d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183

Analysis

max time kernel
149s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
Size

448KB
MD5

db2c95b84c57c44a8a8592c1f6cdcc38
SHA1

8f9216cf99f6393ceca693e5d69fd88d54e9cb41
SHA256

d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183
SHA512

7d1b03044e9661686953f869376b1c54a68a6476a911a865107a626cd7a2db1044ee0404138a8ffed614469c472c1bff0a0dfc09d1c58ef79704f8f3929d4f38
SSDEEP

6144:yDdxaOjFS7pQAnluY4Mzw5ykEjiPISUOgW9X+hOGzC/NM:UKq+SAlu0k5ykmZzcukG2/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RKZLPZC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	FRJUXU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	PIIHDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	KDMPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	CHTBT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WBZP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HDTQQQU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HYWMVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YXJXHZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BHEFEH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	QGBMOKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	OGEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	JNCQGQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YSYG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	EAOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XRTTC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YUGU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	FOC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	MBDLGID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ZIH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XWNRN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	GFVFH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SBOUEBP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YPQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	IBPGDEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	LBCKAK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RKOOZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UXPYQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	AEODZUO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XFQHVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	CQOUFLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YVAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UKJYUZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	NNI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DJIFNPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	EEN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UZCO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DNMID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UXTWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	NVBWQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SZB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	FCR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	QBJX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RGWAWD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	QQI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	CNSFIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VXEPG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	QIHVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XCVN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	OMDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	TKIVBLS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	JOXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RJSBXV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RFV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	JNASNA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HWT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	OYYOJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	RJF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	REVLYQI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ONQKTFV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XGATNJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DGNPQDE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	KCDVJ.exe

Executes dropped EXE 64 IoCs

pid	Process
4304	EEN.exe
3768	TZXRMU.exe
2572	RKOOZW.exe
4856	TIHI.exe
2620	ONUUIII.exe
2116	EIDYB.exe
3484	CTOO.exe
3312	BER.exe
432	OPHVYZ.exe
396	WCMJJ.exe
4476	AKTJV.exe
4704	OGEC.exe
228	MBDLGID.exe
3228	RGWAWD.exe
1956	OZXDA.exe
3664	OCO.exe
3968	CIOKYC.exe
2536	MFBX.exe
4756	SBNYU.exe
5020	LOY.exe
5040	HRH.exe
2712	UXPYQJ.exe
4476	JNCQGQT.exe
2880	ONQKTFV.exe
2324	ZGTDBM.exe
2040	HLYKE.exe
4152	BMNVV.exe
4288	LKTPC.exe
4940	CKHUP.exe
4020	AFHVUO.exe
1428	KDMPB.exe
3056	JOXF.exe
4052	YEKPS.exe
3244	PRVHHOP.exe
2012	OCYXQU.exe
512	NNBNZ.exe
2780	AXR.exe
2036	MLQK.exe
1536	QQI.exe
3460	UTGUI.exe
552	CHTBT.exe
1004	BXEW.exe
4568	ZIH.exe
4652	DYWUB.exe
3920	WBZP.exe
4064	VLCFPH.exe
396	KBDF.exe
4376	XEMVKNS.exe
548	WXWLKT.exe
2400	ZKONEFV.exe
4156	DNMID.exe
2952	HDTQQQU.exe
2856	HYWMVG.exe
4600	ZHLJIX.exe
3116	TUQ.exe
4588	UXTWX.exe
2128	LFIBKMR.exe
2264	NVBWQB.exe
3956	BGJUFL.exe
1636	KOLZIJW.exe
4204	WWAZ.exe
3784	YUGU.exe
2008	YXJXHZ.exe
4072	JQT.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\SBOUEBP.exe	EQYV.exe
File created	C:\windows\SysWOW64\CPQDOOH.exe	QBJX.exe
File opened for modification	C:\windows\SysWOW64\JXGJWKU.exe	JNYIIGG.exe
File created	C:\windows\SysWOW64\UTGUI.exe	QQI.exe
File created	C:\windows\SysWOW64\UZCO.exe	IJJ.exe
File created	C:\windows\SysWOW64\ZFYN.exe	RZMGZ.exe
File created	C:\windows\SysWOW64\OPHVYZ.exe	BER.exe
File opened for modification	C:\windows\SysWOW64\AKTJV.exe	WCMJJ.exe
File opened for modification	C:\windows\SysWOW64\VLCFPH.exe	WBZP.exe
File created	C:\windows\SysWOW64\UXTWX.exe	TUQ.exe
File created	C:\windows\SysWOW64\CNSFIZ.exe	TPFL.exe
File created	C:\windows\SysWOW64\CPQDOOH.exe.bat	QBJX.exe
File created	C:\windows\SysWOW64\UKJYUZR.exe	VSG.exe
File created	C:\windows\SysWOW64\OCYXQU.exe	PRVHHOP.exe
File created	C:\windows\SysWOW64\OCYXQU.exe.bat	PRVHHOP.exe
File opened for modification	C:\windows\SysWOW64\JPDFX.exe	UZCO.exe
File created	C:\windows\SysWOW64\NJZXNMC.exe	YSYG.exe
File opened for modification	C:\windows\SysWOW64\TIHI.exe	RKOOZW.exe
File opened for modification	C:\windows\SysWOW64\DNMID.exe	ZKONEFV.exe
File created	C:\windows\SysWOW64\UKJYUZR.exe.bat	VSG.exe
File opened for modification	C:\windows\SysWOW64\YSYG.exe	UKJYUZR.exe
File opened for modification	C:\windows\SysWOW64\HYWMVG.exe	HDTQQQU.exe
File opened for modification	C:\windows\SysWOW64\UZCO.exe	IJJ.exe
File created	C:\windows\SysWOW64\QGBMOKQ.exe.bat	IBPGDEU.exe
File created	C:\windows\SysWOW64\REEQFLJ.exe	UDC.exe
File created	C:\windows\SysWOW64\SBOUEBP.exe.bat	EQYV.exe
File created	C:\windows\SysWOW64\JPDFX.exe.bat	UZCO.exe
File created	C:\windows\SysWOW64\IBPGDEU.exe	GDWDXP.exe
File created	C:\windows\SysWOW64\FTVNF.exe.bat	XFQHVB.exe
File opened for modification	C:\windows\SysWOW64\OPHVYZ.exe	BER.exe
File opened for modification	C:\windows\SysWOW64\KBDF.exe	VLCFPH.exe
File created	C:\windows\SysWOW64\GFVFH.exe	FCR.exe
File created	C:\windows\SysWOW64\SBOUEBP.exe	EQYV.exe
File created	C:\windows\SysWOW64\TYJNH.exe	CQV.exe
File opened for modification	C:\windows\SysWOW64\YKWQJSN.exe	DZOR.exe
File opened for modification	C:\windows\SysWOW64\MYTJGT.exe	RDPZ.exe
File created	C:\windows\SysWOW64\QQI.exe.bat	MLQK.exe
File opened for modification	C:\windows\SysWOW64\UTGUI.exe	QQI.exe
File created	C:\windows\SysWOW64\KBDF.exe	VLCFPH.exe
File created	C:\windows\SysWOW64\OJNAPM.exe.bat	REVLYQI.exe
File opened for modification	C:\windows\SysWOW64\GDWDXP.exe	MIECLV.exe
File opened for modification	C:\windows\SysWOW64\MBDLGID.exe	OGEC.exe
File opened for modification	C:\windows\SysWOW64\MIECLV.exe	YKWQJSN.exe
File created	C:\windows\SysWOW64\GDWDXP.exe.bat	MIECLV.exe
File opened for modification	C:\windows\SysWOW64\WGN.exe	GQMGOKC.exe
File created	C:\windows\SysWOW64\THRZ.exe	AEODZUO.exe
File created	C:\windows\SysWOW64\TIHI.exe	RKOOZW.exe
File created	C:\windows\SysWOW64\OPHVYZ.exe.bat	BER.exe
File opened for modification	C:\windows\SysWOW64\PRVHHOP.exe	YEKPS.exe
File created	C:\windows\SysWOW64\KBDF.exe.bat	VLCFPH.exe
File created	C:\windows\SysWOW64\JQT.exe	YXJXHZ.exe
File opened for modification	C:\windows\SysWOW64\RGWAWD.exe	MBDLGID.exe
File created	C:\windows\SysWOW64\HYWMVG.exe	HDTQQQU.exe
File created	C:\windows\SysWOW64\FAJ.exe	CRAZLNW.exe
File opened for modification	C:\windows\SysWOW64\CNSFIZ.exe	TPFL.exe
File created	C:\windows\SysWOW64\IBPGDEU.exe.bat	GDWDXP.exe
File created	C:\windows\SysWOW64\FTVNF.exe	XFQHVB.exe
File created	C:\windows\SysWOW64\BMNVV.exe.bat	HLYKE.exe
File opened for modification	C:\windows\SysWOW64\QQI.exe	MLQK.exe
File opened for modification	C:\windows\SysWOW64\XEMVKNS.exe	KBDF.exe
File created	C:\windows\SysWOW64\SZB.exe	CJAMHW.exe
File opened for modification	C:\windows\SysWOW64\GFVFH.exe	FCR.exe
File created	C:\windows\SysWOW64\KOLZIJW.exe	BGJUFL.exe
File created	C:\windows\SysWOW64\MIECLV.exe.bat	YKWQJSN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\CRAZLNW.exe	HEVHB.exe
File opened for modification	C:\windows\SCALV.exe	LMZMOWI.exe
File created	C:\windows\system\HDTQQQU.exe.bat	DNMID.exe
File opened for modification	C:\windows\YUGU.exe	WWAZ.exe
File opened for modification	C:\windows\system\FCR.exe	SZB.exe
File created	C:\windows\EAOV.exe	NPPF.exe
File opened for modification	C:\windows\VSG.exe	XCVN.exe
File created	C:\windows\system\LMZMOWI.exe	SUJB.exe
File opened for modification	C:\windows\RZMGZ.exe	YHEVQ.exe
File created	C:\windows\AEODZUO.exe	FRJUXU.exe
File opened for modification	C:\windows\MFBX.exe	CIOKYC.exe
File created	C:\windows\system\YXJXHZ.exe.bat	YUGU.exe
File created	C:\windows\system\DDYG.exe.bat	JQT.exe
File created	C:\windows\QMRCNP.exe.bat	SBOUEBP.exe
File created	C:\windows\system\BHZ.exe	XRTTC.exe
File created	C:\windows\OMDB.exe.bat	NJZXNMC.exe
File created	C:\windows\RZMGZ.exe.bat	YHEVQ.exe
File created	C:\windows\system\TKIVBLS.exe	THRZ.exe
File opened for modification	C:\windows\system\ONUUIII.exe	TIHI.exe
File created	C:\windows\system\NNBNZ.exe.bat	OCYXQU.exe
File opened for modification	C:\windows\CHTBT.exe	UTGUI.exe
File created	C:\windows\QBJX.exe.bat	LBCKAK.exe
File opened for modification	C:\windows\OMDB.exe	NJZXNMC.exe
File opened for modification	C:\windows\GQMGOKC.exe	NNI.exe
File opened for modification	C:\windows\system\PWRQURN.exe	XTN.exe
File created	C:\windows\system\TTH.exe.bat	DJIFNPT.exe
File opened for modification	C:\windows\RVJYIY.exe	SKYIZKU.exe
File opened for modification	C:\windows\system\JNYIIGG.exe	VRMPC.exe
File created	C:\windows\system\OGEC.exe	AKTJV.exe
File created	C:\windows\UXPYQJ.exe.bat	HRH.exe
File opened for modification	C:\windows\ZIH.exe	BXEW.exe
File created	C:\windows\system\WGQRU.exe	JVISGKX.exe
File opened for modification	C:\windows\NNI.exe	SCALV.exe
File opened for modification	C:\windows\XTN.exe	PNI.exe
File opened for modification	C:\windows\system\TTH.exe	DJIFNPT.exe
File created	C:\windows\UDC.exe.bat	YVAY.exe
File opened for modification	C:\windows\AXR.exe	NNBNZ.exe
File created	C:\windows\ZHLJIX.exe	HYWMVG.exe
File opened for modification	C:\windows\XWNRN.exe	DDYG.exe
File created	C:\windows\system\WAYMK.exe.bat	ONTFAE.exe
File opened for modification	C:\windows\DFGY.exe	KCDVJ.exe
File created	C:\windows\system\CQRGXT.exe.bat	DFGY.exe
File opened for modification	C:\windows\system\OYYOJ.exe	CQRGXT.exe
File created	C:\windows\system\KCDVJ.exe.bat	AEXABHW.exe
File created	C:\windows\system\OYYOJ.exe.bat	CQRGXT.exe
File opened for modification	C:\windows\STS.exe	UIPF.exe
File created	C:\windows\system\LYQA.exe.bat	YVZKGH.exe
File created	C:\windows\system\RDPZ.exe	TSMJV.exe
File opened for modification	C:\windows\system\BXEW.exe	CHTBT.exe
File created	C:\windows\BGJUFL.exe.bat	NVBWQB.exe
File opened for modification	C:\windows\AEXABHW.exe	SZK.exe
File created	C:\windows\YVZKGH.exe.bat	QIHVE.exe
File created	C:\windows\system\JNASNA.exe	ZFYN.exe
File opened for modification	C:\windows\system\ZGTDBM.exe	ONQKTFV.exe
File created	C:\windows\system\MLQK.exe.bat	AXR.exe
File opened for modification	C:\windows\WWAZ.exe	KOLZIJW.exe
File created	C:\windows\VXEPG.exe.bat	YSUZQVZ.exe
File created	C:\windows\HWT.exe.bat	PWRQURN.exe
File opened for modification	C:\windows\system\XFQHVB.exe	NHDMNT.exe
File opened for modification	C:\windows\system\DYWUB.exe	ZIH.exe
File opened for modification	C:\windows\ZHLJIX.exe	HYWMVG.exe
File created	C:\windows\system\XGATNJ.exe.bat	OYYOJ.exe
File opened for modification	C:\windows\system\LBCKAK.exe	WGQRU.exe
File created	C:\windows\OMDB.exe	NJZXNMC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2988	4644	WerFault.exe	84
3484	4304	WerFault.exe	92
3700	3768	WerFault.exe	98
2644	2572	WerFault.exe	103
3808	4856	WerFault.exe	110
4288	2620	WerFault.exe	117
1360	2116	WerFault.exe	124
4272	3484	WerFault.exe	130
2484	3312	WerFault.exe	135
2816	432	WerFault.exe	141
1092	396	WerFault.exe	146
2320	4476	WerFault.exe	151
4016	4704	WerFault.exe	156
636	228	WerFault.exe	162
2680	3228	WerFault.exe	167
216	1956	WerFault.exe	172
3960	3664	WerFault.exe	177
4852	3968	WerFault.exe	183
2092	2536	WerFault.exe	188
4300	4756	WerFault.exe	193
4496	5020	WerFault.exe	198
3104	5040	WerFault.exe	203
4832	2712	WerFault.exe	208
3088	4476	WerFault.exe	213
5012	2880	WerFault.exe	218
3264	2324	WerFault.exe	223
2084	2040	WerFault.exe	228
1820	4152	WerFault.exe	233
452	4288	WerFault.exe	238
3484	4940	WerFault.exe	243
3956	4020	WerFault.exe	248
4892	1428	WerFault.exe	253
4556	3056	WerFault.exe	258
3156	4052	WerFault.exe	263
4184	3244	WerFault.exe	268
3992	2012	WerFault.exe	274
3624	512	WerFault.exe	279
2412	2780	WerFault.exe	284
3620	2036	WerFault.exe	289
4716	1536	WerFault.exe	294
4736	3460	WerFault.exe	299
4640	552	WerFault.exe	304
1864	1004	WerFault.exe	309
4272	4568	WerFault.exe	315
4000	4652	WerFault.exe	320
4756	3920	WerFault.exe	325
4716	4064	WerFault.exe	330
2256	396	WerFault.exe	335
1992	4376	WerFault.exe	340
452	548	WerFault.exe	345
5076	2400	WerFault.exe	350
3684	4156	WerFault.exe	355
2588	2952	WerFault.exe	360
3880	2856	WerFault.exe	365
2960	4600	WerFault.exe	370
4832	3116	WerFault.exe	375
4348	4588	WerFault.exe	380
4768	2128	WerFault.exe	385
4956	2264	WerFault.exe	390
2936	3956	WerFault.exe	395
3188	1636	WerFault.exe	400
4288	4204	WerFault.exe	405
3380	3784	WerFault.exe	410
2532	2008	WerFault.exe	415

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
4304	EEN.exe
4304	EEN.exe
3768	TZXRMU.exe
3768	TZXRMU.exe
2572	RKOOZW.exe
2572	RKOOZW.exe
4856	TIHI.exe
4856	TIHI.exe
2620	ONUUIII.exe
2620	ONUUIII.exe
2116	EIDYB.exe
2116	EIDYB.exe
3484	CTOO.exe
3484	CTOO.exe
3312	BER.exe
3312	BER.exe
432	OPHVYZ.exe
432	OPHVYZ.exe
396	WCMJJ.exe
396	WCMJJ.exe
4476	AKTJV.exe
4476	AKTJV.exe
4704	OGEC.exe
4704	OGEC.exe
228	MBDLGID.exe
228	MBDLGID.exe
3228	RGWAWD.exe
3228	RGWAWD.exe
1956	OZXDA.exe
1956	OZXDA.exe
3664	OCO.exe
3664	OCO.exe
3968	CIOKYC.exe
3968	CIOKYC.exe
2536	MFBX.exe
2536	MFBX.exe
4756	SBNYU.exe
4756	SBNYU.exe
5020	LOY.exe
5020	LOY.exe
5040	HRH.exe
5040	HRH.exe
2712	UXPYQJ.exe
2712	UXPYQJ.exe
4476	JNCQGQT.exe
4476	JNCQGQT.exe
2880	ONQKTFV.exe
2880	ONQKTFV.exe
2324	ZGTDBM.exe
2324	ZGTDBM.exe
2040	HLYKE.exe
2040	HLYKE.exe
4152	BMNVV.exe
4152	BMNVV.exe
4288	LKTPC.exe
4288	LKTPC.exe
4940	CKHUP.exe
4940	CKHUP.exe
4020	AFHVUO.exe
4020	AFHVUO.exe
1428	KDMPB.exe
1428	KDMPB.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
4304	EEN.exe
4304	EEN.exe
3768	TZXRMU.exe
3768	TZXRMU.exe
2572	RKOOZW.exe
2572	RKOOZW.exe
4856	TIHI.exe
4856	TIHI.exe
2620	ONUUIII.exe
2620	ONUUIII.exe
2116	EIDYB.exe
2116	EIDYB.exe
3484	CTOO.exe
3484	CTOO.exe
3312	BER.exe
3312	BER.exe
432	OPHVYZ.exe
432	OPHVYZ.exe
396	WCMJJ.exe
396	WCMJJ.exe
4476	AKTJV.exe
4476	AKTJV.exe
4704	OGEC.exe
4704	OGEC.exe
228	MBDLGID.exe
228	MBDLGID.exe
3228	RGWAWD.exe
3228	RGWAWD.exe
1956	OZXDA.exe
1956	OZXDA.exe
3664	OCO.exe
3664	OCO.exe
3968	CIOKYC.exe
3968	CIOKYC.exe
2536	MFBX.exe
2536	MFBX.exe
4756	SBNYU.exe
4756	SBNYU.exe
5020	LOY.exe
5020	LOY.exe
5040	HRH.exe
5040	HRH.exe
2712	UXPYQJ.exe
2712	UXPYQJ.exe
4476	JNCQGQT.exe
4476	JNCQGQT.exe
2880	ONQKTFV.exe
2880	ONQKTFV.exe
2324	ZGTDBM.exe
2324	ZGTDBM.exe
2040	HLYKE.exe
2040	HLYKE.exe
4152	BMNVV.exe
4152	BMNVV.exe
4288	LKTPC.exe
4288	LKTPC.exe
4940	CKHUP.exe
4940	CKHUP.exe
4020	AFHVUO.exe
4020	AFHVUO.exe
1428	KDMPB.exe
1428	KDMPB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4704	4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe	88
PID 4644 wrote to memory of 4704	4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe	88
PID 4644 wrote to memory of 4704	4644	d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe	88
PID 4704 wrote to memory of 4304	4704	cmd.exe	92
PID 4704 wrote to memory of 4304	4704	cmd.exe	92
PID 4704 wrote to memory of 4304	4704	cmd.exe	92
PID 4304 wrote to memory of 1092	4304	EEN.exe	94
PID 4304 wrote to memory of 1092	4304	EEN.exe	94
PID 4304 wrote to memory of 1092	4304	EEN.exe	94
PID 1092 wrote to memory of 3768	1092	cmd.exe	98
PID 1092 wrote to memory of 3768	1092	cmd.exe	98
PID 1092 wrote to memory of 3768	1092	cmd.exe	98
PID 3768 wrote to memory of 4056	3768	TZXRMU.exe	99
PID 3768 wrote to memory of 4056	3768	TZXRMU.exe	99
PID 3768 wrote to memory of 4056	3768	TZXRMU.exe	99
PID 4056 wrote to memory of 2572	4056	cmd.exe	103
PID 4056 wrote to memory of 2572	4056	cmd.exe	103
PID 4056 wrote to memory of 2572	4056	cmd.exe	103
PID 2572 wrote to memory of 4908	2572	RKOOZW.exe	106
PID 2572 wrote to memory of 4908	2572	RKOOZW.exe	106
PID 2572 wrote to memory of 4908	2572	RKOOZW.exe	106
PID 4908 wrote to memory of 4856	4908	cmd.exe	110
PID 4908 wrote to memory of 4856	4908	cmd.exe	110
PID 4908 wrote to memory of 4856	4908	cmd.exe	110
PID 4856 wrote to memory of 5064	4856	TIHI.exe	113
PID 4856 wrote to memory of 5064	4856	TIHI.exe	113
PID 4856 wrote to memory of 5064	4856	TIHI.exe	113
PID 5064 wrote to memory of 2620	5064	cmd.exe	117
PID 5064 wrote to memory of 2620	5064	cmd.exe	117
PID 5064 wrote to memory of 2620	5064	cmd.exe	117
PID 2620 wrote to memory of 408	2620	ONUUIII.exe	120
PID 2620 wrote to memory of 408	2620	ONUUIII.exe	120
PID 2620 wrote to memory of 408	2620	ONUUIII.exe	120
PID 408 wrote to memory of 2116	408	cmd.exe	124
PID 408 wrote to memory of 2116	408	cmd.exe	124
PID 408 wrote to memory of 2116	408	cmd.exe	124
PID 2116 wrote to memory of 5024	2116	EIDYB.exe	126
PID 2116 wrote to memory of 5024	2116	EIDYB.exe	126
PID 2116 wrote to memory of 5024	2116	EIDYB.exe	126
PID 5024 wrote to memory of 3484	5024	cmd.exe	130
PID 5024 wrote to memory of 3484	5024	cmd.exe	130
PID 5024 wrote to memory of 3484	5024	cmd.exe	130
PID 3484 wrote to memory of 3748	3484	CTOO.exe	131
PID 3484 wrote to memory of 3748	3484	CTOO.exe	131
PID 3484 wrote to memory of 3748	3484	CTOO.exe	131
PID 3748 wrote to memory of 3312	3748	cmd.exe	135
PID 3748 wrote to memory of 3312	3748	cmd.exe	135
PID 3748 wrote to memory of 3312	3748	cmd.exe	135
PID 3312 wrote to memory of 4496	3312	BER.exe	137
PID 3312 wrote to memory of 4496	3312	BER.exe	137
PID 3312 wrote to memory of 4496	3312	BER.exe	137
PID 4496 wrote to memory of 432	4496	cmd.exe	141
PID 4496 wrote to memory of 432	4496	cmd.exe	141
PID 4496 wrote to memory of 432	4496	cmd.exe	141
PID 432 wrote to memory of 5040	432	OPHVYZ.exe	142
PID 432 wrote to memory of 5040	432	OPHVYZ.exe	142
PID 432 wrote to memory of 5040	432	OPHVYZ.exe	142
PID 5040 wrote to memory of 396	5040	cmd.exe	146
PID 5040 wrote to memory of 396	5040	cmd.exe	146
PID 5040 wrote to memory of 396	5040	cmd.exe	146
PID 396 wrote to memory of 3920	396	WCMJJ.exe	147
PID 396 wrote to memory of 3920	396	WCMJJ.exe	147
PID 396 wrote to memory of 3920	396	WCMJJ.exe	147
PID 3920 wrote to memory of 4476	3920	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe
"C:\Users\Admin\AppData\Local\Temp\d9c1b1c573e275c5be6d52957e701bc30da803ed8a5dae727ba81fe4c9642183.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\EEN.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\windows\EEN.exe
    C:\windows\EEN.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\TZXRMU.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\windows\TZXRMU.exe
        
        C:\windows\TZXRMU.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKOOZW.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\windows\system\RKOOZW.exe
        
        C:\windows\system\RKOOZW.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TIHI.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\windows\SysWOW64\TIHI.exe
        
        C:\windows\system32\TIHI.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONUUIII.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\windows\system\ONUUIII.exe
        
        C:\windows\system\ONUUIII.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EIDYB.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\windows\SysWOW64\EIDYB.exe
        
        C:\windows\system32\EIDYB.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTOO.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\windows\system\CTOO.exe
        
        C:\windows\system\CTOO.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BER.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\windows\system\BER.exe
        
        C:\windows\system\BER.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OPHVYZ.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\windows\SysWOW64\OPHVYZ.exe
        
        C:\windows\system32\OPHVYZ.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCMJJ.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\windows\WCMJJ.exe
        
        C:\windows\WCMJJ.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AKTJV.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\windows\SysWOW64\AKTJV.exe
        
        C:\windows\system32\AKTJV.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OGEC.exe.bat" "
        24⤵
        
        PID:3632
        
        C:\windows\system\OGEC.exe
        
        C:\windows\system\OGEC.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBDLGID.exe.bat" "
        26⤵
        
        PID:2060
        
        C:\windows\SysWOW64\MBDLGID.exe
        
        C:\windows\system32\MBDLGID.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGWAWD.exe.bat" "
        28⤵
        
        PID:4260
        
        C:\windows\SysWOW64\RGWAWD.exe
        
        C:\windows\system32\RGWAWD.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OZXDA.exe.bat" "
        30⤵
        
        PID:1072
        
        C:\windows\OZXDA.exe
        
        C:\windows\OZXDA.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OCO.exe.bat" "
        32⤵
        
        PID:4872
        
        C:\windows\OCO.exe
        
        C:\windows\OCO.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CIOKYC.exe.bat" "
        34⤵
        
        PID:2884
        
        C:\windows\system\CIOKYC.exe
        
        C:\windows\system\CIOKYC.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MFBX.exe.bat" "
        36⤵
        
        PID:2812
        
        C:\windows\MFBX.exe
        
        C:\windows\MFBX.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBNYU.exe.bat" "
        38⤵
        
        PID:972
        
        C:\windows\system\SBNYU.exe
        
        C:\windows\system\SBNYU.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LOY.exe.bat" "
        40⤵
        
        PID:788
        
        C:\windows\LOY.exe
        
        C:\windows\LOY.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HRH.exe.bat" "
        42⤵
        
        PID:772
        
        C:\windows\HRH.exe
        
        C:\windows\HRH.exe
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UXPYQJ.exe.bat" "
        44⤵
        
        PID:2416
        
        C:\windows\UXPYQJ.exe
        
        C:\windows\UXPYQJ.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
        46⤵
        
        PID:452
        
        C:\windows\JNCQGQT.exe
        
        C:\windows\JNCQGQT.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONQKTFV.exe.bat" "
        48⤵
        
        PID:1592
        
        C:\windows\SysWOW64\ONQKTFV.exe
        
        C:\windows\system32\ONQKTFV.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGTDBM.exe.bat" "
        50⤵
        
        PID:512
        
        C:\windows\system\ZGTDBM.exe
        
        C:\windows\system\ZGTDBM.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLYKE.exe.bat" "
        52⤵
        
        PID:3696
        
        C:\windows\SysWOW64\HLYKE.exe
        
        C:\windows\system32\HLYKE.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMNVV.exe.bat" "
        54⤵
        
        PID:3808
        
        C:\windows\SysWOW64\BMNVV.exe
        
        C:\windows\system32\BMNVV.exe
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LKTPC.exe.bat" "
        56⤵
        
        PID:5020
        
        C:\windows\system\LKTPC.exe
        
        C:\windows\system\LKTPC.exe
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CKHUP.exe.bat" "
        58⤵
        
        PID:4872
        
        C:\windows\system\CKHUP.exe
        
        C:\windows\system\CKHUP.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AFHVUO.exe.bat" "
        60⤵
        
        PID:2060
        
        C:\windows\AFHVUO.exe
        
        C:\windows\AFHVUO.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KDMPB.exe.bat" "
        62⤵
        
        PID:2352
        
        C:\windows\KDMPB.exe
        
        C:\windows\KDMPB.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JOXF.exe.bat" "
        64⤵
        
        PID:3696
        
        C:\windows\JOXF.exe
        
        C:\windows\JOXF.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YEKPS.exe.bat" "
        66⤵
        
        PID:4592
        
        C:\windows\YEKPS.exe
        
        C:\windows\YEKPS.exe
        67⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PRVHHOP.exe.bat" "
        68⤵
        
        PID:3524
        
        C:\windows\SysWOW64\PRVHHOP.exe
        
        C:\windows\system32\PRVHHOP.exe
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCYXQU.exe.bat" "
        70⤵
        
        PID:3448
        
        C:\windows\SysWOW64\OCYXQU.exe
        
        C:\windows\system32\OCYXQU.exe
        71⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NNBNZ.exe.bat" "
        72⤵
        
        PID:4432
        
        C:\windows\system\NNBNZ.exe
        
        C:\windows\system\NNBNZ.exe
        73⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AXR.exe.bat" "
        74⤵
        
        PID:4476
        
        C:\windows\AXR.exe
        
        C:\windows\AXR.exe
        75⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLQK.exe.bat" "
        76⤵
        
        PID:2120
        
        C:\windows\system\MLQK.exe
        
        C:\windows\system\MLQK.exe
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQI.exe.bat" "
        78⤵
        
        PID:1428
        
        C:\windows\SysWOW64\QQI.exe
        
        C:\windows\system32\QQI.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTGUI.exe.bat" "
        80⤵
        
        PID:4392
        
        C:\windows\SysWOW64\UTGUI.exe
        
        C:\windows\system32\UTGUI.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CHTBT.exe.bat" "
        82⤵
        
        PID:4600
        
        C:\windows\CHTBT.exe
        
        C:\windows\CHTBT.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXEW.exe.bat" "
        84⤵
        
        PID:3048
        
        C:\windows\system\BXEW.exe
        
        C:\windows\system\BXEW.exe
        85⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZIH.exe.bat" "
        86⤵
        
        PID:452
        
        C:\windows\ZIH.exe
        
        C:\windows\ZIH.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYWUB.exe.bat" "
        88⤵
        
        PID:5052
        
        C:\windows\system\DYWUB.exe
        
        C:\windows\system\DYWUB.exe
        89⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WBZP.exe.bat" "
        90⤵
        
        PID:3684
        
        C:\windows\system\WBZP.exe
        
        C:\windows\system\WBZP.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VLCFPH.exe.bat" "
        92⤵
        
        PID:5000
        
        C:\windows\SysWOW64\VLCFPH.exe
        
        C:\windows\system32\VLCFPH.exe
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBDF.exe.bat" "
        94⤵
        
        PID:3228
        
        C:\windows\SysWOW64\KBDF.exe
        
        C:\windows\system32\KBDF.exe
        95⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XEMVKNS.exe.bat" "
        96⤵
        
        PID:4148
        
        C:\windows\SysWOW64\XEMVKNS.exe
        
        C:\windows\system32\XEMVKNS.exe
        97⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WXWLKT.exe.bat" "
        98⤵
        
        PID:3048
        
        C:\windows\WXWLKT.exe
        
        C:\windows\WXWLKT.exe
        99⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZKONEFV.exe.bat" "
        100⤵
        
        PID:4852
        
        C:\windows\SysWOW64\ZKONEFV.exe
        
        C:\windows\system32\ZKONEFV.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNMID.exe.bat" "
        102⤵
        
        PID:2344
        
        C:\windows\SysWOW64\DNMID.exe
        
        C:\windows\system32\DNMID.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HDTQQQU.exe.bat" "
        104⤵
        
        PID:1776
        
        C:\windows\system\HDTQQQU.exe
        
        C:\windows\system\HDTQQQU.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYWMVG.exe.bat" "
        106⤵
        
        PID:2032
        
        C:\windows\SysWOW64\HYWMVG.exe
        
        C:\windows\system32\HYWMVG.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZHLJIX.exe.bat" "
        108⤵
        
        PID:4744
        
        C:\windows\ZHLJIX.exe
        
        C:\windows\ZHLJIX.exe
        109⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUQ.exe.bat" "
        110⤵
        
        PID:3784
        
        C:\windows\SysWOW64\TUQ.exe
        
        C:\windows\system32\TUQ.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXTWX.exe.bat" "
        112⤵
        
        PID:4100
        
        C:\windows\SysWOW64\UXTWX.exe
        
        C:\windows\system32\UXTWX.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LFIBKMR.exe.bat" "
        114⤵
        
        PID:4072
        
        C:\windows\LFIBKMR.exe
        
        C:\windows\LFIBKMR.exe
        115⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NVBWQB.exe.bat" "
        116⤵
        
        PID:4640
        
        C:\windows\system\NVBWQB.exe
        
        C:\windows\system\NVBWQB.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BGJUFL.exe.bat" "
        118⤵
        
        PID:3312
        
        C:\windows\BGJUFL.exe
        
        C:\windows\BGJUFL.exe
        119⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KOLZIJW.exe.bat" "
        120⤵
        
        PID:2584
        
        C:\windows\SysWOW64\KOLZIJW.exe
        
        C:\windows\system32\KOLZIJW.exe
        121⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WWAZ.exe.bat" "
        122⤵
        
        PID:4000
        
        C:\windows\WWAZ.exe
        
        C:\windows\WWAZ.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUGU.exe.bat" "
        124⤵
        
        PID:4188
        
        C:\windows\YUGU.exe
        
        C:\windows\YUGU.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YXJXHZ.exe.bat" "
        126⤵
        
        PID:1268
        
        C:\windows\system\YXJXHZ.exe
        
        C:\windows\system\YXJXHZ.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQT.exe.bat" "
        128⤵
        
        PID:1528
        
        C:\windows\SysWOW64\JQT.exe
        
        C:\windows\system32\JQT.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDYG.exe.bat" "
        130⤵
        
        PID:3484
        
        C:\windows\system\DDYG.exe
        
        C:\windows\system\DDYG.exe
        131⤵
        Drops file in Windows directory
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XWNRN.exe.bat" "
        132⤵
        
        PID:1732
        
        C:\windows\XWNRN.exe
        
        C:\windows\XWNRN.exe
        133⤵
        Checks computer location settings
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJSBXV.exe.bat" "
        134⤵
        
        PID:3696
        
        C:\windows\system\RJSBXV.exe
        
        C:\windows\system\RJSBXV.exe
        135⤵
        Checks computer location settings
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJAMHW.exe.bat" "
        136⤵
        
        PID:4464
        
        C:\windows\system\CJAMHW.exe
        
        C:\windows\system\CJAMHW.exe
        137⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SZB.exe.bat" "
        138⤵
        
        PID:4188
        
        C:\windows\SysWOW64\SZB.exe
        
        C:\windows\system32\SZB.exe
        139⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCR.exe.bat" "
        140⤵
        
        PID:4264
        
        C:\windows\system\FCR.exe
        
        C:\windows\system\FCR.exe
        141⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFVFH.exe.bat" "
        142⤵
        
        PID:4880
        
        C:\windows\SysWOW64\GFVFH.exe
        
        C:\windows\system32\GFVFH.exe
        143⤵
        Checks computer location settings
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQYV.exe.bat" "
        144⤵
        
        PID:1412
        
        C:\windows\system\EQYV.exe
        
        C:\windows\system\EQYV.exe
        145⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBOUEBP.exe.bat" "
        146⤵
        
        PID:4708
        
        C:\windows\SysWOW64\SBOUEBP.exe
        
        C:\windows\system32\SBOUEBP.exe
        147⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QMRCNP.exe.bat" "
        148⤵
        
        PID:4604
        
        C:\windows\QMRCNP.exe
        
        C:\windows\QMRCNP.exe
        149⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKZLPZC.exe.bat" "
        150⤵
        
        PID:2368
        
        C:\windows\RKZLPZC.exe
        
        C:\windows\RKZLPZC.exe
        151⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHEFEH.exe.bat" "
        152⤵
        
        PID:3156
        
        C:\windows\system\BHEFEH.exe
        
        C:\windows\system\BHEFEH.exe
        153⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UCI.exe.bat" "
        154⤵
        
        PID:232
        
        C:\windows\system\UCI.exe
        
        C:\windows\system\UCI.exe
        155⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CQV.exe.bat" "
        156⤵
        
        PID:3168
        
        C:\windows\CQV.exe
        
        C:\windows\CQV.exe
        157⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TYJNH.exe.bat" "
        158⤵
        
        PID:5024
        
        C:\windows\SysWOW64\TYJNH.exe
        
        C:\windows\system32\TYJNH.exe
        159⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLOWJMZ.exe.bat" "
        160⤵
        
        PID:4592
        
        C:\windows\SysWOW64\OLOWJMZ.exe
        
        C:\windows\system32\OLOWJMZ.exe
        161⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEVHB.exe.bat" "
        162⤵
        
        PID:1732
        
        C:\windows\SysWOW64\HEVHB.exe
        
        C:\windows\system32\HEVHB.exe
        163⤵
        Drops file in Windows directory
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CRAZLNW.exe.bat" "
        164⤵
        
        PID:2644
        
        C:\windows\CRAZLNW.exe
        
        C:\windows\CRAZLNW.exe
        165⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FAJ.exe.bat" "
        166⤵
        
        PID:4720
        
        C:\windows\SysWOW64\FAJ.exe
        
        C:\windows\system32\FAJ.exe
        167⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONTFAE.exe.bat" "
        168⤵
        
        PID:1212
        
        C:\windows\ONTFAE.exe
        
        C:\windows\ONTFAE.exe
        169⤵
        Drops file in Windows directory
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "
        170⤵
        
        PID:5040
        
        C:\windows\system\WAYMK.exe
        
        C:\windows\system\WAYMK.exe
        171⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DGNPQDE.exe.bat" "
        172⤵
        
        PID:4976
        
        C:\windows\DGNPQDE.exe
        
        C:\windows\DGNPQDE.exe
        173⤵
        Checks computer location settings
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJJ.exe.bat" "
        174⤵
        
        PID:2444
        
        C:\windows\SysWOW64\IJJ.exe
        
        C:\windows\system32\IJJ.exe
        175⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZCO.exe.bat" "
        176⤵
        
        PID:2908
        
        C:\windows\SysWOW64\UZCO.exe
        
        C:\windows\system32\UZCO.exe
        177⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPDFX.exe.bat" "
        178⤵
        
        PID:4488
        
        C:\windows\SysWOW64\JPDFX.exe
        
        C:\windows\system32\JPDFX.exe
        179⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TPFL.exe.bat" "
        180⤵
        
        PID:1868
        
        C:\windows\TPFL.exe
        
        C:\windows\TPFL.exe
        181⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CNSFIZ.exe.bat" "
        182⤵
        
        PID:3632
        
        C:\windows\SysWOW64\CNSFIZ.exe
        
        C:\windows\system32\CNSFIZ.exe
        183⤵
        Checks computer location settings
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZTDUYCQ.exe.bat" "
        184⤵
        
        PID:4680
        
        C:\windows\ZTDUYCQ.exe
        
        C:\windows\ZTDUYCQ.exe
        185⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "
        186⤵
        
        PID:2288
        
        C:\windows\FOC.exe
        
        C:\windows\FOC.exe
        187⤵
        Checks computer location settings
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZK.exe.bat" "
        188⤵
        
        PID:2680
        
        C:\windows\system\SZK.exe
        
        C:\windows\system\SZK.exe
        189⤵
        Drops file in Windows directory
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEXABHW.exe.bat" "
        190⤵
        
        PID:5076
        
        C:\windows\AEXABHW.exe
        
        C:\windows\AEXABHW.exe
        191⤵
        Drops file in Windows directory
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KCDVJ.exe.bat" "
        192⤵
        
        PID:4260
        
        C:\windows\system\KCDVJ.exe
        
        C:\windows\system\KCDVJ.exe
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFGY.exe.bat" "
        194⤵
        
        PID:2400
        
        C:\windows\DFGY.exe
        
        C:\windows\DFGY.exe
        195⤵
        Drops file in Windows directory
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQRGXT.exe.bat" "
        196⤵
        
        PID:624
        
        C:\windows\system\CQRGXT.exe
        
        C:\windows\system\CQRGXT.exe
        197⤵
        Drops file in Windows directory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYYOJ.exe.bat" "
        198⤵
        
        PID:2856
        
        C:\windows\system\OYYOJ.exe
        
        C:\windows\system\OYYOJ.exe
        199⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGATNJ.exe.bat" "
        200⤵
        
        PID:4680
        
        C:\windows\system\XGATNJ.exe
        
        C:\windows\system\XGATNJ.exe
        201⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOGB.exe.bat" "
        202⤵
        
        PID:3232
        
        C:\windows\system\BOGB.exe
        
        C:\windows\system\BOGB.exe
        203⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YPQ.exe.bat" "
        204⤵
        
        PID:4020
        
        C:\windows\system\YPQ.exe
        
        C:\windows\system\YPQ.exe
        205⤵
        Checks computer location settings
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSUZQVZ.exe.bat" "
        206⤵
        
        PID:2880
        
        C:\windows\system\YSUZQVZ.exe
        
        C:\windows\system\YSUZQVZ.exe
        207⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VXEPG.exe.bat" "
        208⤵
        
        PID:4288
        
        C:\windows\VXEPG.exe
        
        C:\windows\VXEPG.exe
        209⤵
        Checks computer location settings
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UIPF.exe.bat" "
        210⤵
        
        PID:1956
        
        C:\windows\UIPF.exe
        
        C:\windows\UIPF.exe
        211⤵
        Drops file in Windows directory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\STS.exe.bat" "
        212⤵
        
        PID:400
        
        C:\windows\STS.exe
        
        C:\windows\STS.exe
        213⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\REVLYQI.exe.bat" "
        214⤵
        
        PID:4748
        
        C:\windows\REVLYQI.exe
        
        C:\windows\REVLYQI.exe
        215⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJNAPM.exe.bat" "
        216⤵
        
        PID:2060
        
        C:\windows\SysWOW64\OJNAPM.exe
        
        C:\windows\system32\OJNAPM.exe
        217⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DZOR.exe.bat" "
        218⤵
        
        PID:4040
        
        C:\windows\DZOR.exe
        
        C:\windows\DZOR.exe
        219⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKWQJSN.exe.bat" "
        220⤵
        
        PID:2264
        
        C:\windows\SysWOW64\YKWQJSN.exe
        
        C:\windows\system32\YKWQJSN.exe
        221⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "
        222⤵
        
        PID:3044
        
        C:\windows\SysWOW64\MIECLV.exe
        
        C:\windows\system32\MIECLV.exe
        223⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDWDXP.exe.bat" "
        224⤵
        
        PID:3460
        
        C:\windows\SysWOW64\GDWDXP.exe
        
        C:\windows\system32\GDWDXP.exe
        225⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBPGDEU.exe.bat" "
        226⤵
        
        PID:3096
        
        C:\windows\SysWOW64\IBPGDEU.exe
        
        C:\windows\system32\IBPGDEU.exe
        227⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGBMOKQ.exe.bat" "
        228⤵
        
        PID:3548
        
        C:\windows\SysWOW64\QGBMOKQ.exe
        
        C:\windows\system32\QGBMOKQ.exe
        229⤵
        Checks computer location settings
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJF.exe.bat" "
        230⤵
        
        PID:4100
        
        C:\windows\RJF.exe
        
        C:\windows\RJF.exe
        231⤵
        Checks computer location settings
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NPPF.exe.bat" "
        232⤵
        
        PID:712
        
        C:\windows\NPPF.exe
        
        C:\windows\NPPF.exe
        233⤵
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "
        234⤵
        
        PID:2528
        
        C:\windows\EAOV.exe
        
        C:\windows\EAOV.exe
        235⤵
        Checks computer location settings
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QIHVE.exe.bat" "
        236⤵
        
        PID:788
        
        C:\windows\QIHVE.exe
        
        C:\windows\QIHVE.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YVZKGH.exe.bat" "
        238⤵
        
        PID:4144
        
        C:\windows\YVZKGH.exe
        
        C:\windows\YVZKGH.exe
        239⤵
        Drops file in Windows directory
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LYQA.exe.bat" "
        240⤵
        
        PID:2088
        
        C:\windows\system\LYQA.exe
        
        C:\windows\system\LYQA.exe
        241⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XRTTC.exe.bat" "
        242⤵
        
        PID:3588
        
        C:\windows\XRTTC.exe
        
        C:\windows\XRTTC.exe
        243⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHZ.exe.bat" "
        244⤵
        
        PID:3436
        
        C:\windows\system\BHZ.exe
        
        C:\windows\system\BHZ.exe
        245⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FHBD.exe.bat" "
        246⤵
        
        PID:4540
        
        C:\windows\system\FHBD.exe
        
        C:\windows\system\FHBD.exe
        247⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FSKF.exe.bat" "
        248⤵
        
        PID:2920
        
        C:\windows\system\FSKF.exe
        
        C:\windows\system\FSKF.exe
        249⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JVISGKX.exe.bat" "
        250⤵
        
        PID:2288
        
        C:\windows\system\JVISGKX.exe
        
        C:\windows\system\JVISGKX.exe
        251⤵
        Drops file in Windows directory
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WGQRU.exe.bat" "
        252⤵
        
        PID:4248
        
        C:\windows\system\WGQRU.exe
        
        C:\windows\system\WGQRU.exe
        253⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LBCKAK.exe.bat" "
        254⤵
        
        PID:2632
        
        C:\windows\system\LBCKAK.exe
        
        C:\windows\system\LBCKAK.exe
        255⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QBJX.exe.bat" "
        256⤵
        
        PID:2128
        
        C:\windows\QBJX.exe
        
        C:\windows\QBJX.exe
        257⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPQDOOH.exe.bat" "
        258⤵
        
        PID:3532
        
        C:\windows\SysWOW64\CPQDOOH.exe
        
        C:\windows\system32\CPQDOOH.exe
        259⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XCVN.exe.bat" "
        260⤵
        
        PID:3564
        
        C:\windows\system\XCVN.exe
        
        C:\windows\system\XCVN.exe
        261⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VSG.exe.bat" "
        262⤵
        
        PID:4728
        
        C:\windows\VSG.exe
        
        C:\windows\VSG.exe
        263⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKJYUZR.exe.bat" "
        264⤵
        
        PID:4148
        
        C:\windows\SysWOW64\UKJYUZR.exe
        
        C:\windows\system32\UKJYUZR.exe
        265⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YSYG.exe.bat" "
        266⤵
        
        PID:3920
        
        C:\windows\SysWOW64\YSYG.exe
        
        C:\windows\system32\YSYG.exe
        267⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJZXNMC.exe.bat" "
        268⤵
        
        PID:2576
        
        C:\windows\SysWOW64\NJZXNMC.exe
        
        C:\windows\system32\NJZXNMC.exe
        269⤵
        Drops file in Windows directory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMDB.exe.bat" "
        270⤵
        
        PID:4632
        
        C:\windows\OMDB.exe
        
        C:\windows\OMDB.exe
        271⤵
        Checks computer location settings
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SUJB.exe.bat" "
        272⤵
        
        PID:5040
        
        C:\windows\system\SUJB.exe
        
        C:\windows\system\SUJB.exe
        273⤵
        Drops file in Windows directory
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LMZMOWI.exe.bat" "
        274⤵
        
        PID:764
        
        C:\windows\system\LMZMOWI.exe
        
        C:\windows\system\LMZMOWI.exe
        275⤵
        Drops file in Windows directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SCALV.exe.bat" "
        276⤵
        
        PID:4300
        
        C:\windows\SCALV.exe
        
        C:\windows\SCALV.exe
        277⤵
        Drops file in Windows directory
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NNI.exe.bat" "
        278⤵
        
        PID:3144
        
        C:\windows\NNI.exe
        
        C:\windows\NNI.exe
        279⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GQMGOKC.exe.bat" "
        280⤵
        
        PID:4320
        
        C:\windows\GQMGOKC.exe
        
        C:\windows\GQMGOKC.exe
        281⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGN.exe.bat" "
        282⤵
        
        PID:4204
        
        C:\windows\SysWOW64\WGN.exe
        
        C:\windows\system32\WGN.exe
        283⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GEB.exe.bat" "
        284⤵
        
        PID:4432
        
        C:\windows\GEB.exe
        
        C:\windows\GEB.exe
        285⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YHEVQ.exe.bat" "
        286⤵
        
        PID:3632
        
        C:\windows\system\YHEVQ.exe
        
        C:\windows\system\YHEVQ.exe
        287⤵
        Drops file in Windows directory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RZMGZ.exe.bat" "
        288⤵
        
        PID:3620
        
        C:\windows\RZMGZ.exe
        
        C:\windows\RZMGZ.exe
        289⤵
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFYN.exe.bat" "
        290⤵
        
        PID:3948
        
        C:\windows\SysWOW64\ZFYN.exe
        
        C:\windows\system32\ZFYN.exe
        291⤵
        Drops file in Windows directory
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JNASNA.exe.bat" "
        292⤵
        
        PID:3312
        
        C:\windows\system\JNASNA.exe
        
        C:\windows\system\JNASNA.exe
        293⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PNI.exe.bat" "
        294⤵
        
        PID:1912
        
        C:\windows\PNI.exe
        
        C:\windows\PNI.exe
        295⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XTN.exe.bat" "
        296⤵
        
        PID:2132
        
        C:\windows\XTN.exe
        
        C:\windows\XTN.exe
        297⤵
        Drops file in Windows directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWRQURN.exe.bat" "
        298⤵
        
        PID:2568
        
        C:\windows\system\PWRQURN.exe
        
        C:\windows\system\PWRQURN.exe
        299⤵
        Drops file in Windows directory
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HWT.exe.bat" "
        300⤵
        
        PID:2456
        
        C:\windows\HWT.exe
        
        C:\windows\HWT.exe
        301⤵
        Checks computer location settings
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PKFBJVK.exe.bat" "
        302⤵
        
        PID:3268
        
        C:\windows\SysWOW64\PKFBJVK.exe
        
        C:\windows\system32\PKFBJVK.exe
        303⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TSMJV.exe.bat" "
        304⤵
        
        PID:5004
        
        C:\windows\system\TSMJV.exe
        
        C:\windows\system\TSMJV.exe
        305⤵
        Drops file in Windows directory
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RDPZ.exe.bat" "
        306⤵
        
        PID:4484
        
        C:\windows\system\RDPZ.exe
        
        C:\windows\system\RDPZ.exe
        307⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYTJGT.exe.bat" "
        308⤵
        
        PID:396
        
        C:\windows\SysWOW64\MYTJGT.exe
        
        C:\windows\system32\MYTJGT.exe
        309⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FRJUXU.exe.bat" "
        310⤵
        
        PID:3044
        
        C:\windows\FRJUXU.exe
        
        C:\windows\FRJUXU.exe
        311⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEODZUO.exe.bat" "
        312⤵
        
        PID:4076
        
        C:\windows\AEODZUO.exe
        
        C:\windows\AEODZUO.exe
        313⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THRZ.exe.bat" "
        314⤵
        
        PID:1648
        
        C:\windows\SysWOW64\THRZ.exe
        
        C:\windows\system32\THRZ.exe
        315⤵
        Drops file in Windows directory
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKIVBLS.exe.bat" "
        316⤵
        
        PID:4348
        
        C:\windows\system\TKIVBLS.exe
        
        C:\windows\system\TKIVBLS.exe
        317⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PIIHDX.exe.bat" "
        318⤵
        
        PID:3188
        
        C:\windows\SysWOW64\PIIHDX.exe
        
        C:\windows\system32\PIIHDX.exe
        319⤵
        Checks computer location settings
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RFV.exe.bat" "
        320⤵
        
        PID:2444
        
        C:\windows\RFV.exe
        
        C:\windows\RFV.exe
        321⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BDB.exe.bat" "
        322⤵
        
        PID:2904
        
        C:\windows\SysWOW64\BDB.exe
        
        C:\windows\system32\BDB.exe
        323⤵
        Checks computer location settings
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QTCN.exe.bat" "
        324⤵
        
        PID:3404
        
        C:\windows\system\QTCN.exe
        
        C:\windows\system\QTCN.exe
        325⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UJVNUNO.exe.bat" "
        326⤵
        
        PID:764
        
        C:\windows\UJVNUNO.exe
        
        C:\windows\UJVNUNO.exe
        327⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXU.exe.bat" "
        328⤵
        
        PID:4756
        
        C:\windows\system\AXU.exe
        
        C:\windows\system\AXU.exe
        329⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHDMNT.exe.bat" "
        330⤵
        
        PID:904
        
        C:\windows\system\NHDMNT.exe
        
        C:\windows\system\NHDMNT.exe
        331⤵
        Drops file in Windows directory
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFQHVB.exe.bat" "
        332⤵
        
        PID:1068
        
        C:\windows\system\XFQHVB.exe
        
        C:\windows\system\XFQHVB.exe
        333⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTVNF.exe.bat" "
        334⤵
        
        PID:2944
        
        C:\windows\SysWOW64\FTVNF.exe
        
        C:\windows\system32\FTVNF.exe
        335⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DJIFNPT.exe.bat" "
        336⤵
        
        PID:4988
        
        C:\windows\system\DJIFNPT.exe
        
        C:\windows\system\DJIFNPT.exe
        337⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTH.exe.bat" "
        338⤵
        
        PID:1864
        
        C:\windows\system\TTH.exe
        
        C:\windows\system\TTH.exe
        339⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VRMPC.exe.bat" "
        340⤵
        
        PID:4384
        
        C:\windows\system\VRMPC.exe
        
        C:\windows\system\VRMPC.exe
        341⤵
        Drops file in Windows directory
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JNYIIGG.exe.bat" "
        342⤵
        
        PID:1804
        
        C:\windows\system\JNYIIGG.exe
        
        C:\windows\system\JNYIIGG.exe
        343⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JXGJWKU.exe.bat" "
        344⤵
        
        PID:4664
        
        C:\windows\SysWOW64\JXGJWKU.exe
        
        C:\windows\system32\JXGJWKU.exe
        345⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQOUFLC.exe.bat" "
        346⤵
        
        PID:4056
        
        C:\windows\system\CQOUFLC.exe
        
        C:\windows\system\CQOUFLC.exe
        347⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YVAY.exe.bat" "
        348⤵
        
        PID:4376
        
        C:\windows\SysWOW64\YVAY.exe
        
        C:\windows\system32\YVAY.exe
        349⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UDC.exe.bat" "
        350⤵
        
        PID:4000
        
        C:\windows\UDC.exe
        
        C:\windows\UDC.exe
        351⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\REEQFLJ.exe.bat" "
        352⤵
        
        PID:5004
        
        C:\windows\SysWOW64\REEQFLJ.exe
        
        C:\windows\system32\REEQFLJ.exe
        353⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPVHTWE.exe.bat" "
        354⤵
        
        PID:2624
        
        C:\windows\system\MPVHTWE.exe
        
        C:\windows\system\MPVHTWE.exe
        355⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKYIZKU.exe.bat" "
        356⤵
        
        PID:3880
        
        C:\windows\system\SKYIZKU.exe
        
        C:\windows\system\SKYIZKU.exe
        357⤵
        Drops file in Windows directory
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVJYIY.exe.bat" "
        358⤵
        
        PID:4076
        
        C:\windows\RVJYIY.exe
        
        C:\windows\RVJYIY.exe
        359⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTP.exe.bat" "
        360⤵
        
        PID:1592
        
        C:\windows\system\BTP.exe
        
        C:\windows\system\BTP.exe
        361⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 960
        360⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1292
        358⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1260
        356⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 960
        354⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1252
        352⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1320
        350⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1304
        348⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1336
        346⤵
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 988
        344⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1336
        342⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1304
        340⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 960
        338⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 960
        336⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1328
        334⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1336
        332⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 988
        330⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1248
        328⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1252
        326⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1248
        324⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1328
        322⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1324
        320⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1004
        318⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 960
        316⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1252
        314⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1324
        312⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1252
        310⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1328
        308⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1248
        306⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1316
        304⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1328
        302⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1324
        300⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1336
        298⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 960
        296⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1292
        294⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 960
        292⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1272
        290⤵
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 960
        288⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1336
        286⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 960
        284⤵
        
        PID:552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 960
        282⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 960
        280⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 988
        278⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1292
        276⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1336
        274⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 976
        272⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 988
        270⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 960
        268⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 988
        266⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 876
        264⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1324
        262⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 988
        260⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 960
        258⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1324
        256⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1336
        254⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1268
        252⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 960
        250⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1248
        248⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1308
        246⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1336
        244⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1324
        242⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1336
        240⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 960
        238⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 960
        236⤵
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1324
        234⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1324
        232⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 976
        230⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 960
        228⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1328
        226⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 960
        224⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1308
        222⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1328
        220⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1324
        218⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 960
        216⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 960
        214⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1324
        212⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 960
        210⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1324
        208⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1336
        206⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1336
        204⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1304
        202⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 960
        200⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1336
        198⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 960
        196⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1292
        194⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1268
        192⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1236
        190⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1248
        188⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 960
        186⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1324
        184⤵
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 960
        182⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1292
        180⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1264
        178⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 872
        176⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 960
        174⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1324
        172⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 960
        170⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1256
        168⤵
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1248
        166⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1008
        164⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 988
        162⤵
        
        PID:788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 960
        160⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1308
        158⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960
        156⤵
        
        PID:720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1228
        154⤵
        
        PID:512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1008
        152⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 960
        150⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1312
        148⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1328
        146⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1316
        144⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1328
        142⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 988
        140⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 960
        138⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1272
        136⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 960
        134⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1324
        132⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 960
        130⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1296
        128⤵
        Program crash
        
        PID:2532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 960
        126⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1324
        124⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1324
        122⤵
        Program crash
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1328
        120⤵
        Program crash
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 960
        118⤵
        Program crash
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 976
        116⤵
        Program crash
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 988
        114⤵
        Program crash
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1264
        112⤵
        Program crash
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 960
        110⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 976
        108⤵
        Program crash
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1260
        106⤵
        Program crash
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 960
        104⤵
        Program crash
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 960
        102⤵
        Program crash
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1328
        100⤵
        Program crash
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1304
        98⤵
        Program crash
        
        PID:1992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 960
        96⤵
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 988
        94⤵
        Program crash
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 960
        92⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1304
        90⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1336
        88⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1248
        86⤵
        Program crash
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1316
        84⤵
        Program crash
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1168
        82⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 988
        80⤵
        Program crash
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 960
        78⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1336
        76⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 960
        74⤵
        Program crash
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1336
        72⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
        70⤵
        Program crash
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1328
        68⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 960
        66⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 960
        64⤵
        Program crash
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1304
        62⤵
        Program crash
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1292
        60⤵
        Program crash
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1336
        58⤵
        Program crash
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1004
        56⤵
        Program crash
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 960
        54⤵
        Program crash
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1328
        52⤵
        Program crash
        
        PID:3264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1336
        50⤵
        Program crash
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 988
        48⤵
        Program crash
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 976
        46⤵
        Program crash
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1296
        44⤵
        Program crash
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1324
        42⤵
        Program crash
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1288
        40⤵
        Program crash
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 960
        38⤵
        Program crash
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1324
        36⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 988
        34⤵
        Program crash
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1324
        32⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1216
        30⤵
        Program crash
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1328
        28⤵
        Program crash
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 872
        26⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 960
        24⤵
        Program crash
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1300
        22⤵
        Program crash
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 976
        20⤵
        Program crash
        
        PID:2816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1328
        18⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1228
        16⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1336
        14⤵
        Program crash
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1328
        12⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1336
        10⤵
        Program crash
        
        PID:3808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1220
        8⤵
        Program crash
        
        PID:2644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1320
        6⤵
        Program crash
        
        PID:3700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1292
      4⤵
      Program crash
      PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 976
  2⤵
  - Program crash
  PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4644 -ip 4644
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4304 -ip 4304
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3768 -ip 3768
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2572 -ip 2572
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4856 -ip 4856
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2620 -ip 2620
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2116 -ip 2116
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3484 -ip 3484
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3312 -ip 3312
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 432 -ip 432
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 396 -ip 396
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4476 -ip 4476
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4704 -ip 4704
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 228 -ip 228
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3228 -ip 3228
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1956 -ip 1956
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3664 -ip 3664
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3968 -ip 3968
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2536 -ip 2536
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4756 -ip 4756
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5040 -ip 5040
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2712 -ip 2712
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4476 -ip 4476
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2880 -ip 2880
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2040 -ip 2040
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4152 -ip 4152
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4288 -ip 4288
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4940 -ip 4940
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4020 -ip 4020
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1428 -ip 1428
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3056 -ip 3056
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4052 -ip 4052
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3244 -ip 3244
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2012 -ip 2012
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 512 -ip 512
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2780 -ip 2780
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2036 -ip 2036
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1536 -ip 1536
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3460 -ip 3460
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 552 -ip 552
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1004 -ip 1004
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4568 -ip 4568
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4652 -ip 4652
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3920 -ip 3920
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4064 -ip 4064
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 396 -ip 396
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4376 -ip 4376
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 548 -ip 548
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2400 -ip 2400
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4156 -ip 4156
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2952 -ip 2952
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2856 -ip 2856
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4600 -ip 4600
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3116 -ip 3116
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4588 -ip 4588
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2128 -ip 2128
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2264 -ip 2264
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3956 -ip 3956
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1636 -ip 1636
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4204 -ip 4204
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3784 -ip 3784
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2008 -ip 2008
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4072 -ip 4072
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3700 -ip 3700
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1936 -ip 1936
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2448 -ip 2448
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2316 -ip 2316
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3780 -ip 3780
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3144 -ip 3144
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1528 -ip 1528
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 972 -ip 972
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2644 -ip 2644
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4492 -ip 4492
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3756 -ip 3756
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2432 -ip 2432
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3752 -ip 3752
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4828 -ip 4828
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4832 -ip 4832
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4484 -ip 4484
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 680 -ip 680
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2856 -ip 2856
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3096 -ip 3096
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3188 -ip 3188
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1932 -ip 1932
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1592 -ip 1592
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4476 -ip 4476
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 680 -ip 680
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1572 -ip 1572
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1072 -ip 1072
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2256 -ip 2256
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4016 -ip 4016
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3920 -ip 3920
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3460 -ip 3460
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4392 -ip 4392
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3264 -ip 3264
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4432 -ip 4432
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3968 -ip 3968
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2988 -ip 2988
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5008 -ip 5008
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2448 -ip 2448
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2584 -ip 2584
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3616 -ip 3616
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 224 -ip 224
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4312 -ip 4312
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3808 -ip 3808
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4024 -ip 4024
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3056 -ip 3056
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 220 -ip 220
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 948 -ip 948
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2640 -ip 2640
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4460 -ip 4460
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 4664
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3968 -ip 3968
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3808 -ip 3808
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2576 -ip 2576
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 636 -ip 636
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5060 -ip 5060
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2692 -ip 2692
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1268 -ip 1268
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1080 -ip 1080
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3488 -ip 3488
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3188 -ip 3188
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2448 -ip 2448
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1284 -ip 1284
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1572 -ip 1572
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3616 -ip 3616
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2324 -ip 2324
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5000 -ip 5000
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3012 -ip 3012
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3460 -ip 3460
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2940 -ip 2940
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3652 -ip 3652
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1936 -ip 1936
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4392 -ip 4392
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4580 -ip 4580
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4956 -ip 4956
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3700 -ip 3700
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3628 -ip 3628
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 812 -ip 812
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4184 -ip 4184
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5060 -ip 5060
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4764 -ip 4764
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4756 -ip 4756
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2368 -ip 2368
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4060 -ip 4060
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4144 -ip 4144
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3820 -ip 3820
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1492 -ip 1492
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5052 -ip 5052
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4300 -ip 4300
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2248 -ip 2248
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4580 -ip 4580
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5108 -ip 5108
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2116 -ip 2116
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 5064
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 512 -ip 512
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4448 -ip 4448
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3948 -ip 3948
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3732 -ip 3732
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3448 -ip 3448
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4704 -ip 4704
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1760 -ip 1760
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2624 -ip 2624
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2500 -ip 2500
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1956 -ip 1956
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3844 -ip 3844
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3696 -ip 3696
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1996 -ip 1996
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2476 -ip 2476
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5012 -ip 5012
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4060 -ip 4060
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4988 -ip 4988
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2452 -ip 2452
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1796 -ip 1796
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3452 -ip 3452
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EEN.exe

Filesize
448KB

MD5
25099482ab55fb6097f8c60e705c206d

SHA1
73b47318a9a807552f4504bbef6854cae0acc69e

SHA256
585f92d67834fede64f2af589789bd811bb8757bc1c32113178fb40a84501bab

SHA512
8acf2b251ed194b01739cf2edb3fc85af9f81e90223348f58276326dfae6115695838e08e80bf7694a95c1abb70bc3cfc871d4025e82edccaad95944feb38639

Download Submit
C:\Windows\OCO.exe

Filesize
448KB

MD5
b626d9279c8b07273e3192b2884601ed

SHA1
aa22996db87dfc8a571d4bb3d6bb54f31264d27c

SHA256
3f63443d60a6fc794c6306d66cb366b34577b146e12658422dda1e8754e53413

SHA512
4a33ecbbd658ee006c4af28cabb1d909798864ba0d108e49285e4e147c5d9db4c362ae9564a191f008dfad7f75872ab1ba595fd4f2003eb18b2edbc4a3025b58

Download Submit
C:\Windows\OZXDA.exe

Filesize
448KB

MD5
4ab415c32ce5f0e0706110965cd2cd51

SHA1
1eac50c3851893743807fcdcd656a84df9d972c0

SHA256
c63e295432838d6a2514175e5ac366213a233fe99f69cd6ceab71b023c4b18a2

SHA512
c0c94b8f53b98141d985420c33eebae1fcee2aaac769fe645dc4ed2cc97c7e43598538afda123c6f23d3bdef37bba5bb1f3e627160518efeb36e815e3ba99503

Download Submit
C:\Windows\SysWOW64\RGWAWD.exe

Filesize
448KB

MD5
f768459bf1567f04f33b10a50500b0d3

SHA1
cc45c34dfcca2f882c316f7ec07e9948deffcc5f

SHA256
3639be77eb01208fc635f0e6f01f521be13819fdf6bb4c9d31a92d465c73957a

SHA512
ab87f71fb199f15788333e2fbe1ec9ee1450b99472ef8147cbc1f2ac3958b1d888a0598df2137fcb63fa7514643f5e42c98df303b39cc4460334ab5443988cab

Download Submit
C:\Windows\SysWOW64\TIHI.exe

Filesize
448KB

MD5
2fad07730c85b867e253644fb9b8f1ef

SHA1
e2cc9c58260fa40ddfc53daadfa8a32cc34340cf

SHA256
5ea3793ecf8410d5617fd24bf88ce6b0893caa14d7c1f0513d5920bc5f61d420

SHA512
1176faec01ac680d0227cd1e89a50806f1c8416e8c262a5c80beb6142cf0bcf55a29ae050c7a69e2b93b898f83c330f2721d667b5dc6f7e9343bb5be6d0456c0

Download Submit
C:\Windows\System\OGEC.exe

Filesize
448KB

MD5
2ef194130fc6e56abecb91d96d3b54c3

SHA1
0ea601e2a34f92b823cac52c69a8655277218459

SHA256
13bd22e346c008571d1322ad826b3e690356cd921a609bdfc75d0a3fe546338d

SHA512
65c1dbfb981efa761574964654a16d201064b43b3b06a8a6165f63b012c661f7051e49e667d0ac0bcf87389a2818af2390607af2f7aef3983e9c7182c83e0337

Download Submit
C:\Windows\System\RKOOZW.exe

Filesize
448KB

MD5
38425521cb60bcbe1063cddfd14160a8

SHA1
1137e8fc9c1a22dde3d0345044ff51e8f10eace6

SHA256
76d1a26876cdc5ad5b38b3307b3b32dcba8feea7fd8837cad7401400f94509b9

SHA512
c01b110c5063c7e486535e1f37592370f13847ad0741691014100aa61ff03d6349dae8ce58169108e438df6aea437e113817a32403d822fd1db0d412eab6599c

Download Submit
C:\Windows\TZXRMU.exe

Filesize
448KB

MD5
3c9452ea59de09170da879be8536d992

SHA1
a962dc9041195360d7c52c3489abd22186c65bf5

SHA256
492d8d4d46ed088127cd8d9ddce6cccc0a6914e0e78193d93a7cc3d92554a434

SHA512
1f743497e4b1530d7e5d2bc2d502383294bf007f8ec9646f2493fc8a5307da2b230dc7ccf3abcc932f0ab111bfb8ee86116b1ba6dd59c404972ce44a43b3cdf0

Download Submit
C:\windows\EEN.exe.bat

Filesize
52B

MD5
5abc8d7bfbb9033b0d6de2d3212b7ea7

SHA1
c8aed50b3bc34129d7f116e011be34606ce2f6f4

SHA256
75615b02c0d9ddce05038345099a9deb17ff5c4b7f4c6b41e0f1a6b2033ce692

SHA512
254b838b077f9ad6bd779b0622187ca982f8d502030ec7e900716cc5bbe3595b68f1a28795a977b417b99afbf937d24d5766a8617a054547f5bdedd40e39f870

Download Submit
C:\windows\HRH.exe

Filesize
448KB

MD5
7d0739c4389fb4478fa9433260940936

SHA1
a547fada3714c2d181e081ca4feedbceeb3821a4

SHA256
e97ca9b2d58e1694ca5ea8764b76ebc853d190822f07ef870659e54a4d2debc8

SHA512
a6a2e2e6120236110d00987134a8d31e9edd17d400350af38fbeddcd3fc6c2412c707b383a1e467c68bab9160cb94af365cbb465b7c58432693d994b231fa0b4

Download Submit
C:\windows\HRH.exe.bat

Filesize
52B

MD5
3087a05443fc08382c3fb15fed93e886

SHA1
fba8340047ec965a0fc04d86284a7a655363cfa6

SHA256
dfe4c3abd798a76a32327d10ea451cc124c013f478902e67edcac2913c7b0da3

SHA512
3f2f65b44d893b50241ea64ef4eadf8e309a0dd5cecf601c64aa740983929eaa7872b0a547475269dbc48b18d79ea568b4845ba0818a3bcdd992f2d28c7c1b07

Download Submit
C:\windows\LOY.exe

Filesize
448KB

MD5
ccfd2ee8384b31e46d743278d1463cf1

SHA1
c1ea7c95e2c2abcd8957030f90eea4c9ebcc9c57

SHA256
504ec7c10065a89958ba27f65a5dcde4d4aabc8502df3cd3a923886a39c1d1a2

SHA512
8af33edb43650757660aecf65d37f846de403b86c32d3685c9f9c5248abdd8f349a96d532ef0ec9bdb59b0b7524076529eeb5a42a34d6188d24371944bee3a5a

Download Submit
C:\windows\LOY.exe.bat

Filesize
52B

MD5
e2cba02919efbdc902c013e04a27c7b4

SHA1
cdc560eb8c48beeb3c2628b6472469b737fb5c3e

SHA256
a56d992904e8eee6db8f476f5f4e38c6bf274daef4bac7a35ec37844ef5bb248

SHA512
ed056f8776ef0d91702a008465c6e93edd9ce4ae6409da2bbb8a3e3be3ad86cb27a2c0ae8f702ed4a754c16366ead2385b1d4d4c5f7b217ea15a73e19d0a564c

Download Submit
C:\windows\MFBX.exe

Filesize
448KB

MD5
631e4dac899606304142f271c6bb3837

SHA1
f4e00d627be28d5799d660b607d7c0f9c49b4204

SHA256
03dfed6905542345fdf1c53f27c3adf04d4b507b92c12ad06f64a9c30233364b

SHA512
570968aa3785879081141207acecaf4cc60f5f40f9b62b9fe31e382059462a9b08ce66ce8d29dcf8e57b428116056537284a1ad5a40d1ebc2a708f1a91d04ceb

Download Submit
C:\windows\MFBX.exe.bat

Filesize
54B

MD5
dd16c42202efc40963fa0f6fad695431

SHA1
33a0d814aca325ff8c3ac13976ac4ccf0a8fd00f

SHA256
05c8b671e36a06495dce8191369fa43276804ec1250ee4c9e49fc78c2bf462c8

SHA512
542a19e59847cea18a039fb79560ecd2cf3e552808e79568d97c858db44c18240a8e85fd3d4a67de5e7e573350034d7e3ee03d2e65776b433fb69d7a4b179852

Download Submit
C:\windows\OCO.exe.bat

Filesize
52B

MD5
27196719d0d6283fa5c4debf758f1b20

SHA1
88da715a9d7338358fa4c0f65ffb1669e6f4ff7f

SHA256
902ef3ffbf1fe99d9869bccf246c97dfacb43e4da002981d8ae2254cfc8440ab

SHA512
7c14afc1354fc8ccf96844d9532c03e8294d46990001260f457ad3f1d382f3d388c3e80bb1f35931990da963b32ba0e064f1343c08ccbf69cbc0a8609abbebd5

Download Submit
C:\windows\OZXDA.exe.bat

Filesize
56B

MD5
55220579d8851b3cffeac3a3e7333db9

SHA1
b746e816ffed00b746fc0265e399e3782e59314f

SHA256
814adfcb10038f5e5f96f2b2cd642d3d07eba6b01e9d015eeb7f8d65f2063e39

SHA512
7f08a0c4664d4441471e86ba53e7f5bd5deb2fdbf663416cc949bf5641eab098a52ff029425418f456b454e8a94e0e6565410bbe25f339dfc6483a44091f6ed5

Download Submit
C:\windows\SysWOW64\AKTJV.exe

Filesize
448KB

MD5
aad81a45ab4844944acf3c61a3bd4ee5

SHA1
bd3b6459e50ec4dc3a28bde9902514027380944e

SHA256
2ab9d426407ae723a5d96cfa27739040c3819e8e0aecab635cc41d40040f6157

SHA512
560e9b3f25a7e13a91ca2408313ed082b65cd6a3a3232b902dbc2302cd4bf3a1555afde26358203ad32e43c418de9ab2390f1708e7a4694f3d28ef01e7bb1452

Download Submit
C:\windows\SysWOW64\AKTJV.exe.bat

Filesize
74B

MD5
1e789df910ecfa70e7f06d0c1493ab41

SHA1
0cf5d0ffa67f6adcb07ca8abb737d112c7c15b49

SHA256
dad9a7f9da055da8005a3055989079867ead27ed531a6af13f8928ec1441ab3d

SHA512
6b38eebad6cd30af45fa0df3338366181e9269429e887682a2a0971bbe820b0d9fa8fcb4a9e540a37f37099f7daefcc24a04b8f1532b2b33fea12828abcaece5

Download Submit
C:\windows\SysWOW64\EIDYB.exe

Filesize
448KB

MD5
be7a1df9be9bd2a631bb963bb7262afc

SHA1
f64e6dedc23a09571b0df5206ee2bec8eedc3a96

SHA256
f531c564ac810ad01667ea9b70c0303c9c15f21a6c7526ba688bfa34a4d709b0

SHA512
18485360c01449527ceb0c7f4c3ab81f4ec411ffafa237a55dc3b18a69f6233e6c5e828bd5556d759aa5e4969d1e736dc40e827c5a06a50df90fdef9f41dd200

Download Submit
C:\windows\SysWOW64\EIDYB.exe.bat

Filesize
74B

MD5
d73d6dcfd41fcc3b05c860da6a808d8f

SHA1
fa9bf566d678fa010f9999131dedfc13714d77f5

SHA256
c864864bdc36369958742f4993972eec51177295d3a6e4db898dc9176707dfda

SHA512
ebbce0bee6399bc1b76e056da5d67ab648705a56e593535449e03370d111873617e06dafab2e3747ce3206f364eb94aeb2dab531c731c3f3e2a286539644bf90

Download Submit
C:\windows\SysWOW64\MBDLGID.exe.bat

Filesize
78B

MD5
e5f0faab3e55ecec3eee194ce33b80a1

SHA1
f585d3bab31f56a54367e7d19f98aa3de02ec41e

SHA256
913809ee491d4de03325c3395e373a0ec49b66815fc4def7fbd6999315fb0d70

SHA512
6c3c80ca5441d53de618dd3b43a640490d85e117b5d172551fa81dbbadc4b3830bfd27e97280754f430f4ef32ab129c5057e89312f09ad2bb1151a86f0011c91

Download Submit
C:\windows\SysWOW64\OPHVYZ.exe

Filesize
448KB

MD5
644f32780efa390778b86d7d8beb1843

SHA1
3e5472072f3b6c90abf6ca33d75d7b75c99e0393

SHA256
f2c31ce3ec5c4f0f283c417f9423ecada0b8a53b6b72a38d6fa40360eb8ef417

SHA512
2eb171573b68c5afca4a4b20eb9373ca09bf7bf2af2b54e0eb0672f49d7a7180f4eefc40be0ed320de84ad6843ae239907274ef10cbd01497e6b9553afae5fa8

Download Submit
C:\windows\SysWOW64\OPHVYZ.exe.bat

Filesize
76B

MD5
a2abdcd4f0484f8111e47c3a65755b91

SHA1
8b8f2fafbaf30a7305f59dfda2fad20a2f1c0743

SHA256
a8ce863e2faa25079d55b46a0f44e993f23c240975a96a6add00997d8b819f3f

SHA512
efab0469e9cc6591403d6bc4a191ed6e821d38b427b6b74b416f6099fe845545b6619296277b3e4f0940bd3fbe1fb3b60212b2510fba4cb80c8100b899ed1572

Download Submit
C:\windows\SysWOW64\RGWAWD.exe.bat

Filesize
76B

MD5
6c678eb4ab265a763280ed83ce3392b9

SHA1
d0f884d333b0e8fc02b125e39ef80d891f089b57

SHA256
ad68c167af6a00b5eb89cdb4958cbffe2c05ec59152657d6e77d6263029e88ec

SHA512
860c21993f889951920fe4834ec6fe71b224ecd81b100843fe6a39e403613cd953a02533c6aefd8add3be6af0540e7951ca60d961d76e2586777246e51d5b7cd

Download Submit
C:\windows\SysWOW64\TIHI.exe.bat

Filesize
72B

MD5
e6f1ad8c5d7ad44b3b0e90e2a6e35258

SHA1
c5fbe41b97a3de5c78900d42717b60b5a9647640

SHA256
20f608f2ecb39233e48eadfcc47d78f34310dfc67f394b71f0a8fc0aabf0a53a

SHA512
1619a7bacbaa00f4ed0b91be6216b68b0913710fe657f30e8bddf2bf6c298086ada1aad1f2b7a91c9cce15e46485c1d915821aeecf153b0d885a2d2cd07e3000

Download Submit
C:\windows\TZXRMU.exe.bat

Filesize
58B

MD5
68500cc0a0a356b6eebf6891717c754c

SHA1
a507f1da68fb67da51448bfed5be0f4a75a4bc49

SHA256
105519d0edf343bb26bb64ff1d6e454f61ca329bf3724a58fc52e18bdff01062

SHA512
c48227f0c0a011ec090c231193cb6cb9da854bea266ef7d037e5fd51a9e6fbf93d7ba5e6fac9c0d7690fc78af6026242d87a9160f6a3767906a5974ce754e111

Download Submit
C:\windows\UXPYQJ.exe.bat

Filesize
58B

MD5
e4f452aed2f004dcb1e22ffe4cc5043e

SHA1
0f67686f9b9600ab7fb28b1b1f1aa1d652f0996c

SHA256
c4335fa09d890c1399abc336fc14cc5f476ce8f087d8df61c3352b7f82d8103e

SHA512
5d4ecd4ebf15b8ffd1fb3c33e32001fa562d1b7d23ec8ce3402cb193a15836c1498559a5452c9612b377eb093bdecf6042d8819739735b75d3b888def90180a2

Download Submit
C:\windows\WCMJJ.exe

Filesize
448KB

MD5
32ee8bf652c19e87737909bb94523382

SHA1
b72587ec2791109fa3352a91d8dab389b7e05dad

SHA256
162ddaf985b4acfb4b6e420e5b85e59d6112b89041ac48c6e66c83eca80563c6

SHA512
1d3b52c602f36cbbec0f9a9d615ea93dccb8d7400625c26f63c17ceec4d2d981e3b66e37ee42bb957c2b68720e0d957a2435990437a27db20fd291cea0d4568f

Download Submit
C:\windows\WCMJJ.exe.bat

Filesize
56B

MD5
53b387dc929f08d071ef16e00a3f3981

SHA1
c762bd511811a509c15fbdf6912124dee5791383

SHA256
cefce02d17e933b794dc3329a3fb7e94665796c7414eb888edad5decc0d8cd4b

SHA512
fa4103061de8ce4a5b15b5494549700dea3b871aff0270a8017829c70e9ed88ab8e0f1b927b077df7f3d10b59ec6dc3ffdfbe7b25942f587c7a5a5d86faadf00

Download Submit
C:\windows\system\BER.exe

Filesize
448KB

MD5
852924c13cce19fcd6b19ae113a53d0e

SHA1
31ad567acef01f6565e43280dcedc32098d968d3

SHA256
cc11f8f640fa1e2dcab84822d1e798d89e5c6301f88fc0c4ba647ba37e75a16b

SHA512
638dab01030aedd4fb44f0f4e7fbd4bc7ad4f2d18327371d06a707de9d794384c684890faf880ce58e8d558efa80e1be58dc68ec0f3f4196df6cbd8d004edc24

Download Submit
C:\windows\system\BER.exe.bat

Filesize
66B

MD5
e1592069a207a74803e86c9cf75e91f9

SHA1
99b119b0352d3773dcf63b93bb392884337a9b2b

SHA256
53a93995e3f978914e067668b0111a31e593b7208e488944fb804258deca92a6

SHA512
a3e4b342f8b7d01e39dd2bd919cdd4a77f1c47de6648b8d193d4304fb20dea37ce94bf3dd1558049e30eccb38a63d1ec0a326730965dfe131c1c7ea7939b9d68

Download Submit
C:\windows\system\CIOKYC.exe

Filesize
448KB

MD5
340557110d60df7492a06812601277eb

SHA1
917c0d25a8d212b0ac35227529ff1eff83934328

SHA256
ff04afb070b7bf8eaa0a149ca52535fe1dd389e6a8dc4cae846b0b5e25cca9ab

SHA512
ba3c355f37f85b0a00b583763f26cb34396b0155201ec265ecb15379fcfd0e7797d14e65f2ef57d5052d8305051d89cb8f40cc2b599df03a96ca92af41c97262

Download Submit
C:\windows\system\CIOKYC.exe.bat

Filesize
72B

MD5
61ec7f3210631d3d5bd016c585521120

SHA1
dab187f6c280edda1d7b94108c45abf31a201998

SHA256
79f778caacf0d23e4c15e41de13ac8530a14a92ff86e31e100fef7528203d9f8

SHA512
e4d382e78fe0603fa6d99f72f96c94cc524f033bc9054ab2b51f10a47e16fd4f571c4c28b148d4bfdf62bad62e286905e11bbf4475b3726985bbc7151d747de9

Download Submit
C:\windows\system\CTOO.exe.bat

Filesize
68B

MD5
7de6fb7a4e157cc98062810463f5f2a5

SHA1
5a63741a7e4ba6b796fc6564bff06f62de64fc99

SHA256
4797d349aabe6d4f57a7f20969ee348a8dfc16dae4d41da2f15deca812126786

SHA512
846b3b12f63bfc5db8738b8545f6f078e9da7d945e22938c8531421e29e675cae9bdf34d8867710eba3c2fca6526c290b5ddb2c68f38743187a108c5301ea595

Download Submit
C:\windows\system\OGEC.exe.bat

Filesize
68B

MD5
de295aa75eb296697ca7a8f014cdb625

SHA1
87aa23a74bf5f6da5c54a69cdb206f360cb565a9

SHA256
b4bc02c687cf6b1177928c48bf4ca620105045acf163067a8ab430138be0e44e

SHA512
f1893c6d24ab30ebdd56c2e1d260446ad508459163a5556ee5983be1841f754ba7c9d3cfc43887bd36e19d8b0a6c7bfe77b2e8a536d17e5e78320e32178b8af1

Download Submit
C:\windows\system\ONUUIII.exe

Filesize
448KB

MD5
c6ac32a5e2149f9bc96aba3d14b51c66

SHA1
f9a7a4204b6bdf74604aeeb7d7909c808a242f9d

SHA256
f8e3d47439fe3c45f8c95bcc638a498f8031db0b31ad8a027b8ac60069dcb646

SHA512
9da06707213658146a6a29ffe05a5b3361df48e291072ef32de70d74f5eb0a8afb8d9a38cca63fcdda9a5f8b95e08d53732e3e1a389c19e129557d79c33a04d3

Download Submit
C:\windows\system\ONUUIII.exe.bat

Filesize
74B

MD5
b89d02addba85c74cfd9f38bb0deffc2

SHA1
198f103cbe60904ffd6646294fd8db8b4092966b

SHA256
2fb298d09e5fc82112a581b4ac88324414e54588f5b218ff6da046ca02614273

SHA512
ea1d6a901bc5135310660348217376af28eef1be65612e8bf95438e838c6f3cc85be8a4cae1cd285ba2c3b7b14b9b6468fe23a0eb8c271b8dea87c1f991ba15f

Download Submit
C:\windows\system\RKOOZW.exe.bat

Filesize
72B

MD5
9e917e293c7e94ab0fc18703890db395

SHA1
d9defad81a7599de978696a094d87495321f2178

SHA256
d49d594ea3addcd5b92a7fa35d68fabef7a35d9117de422835441ab46f1ef721

SHA512
ba7bda23938dcbc6761d803428d932ebac25c8d66fe085dacf14dd1a606e834045d8b03bc2947ab6f22f271b321574ce97a8630c3a4a8f624b2f7019873f9fd9

Download Submit
C:\windows\system\SBNYU.exe

Filesize
448KB

MD5
685fc9a54fa513087f249507137d445f

SHA1
10ee7ba0137603d31887f9fb2cee66a34e550713

SHA256
e377ae344bf435965f7d71052a40925398f8bec66ba0dc04760ea7a3cf2a10f8

SHA512
816a8cd10e74acf7c6ca91e181da139317f1e937dce68fb7ada41615693d372e9d35e0c8e5665bcdc0fb289707348d19e6ba822ca1883d70c7cc09b4648624ff

Download Submit
C:\windows\system\SBNYU.exe.bat

Filesize
70B

MD5
e952b373e7b661a3e5fb652e560398b9

SHA1
1d46b21214528d7d2995ca5a11e895880cfd5afa

SHA256
f7eb75356e3afaef8801ebbd53703bb958922e202d163f421525363b40fbcfd4

SHA512
cd960091b2712e3f2011618cf33c52459737b174dff3ff6e09e9837a9107335c03c846c4e692d9386edb0743e53a26ecc089f90bad37b4fecfc64fef67b27b6e

Download Submit
memory/228-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/228-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/432-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/432-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/512-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/512-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1956-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1956-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2116-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2116-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3244-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3244-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3312-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3312-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3460-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3460-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4020-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4020-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4304-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4568-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4568-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4644-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4644-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4704-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4704-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4856-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4856-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download