2248
        
        C:\windows\IQYFWMY.exe
        
        C:\windows\IQYFWMY.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QBYHKQN.exe.bat" "
        92⤵
        
        PID:4932
        
        C:\windows\SysWOW64\QBYHKQN.exe
        
        C:\windows\system32\QBYHKQN.exe
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BTB.exe.bat" "
        94⤵
        
        PID:4884
        
        C:\windows\SysWOW64\BTB.exe
        
        C:\windows\system32\BTB.exe
        95⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PZH.exe.bat" "
        96⤵
        
        PID:2324
        
        C:\windows\PZH.exe
        
        C:\windows\PZH.exe
        97⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMMY.exe.bat" "
        98⤵
        
        PID:3484
        
        C:\windows\system\SMMY.exe
        
        C:\windows\system\SMMY.exe
        99⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZRILH.exe.bat" "
        100⤵
        
        PID:4660
        
        C:\windows\SysWOW64\NZRILH.exe
        
        C:\windows\system32\NZRILH.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVW.exe.bat" "
        102⤵
        
        PID:1920
        
        C:\windows\SysWOW64\HVW.exe
        
        C:\windows\system32\HVW.exe
        103⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SNRK.exe.bat" "
        104⤵
        
        PID:3972
        
        C:\windows\SNRK.exe
        
        C:\windows\SNRK.exe
        105⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SYZLKA.exe.bat" "
        106⤵
        
        PID:3232
        
        C:\windows\system\SYZLKA.exe
        
        C:\windows\system\SYZLKA.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EQCESH.exe.bat" "
        108⤵
        
        PID:1772
        
        C:\windows\SysWOW64\EQCESH.exe
        
        C:\windows\system32\EQCESH.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JRK.exe.bat" "
        110⤵
        
        PID:1424
        
        C:\windows\JRK.exe
        
        C:\windows\JRK.exe
        111⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BZMX.exe.bat" "
        112⤵
        
        PID:2588
        
        C:\windows\system\BZMX.exe
        
        C:\windows\system\BZMX.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RPLAQB.exe.bat" "
        114⤵
        
        PID:1260
        
        C:\windows\RPLAQB.exe
        
        C:\windows\RPLAQB.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OUQXF.exe.bat" "
        116⤵
        
        PID:1704
        
        C:\windows\SysWOW64\OUQXF.exe
        
        C:\windows\system32\OUQXF.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AIJ.exe.bat" "
        118⤵
        
        PID:3928
        
        C:\windows\AIJ.exe
        
        C:\windows\AIJ.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVOXJ.exe.bat" "
        120⤵
        
        PID:3068
        
        C:\windows\system\VVOXJ.exe
        
        C:\windows\system\VVOXJ.exe
        121⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QISHTQU.exe.bat" "
        122⤵
        
        PID:1436
        
        C:\windows\SysWOW64\QISHTQU.exe
        
        C:\windows\system32\QISHTQU.exe
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBTI.exe.bat" "
        124⤵
        
        PID:3712
        
        C:\windows\SysWOW64\XBTI.exe
        
        C:\windows\system32\XBTI.exe
        125⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRU.exe.bat" "
        126⤵
        
        PID:2004
        
        C:\windows\system\ZRU.exe
        
        C:\windows\system\ZRU.exe
        127⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJPV.exe.bat" "
        128⤵
        
        PID:1120
        
        C:\windows\SysWOW64\LJPV.exe
        
        C:\windows\system32\LJPV.exe
        129⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WPBBI.exe.bat" "
        130⤵
        
        PID:1020
        
        C:\windows\system\WPBBI.exe
        
        C:\windows\system\WPBBI.exe
        131⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HHEUIN.exe.bat" "
        132⤵
        
        PID:64
        
        C:\windows\system\HHEUIN.exe
        
        C:\windows\system\HHEUIN.exe
        133⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVJ.exe.bat" "
        134⤵
        
        PID:2640
        
        C:\windows\system\BVJ.exe
        
        C:\windows\system\BVJ.exe
        135⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXFB.exe.bat" "
        136⤵
        
        PID:4344
        
        C:\windows\system\PXFB.exe
        
        C:\windows\system\PXFB.exe
        137⤵
        Drops file in Windows directory
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LDK.exe.bat" "
        138⤵
        
        PID:1732
        
        C:\windows\LDK.exe
        
        C:\windows\LDK.exe
        139⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJQWU.exe.bat" "
        140⤵
        
        PID:2832
        
        C:\windows\SysWOW64\AJQWU.exe
        
        C:\windows\system32\AJQWU.exe
        141⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOOTB.exe.bat" "
        142⤵
        
        PID:3108
        
        C:\windows\SysWOW64\WOOTB.exe
        
        C:\windows\system32\WOOTB.exe
        143⤵
        Checks computer location settings
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CBNUGKT.exe.bat" "
        144⤵
        
        PID:1060
        
        C:\windows\system\CBNUGKT.exe
        
        C:\windows\system\CBNUGKT.exe
        145⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICVHP.exe.bat" "
        146⤵
        
        PID:4596
        
        C:\windows\system\ICVHP.exe
        
        C:\windows\system\ICVHP.exe
        147⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCQDON.exe.bat" "
        148⤵
        
        PID:644
        
        C:\windows\system\GCQDON.exe
        
        C:\windows\system\GCQDON.exe
        149⤵
        Drops file in Windows directory
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "
        150⤵
        
        PID:1536
        
        C:\windows\RVTWXUL.exe
        
        C:\windows\RVTWXUL.exe
        151⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "
        152⤵
        
        PID:4328
        
        C:\windows\CSE.exe
        
        C:\windows\CSE.exe
        153⤵
        Drops file in Windows directory
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TDV.exe.bat" "
        154⤵
        
        PID:1432
        
        C:\windows\system\TDV.exe
        
        C:\windows\system\TDV.exe
        155⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYABT.exe.bat" "
        156⤵
        
        PID:1040
        
        C:\windows\SysWOW64\OYABT.exe
        
        C:\windows\system32\OYABT.exe
        157⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IMEKDVT.exe.bat" "
        158⤵
        
        PID:3480
        
        C:\windows\IMEKDVT.exe
        
        C:\windows\IMEKDVT.exe
        159⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBD.exe.bat" "
        160⤵
        
        PID:760
        
        C:\windows\system\HBD.exe
        
        C:\windows\system\HBD.exe
        161⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JENCAD.exe.bat" "
        162⤵
        
        PID:1828
        
        C:\windows\SysWOW64\JENCAD.exe
        
        C:\windows\system32\JENCAD.exe
        163⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OPR.exe.bat" "
        164⤵
        
        PID:3272
        
        C:\windows\OPR.exe
        
        C:\windows\OPR.exe
        165⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QCOS.exe.bat" "
        166⤵
        
        PID:4184
        
        C:\windows\SysWOW64\QCOS.exe
        
        C:\windows\system32\QCOS.exe
        167⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QIOYR.exe.bat" "
        168⤵
        
        PID:4080
        
        C:\windows\QIOYR.exe
        
        C:\windows\QIOYR.exe
        169⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDX.exe.bat" "
        170⤵
        
        PID:4340
        
        C:\windows\SysWOW64\GDX.exe
        
        C:\windows\system32\GDX.exe
        171⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RWAD.exe.bat" "
        172⤵
        
        PID:3124
        
        C:\windows\RWAD.exe
        
        C:\windows\RWAD.exe
        173⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBGS.exe.bat" "
        174⤵
        
        PID:2860
        
        C:\windows\SysWOW64\NBGS.exe
        
        C:\windows\system32\NBGS.exe
        175⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOLCBK.exe.bat" "
        176⤵
        
        PID:4248
        
        C:\windows\SysWOW64\IOLCBK.exe
        
        C:\windows\system32\IOLCBK.exe
        177⤵
        Checks computer location settings
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PJIWL.exe.bat" "
        178⤵
        
        PID:1920
        
        C:\windows\PJIWL.exe
        
        C:\windows\PJIWL.exe
        179⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INM.exe.bat" "
        180⤵
        
        PID:3980
        
        C:\windows\SysWOW64\INM.exe
        
        C:\windows\system32\INM.exe
        181⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KKFU.exe.bat" "
        182⤵
        
        PID:3964
        
        C:\windows\KKFU.exe
        
        C:\windows\KKFU.exe
        183⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAMX.exe.bat" "
        184⤵
        
        PID:4100
        
        C:\windows\SysWOW64\IAMX.exe
        
        C:\windows\system32\IAMX.exe
        185⤵
        Drops file in Windows directory
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FGS.exe.bat" "
        186⤵
        
        PID:4360
        
        C:\windows\system\FGS.exe
        
        C:\windows\system\FGS.exe
        187⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KJOS.exe.bat" "
        188⤵
        
        PID:2032
        
        C:\windows\system\KJOS.exe
        
        C:\windows\system\KJOS.exe
        189⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJVGE.exe.bat" "
        190⤵
        
        PID:4352
        
        C:\windows\SysWOW64\QJVGE.exe
        
        C:\windows\system32\QJVGE.exe
        191⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZCO.exe.bat" "
        192⤵
        
        PID:2372
        
        C:\windows\SysWOW64\UZCO.exe
        
        C:\windows\system32\UZCO.exe
        193⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKAE.exe.bat" "
        194⤵
        
        PID:2640
        
        C:\windows\SysWOW64\KKAE.exe
        
        C:\windows\system32\KKAE.exe
        195⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QKIS.exe.bat" "
        196⤵
        
        PID:2364
        
        C:\windows\system\QKIS.exe
        
        C:\windows\system\QKIS.exe
        197⤵
        Checks computer location settings
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "
        198⤵
        
        PID:2924
        
        C:\windows\system\LXFBJU.exe
        
        C:\windows\system\LXFBJU.exe
        199⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDL.exe.bat" "
        200⤵
        
        PID:4292
        
        C:\windows\SysWOW64\HDL.exe
        
        C:\windows\system32\HDL.exe
        201⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GTR.exe.bat" "
        202⤵
        
        PID:5004
        
        C:\windows\SysWOW64\GTR.exe
        
        C:\windows\system32\GTR.exe
        203⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWJ.exe.bat" "
        204⤵
        
        PID:3432
        
        C:\windows\SysWOW64\RWJ.exe
        
        C:\windows\system32\RWJ.exe
        205⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMIPKOO.exe.bat" "
        206⤵
        
        PID:4484
        
        C:\windows\SysWOW64\PMIPKOO.exe
        
        C:\windows\system32\PMIPKOO.exe
        207⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WHNBUH.exe.bat" "
        208⤵
        
        PID:4172
        
        C:\windows\WHNBUH.exe
        
        C:\windows\WHNBUH.exe
        209⤵
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUR.exe.bat" "
        210⤵
        
        PID:1020
        
        C:\windows\system\RUR.exe
        
        C:\windows\system\RUR.exe
        211⤵
        Drops file in Windows directory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YPOFGIT.exe.bat" "
        212⤵
        
        PID:4452
        
        C:\windows\system\YPOFGIT.exe
        
        C:\windows\system\YPOFGIT.exe
        213⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NKYJZ.exe.bat" "
        214⤵
        
        PID:212
        
        C:\windows\NKYJZ.exe
        
        C:\windows\NKYJZ.exe
        215⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CFVW.exe.bat" "
        216⤵
        
        PID:2472
        
        C:\windows\CFVW.exe
        
        C:\windows\CFVW.exe
        217⤵
        Drops file in Windows directory
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTVK.exe.bat" "
        218⤵
        
        PID:1840
        
        C:\windows\system\CTVK.exe
        
        C:\windows\system\CTVK.exe
        219⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLYDLQ.exe.bat" "
        220⤵
        
        PID:3372
        
        C:\windows\SysWOW64\OLYDLQ.exe
        
        C:\windows\system32\OLYDLQ.exe
        221⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XRIVBN.exe.bat" "
        222⤵
        
        PID:5100
        
        C:\windows\XRIVBN.exe
        
        C:\windows\XRIVBN.exe
        223⤵
        Drops file in Windows directory
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWG.exe.bat" "
        224⤵
        
        PID:1532
        
        C:\windows\system\TWG.exe
        
        C:\windows\system\TWG.exe
        225⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCGY.exe.bat" "
        226⤵
        
        PID:1436
        
        C:\windows\SysWOW64\BCGY.exe
        
        C:\windows\system32\BCGY.exe
        227⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NUJRR.exe.bat" "
        228⤵
        
        PID:4596
        
        C:\windows\NUJRR.exe
        
        C:\windows\NUJRR.exe
        229⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXT.exe.bat" "
        230⤵
        
        PID:512
        
        C:\windows\SysWOW64\UXT.exe
        
        C:\windows\system32\UXT.exe
        231⤵
        Drops file in Windows directory
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YFNLNK.exe.bat" "
        232⤵
        
        PID:4524
        
        C:\windows\system\YFNLNK.exe
        
        C:\windows\system\YFNLNK.exe
        233⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QONCWG.exe.bat" "
        234⤵
        
        PID:4760
        
        C:\windows\QONCWG.exe
        
        C:\windows\QONCWG.exe
        235⤵
        Checks computer location settings
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SDOW.exe.bat" "
        236⤵
        
        PID:3100
        
        C:\windows\system\SDOW.exe
        
        C:\windows\system\SDOW.exe
        237⤵
        Drops file in Windows directory
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LLOM.exe.bat" "
        238⤵
        
        PID:4868
        
        C:\windows\system\LLOM.exe
        
        C:\windows\system\LLOM.exe
        239⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUQAP.exe.bat" "
        240⤵
        
        PID:1316
        
        C:\windows\SysWOW64\UUQAP.exe
        
        C:\windows\system32\UUQAP.exe
        241⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCXAB.exe.bat" "
        242⤵
        
        PID:1348
        
        C:\windows\system\GCXAB.exe
        
        C:\windows\system\GCXAB.exe
        243⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\APBJDO.exe.bat" "
        244⤵
        
        PID:3680
        
        C:\windows\system\APBJDO.exe
        
        C:\windows\system\APBJDO.exe
        245⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVHGSY.exe.bat" "
        246⤵
        
        PID:3212
        
        C:\windows\system\PVHGSY.exe
        
        C:\windows\system\PVHGSY.exe
        247⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RTAAQNR.exe.bat" "
        248⤵
        
        PID:3632
        
        C:\windows\SysWOW64\RTAAQNR.exe
        
        C:\windows\system32\RTAAQNR.exe
        249⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "
        250⤵
        
        PID:1940
        
        C:\windows\SysWOW64\NYGXXW.exe
        
        C:\windows\system32\NYGXXW.exe
        251⤵
        Drops file in Windows directory
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILL.exe.bat" "
        252⤵
        
        PID:728
        
        C:\windows\system\ILL.exe
        
        C:\windows\system\ILL.exe
        253⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZZVZYT.exe.bat" "
        254⤵
        
        PID:1888
        
        C:\windows\system\ZZVZYT.exe
        
        C:\windows\system\ZZVZYT.exe
        255⤵
        Checks computer location settings
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZEONZGZ.exe.bat" "
        256⤵
        
        PID:4844
        
        C:\windows\system\ZEONZGZ.exe
        
        C:\windows\system\ZEONZGZ.exe
        257⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HPWPNKN.exe.bat" "
        258⤵
        
        PID:3652
        
        C:\windows\HPWPNKN.exe
        
        C:\windows\HPWPNKN.exe
        259⤵
        Drops file in Windows directory
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QXYUQ.exe.bat" "
        260⤵
        
        PID:2356
        
        C:\windows\QXYUQ.exe
        
        C:\windows\QXYUQ.exe
        261⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NDERX.exe.bat" "
        262⤵
        
        PID:1152
        
        C:\windows\NDERX.exe
        
        C:\windows\NDERX.exe
        263⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YVZKGH.exe.bat" "
        264⤵
        
        PID:3704
        
        C:\windows\YVZKGH.exe
        
        C:\windows\YVZKGH.exe
        265⤵
        Drops file in Windows directory
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EWH.exe.bat" "
        266⤵
        
        PID:632
        
        C:\windows\system\EWH.exe
        
        C:\windows\system\EWH.exe
        267⤵
        Drops file in Windows directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STN.exe.bat" "
        268⤵
        
        PID:3212
        
        C:\windows\system\STN.exe
        
        C:\windows\system\STN.exe
        269⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NOREG.exe.bat" "
        270⤵
        
        PID:3632
        
        C:\windows\NOREG.exe
        
        C:\windows\NOREG.exe
        271⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCWN.exe.bat" "
        272⤵
        
        PID:832
        
        C:\windows\system\QCWN.exe
        
        C:\windows\system\QCWN.exe
        273⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VFS.exe.bat" "
        274⤵
        
        PID:3080
        
        C:\windows\VFS.exe
        
        C:\windows\VFS.exe
        275⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PAXVG.exe.bat" "
        276⤵
        
        PID:884
        
        C:\windows\SysWOW64\PAXVG.exe
        
        C:\windows\system32\PAXVG.exe
        277⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSAOOR.exe.bat" "
        278⤵
        
        PID:1636
        
        C:\windows\SysWOW64\BSAOOR.exe
        
        C:\windows\system32\BSAOOR.exe
        279⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLDHOYU.exe.bat" "
        280⤵
        
        PID:908
        
        C:\windows\SysWOW64\MLDHOYU.exe
        
        C:\windows\system32\MLDHOYU.exe
        281⤵
        Checks computer location settings
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HYIQ.exe.bat" "
        282⤵
        
        PID:4180
        
        C:\windows\HYIQ.exe
        
        C:\windows\HYIQ.exe
        283⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZPE.exe.bat" "
        284⤵
        
        PID:3940
        
        C:\windows\SysWOW64\NZPE.exe
        
        C:\windows\system32\NZPE.exe
        285⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZXSYU.exe.bat" "
        286⤵
        
        PID:1828
        
        C:\windows\system\SZXSYU.exe
        
        C:\windows\system\SZXSYU.exe
        287⤵
        Checks computer location settings
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEPGAHO.exe.bat" "
        288⤵
        
        PID:3364
        
        C:\windows\system\SEPGAHO.exe
        
        C:\windows\system\SEPGAHO.exe
        289⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSUP.exe.bat" "
        290⤵
        
        PID:4552
        
        C:\windows\system\VSUP.exe
        
        C:\windows\system\VSUP.exe
        291⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNZZMH.exe.bat" "
        292⤵
        
        PID:2228
        
        C:\windows\system\QNZZMH.exe
        
        C:\windows\system\QNZZMH.exe
        293⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAEQXHG.exe.bat" "
        294⤵
        
        PID:4328
        
        C:\windows\SysWOW64\KAEQXHG.exe
        
        C:\windows\system32\KAEQXHG.exe
        295⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FOIA.exe.bat" "
        296⤵
        
        PID:4016
        
        C:\windows\SysWOW64\FOIA.exe
        
        C:\windows\system32\FOIA.exe
        297⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BTOPOI.exe.bat" "
        298⤵
        
        PID:5068
        
        C:\windows\BTOPOI.exe
        
        C:\windows\BTOPOI.exe
        299⤵
        Drops file in Windows directory
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HTW.exe.bat" "
        300⤵
        
        PID:1672
        
        C:\windows\HTW.exe
        
        C:\windows\HTW.exe
        301⤵
        Checks computer location settings
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUQQ.exe.bat" "
        302⤵
        
        PID:5028
        
        C:\windows\system\RUQQ.exe
        
        C:\windows\system\RUQQ.exe
        303⤵
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CMTAJX.exe.bat" "
        304⤵
        
        PID:1148
        
        C:\windows\system\CMTAJX.exe
        
        C:\windows\system\CMTAJX.exe
        305⤵
        Drops file in Windows directory
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WAYSTXE.exe.bat" "
        306⤵
        
        PID:3768
        
        C:\windows\WAYSTXE.exe
        
        C:\windows\WAYSTXE.exe
        307⤵
        Drops file in Windows directory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TFEHAZG.exe.bat" "
        308⤵
        
        PID:2832
        
        C:\windows\TFEHAZG.exe
        
        C:\windows\TFEHAZG.exe
        309⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PLBE.exe.bat" "
        310⤵
        
        PID:972
        
        C:\windows\PLBE.exe
        
        C:\windows\PLBE.exe
        311⤵
        Drops file in Windows directory
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYGNRJ.exe.bat" "
        312⤵
        
        PID:1436
        
        C:\windows\system\KYGNRJ.exe
        
        C:\windows\system\KYGNRJ.exe
        313⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VRJGAQE.exe.bat" "
        314⤵
        
        PID:3632
        
        C:\windows\VRJGAQE.exe
        
        C:\windows\VRJGAQE.exe
        315⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XTTNKMG.exe.bat" "
        316⤵
        
        PID:1528
        
        C:\windows\XTTNKMG.exe
        
        C:\windows\XTTNKMG.exe
        317⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IMO.exe.bat" "
        318⤵
        
        PID:4544
        
        C:\windows\IMO.exe
        
        C:\windows\IMO.exe
        319⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUQL.exe.bat" "
        320⤵
        
        PID:2036
        
        C:\windows\SysWOW64\SUQL.exe
        
        C:\windows\system32\SUQL.exe
        321⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVXZNTZ.exe.bat" "
        322⤵
        
        PID:3928
        
        C:\windows\system\YVXZNTZ.exe
        
        C:\windows\system\YVXZNTZ.exe
        323⤵
        Checks computer location settings
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKEKRF.exe.bat" "
        324⤵
        
        PID:1992
        
        C:\windows\system\OKEKRF.exe
        
        C:\windows\system\OKEKRF.exe
        325⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BNAIW.exe.bat" "
        326⤵
        
        PID:4412
        
        C:\windows\system\BNAIW.exe
        
        C:\windows\system\BNAIW.exe
        327⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGDBEL.exe.bat" "
        328⤵
        
        PID:4052
        
        C:\windows\SysWOW64\NGDBEL.exe
        
        C:\windows\system32\NGDBEL.exe
        329⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARZHJD.exe.bat" "
        330⤵
        
        PID:1744
        
        C:\windows\SysWOW64\ARZHJD.exe
        
        C:\windows\system32\ARZHJD.exe
        331⤵
        Checks computer location settings
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OWFWYMN.exe.bat" "
        332⤵
        
        PID:2320
        
        C:\windows\system\OWFWYMN.exe
        
        C:\windows\system\OWFWYMN.exe
        333⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WHOYERB.exe.bat" "
        334⤵
        
        PID:4848
        
        C:\windows\SysWOW64\WHOYERB.exe
        
        C:\windows\system32\WHOYERB.exe
        335⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PKFBJVK.exe.bat" "
        336⤵
        
        PID:2228
        
        C:\windows\SysWOW64\PKFBJVK.exe
        
        C:\windows\system32\PKFBJVK.exe
        337⤵
        Drops file in Windows directory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LHLZ.exe.bat" "
        338⤵
        
        PID:2824
        
        C:\windows\LHLZ.exe
        
        C:\windows\LHLZ.exe
        339⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EQLPYAH.exe.bat" "
        340⤵
        
        PID:1740
        
        C:\windows\EQLPYAH.exe
        
        C:\windows\EQLPYAH.exe
        341⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "
        342⤵
        
        PID:2624
        
        C:\windows\SVR.exe
        
        C:\windows\SVR.exe
        343⤵
        Drops file in Windows directory
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NIVWQ.exe.bat" "
        344⤵
        
        PID:5036
        
        C:\windows\NIVWQ.exe
        
        C:\windows\NIVWQ.exe
        345⤵
        Drops file in Windows directory
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TENWUF.exe.bat" "
        346⤵
        
        PID:3276
        
        C:\windows\TENWUF.exe
        
        C:\windows\TENWUF.exe
        347⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PJS.exe.bat" "
        348⤵
        
        PID:3844
        
        C:\windows\PJS.exe
        
        C:\windows\PJS.exe
        349⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZPDLR.exe.bat" "
        350⤵
        
        PID:2040
        
        C:\windows\ZPDLR.exe
        
        C:\windows\ZPDLR.exe
        351⤵
        Checks computer location settings
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPYHZUD.exe.bat" "
        352⤵
        
        PID:1436
        
        C:\windows\system\EPYHZUD.exe
        
        C:\windows\system\EPYHZUD.exe
        353⤵
        Checks computer location settings
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TUE.exe.bat" "
        354⤵
        
        PID:1804
        
        C:\windows\TUE.exe
        
        C:\windows\TUE.exe
        355⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QACTN.exe.bat" "
        356⤵
        
        PID:3012
        
        C:\windows\QACTN.exe
        
        C:\windows\QACTN.exe
        357⤵
        Checks computer location settings
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XVHF.exe.bat" "
        358⤵
        
        PID:716
        
        C:\windows\SysWOW64\XVHF.exe
        
        C:\windows\system32\XVHF.exe
        359⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RILXZP.exe.bat" "
        360⤵
        
        PID:4388
        
        C:\windows\system\RILXZP.exe
        
        C:\windows\system\RILXZP.exe
        361⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWQ.exe.bat" "
        362⤵
        
        PID:3932
        
        C:\windows\SysWOW64\UWQ.exe
        
        C:\windows\system32\UWQ.exe
        363⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GJJXLV.exe.bat" "
        364⤵
        
        PID:5036
        
        C:\windows\SysWOW64\GJJXLV.exe
        
        C:\windows\system32\GJJXLV.exe
        365⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJQLCX.exe.bat" "
        366⤵
        
        PID:1140
        
        C:\windows\SysWOW64\MJQLCX.exe
        
        C:\windows\system32\MJQLCX.exe
        367⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCLWCEF.exe.bat" "
        368⤵
        
        PID:4536
        
        C:\windows\system\YCLWCEF.exe
        
        C:\windows\system\YCLWCEF.exe
        369⤵
        Drops file in Windows directory
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCTS.exe.bat" "
        370⤵
        
        PID:628
        
        C:\windows\system\DCTS.exe
        
        C:\windows\system\DCTS.exe
        371⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YQYBVG.exe.bat" "
        372⤵
        
        PID:644
        
        C:\windows\SysWOW64\YQYBVG.exe
        
        C:\windows\system32\YQYBVG.exe
        373⤵
        Drops file in Windows directory
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JIBMEOL.exe.bat" "
        374⤵
        
        PID:1268
        
        C:\windows\JIBMEOL.exe
        
        C:\windows\JIBMEOL.exe
        375⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EDGD.exe.bat" "
        376⤵
        
        PID:1696
        
        C:\windows\SysWOW64\EDGD.exe
        
        C:\windows\system32\EDGD.exe
        377⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZRKNYN.exe.bat" "
        378⤵
        
        PID:2292
        
        C:\windows\ZRKNYN.exe
        
        C:\windows\ZRKNYN.exe
        379⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KJFFYVW.exe.bat" "
        380⤵
        
        PID:4212
        
        C:\windows\system\KJFFYVW.exe
        
        C:\windows\system\KJFFYVW.exe
        381⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXKP.exe.bat" "
        382⤵
        
        PID:4528
        
        C:\windows\EXKP.exe
        
        C:\windows\EXKP.exe
        383⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPTI.exe.bat" "
        384⤵
        
        PID:1200
        
        C:\windows\system\MPTI.exe
        
        C:\windows\system\MPTI.exe
        385⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIWBX.exe.bat" "
        386⤵
        
        PID:1140
        
        C:\windows\SysWOW64\XIWBX.exe
        
        C:\windows\system32\XIWBX.exe
        387⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DLSH.exe.bat" "
        388⤵
        
        PID:3472
        
        C:\windows\system\DLSH.exe
        
        C:\windows\system\DLSH.exe
        389⤵
        Checks computer location settings
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JLZVTAS.exe.bat" "
        390⤵
        
        PID:4660
        
        C:\windows\JLZVTAS.exe
        
        C:\windows\JLZVTAS.exe
        391⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FQF.exe.bat" "
        392⤵
        
        PID:644
        
        C:\windows\FQF.exe
        
        C:\windows\FQF.exe
        393⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORHXD.exe.bat" "
        394⤵
        
        PID:744
        
        C:\windows\system\ORHXD.exe
        
        C:\windows\system\ORHXD.exe
        395⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EMEK.exe.bat" "
        396⤵
        
        PID:1676
        
        C:\windows\EMEK.exe
        
        C:\windows\EMEK.exe
        397⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SRKHU.exe.bat" "
        398⤵
        
        PID:2292
        
        C:\windows\SysWOW64\SRKHU.exe
        
        C:\windows\system32\SRKHU.exe
        399⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JAMMYXB.exe.bat" "
        400⤵
        
        PID:4212
        
        C:\windows\JAMMYXB.exe
        
        C:\windows\JAMMYXB.exe
        401⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NITM.exe.bat" "
        402⤵
        
        PID:1144
        
        C:\windows\system\NITM.exe
        
        C:\windows\system\NITM.exe
        403⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZAOFS.exe.bat" "
        404⤵
        
        PID:1516
        
        C:\windows\SysWOW64\ZAOFS.exe
        
        C:\windows\system32\ZAOFS.exe
        405⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLSD.exe.bat" "
        406⤵
        
        PID:2532
        
        C:\windows\SysWOW64\MLSD.exe
        
        C:\windows\system32\MLSD.exe
        407⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBRO.exe.bat" "
        408⤵
        
        PID:3472
        
        C:\windows\SysWOW64\CBRO.exe
        
        C:\windows\system32\CBRO.exe
        409⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XOV.exe.bat" "
        410⤵
        
        PID:3212
        
        C:\windows\SysWOW64\XOV.exe
        
        C:\windows\system32\XOV.exe
        411⤵
        Drops file in Windows directory
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOD.exe.bat" "
        412⤵
        
        PID:4012
        
        C:\windows\system\DOD.exe
        
        C:\windows\system\DOD.exe
        413⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MXFQGZ.exe.bat" "
        414⤵
        
        PID:4456
        
        C:\windows\MXFQGZ.exe
        
        C:\windows\MXFQGZ.exe
        415⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZAJXL.exe.bat" "
        416⤵
        
        PID:64
        
        C:\windows\SysWOW64\ZAJXL.exe
        
        C:\windows\system32\ZAJXL.exe
        417⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PVS.exe.bat" "
        418⤵
        
        PID:4992
        
        C:\windows\SysWOW64\PVS.exe
        
        C:\windows\system32\PVS.exe
        419⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 976
        418⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 988
        416⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 964
        414⤵
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1304
        412⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 960
        410⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1328
        408⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1008
        406⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 992
        404⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1328
        402⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 960
        400⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1296
        398⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1324
        396⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1304
        394⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 960
        392⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1324
        390⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1304
        388⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1316
        386⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1332
        384⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1324
        382⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1300
        380⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1324
        378⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1264
        376⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1324
        374⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1328
        372⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1272
        370⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1336
        368⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 960
        366⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1328
        364⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1264
        362⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1300
        360⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 960
        358⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 960
        356⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1324
        354⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 960
        352⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1296
        350⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1256
        348⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1324
        346⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 960
        344⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1008
        342⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 964
        340⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1300
        338⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1328
        336⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1328
        334⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1336
        332⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 960
        330⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1268
        328⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1336
        326⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1336
        324⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960
        322⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1296
        320⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 960
        318⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1264
        316⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1296
        314⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1336
        312⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1300
        310⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1324
        308⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1316
        306⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1336
        304⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1336
        302⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 960
        300⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 960
        298⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1292
        296⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1296
        294⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1264
        292⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 960
        290⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1324
        288⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 960
        286⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1292
        284⤵
        
        PID:680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1324
        282⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1328
        280⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 960
        278⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1296
        276⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1324
        274⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1332
        272⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 960
        270⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 960
        268⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1336
        266⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1324
        264⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 976
        262⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1292
        260⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 960
        258⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 952
        256⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1328
        254⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1336
        252⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1328
        250⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1328
        248⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1304
        246⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 960
        244⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1328
        242⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1004
        240⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1336
        238⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1336
        236⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1324
        234⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 1272
        232⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 960
        230⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1324
        228⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1328
        226⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1272
        224⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 964
        222⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1316
        220⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1328
        218⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1292
        216⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1324
        214⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1328
        212⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 988
        210⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 960
        208⤵
        
        PID:348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1328
        206⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1328
        204⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1328
        202⤵
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1292
        200⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1328
        198⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 960
        196⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1328
        194⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1296
        192⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 960
        190⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 960
        188⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1336
        186⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1296
        184⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 960
        182⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1244
        180⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1324
        178⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 992
        176⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1328
        174⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1324
        172⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1328
        170⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 960
        168⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 960
        166⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1324
        164⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1328
        162⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 960
        160⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 960
        158⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 960
        156⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 960
        154⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 992
        152⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 960
        150⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1316
        148⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1328
        146⤵
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1304
        144⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1292
        142⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1320
        140⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1292
        138⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 960
        136⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1336
        134⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1304
        132⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1304
        130⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 960
        128⤵
        Program crash
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1324
        126⤵
        Program crash
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1320
        124⤵
        Program crash
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1296
        122⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 976
        120⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1312
        118⤵
        Program crash
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1308
        116⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1324
        114⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 960
        112⤵
        Program crash
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1292
        110⤵
        Program crash
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1260
        108⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1336
        106⤵
        Program crash
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1292
        104⤵
        Program crash
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1328
        102⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1264
        100⤵
        Program crash
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1336
        98⤵
        Program crash
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1324
        96⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1256
        94⤵
        Program crash
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1256
        92⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 988
        90⤵
        Program crash
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1324
        88⤵
        Program crash
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1260
        86⤵
        Program crash
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1336
        84⤵
        Program crash
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 960
        82⤵
        Program crash
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1328
        80⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1316
        78⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1328
        76⤵
        Program crash
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1236
        74⤵
        Program crash
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 960
        72⤵
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 960
        70⤵
        Program crash
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1336
        68⤵
        Program crash
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1328
        66⤵
        Program crash
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1336
        64⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1316
        62⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 960
        60⤵
        Program crash
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 960
        58⤵
        Program crash
        
        PID:1260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 960
        56⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1304
        54⤵
        Program crash
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1336
        52⤵
        Program crash
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 976
        50⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 976
        48⤵
        Program crash
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1336
        46⤵
        Program crash
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1324
        44⤵
        Program crash
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1260
        42⤵
        Program crash
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1336
        40⤵
        Program crash
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1316
        38⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 976
        36⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1248
        34⤵
        Program crash
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1324
        32⤵
        Program crash
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1308
        30⤵
        Program crash
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1336
        28⤵
        Program crash
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 960
        26⤵
        Program crash
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1340
        24⤵
        Program crash
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1008
        22⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1336
        20⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1324
        18⤵
        Program crash
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 960
        16⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 960
        14⤵
        Program crash
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1324
        12⤵
        Program crash
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1336
        10⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1328
        8⤵
        Program crash
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1328
        6⤵
        Program crash
        
        PID:2860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 960
      4⤵
      Program crash
      PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1240
  2⤵
  - Program crash
  PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3792 -ip 3792
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2948 -ip 2948
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5032 -ip 5032
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3972 -ip 3972
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1580 -ip 1580
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4548 -ip 4548
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4032 -ip 4032
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2612 -ip 2612
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 4280
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 840 -ip 840
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5052 -ip 5052
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3512 -ip 3512
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2516 -ip 2516
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1900 -ip 1900
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4996 -ip 4996
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3772 -ip 3772
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3360 -ip 3360
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 528 -ip 528
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5000 -ip 5000
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1304 -ip 1304
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 972 -ip 972
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3252 -ip 3252
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4340 -ip 4340
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4932 -ip 4932
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4884 -ip 4884
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1360 -ip 1360
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4048 -ip 4048
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1636 -ip 1636
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2352 -ip 2352
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2868 -ip 2868
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5056 -ip 5056
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2032 -ip 2032
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5072 -ip 5072
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4996 -ip 4996
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 912 -ip 912
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4076 -ip 4076
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3876 -ip 3876
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4472 -ip 4472
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1312 -ip 1312
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1168 -ip 1168
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2284 -ip 2284
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1072 -ip 1072
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4704 -ip 4704
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 376 -ip 376
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4988 -ip 4988
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3128 -ip 3128
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3844 -ip 3844
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1524 -ip 1524
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4544 -ip 4544
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2440 -ip 2440
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4352 -ip 4352
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3416 -ip 3416
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4600 -ip 4600
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1884 -ip 1884
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1148 -ip 1148
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4848 -ip 4848
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2568 -ip 2568
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1968 -ip 1968
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2248 -ip 2248
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3052 -ip 3052
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2816 -ip 2816
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 624 -ip 624
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4644 -ip 4644
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 456 -ip 456
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5000 -ip 5000
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2608 -ip 2608
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3232 -ip 3232
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1968 -ip 1968
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4712 -ip 4712
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4528 -ip 4528
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 3940
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4048 -ip 4048
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2948 -ip 2948
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1532 -ip 1532
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2120 -ip 2120
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2608 -ip 2608
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4524 -ip 4524
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2036 -ip 2036
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2224 -ip 2224
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1704 -ip 1704
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1736 -ip 1736
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4060 -ip 4060
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2152 -ip 2152
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5096 -ip 5096
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3440 -ip 3440
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4976 -ip 4976
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4544 -ip 4544
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2252 -ip 2252
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3384 -ip 3384
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3816 -ip 3816
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3372 -ip 3372
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 556 -ip 556
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4616 -ip 4616
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1052 -ip 1052
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4188 -ip 4188
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3896 -ip 3896
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1424 -ip 1424
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2420 -ip 2420
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2748 -ip 2748
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4908 -ip 4908
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3812 -ip 3812
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4052 -ip 4052
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1228 -ip 1228
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3644 -ip 3644
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4184 -ip 4184
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1504 -ip 1504
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1676 -ip 1676
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1888 -ip 1888
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4844 -ip 4844
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8 -ip 8
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2364 -ip 2364
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1920 -ip 1920
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4660 -ip 4660
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3208 -ip 3208
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3060 -ip 3060
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2152 -ip 2152
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4188 -ip 4188
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4340 -ip 4340
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4760 -ip 4760
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3100 -ip 3100
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 844 -ip 844
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3136 -ip 3136
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1920 -ip 1920
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4660 -ip 4660
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4100 -ip 4100
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3920 -ip 3920
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3916 -ip 3916
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4300 -ip 4300
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4524 -ip 4524
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3412 -ip 3412
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1304 -ip 1304
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 2104
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4332 -ip 4332
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1228 -ip 1228
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4484 -ip 4484
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4548 -ip 4548
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 1504
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4188 -ip 4188
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4636 -ip 4636
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2532 -ip 2532
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2916 -ip 2916
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3792 -ip 3792
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5000 -ip 5000
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 516 -ip 516
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1184 -ip 1184
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3280 -ip 3280
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4100 -ip 4100
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3884 -ip 3884
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3716 -ip 3716
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1144 -ip 1144
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2684 -ip 2684
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3580 -ip 3580
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2116 -ip 2116
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3460 -ip 3460
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3880 -ip 3880
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3572 -ip 3572
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2948 -ip 2948
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3280 -ip 3280
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3628 -ip 3628
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1324 -ip 1324
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3068 -ip 3068
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2600 -ip 2600
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3100 -ip 3100
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 556 -ip 556
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 640 -ip 640
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3540 -ip 3540
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2616 -ip 2616
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1708 -ip 1708
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4932 -ip 4932
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 916 -ip 916
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3476 -ip 3476
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2532 -ip 2532
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3480 -ip 3480
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3792 -ip 3792
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1532 -ip 1532
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1052 -ip 1052
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4992 -ip 4992
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1424 -ip 1424
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 348 -ip 348
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3056 -ip 3056
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3500 -ip 3500
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4284 -ip 4284
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1132 -ip 1132
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4900 -ip 4900
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2460 -ip 2460
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2212 -ip 2212
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3540 -ip 3540
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2948 -ip 2948
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4568 -ip 4568
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4620 -ip 4620
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2744 -ip 2744
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1744 -ip 1744
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3812 -ip 3812
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1132 -ip 1132
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5056 -ip 5056
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4008 -ip 4008
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4348 -ip 4348
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EPS.exe

Filesize
208KB

MD5
c19f3f30968cdaac22adcb51f756db41

SHA1
94c1d869ae63432e87a3a846578c5e0b1d719e05

SHA256
cc8fcbea91113c4a11005f4a87fe1f99d670a6883e1b93fa03f4606aec063e9b

SHA512
c63d05ffda73a429f368fe3d0f775b9e996a672cf56a78a5516b7c4991e80b1e7b74245131ed951408656349ff10f0752301e7c687fb3cbb8c4eaa09d51836e4

Download Submit
C:\Windows\QJKLS.exe

Filesize
208KB

MD5
d0b1efbfd9e83f4344598608cd09144f

SHA1
bf25ff76204c9919475d29db44b35cd0f854e738

SHA256
ec45603a31fbe4ec1fa3af26a4c11f54ca176c45b39c0afd5d96df55de2a823d

SHA512
a35d9c34f46858984ad03744ff5e21de27c6f83b1f80f44ed191b1c6b16b3e62c2012d626e8b6772fbdde34318f2ad313621f98f4853734891de62432562623c

Download Submit
C:\Windows\SysWOW64\BVIEW.exe

Filesize
208KB

MD5
42850fd14f23aa7c55820fb19ede80e9

SHA1
9bf5f1659132f3358db9e9662b947b754af3401c

SHA256
ca5a51ea40bf03674033f9d63de86e9d9453027f1c21a9fb4d58993988edaba3

SHA512
9b4455b8203eb3e059acde98f6e834858b81f2c68a9de08350a5e8335edd6e65b158d97826cdfa25a474cc177187c7eb145e855a2720c5f34fcd2985bba14416

Download Submit
C:\Windows\SysWOW64\FGEAZ.exe

Filesize
208KB

MD5
068271de7ceeee27c795a20dc4f2cee0

SHA1
37e9734ddcce251a2cb3672859a33978804ffb8c

SHA256
79d5845162d8a51abc3b73d890853de968968c1994935e8fbbae7409800bb8f9

SHA512
5e5a77692383bb6a7e625635f9facd9b1fc6c88e816c5d406f593cbc0a1f846a830c7e6290bc3136e8f52a1f94ffec1ab147fb458ec0b94582a594be42ad3617

Download Submit
C:\Windows\SysWOW64\NCKMOHW.exe

Filesize
208KB

MD5
4bef982ad3a50d32dae05b23cf739c82

SHA1
e1662ccfd301f2902d3b0a652056f40aa0585769

SHA256
16e522233c9976e9b36bafc5dc646bb38fbe7e2bd350d01681dbff4a62052425

SHA512
1805f9ad9f5a78e0e2f69ed872878150de02a1c8fe135119e2b1e66719b2f6c2a0f1140f83637cb8fbec3b5361ae0b7225ff63698c1a802b82066f709ac464b6

Download Submit
C:\Windows\SysWOW64\XZPZ.exe

Filesize
208KB

MD5
7b82357f618d1e5d819cffb487f5f529

SHA1
10c6d73609c752a740a3fcf387f50b58ac41e85a

SHA256
85674a6d58b8ebf8a2826a75426dc174d0114298b915e831747dee8d982fcc12

SHA512
a5188a32371e3f64bdabfaa76d9ae85550951b39ef41d8c40ab17526c49c9d48fde914f622634c94e20dd52398567f7ddd6324fcfd557a196008d00169d5450e

Download Submit
C:\Windows\System\CJPTGA.exe

Filesize
208KB

MD5
e6269f97e70a428ef3bd69cf237244df

SHA1
e6ad08315c5ca25187cd2a0eb4412070137a044a

SHA256
88351d9c4c1af2a740c106b7dba8b2eeee7441c260100485e74bb8cc50640929

SHA512
064f0ba73ef9d52765e425b8ca53171aaa3dd9af3b7f87aec217b3a1afadc0943f620e9a6a1d9961b753ceb1b453f1d57c6b2ae959bd88594832dbcf5e36c3eb

Download Submit
C:\Windows\System\FETQDNA.exe

Filesize
208KB

MD5
eb45aa862508d3c14b187798d866f1a2

SHA1
ad9b4b1d0c7e13f5fa2dca20c552fc1f33e415b3

SHA256
40606bad27dd6b4838b02e22544d9b4ea1cc4cdd48b043acb76fdb855a354537

SHA512
155507e77dc58e7ea1b08d1d94df536da9a734d3d7d8d3df68a91e30397ca1da566631a1d92a3759d7dea231ffb1cc78f5478126e08469a5fd0568f9b46296c7

Download Submit
C:\Windows\System\KIADZ.exe

Filesize
208KB

MD5
61db1caf96f5f2419617ffbc171781c1

SHA1
cdcbf57755f81f42719becbca686b5781b9f76ad

SHA256
eb002db8d2b4b434534e0d7afe23ea221112d70f00e90bec71fa174ffb12f674

SHA512
6d67134c8218526b089add72e682e086ab516fc296dd9c3e90db16f13faa0c2f27fa6dad77a99a12f8336b4c9e565cf95ce8f25016922a948b23727ed85875cd

Download Submit
C:\Windows\System\SOZCW.exe

Filesize
208KB

MD5
70b0f9fac9447d325f81f67c76f325a7

SHA1
be3a573d2988f497bc472e167002ce8ffb76a0f2

SHA256
9f7e259b18b1a1137fde2b0bf0b2fa642ec410c4ad6e1a6bfb0814374f60d2bc

SHA512
2617443239cd9fc0d01dd1cb52ee1a539d7fcdc55554bdb36569e6a80be9ce22deb9d5ab8233a2dd201727d57f48af3a2628e37a568938f5fbaa430696a12340

Download Submit
C:\Windows\System\VADVIV.exe

Filesize
208KB

MD5
037df18804ae4f356b0f954ec97e7a9b

SHA1
a39c73d4c444c46936f344cd4aa5c19d6d7ad710

SHA256
4b3dc1a9bbe1fde76c49d3a3e0d3b89fa84ba5aa36b37aa5e088dec44c4929cc

SHA512
6596c104aa08b1d16576566e84e0a262ac1224aee0bb9842e4efbb5be4c79700a0be0385b0766d0cfbd1fd069e3b7f479504b0872e634a303effa14cd16b755d

Download Submit
C:\Windows\System\VBO.exe

Filesize
208KB

MD5
b1688f3ad8bace7b469b0367a99375fa

SHA1
34da48c6771496398d6c6102d61158f93f8c19f7

SHA256
03d17dd42494c3a5d4cd4e0327667cc4458daa4b00c9ac5c68f1e61c89f30a0b

SHA512
6e0943fc2920fe5aea5fa347a3b09f92a99b0935e81985a9ad41ccffc64f087da00221be30fd67ccc3ee5e7a931ffdbcce094436ed379ac9762040710e01ed32

Download Submit
C:\Windows\System\VBO.exe

Filesize
208KB

MD5
52d10f4c83f060da624e2e99ec312096

SHA1
48cf60db9d2d8f2a0929fe5caa30e29d75844a7a

SHA256
dcf677e7f3fcdbf3d4562bb8e7e9372809f86a80a6e4c435776bec9c175429b8

SHA512
3d470a15e5af6a063906129672900ce17ccf159976a9ab6d2f21cb61d8cd32c85c990c75cc5774080544b411c4a3059ebb23b3364bd06f1702f3d3e7a869e357

Download Submit
C:\windows\EPS.exe.bat

Filesize
52B

MD5
6952507ddb245c01e7d833db89cfe30a

SHA1
c1f613b5b30ca8f5cf795bbdc05068cbfcde76b2

SHA256
9e2f29ac98e1448fc21ce9451ddebed06b1b31d3e3a52b4638a83a5db4eb543e

SHA512
abfb1e111a6980593ca7a44b3b750b8b51333eb3a46d458cdbf8cf2909b46a19d009e4f5fa71a2d14fc688b8b1e93776962a66b721397815b8c9cbdf41226ff0

Download Submit
C:\windows\KBNOC.exe.bat

Filesize
56B

MD5
514d0acb50072dbde19f09f8c19ac3ae

SHA1
7f1a9e36647211c020654132359fcab69989d3e5

SHA256
81086813df73ed1b9352e980b31b1a8d07d2a41970c897d3f0f234cbfb074a4d

SHA512
000f5b896430a40518c218094088d2ff664c525024d49ca2c3af1aa896c273e71c04787c6a1446eeed3cce4ca67e0f1271542d736b509be543a8ddd2ebe0c89b

Download Submit
C:\windows\PYYFTCI.exe.bat

Filesize
60B

MD5
c55021dace4029d9de9c0f12ab1ec334

SHA1
f9086439637fd454cb0b2d40f050f44b042e7704

SHA256
7cfc68b3bfcfdd36a728aa975c8a24e0b5ec13a9895d4f8cfc74844af3d65d62

SHA512
e99e67bff3fbc70928faca33d760884a6cc6bbd22f3e0aee9cca3d40577a800d41b509fd68b967f758a66c2ec20ff93b58c48934825e42d0fe62b1423d98af71

Download Submit
C:\windows\QJKLS.exe.bat

Filesize
56B

MD5
e8d9138ea3c84646dafb85636ee049dd

SHA1
17815b3746f229f6e5002b5268c3b99607b0222a

SHA256
2eeb29e5ff5b83081fca2449052baaaeddb76452c8ae8c5098dfca0241405ec1

SHA512
67177cbcfd1f59c452ec17d0fd040c871a571a71cb8f426510482f1bc36d0deb51e35bf3e6b3a14629559f4dc212a0fd8cb1fd134f891f97a7abb4ad8be889fb

Download Submit
C:\windows\RKYMS.exe

Filesize
208KB

MD5
6f77a93989943ef80305c1f6cc4c47eb

SHA1
e37ae2456a236d57af12b57f93df1bbf9e6b4cd1

SHA256
2710b5a75e102d2e158532509ffd919b8d4a9721a9392fcc4ac9bfa906d0aed7

SHA512
7d2875612aa6467fb567b0987aab55d02c4ce6eceb57912dd8d39dfaec8a4b4897cd800f3c880c63bef8d4a3243030d416b724d3b03b1525ea72640fdf5bbf69

Download Submit
C:\windows\RKYMS.exe.bat

Filesize
56B

MD5
6f3281a55a6de46f79836b86f2ff2940

SHA1
f79508e240d406734efee4ec2dea1ad3eb5869ea

SHA256
4806fa63398568d94dd2109dbf27f650ebdb6e75c07f2b231fcba9ca1869b6de

SHA512
7208cd48c20029579b362b4cd84a72a1cf84f5de82d5d07007f7b8b82740c11fff9d2b326fe735b019668a2e307ce197056a4f81126cc570fcb7022de9bd4c5e

Download Submit
C:\windows\SysWOW64\BVIEW.exe.bat

Filesize
74B

MD5
72a8fa12fe2b74194c3d146c9fe2153d

SHA1
042acd4ff9f0e0eab3e6717efc3ceb2842a6587c

SHA256
9314e2ff5dc8ff00e100ed0de7f5c4b6a7765c46d32ea98b01a5a88c38af2a35

SHA512
118db61e07ea548d6d13cb52f691b2c4f3b121f25c64c6da9f8576904f316380c405d086a875e9261336086254fb4963e9c82a12cdb8b65a956689494b09dcae

Download Submit
C:\windows\SysWOW64\CZXN.exe.bat

Filesize
72B

MD5
b622e0b476f5d6f56e340ef7409fe75b

SHA1
da9b66ecca4f0cca3aef6f00dafb7da7a7f0daee

SHA256
2f2447135579704c970910a4e31a08d72763c0dcbc8be59c909b778d858891db

SHA512
805c3784e207386064af2fe6127096f1cc10c4452caaefe4b898cfed0ec4e53b698e5622ba1d79d00942090b10448b64021e7522dfbe48a66c37f1e8d9c8e3bd

Download Submit
C:\windows\SysWOW64\FGEAZ.exe.bat

Filesize
74B

MD5
04aaa36bc56a4ecbd4cd6d3a997311ce

SHA1
42709605d2ec963d50fbaccd6b92d07ce51ed094

SHA256
72d06e308459d01232f601c041b5bbd89e5a20eeee1910636d3f0fe4aaf77a8f

SHA512
9205bf8acf729e397938b15154c2f0e28915e38a295401aee0a509b174e52e5dcbac3ebd7865cc7b943dda3200488215ac7ee40f945dfc78d8a19b7322e43daa

Download Submit
C:\windows\SysWOW64\NCKMOHW.exe.bat

Filesize
78B

MD5
3a98d28424e90c57a8b7829aeaa64e4b

SHA1
e2497065bc23d0419f18e11464e460350caf081e

SHA256
f7134cb2726cdb74d6156034eac4e32adb73c9a636eb98d075fc18aa0378fc89

SHA512
6b005f240eb425eb53beb61c93d05ca2f5bad06940b70a0422f84a8a7a78331e4269d79b51486778f464b882d43279fea69266e15859ea503f1ea1a028b53cc6

Download Submit
C:\windows\SysWOW64\QDKX.exe.bat

Filesize
72B

MD5
3d0cdd669d849391dd12a5a026cc8461

SHA1
ae189371e29b9329dbcea8a379641fea9ae0315e

SHA256
3fa36d733dbe7806d7853ee086827181681c356e83923a77f0e650b44bc4fbd9

SHA512
387df48cc3aa0442df2a8f72ed9323b39636b772bfa89ac390c8b3943c94ddde47bbb3ccf5e8b9f3ae248418166ce3e3ed92631439cad5d56308e1c830354a4f

Download Submit
C:\windows\SysWOW64\TAAQM.exe

Filesize
208KB

MD5
57b687bd39d410296dc9ba4e9576fa91

SHA1
ed7595c1e37b877003bf29f8a800b3da89c741b9

SHA256
975e15256149fd07b673e079f3f0cd01fd03a016ae1e58fb89b348ee14cf88f3

SHA512
d09d95f644a987edf6d39f9380cf8bee03e8ab38f86da7c0763474ad3f70b2d5144d040d51ab2a3e148855f36c057c32244074e98764f13f5234779fe5f2e2ba

Download Submit
C:\windows\SysWOW64\TAAQM.exe.bat

Filesize
74B

MD5
c88eaf69d6ad53c831198d5cc92fffed

SHA1
b451889acbac267d90dbf25f0cb998ee39be58b9

SHA256
ab46b41851a78384bdd8c02a20b31fbd49b6dfcef5c73bc7218ec24068967f7e

SHA512
9e51d084167389d2c61a7f99fc576b7188603708dc907fe2eb010c5d6780914559adae1dcdb79cefbe22e9fb279da46ea05e3702a9705bff86b5a6f22bef64f1

Download Submit
C:\windows\SysWOW64\XZPZ.exe.bat

Filesize
72B

MD5
77d6e568ad799eeb1a20cff94d0437dc

SHA1
bf717a6643013627e73a4de52444ef48e34cb513

SHA256
9bf638528077afd4289b2024000e32ef1a7c22c1a5be90b420233e602f18e0be

SHA512
1e7a8ee6355bb177857d70e2e469190d85644d7e491b13a036a3522ba9e9539f81f57f75790779728b5c3afeae9bc5b46382d2ec31c966d6cc9f27441c7cdfb0

Download Submit
C:\windows\SysWOW64\ZIKV.exe

Filesize
208KB

MD5
0e91e2379d9a0a9d0dca8a908d0341ae

SHA1
920bbc57a85b4d75a36ec4eea0a4aaac8b54050d

SHA256
ce0d96141a919c6d1f97276b6af3cfb3b6142ef05e62b6fa71631567aca34eae

SHA512
1b642aade56f5a6d62609148b370022b82ef3e88c1d46b24053e7f471e53d05334c565e58ab915fdfbecf21e2e60548d1546eb27f37bd24cf5afb1a3fdde35d5

Download Submit
C:\windows\SysWOW64\ZIKV.exe.bat

Filesize
72B

MD5
82a7fc582856d855df3fb6c91f1f460d

SHA1
6d6c71a35ca77edf62819ea10c1391692d17b10a

SHA256
d4d56193e8bd506d530ea6ba05528a1db9dc613c985925fe7e39ce0dd6f62ed7

SHA512
971923a08b8a9afb8790eecb19893685164ca540533d7b77d658543b2f358c7b4de6ffa08e1e13f36849cbde13fe25f1d9d02493e5d8b4fff83bfc1064a2a8c2

Download Submit
C:\windows\system\CJPTGA.exe.bat

Filesize
72B

MD5
291f3a5e73dc896d8d3dc5e01f1fb710

SHA1
b4efa65fa4eb8da76104ca89e026bacc02b01767

SHA256
51745a23a5c849e3b26293e1e03bdb72063ae7498c94bfc09cac2aff622cad75

SHA512
bbdf78ed77ede188f8e2a2aed8e309cebca7a1e8f843312724f90ae28be7d266e346243d3cfd5a0435001d3f4aa2f328e3e829e629f6c28a2e1f9725a206fe76

Download Submit
C:\windows\system\FETQDNA.exe.bat

Filesize
74B

MD5
a52c270b7605740372723138dcf1a2b2

SHA1
a08848757972ea70e4f78c445057b4f7250dec31

SHA256
347f7718abfa0912088918c64934477ea6f2312d0b2bff6ff83ecec06fc14079

SHA512
09bc239495d08a41dda51fe0fd199c2b2c7f17e6548122a69564983706953edf1ddce7407ff6d69c55b02b6f27c627770679931875d9c15adeb0716c918fcaaa

Download Submit
C:\windows\system\KIADZ.exe.bat

Filesize
70B

MD5
26e1c32de4b811c69e23d5b9579ba7c1

SHA1
a733826794d68de3ddea99bf44f9af397ff86a72

SHA256
89957cd6ef67bab66609bdb56ff3be76843abb4abfe79f89e84e8976684dc883

SHA512
030e09fe45ac765b33c33be2716f0213533488f2f02cc08a1247ddf05a67798e301ce92f77f7c59e4b1bd220ebe68898e2d2e0629daff69f31db0cb2834a9748

Download Submit
C:\windows\system\SOZCW.exe.bat

Filesize
70B

MD5
b32999e0e58f984baf86c6bd51f57428

SHA1
93b1537e692e05a809f8824aae204dc81428d530

SHA256
b20ddbb38cc30817afd58bb0f7dd8698f4cb39aab75638d1ac34c46ccb29dc88

SHA512
0645b8d24a32dcb525dd636786cbe7c26e97d740a02d5d1af4453dbf7fe1fa48b175639bda240694e7eefecdd47f58541c16a506823958479ed993d071ce9511

Download Submit
C:\windows\system\VADVIV.exe.bat

Filesize
72B

MD5
2ad1c414a7f57aac25a6890bcaf4f842

SHA1
810128c6616611cea93bda4170a91562b574cb08

SHA256
03caf01b2c5c4b0adb6ca083a76cf2633b414aee1c49eef1202308da89eb0a55

SHA512
22f50c11337e7cf1800d7f582ef1d3bc49d0df05dbcc4249dc5286e38b70beaf0233b843b9b33f022a9ac3d4ea84e5ce7929cd4c1ecfa9a3ba4b698ffc9ad884

Download Submit
C:\windows\system\VBO.exe.bat

Filesize
66B

MD5
e60e00fcd5a7236e7f310b1a4e23406d

SHA1
f8597f18e84c87fdb4de827876bf1b487059daa7

SHA256
bf7036aed44396b1c212d6d61b6006cfabad7c9e2537ab885e5b71860d1d2a22

SHA512
e7f904b23027af3f758d5285b57c6e4502b0e75df19ace4d71c73961d4acbd8c2a38a2cfa43012f87f1606c835c0c1f4c9d1cc667d473c341910b8dd6fa09df9

Download Submit
C:\windows\system\WVUT.exe.bat

Filesize
68B

MD5
2297125ba243c1bdd1652019c1ccf942

SHA1
562ccaa6ca8a02fb748fafc7124730ffe743b8a1

SHA256
47a80c15c59fade3754e4ee606abb20583ee978d8f9a12194368e27ddb5d2384

SHA512
fe15701db372717197cbc52f650cbad7a2399e2b391f2789bee41f21027b4c6d6d0b87dd1df38eb545187567b58f639c1a92f6ca67f68535ec39407cb0207d75

Download Submit
C:\windows\system\XNUEKV.exe

Filesize
208KB

MD5
b856294bdc02339f3d3605de82af9aa1

SHA1
ca73c01bd1a34638ecbeeda7fa2806911fc9155e

SHA256
0f86086d0261a295fbfa262fb51a000215efebf9c45a9b809fca30c3b087c55f

SHA512
2e132734ab2ac7c7fc9b8298d9bd62e1453aa7ea865362fdaa1aaf36b75d11240eabaf107e4c8ad46ef67e4cb01a3a2c32a0a346c9bcfb233f0f8f1fdade1d78

Download Submit
C:\windows\system\XNUEKV.exe.bat

Filesize
72B

MD5
421a830c68b4c2015fd7aec29e26a6ad

SHA1
75dde69429137a0c8c002b65c990fb8c2fa130f4

SHA256
e3b7165acda2094c747c558de57ebef3f18e5a44fabbf13b2c8940f70f75b560

SHA512
deefc547527c68f3e21f9b0cae6e3d6c72a5a536ed6b276456abb8e3cdfbc3d3ac3919432e4c0817d68e007279e92a7afa34096883c52f97ae6866afca9a5f8c

Download Submit
C:\windows\system\ZKXX.exe.bat

Filesize
68B

MD5
77259c15adfd544578469f43a3b0fffa

SHA1
4aa52b550dd896dcdd22821a84607513a9a7fc8f

SHA256
f34649fb1e0ddfc34cc09cfc961c7bed7f109dc63845db5b26e6949456223ae7

SHA512
acbe68e5cfee1aa80c9964f735d0cb32ead9dcd8f233b4c015991e7cabef81e34c9c5d7a9af2e866bed7af0bc4044fbb56648794d837cdfc3b5507967559d147

Download Submit
memory/376-496-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/376-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/528-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/528-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/840-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/840-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/912-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/912-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/912-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/972-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/972-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-478-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1304-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1304-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1312-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1312-451-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1360-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1900-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-469-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2612-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2612-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2868-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2868-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2948-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3252-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3252-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3512-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3512-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3772-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3772-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3792-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3792-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3876-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3876-433-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4032-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4032-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4048-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4048-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4076-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4076-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4280-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4280-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4340-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4340-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4548-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4548-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-487-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4996-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4996-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4996-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4996-397-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5000-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5000-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5052-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5052-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5056-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5056-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-398-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download