dc46d1d0564c7a9f7791aa49670282ac4085c5f487bc56becf5fbfc46e66f080

Analysis

max time kernel
149s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 19:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
Size

256KB
MD5

78ccb45bd7267130e27d5afe998eab92
SHA1

b45b2804e73e62dbe1577e7f1c4bc1d993c8456f
SHA256

dc46d1d0564c7a9f7791aa49670282ac4085c5f487bc56becf5fbfc46e66f080
SHA512

cb7026ce526a086fa378a3aaf25c54da594af556711e0e3a6e15c0e2656686cafad6a612de20d819df64f271673c686109ef388b594fe217979dbc1607cdf43e
SSDEEP

6144:N5MwggJf+HW7zWnsMdqkEjiPISUOgW9X+h8:N5MElOW2ZMkmZzcui

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 18 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000e000000023b9d-10.dat	family_berbew
behavioral2/files/0x000c000000023b9e-12.dat	family_berbew
behavioral2/files/0x0002000000022ab5-32.dat	family_berbew
behavioral2/files/0x000d000000023bb3-45.dat	family_berbew
behavioral2/files/0x003800000001b530-57.dat	family_berbew
behavioral2/files/0x0007000000022ab7-71.dat	family_berbew
behavioral2/files/0x000f000000023a76-82.dat	family_berbew
behavioral2/files/0x001c000000023af6-105.dat	family_berbew
behavioral2/files/0x0012000000023a53-117.dat	family_berbew
behavioral2/files/0x001c000000023a52-128.dat	family_berbew
behavioral2/files/0x0017000000023aec-141.dat	family_berbew
behavioral2/files/0x0019000000023b0e-152.dat	family_berbew
behavioral2/files/0x001b000000023a54-178.dat	family_berbew
behavioral2/files/0x0018000000023a6f-189.dat	family_berbew
behavioral2/files/0x0017000000023bb7-201.dat	family_berbew
behavioral2/files/0x0024000000023ae9-214.dat	family_berbew
behavioral2/files/0x000a000000023bc5-224.dat	family_berbew
behavioral2/files/0x000f000000023bc7-250.dat	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	CHOSZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	GDBMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ZJQMSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HNJGRMC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DCG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	MLZWIRJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	NSS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DHEM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	IAP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VJFSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ONHNZKN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	LZGSQS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SXVPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ZBNJRG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ARZHJD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	LJPSBW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UGGKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	MDU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	TCOYA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HQEMAZZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VZPDI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XGWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	TCZXHVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HSV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	DBY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YYWCZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	OBVY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BYTOF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	KIADZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SESQJY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	PDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	MGQJMK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WKQQC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	YDGPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	AJIALH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SKKFWEJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	SXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	FBYYYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	HNPD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UWZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	GRQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BAKOMBL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BTP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VDIGJH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XHGFQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	KQFJZS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ICIOKKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	PVBL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ZHMFPGV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	JBSNO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	TBBIBBP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	BYZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	QKATKVI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	LDGBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	PVELDZZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	IXLDTXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VERX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	FXESETV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	VABXAI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	KXMJD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	GDGKY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	UOS.exe

Executes dropped EXE 64 IoCs

pid	Process
528	WKQQC.exe
4580	VDZRQ.exe
4924	MDU.exe
3936	OBVY.exe
2732	UWZ.exe
3788	DUTA.exe
1264	ZSZXL.exe
3924	CNQYXT.exe
2604	BYTOF.exe
4620	KGVURW.exe
4144	DBY.exe
4800	YMP.exe
1196	QPTSQ.exe
3340	KIADZ.exe
3852	ISLT.exe
4180	POOM.exe
1860	NDV.exe
2732	AJIALH.exe
2320	SKKFWEJ.exe
4944	PKU.exe
1268	IDBTKJ.exe
920	VNRRYM.exe
4408	PBQPD.exe
632	HEUT.exe
3456	WZEXBYC.exe
3192	KXMJD.exe
1032	OCWY.exe
4316	LDGBX.exe
1776	VDIGJH.exe
384	DRMUTF.exe
3640	XEREWFC.exe
2188	JUKW.exe
1008	IFV.exe
3172	QKATKVI.exe
3524	WFLTQKQ.exe
3648	SLRR.exe
384	BZW.exe
4168	DHEM.exe
3980	TCOYA.exe
1204	ISB.exe
2616	JVFLVE.exe
748	HQEMAZZ.exe
3972	ROSHHHH.exe
1668	TBBIBBP.exe
1304	VZPDI.exe
1564	ZCN.exe
4212	PXWCBP.exe
1204	PVELDZZ.exe
4116	OLLWPTG.exe
748	FTRTCKJ.exe
2880	PTTYF.exe
4708	XHGFQ.exe
2772	CHOSZ.exe
920	SXP.exe
4880	HSYWQQ.exe
2044	GDBMZ.exe
924	PLDRCC.exe
3260	ZJQMSK.exe
4868	HPVSVI.exe
4572	UZMR.exe
1892	IXLDTXF.exe
2472	XAVHE.exe
2640	DOHIJGW.exe
2352	JOOWAIX.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\DBY.exe.bat	KGVURW.exe
File created	C:\windows\SysWOW64\POOM.exe	ISLT.exe
File created	C:\windows\SysWOW64\IDBTKJ.exe	PKU.exe
File opened for modification	C:\windows\SysWOW64\PBQPD.exe	VNRRYM.exe
File created	C:\windows\SysWOW64\OLLWPTG.exe	PVELDZZ.exe
File opened for modification	C:\windows\SysWOW64\OLLWPTG.exe	PVELDZZ.exe
File created	C:\windows\SysWOW64\HPVSVI.exe.bat	ZJQMSK.exe
File created	C:\windows\SysWOW64\UWZ.exe.bat	OBVY.exe
File created	C:\windows\SysWOW64\LZGSQS.exe.bat	VJFSK.exe
File opened for modification	C:\windows\SysWOW64\YDGPC.exe	BTP.exe
File created	C:\windows\SysWOW64\UZMR.exe	HPVSVI.exe
File created	C:\windows\SysWOW64\OLLWPTG.exe.bat	PVELDZZ.exe
File created	C:\windows\SysWOW64\JFY.exe	ICIOKKI.exe
File opened for modification	C:\windows\SysWOW64\ZHDW.exe	THVICMU.exe
File opened for modification	C:\windows\SysWOW64\OVGT.exe	IAP.exe
File created	C:\windows\SysWOW64\ARZHJD.exe	MLZWIRJ.exe
File opened for modification	C:\windows\SysWOW64\ARZHJD.exe	MLZWIRJ.exe
File created	C:\windows\SysWOW64\UWZ.exe	OBVY.exe
File created	C:\windows\SysWOW64\LZGSQS.exe	VJFSK.exe
File created	C:\windows\SysWOW64\PITKUH.exe	QXQUTBS.exe
File created	C:\windows\SysWOW64\LJPSBW.exe.bat	ARZHJD.exe
File created	C:\windows\SysWOW64\VDZRQ.exe	WKQQC.exe
File opened for modification	C:\windows\SysWOW64\IDBTKJ.exe	PKU.exe
File created	C:\windows\SysWOW64\SXVPK.exe.bat	WRNDIT.exe
File created	C:\windows\SysWOW64\XQJ.exe.bat	BYZK.exe
File opened for modification	C:\windows\SysWOW64\BGQVWNH.exe	XQJ.exe
File created	C:\windows\SysWOW64\FXESETV.exe	DZY.exe
File created	C:\windows\SysWOW64\PVBL.exe	AZQK.exe
File created	C:\windows\SysWOW64\PVBL.exe.bat	AZQK.exe
File created	C:\windows\SysWOW64\ISLT.exe.bat	KIADZ.exe
File created	C:\windows\SysWOW64\AJIALH.exe	NDV.exe
File created	C:\windows\SysWOW64\WRNDIT.exe	LZGSQS.exe
File created	C:\windows\SysWOW64\MPG.exe	ZEQMW.exe
File created	C:\windows\SysWOW64\LJPSBW.exe	ARZHJD.exe
File created	C:\windows\SysWOW64\NDV.exe.bat	POOM.exe
File created	C:\windows\SysWOW64\DRMUTF.exe	VDIGJH.exe
File created	C:\windows\SysWOW64\GDBMZ.exe.bat	HSYWQQ.exe
File opened for modification	C:\windows\SysWOW64\ZBNJRG.exe	PDA.exe
File created	C:\windows\SysWOW64\XDTE.exe.bat	GDEG.exe
File created	C:\windows\SysWOW64\KGVURW.exe.bat	BYTOF.exe
File created	C:\windows\SysWOW64\PBQPD.exe	VNRRYM.exe
File opened for modification	C:\windows\SysWOW64\ROSHHHH.exe	HQEMAZZ.exe
File created	C:\windows\SysWOW64\IPWTM.exe	FCFK.exe
File created	C:\windows\SysWOW64\SXVPK.exe	WRNDIT.exe
File opened for modification	C:\windows\SysWOW64\OXNFZC.exe	GRAYOW.exe
File opened for modification	C:\windows\SysWOW64\JFY.exe	ICIOKKI.exe
File created	C:\windows\SysWOW64\YCB.exe.bat	UUVYWI.exe
File created	C:\windows\SysWOW64\NDV.exe	POOM.exe
File created	C:\windows\SysWOW64\ZHDW.exe	THVICMU.exe
File opened for modification	C:\windows\SysWOW64\YCB.exe	UUVYWI.exe
File opened for modification	C:\windows\SysWOW64\BYTOF.exe	CNQYXT.exe
File created	C:\windows\SysWOW64\IDBTKJ.exe.bat	PKU.exe
File created	C:\windows\SysWOW64\DHEM.exe	BZW.exe
File created	C:\windows\SysWOW64\FTRTCKJ.exe.bat	OLLWPTG.exe
File created	C:\windows\SysWOW64\IPWTM.exe.bat	FCFK.exe
File created	C:\windows\SysWOW64\QXQUTBS.exe.bat	VJLLJ.exe
File created	C:\windows\SysWOW64\MPG.exe.bat	ZEQMW.exe
File created	C:\windows\SysWOW64\BNE.exe	KNCFQB.exe
File created	C:\windows\SysWOW64\KGVURW.exe	BYTOF.exe
File created	C:\windows\SysWOW64\NECAXTS.exe	JBSNO.exe
File created	C:\windows\SysWOW64\OVGT.exe	IAP.exe
File opened for modification	C:\windows\SysWOW64\POOM.exe	ISLT.exe
File opened for modification	C:\windows\SysWOW64\HPVSVI.exe	ZJQMSK.exe
File created	C:\windows\SysWOW64\EKBFIXJ.exe	ZEJPRU.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\QIOYR.exe.bat	DFSAMQ.exe
File opened for modification	C:\windows\system\VLUVPVX.exe	DIQSK.exe
File created	C:\windows\system\TCZXHVP.exe	XXT.exe
File created	C:\windows\system\NEMQZ.exe.bat	ZHMFPGV.exe
File created	C:\windows\system\APEHWCW.exe	CEB.exe
File created	C:\windows\system\GDEG.exe	RIVCSH.exe
File created	C:\windows\BCSLMT.exe.bat	UGGKH.exe
File created	C:\windows\VZPDI.exe.bat	TBBIBBP.exe
File opened for modification	C:\windows\FBYYYD.exe	VJPZ.exe
File created	C:\windows\XXT.exe.bat	MPG.exe
File opened for modification	C:\windows\system\CEB.exe	DLQJ.exe
File created	C:\windows\system\UGGKH.exe	DYSMU.exe
File created	C:\windows\HSYWQQ.exe.bat	SXP.exe
File created	C:\windows\system\GNQJOJ.exe.bat	EQLPYAH.exe
File created	C:\windows\system\LGS.exe.bat	BGQVWNH.exe
File created	C:\windows\system\KIADZ.exe	QPTSQ.exe
File opened for modification	C:\windows\PTTYF.exe	FTRTCKJ.exe
File opened for modification	C:\windows\system\RREJHV.exe	MOAKCEQ.exe
File opened for modification	C:\windows\DUTA.exe	UWZ.exe
File created	C:\windows\CHOSZ.exe.bat	XHGFQ.exe
File created	C:\windows\system\KJWAS.exe.bat	KOS.exe
File created	C:\windows\DCG.exe	FBYYYD.exe
File created	C:\windows\GDGKY.exe.bat	HSV.exe
File created	C:\windows\EQLPYAH.exe.bat	PVBL.exe
File opened for modification	C:\windows\system\OCWY.exe	KXMJD.exe
File created	C:\windows\PWUSV.exe	SESQJY.exe
File created	C:\windows\system\DIQSK.exe	ONHNZKN.exe
File created	C:\windows\GRQ.exe.bat	NOMWHC.exe
File opened for modification	C:\windows\SNU.exe	OXNFZC.exe
File created	C:\windows\FBYYYD.exe	VJPZ.exe
File opened for modification	C:\windows\system\GDEG.exe	RIVCSH.exe
File opened for modification	C:\windows\HSYWQQ.exe	SXP.exe
File created	C:\windows\system\KXMJD.exe	WZEXBYC.exe
File created	C:\windows\VZPDI.exe	TBBIBBP.exe
File created	C:\windows\system\XHGFQ.exe.bat	PTTYF.exe
File created	C:\windows\JOOWAIX.exe.bat	DOHIJGW.exe
File created	C:\windows\KQFJZS.exe.bat	KNBGTCU.exe
File created	C:\windows\system\OLC.exe	QVJIH.exe
File created	C:\windows\system\DLQJ.exe	SSJ.exe
File created	C:\windows\system\ZSZXL.exe.bat	DUTA.exe
File created	C:\windows\system\UGGKH.exe.bat	DYSMU.exe
File created	C:\windows\XGWS.exe.bat	BAKOMBL.exe
File created	C:\windows\ZEJPRU.exe.bat	RREJHV.exe
File created	C:\windows\system\OXDZFQY.exe	GRQ.exe
File created	C:\windows\ZPG.exe.bat	OXDZFQY.exe
File opened for modification	C:\windows\EQLPYAH.exe	PVBL.exe
File created	C:\windows\system\TBBIBBP.exe.bat	ROSHHHH.exe
File opened for modification	C:\windows\system\ZSZXL.exe	DUTA.exe
File created	C:\windows\LDGBX.exe.bat	OCWY.exe
File created	C:\windows\system\HQEMAZZ.exe.bat	JVFLVE.exe
File created	C:\windows\KNBGTCU.exe.bat	IPWTM.exe
File opened for modification	C:\windows\system\OXDZFQY.exe	GRQ.exe
File created	C:\windows\MGQJMK.exe.bat	IYBJ.exe
File created	C:\windows\system\WKQQC.exe.bat	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
File created	C:\windows\ISB.exe	TCOYA.exe
File created	C:\windows\PTTYF.exe.bat	FTRTCKJ.exe
File opened for modification	C:\windows\ZPG.exe	OXDZFQY.exe
File opened for modification	C:\windows\system\DZY.exe	CWUUJV.exe
File opened for modification	C:\windows\system\VDIGJH.exe	LDGBX.exe
File created	C:\windows\system\ZCN.exe	VZPDI.exe
File opened for modification	C:\windows\system\YFWFZA.exe	PWUSV.exe
File created	C:\windows\NOMWHC.exe.bat	JJCHZ.exe
File opened for modification	C:\windows\system\LGS.exe	BGQVWNH.exe
File created	C:\windows\system\VDIGJH.exe.bat	LDGBX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1824	396	WerFault.exe	82
1200	528	WerFault.exe	90
1496	4580	WerFault.exe	96
1304	4924	WerFault.exe	101
872	3936	WerFault.exe	106
4160	2732	WerFault.exe	111
4232	3788	WerFault.exe	118
4708	1264	WerFault.exe	125
3580	3924	WerFault.exe	132
2164	2604	WerFault.exe	137
1204	4620	WerFault.exe	143
2732	4144	WerFault.exe	148
4332	4800	WerFault.exe	154
548	1196	WerFault.exe	159
3016	3340	WerFault.exe	164
4568	3852	WerFault.exe	170
4948	4180	WerFault.exe	176
4884	1860	WerFault.exe	181
4416	2732	WerFault.exe	186
408	2320	WerFault.exe	191
752	4944	WerFault.exe	196
1788	1268	WerFault.exe	201
3932	920	WerFault.exe	206
5048	4408	WerFault.exe	211
4412	632	WerFault.exe	216
1556	3456	WerFault.exe	221
3712	3192	WerFault.exe	226
2124	1032	WerFault.exe	231
4208	4316	WerFault.exe	236
4480	1776	WerFault.exe	241
4116	384	WerFault.exe	246
3508	3640	WerFault.exe	251
4716	2188	WerFault.exe	256
3576	1008	WerFault.exe	261
2384	3172	WerFault.exe	266
4472	3524	WerFault.exe	271
1284	3648	WerFault.exe	277
2148	384	WerFault.exe	282
3528	4168	WerFault.exe	287
4944	3980	WerFault.exe	292
4020	1204	WerFault.exe	297
4416	2616	WerFault.exe	302
3336	748	WerFault.exe	307
1656	3972	WerFault.exe	312
4316	1668	WerFault.exe	317
1972	1304	WerFault.exe	322
4572	1564	WerFault.exe	328
1728	4212	WerFault.exe	333
1136	1204	WerFault.exe	338
4544	4116	WerFault.exe	343
400	748	WerFault.exe	348
1920	2880	WerFault.exe	353
3104	4708	WerFault.exe	358
3520	2772	WerFault.exe	363
2788	920	WerFault.exe	368
2724	4880	WerFault.exe	373
3968	2044	WerFault.exe	378
2392	924	WerFault.exe	383
1972	3260	WerFault.exe	388
4524	4868	WerFault.exe	393
4952	4572	WerFault.exe	398
3620	1892	WerFault.exe	403
1556	2472	WerFault.exe	408
3640	2640	WerFault.exe	413

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
528	WKQQC.exe
528	WKQQC.exe
4580	VDZRQ.exe
4580	VDZRQ.exe
4924	MDU.exe
4924	MDU.exe
3936	OBVY.exe
3936	OBVY.exe
2732	UWZ.exe
2732	UWZ.exe
3788	DUTA.exe
3788	DUTA.exe
1264	ZSZXL.exe
1264	ZSZXL.exe
3924	CNQYXT.exe
3924	CNQYXT.exe
2604	BYTOF.exe
2604	BYTOF.exe
4620	KGVURW.exe
4620	KGVURW.exe
4144	DBY.exe
4144	DBY.exe
4800	YMP.exe
4800	YMP.exe
1196	QPTSQ.exe
1196	QPTSQ.exe
3340	KIADZ.exe
3340	KIADZ.exe
3852	ISLT.exe
3852	ISLT.exe
4180	POOM.exe
4180	POOM.exe
1860	NDV.exe
1860	NDV.exe
2732	AJIALH.exe
2732	AJIALH.exe
2320	SKKFWEJ.exe
2320	SKKFWEJ.exe
4944	PKU.exe
4944	PKU.exe
1268	IDBTKJ.exe
1268	IDBTKJ.exe
920	VNRRYM.exe
920	VNRRYM.exe
4408	PBQPD.exe
4408	PBQPD.exe
632	HEUT.exe
632	HEUT.exe
3456	WZEXBYC.exe
3456	WZEXBYC.exe
3192	KXMJD.exe
3192	KXMJD.exe
1032	OCWY.exe
1032	OCWY.exe
4316	LDGBX.exe
4316	LDGBX.exe
1776	VDIGJH.exe
1776	VDIGJH.exe
384	DRMUTF.exe
384	DRMUTF.exe
3640	XEREWFC.exe
3640	XEREWFC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
528	WKQQC.exe
528	WKQQC.exe
4580	VDZRQ.exe
4580	VDZRQ.exe
4924	MDU.exe
4924	MDU.exe
3936	OBVY.exe
3936	OBVY.exe
2732	UWZ.exe
2732	UWZ.exe
3788	DUTA.exe
3788	DUTA.exe
1264	ZSZXL.exe
1264	ZSZXL.exe
3924	CNQYXT.exe
3924	CNQYXT.exe
2604	BYTOF.exe
2604	BYTOF.exe
4620	KGVURW.exe
4620	KGVURW.exe
4144	DBY.exe
4144	DBY.exe
4800	YMP.exe
4800	YMP.exe
1196	QPTSQ.exe
1196	QPTSQ.exe
3340	KIADZ.exe
3340	KIADZ.exe
3852	ISLT.exe
3852	ISLT.exe
4180	POOM.exe
4180	POOM.exe
1860	NDV.exe
1860	NDV.exe
2732	AJIALH.exe
2732	AJIALH.exe
2320	SKKFWEJ.exe
2320	SKKFWEJ.exe
4944	PKU.exe
4944	PKU.exe
1268	IDBTKJ.exe
1268	IDBTKJ.exe
920	VNRRYM.exe
920	VNRRYM.exe
4408	PBQPD.exe
4408	PBQPD.exe
632	HEUT.exe
632	HEUT.exe
3456	WZEXBYC.exe
3456	WZEXBYC.exe
3192	KXMJD.exe
3192	KXMJD.exe
1032	OCWY.exe
1032	OCWY.exe
4316	LDGBX.exe
4316	LDGBX.exe
1776	VDIGJH.exe
1776	VDIGJH.exe
384	DRMUTF.exe
384	DRMUTF.exe
3640	XEREWFC.exe
3640	XEREWFC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3320	396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe	86
PID 396 wrote to memory of 3320	396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe	86
PID 396 wrote to memory of 3320	396	78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe	86
PID 3320 wrote to memory of 528	3320	cmd.exe	90
PID 3320 wrote to memory of 528	3320	cmd.exe	90
PID 3320 wrote to memory of 528	3320	cmd.exe	90
PID 528 wrote to memory of 392	528	WKQQC.exe	92
PID 528 wrote to memory of 392	528	WKQQC.exe	92
PID 528 wrote to memory of 392	528	WKQQC.exe	92
PID 392 wrote to memory of 4580	392	cmd.exe	96
PID 392 wrote to memory of 4580	392	cmd.exe	96
PID 392 wrote to memory of 4580	392	cmd.exe	96
PID 4580 wrote to memory of 436	4580	VDZRQ.exe	97
PID 4580 wrote to memory of 436	4580	VDZRQ.exe	97
PID 4580 wrote to memory of 436	4580	VDZRQ.exe	97
PID 436 wrote to memory of 4924	436	cmd.exe	101
PID 436 wrote to memory of 4924	436	cmd.exe	101
PID 436 wrote to memory of 4924	436	cmd.exe	101
PID 4924 wrote to memory of 2188	4924	MDU.exe	102
PID 4924 wrote to memory of 2188	4924	MDU.exe	102
PID 4924 wrote to memory of 2188	4924	MDU.exe	102
PID 2188 wrote to memory of 3936	2188	cmd.exe	106
PID 2188 wrote to memory of 3936	2188	cmd.exe	106
PID 2188 wrote to memory of 3936	2188	cmd.exe	106
PID 3936 wrote to memory of 4508	3936	OBVY.exe	107
PID 3936 wrote to memory of 4508	3936	OBVY.exe	107
PID 3936 wrote to memory of 4508	3936	OBVY.exe	107
PID 4508 wrote to memory of 2732	4508	cmd.exe	111
PID 4508 wrote to memory of 2732	4508	cmd.exe	111
PID 4508 wrote to memory of 2732	4508	cmd.exe	111
PID 2732 wrote to memory of 1788	2732	UWZ.exe	114
PID 2732 wrote to memory of 1788	2732	UWZ.exe	114
PID 2732 wrote to memory of 1788	2732	UWZ.exe	114
PID 1788 wrote to memory of 3788	1788	cmd.exe	118
PID 1788 wrote to memory of 3788	1788	cmd.exe	118
PID 1788 wrote to memory of 3788	1788	cmd.exe	118
PID 3788 wrote to memory of 468	3788	DUTA.exe	121
PID 3788 wrote to memory of 468	3788	DUTA.exe	121
PID 3788 wrote to memory of 468	3788	DUTA.exe	121
PID 468 wrote to memory of 1264	468	cmd.exe	125
PID 468 wrote to memory of 1264	468	cmd.exe	125
PID 468 wrote to memory of 1264	468	cmd.exe	125
PID 1264 wrote to memory of 3892	1264	ZSZXL.exe	128
PID 1264 wrote to memory of 3892	1264	ZSZXL.exe	128
PID 1264 wrote to memory of 3892	1264	ZSZXL.exe	128
PID 3892 wrote to memory of 3924	3892	cmd.exe	132
PID 3892 wrote to memory of 3924	3892	cmd.exe	132
PID 3892 wrote to memory of 3924	3892	cmd.exe	132
PID 3924 wrote to memory of 1728	3924	CNQYXT.exe	133
PID 3924 wrote to memory of 1728	3924	CNQYXT.exe	133
PID 3924 wrote to memory of 1728	3924	CNQYXT.exe	133
PID 1728 wrote to memory of 2604	1728	cmd.exe	137
PID 1728 wrote to memory of 2604	1728	cmd.exe	137
PID 1728 wrote to memory of 2604	1728	cmd.exe	137
PID 2604 wrote to memory of 2868	2604	BYTOF.exe	139
PID 2604 wrote to memory of 2868	2604	BYTOF.exe	139
PID 2604 wrote to memory of 2868	2604	BYTOF.exe	139
PID 2868 wrote to memory of 4620	2868	cmd.exe	143
PID 2868 wrote to memory of 4620	2868	cmd.exe	143
PID 2868 wrote to memory of 4620	2868	cmd.exe	143
PID 4620 wrote to memory of 3936	4620	KGVURW.exe	144
PID 4620 wrote to memory of 3936	4620	KGVURW.exe	144
PID 4620 wrote to memory of 3936	4620	KGVURW.exe	144
PID 3936 wrote to memory of 4144	3936	cmd.exe	148

C:\Users\Admin\AppData\Local\Temp\78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78ccb45bd7267130e27d5afe998eab92_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKQQC.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\windows\system\WKQQC.exe
    C:\windows\system\WKQQC.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDZRQ.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\windows\SysWOW64\VDZRQ.exe
        
        C:\windows\system32\VDZRQ.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MDU.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\windows\MDU.exe
        
        C:\windows\MDU.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBVY.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\windows\SysWOW64\OBVY.exe
        
        C:\windows\system32\OBVY.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWZ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\windows\SysWOW64\UWZ.exe
        
        C:\windows\system32\UWZ.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DUTA.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\windows\DUTA.exe
        
        C:\windows\DUTA.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSZXL.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\windows\system\ZSZXL.exe
        
        C:\windows\system\ZSZXL.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNQYXT.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\windows\CNQYXT.exe
        
        C:\windows\CNQYXT.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BYTOF.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\windows\SysWOW64\BYTOF.exe
        
        C:\windows\system32\BYTOF.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGVURW.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\windows\SysWOW64\KGVURW.exe
        
        C:\windows\system32\KGVURW.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBY.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\windows\SysWOW64\DBY.exe
        
        C:\windows\system32\DBY.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YMP.exe.bat" "
        24⤵
        
        PID:3296
        
        C:\windows\YMP.exe
        
        C:\windows\YMP.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPTSQ.exe.bat" "
        26⤵
        
        PID:4376
        
        C:\windows\system\QPTSQ.exe
        
        C:\windows\system\QPTSQ.exe
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KIADZ.exe.bat" "
        28⤵
        
        PID:1284
        
        C:\windows\system\KIADZ.exe
        
        C:\windows\system\KIADZ.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ISLT.exe.bat" "
        30⤵
        
        PID:1556
        
        C:\windows\SysWOW64\ISLT.exe
        
        C:\windows\system32\ISLT.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\POOM.exe.bat" "
        32⤵
        
        PID:1776
        
        C:\windows\SysWOW64\POOM.exe
        
        C:\windows\system32\POOM.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NDV.exe.bat" "
        34⤵
        
        PID:412
        
        C:\windows\SysWOW64\NDV.exe
        
        C:\windows\system32\NDV.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJIALH.exe.bat" "
        36⤵
        
        PID:4620
        
        C:\windows\SysWOW64\AJIALH.exe
        
        C:\windows\system32\AJIALH.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKKFWEJ.exe.bat" "
        38⤵
        
        PID:3124
        
        C:\windows\system\SKKFWEJ.exe
        
        C:\windows\system\SKKFWEJ.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKU.exe.bat" "
        40⤵
        
        PID:1920
        
        C:\windows\system\PKU.exe
        
        C:\windows\system\PKU.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IDBTKJ.exe.bat" "
        42⤵
        
        PID:1304
        
        C:\windows\SysWOW64\IDBTKJ.exe
        
        C:\windows\system32\IDBTKJ.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VNRRYM.exe.bat" "
        44⤵
        
        PID:4320
        
        C:\windows\VNRRYM.exe
        
        C:\windows\VNRRYM.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBQPD.exe.bat" "
        46⤵
        
        PID:5044
        
        C:\windows\SysWOW64\PBQPD.exe
        
        C:\windows\system32\PBQPD.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HEUT.exe.bat" "
        48⤵
        
        PID:5112
        
        C:\windows\HEUT.exe
        
        C:\windows\HEUT.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WZEXBYC.exe.bat" "
        50⤵
        
        PID:2472
        
        C:\windows\SysWOW64\WZEXBYC.exe
        
        C:\windows\system32\WZEXBYC.exe
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXMJD.exe.bat" "
        52⤵
        
        PID:2460
        
        C:\windows\system\KXMJD.exe
        
        C:\windows\system\KXMJD.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OCWY.exe.bat" "
        54⤵
        
        PID:4716
        
        C:\windows\system\OCWY.exe
        
        C:\windows\system\OCWY.exe
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LDGBX.exe.bat" "
        56⤵
        
        PID:3296
        
        C:\windows\LDGBX.exe
        
        C:\windows\LDGBX.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VDIGJH.exe.bat" "
        58⤵
        
        PID:4668
        
        C:\windows\system\VDIGJH.exe
        
        C:\windows\system\VDIGJH.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRMUTF.exe.bat" "
        60⤵
        
        PID:3584
        
        C:\windows\SysWOW64\DRMUTF.exe
        
        C:\windows\system32\DRMUTF.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XEREWFC.exe.bat" "
        62⤵
        
        PID:2424
        
        C:\windows\system\XEREWFC.exe
        
        C:\windows\system\XEREWFC.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JUKW.exe.bat" "
        64⤵
        
        PID:4580
        
        C:\windows\system\JUKW.exe
        
        C:\windows\system\JUKW.exe
        65⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IFV.exe.bat" "
        66⤵
        
        PID:1556
        
        C:\windows\IFV.exe
        
        C:\windows\IFV.exe
        67⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QKATKVI.exe.bat" "
        68⤵
        
        PID:984
        
        C:\windows\QKATKVI.exe
        
        C:\windows\QKATKVI.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WFLTQKQ.exe.bat" "
        70⤵
        
        PID:4668
        
        C:\windows\WFLTQKQ.exe
        
        C:\windows\WFLTQKQ.exe
        71⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SLRR.exe.bat" "
        72⤵
        
        PID:4444
        
        C:\windows\SLRR.exe
        
        C:\windows\SLRR.exe
        73⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BZW.exe.bat" "
        74⤵
        
        PID:4508
        
        C:\windows\system\BZW.exe
        
        C:\windows\system\BZW.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DHEM.exe.bat" "
        76⤵
        
        PID:2732
        
        C:\windows\SysWOW64\DHEM.exe
        
        C:\windows\system32\DHEM.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TCOYA.exe.bat" "
        78⤵
        
        PID:3788
        
        C:\windows\TCOYA.exe
        
        C:\windows\TCOYA.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISB.exe.bat" "
        80⤵
        
        PID:3468
        
        C:\windows\ISB.exe
        
        C:\windows\ISB.exe
        81⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JVFLVE.exe.bat" "
        82⤵
        
        PID:2996
        
        C:\windows\system\JVFLVE.exe
        
        C:\windows\system\JVFLVE.exe
        83⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HQEMAZZ.exe.bat" "
        84⤵
        
        PID:2036
        
        C:\windows\system\HQEMAZZ.exe
        
        C:\windows\system\HQEMAZZ.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ROSHHHH.exe.bat" "
        86⤵
        
        PID:2564
        
        C:\windows\SysWOW64\ROSHHHH.exe
        
        C:\windows\system32\ROSHHHH.exe
        87⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBBIBBP.exe.bat" "
        88⤵
        
        PID:2320
        
        C:\windows\system\TBBIBBP.exe
        
        C:\windows\system\TBBIBBP.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VZPDI.exe.bat" "
        90⤵
        
        PID:4656
        
        C:\windows\VZPDI.exe
        
        C:\windows\VZPDI.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCN.exe.bat" "
        92⤵
        
        PID:2400
        
        C:\windows\system\ZCN.exe
        
        C:\windows\system\ZCN.exe
        93⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PXWCBP.exe.bat" "
        94⤵
        
        PID:4788
        
        C:\windows\PXWCBP.exe
        
        C:\windows\PXWCBP.exe
        95⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PVELDZZ.exe.bat" "
        96⤵
        
        PID:1892
        
        C:\windows\PVELDZZ.exe
        
        C:\windows\PVELDZZ.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLLWPTG.exe.bat" "
        98⤵
        
        PID:4580
        
        C:\windows\SysWOW64\OLLWPTG.exe
        
        C:\windows\system32\OLLWPTG.exe
        99⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTRTCKJ.exe.bat" "
        100⤵
        
        PID:1376
        
        C:\windows\SysWOW64\FTRTCKJ.exe
        
        C:\windows\system32\FTRTCKJ.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTTYF.exe.bat" "
        102⤵
        
        PID:4456
        
        C:\windows\PTTYF.exe
        
        C:\windows\PTTYF.exe
        103⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XHGFQ.exe.bat" "
        104⤵
        
        PID:752
        
        C:\windows\system\XHGFQ.exe
        
        C:\windows\system\XHGFQ.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CHOSZ.exe.bat" "
        106⤵
        
        PID:3344
        
        C:\windows\CHOSZ.exe
        
        C:\windows\CHOSZ.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SXP.exe.bat" "
        108⤵
        
        PID:3788
        
        C:\windows\SXP.exe
        
        C:\windows\SXP.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HSYWQQ.exe.bat" "
        110⤵
        
        PID:5040
        
        C:\windows\HSYWQQ.exe
        
        C:\windows\HSYWQQ.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDBMZ.exe.bat" "
        112⤵
        
        PID:1860
        
        C:\windows\SysWOW64\GDBMZ.exe
        
        C:\windows\system32\GDBMZ.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PLDRCC.exe.bat" "
        114⤵
        
        PID:3032
        
        C:\windows\PLDRCC.exe
        
        C:\windows\PLDRCC.exe
        115⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJQMSK.exe.bat" "
        116⤵
        
        PID:4456
        
        C:\windows\system\ZJQMSK.exe
        
        C:\windows\system\ZJQMSK.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPVSVI.exe.bat" "
        118⤵
        
        PID:3296
        
        C:\windows\SysWOW64\HPVSVI.exe
        
        C:\windows\system32\HPVSVI.exe
        119⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZMR.exe.bat" "
        120⤵
        
        PID:4092
        
        C:\windows\SysWOW64\UZMR.exe
        
        C:\windows\system32\UZMR.exe
        121⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IXLDTXF.exe.bat" "
        122⤵
        
        PID:4232
        
        C:\windows\IXLDTXF.exe
        
        C:\windows\IXLDTXF.exe
        123⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XAVHE.exe.bat" "
        124⤵
        
        PID:2132
        
        C:\windows\XAVHE.exe
        
        C:\windows\XAVHE.exe
        125⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DOHIJGW.exe.bat" "
        126⤵
        
        PID:4412
        
        C:\windows\SysWOW64\DOHIJGW.exe
        
        C:\windows\system32\DOHIJGW.exe
        127⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JOOWAIX.exe.bat" "
        128⤵
        
        PID:4636
        
        C:\windows\JOOWAIX.exe
        
        C:\windows\JOOWAIX.exe
        129⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IHRMJO.exe.bat" "
        130⤵
        
        PID:3016
        
        C:\windows\IHRMJO.exe
        
        C:\windows\IHRMJO.exe
        131⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VERX.exe.bat" "
        132⤵
        
        PID:2256
        
        C:\windows\VERX.exe
        
        C:\windows\VERX.exe
        133⤵
        Checks computer location settings
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCFK.exe.bat" "
        134⤵
        
        PID:5020
        
        C:\windows\system\FCFK.exe
        
        C:\windows\system\FCFK.exe
        135⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPWTM.exe.bat" "
        136⤵
        
        PID:3656
        
        C:\windows\SysWOW64\IPWTM.exe
        
        C:\windows\system32\IPWTM.exe
        137⤵
        Drops file in Windows directory
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KNBGTCU.exe.bat" "
        138⤵
        
        PID:4580
        
        C:\windows\KNBGTCU.exe
        
        C:\windows\KNBGTCU.exe
        139⤵
        Drops file in Windows directory
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KQFJZS.exe.bat" "
        140⤵
        
        PID:1284
        
        C:\windows\KQFJZS.exe
        
        C:\windows\KQFJZS.exe
        141⤵
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SESQJY.exe.bat" "
        142⤵
        
        PID:2524
        
        C:\windows\system\SESQJY.exe
        
        C:\windows\system\SESQJY.exe
        143⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PWUSV.exe.bat" "
        144⤵
        
        PID:3624
        
        C:\windows\PWUSV.exe
        
        C:\windows\PWUSV.exe
        145⤵
        Drops file in Windows directory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YFWFZA.exe.bat" "
        146⤵
        
        PID:2196
        
        C:\windows\system\YFWFZA.exe
        
        C:\windows\system\YFWFZA.exe
        147⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFSAMQ.exe.bat" "
        148⤵
        
        PID:2496
        
        C:\windows\DFSAMQ.exe
        
        C:\windows\DFSAMQ.exe
        149⤵
        Drops file in Windows directory
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QIOYR.exe.bat" "
        150⤵
        
        PID:1824
        
        C:\windows\QIOYR.exe
        
        C:\windows\QIOYR.exe
        151⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "
        152⤵
        
        PID:2616
        
        C:\windows\system\MOAKCEQ.exe
        
        C:\windows\system\MOAKCEQ.exe
        153⤵
        Drops file in Windows directory
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RREJHV.exe.bat" "
        154⤵
        
        PID:3740
        
        C:\windows\system\RREJHV.exe
        
        C:\windows\system\RREJHV.exe
        155⤵
        Drops file in Windows directory
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZEJPRU.exe.bat" "
        156⤵
        
        PID:1892
        
        C:\windows\ZEJPRU.exe
        
        C:\windows\ZEJPRU.exe
        157⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKBFIXJ.exe.bat" "
        158⤵
        
        PID:3848
        
        C:\windows\SysWOW64\EKBFIXJ.exe
        
        C:\windows\system32\EKBFIXJ.exe
        159⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WFFI.exe.bat" "
        160⤵
        
        PID:3784
        
        C:\windows\WFFI.exe
        
        C:\windows\WFFI.exe
        161⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONHNZKN.exe.bat" "
        162⤵
        
        PID:1188
        
        C:\windows\SysWOW64\ONHNZKN.exe
        
        C:\windows\system32\ONHNZKN.exe
        163⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DIQSK.exe.bat" "
        164⤵
        
        PID:3892
        
        C:\windows\system\DIQSK.exe
        
        C:\windows\system\DIQSK.exe
        165⤵
        Drops file in Windows directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VLUVPVX.exe.bat" "
        166⤵
        
        PID:1412
        
        C:\windows\system\VLUVPVX.exe
        
        C:\windows\system\VLUVPVX.exe
        167⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JJCHZ.exe.bat" "
        168⤵
        
        PID:3428
        
        C:\windows\JJCHZ.exe
        
        C:\windows\JJCHZ.exe
        169⤵
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NOMWHC.exe.bat" "
        170⤵
        
        PID:1284
        
        C:\windows\NOMWHC.exe
        
        C:\windows\NOMWHC.exe
        171⤵
        Drops file in Windows directory
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GRQ.exe.bat" "
        172⤵
        
        PID:720
        
        C:\windows\GRQ.exe
        
        C:\windows\GRQ.exe
        173⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXDZFQY.exe.bat" "
        174⤵
        
        PID:4112
        
        C:\windows\system\OXDZFQY.exe
        
        C:\windows\system\OXDZFQY.exe
        175⤵
        Drops file in Windows directory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZPG.exe.bat" "
        176⤵
        
        PID:2268
        
        C:\windows\ZPG.exe
        
        C:\windows\ZPG.exe
        177⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFHRMTC.exe.bat" "
        178⤵
        
        PID:1264
        
        C:\windows\SysWOW64\PFHRMTC.exe
        
        C:\windows\system32\PFHRMTC.exe
        179⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LLRGC.exe.bat" "
        180⤵
        
        PID:3428
        
        C:\windows\SysWOW64\LLRGC.exe
        
        C:\windows\system32\LLRGC.exe
        181⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VJFSK.exe.bat" "
        182⤵
        
        PID:2332
        
        C:\windows\VJFSK.exe
        
        C:\windows\VJFSK.exe
        183⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZGSQS.exe.bat" "
        184⤵
        
        PID:548
        
        C:\windows\SysWOW64\LZGSQS.exe
        
        C:\windows\system32\LZGSQS.exe
        185⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRNDIT.exe.bat" "
        186⤵
        
        PID:2880
        
        C:\windows\SysWOW64\WRNDIT.exe
        
        C:\windows\system32\WRNDIT.exe
        187⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SXVPK.exe.bat" "
        188⤵
        
        PID:4024
        
        C:\windows\SysWOW64\SXVPK.exe
        
        C:\windows\system32\SXVPK.exe
        189⤵
        Checks computer location settings
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HNJGRMC.exe.bat" "
        190⤵
        
        PID:3784
        
        C:\windows\HNJGRMC.exe
        
        C:\windows\HNJGRMC.exe
        191⤵
        Checks computer location settings
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JQKNKAD.exe.bat" "
        192⤵
        
        PID:4348
        
        C:\windows\JQKNKAD.exe
        
        C:\windows\JQKNKAD.exe
        193⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOS.exe.bat" "
        194⤵
        
        PID:1752
        
        C:\windows\system\KOS.exe
        
        C:\windows\system\KOS.exe
        195⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KJWAS.exe.bat" "
        196⤵
        
        PID:2188
        
        C:\windows\system\KJWAS.exe
        
        C:\windows\system\KJWAS.exe
        197⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJLLJ.exe.bat" "
        198⤵
        
        PID:1256
        
        C:\windows\system\VJLLJ.exe
        
        C:\windows\system\VJLLJ.exe
        199⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXQUTBS.exe.bat" "
        200⤵
        
        PID:920
        
        C:\windows\SysWOW64\QXQUTBS.exe
        
        C:\windows\system32\QXQUTBS.exe
        201⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PITKUH.exe.bat" "
        202⤵
        
        PID:2392
        
        C:\windows\SysWOW64\PITKUH.exe
        
        C:\windows\system32\PITKUH.exe
        203⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BYZK.exe.bat" "
        204⤵
        
        PID:4956
        
        C:\windows\BYZK.exe
        
        C:\windows\BYZK.exe
        205⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XQJ.exe.bat" "
        206⤵
        
        PID:2904
        
        C:\windows\SysWOW64\XQJ.exe
        
        C:\windows\system32\XQJ.exe
        207⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BGQVWNH.exe.bat" "
        208⤵
        
        PID:2388
        
        C:\windows\SysWOW64\BGQVWNH.exe
        
        C:\windows\system32\BGQVWNH.exe
        209⤵
        Drops file in Windows directory
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGS.exe.bat" "
        210⤵
        
        PID:3444
        
        C:\windows\system\LGS.exe
        
        C:\windows\system\LGS.exe
        211⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GRAYOW.exe.bat" "
        212⤵
        
        PID:3904
        
        C:\windows\GRAYOW.exe
        
        C:\windows\GRAYOW.exe
        213⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXNFZC.exe.bat" "
        214⤵
        
        PID:2068
        
        C:\windows\SysWOW64\OXNFZC.exe
        
        C:\windows\system32\OXNFZC.exe
        215⤵
        Drops file in Windows directory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SNU.exe.bat" "
        216⤵
        
        PID:3344
        
        C:\windows\SNU.exe
        
        C:\windows\SNU.exe
        217⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQXJQCQ.exe.bat" "
        218⤵
        
        PID:3384
        
        C:\windows\system\LQXJQCQ.exe
        
        C:\windows\system\LQXJQCQ.exe
        219⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GOKNJ.exe.bat" "
        220⤵
        
        PID:4800
        
        C:\windows\SysWOW64\GOKNJ.exe
        
        C:\windows\system32\GOKNJ.exe
        221⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJPZ.exe.bat" "
        222⤵
        
        PID:3876
        
        C:\windows\SysWOW64\VJPZ.exe
        
        C:\windows\system32\VJPZ.exe
        223⤵
        Drops file in Windows directory
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FBYYYD.exe.bat" "
        224⤵
        
        PID:1204
        
        C:\windows\FBYYYD.exe
        
        C:\windows\FBYYYD.exe
        225⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCG.exe.bat" "
        226⤵
        
        PID:2036
        
        C:\windows\DCG.exe
        
        C:\windows\DCG.exe
        227⤵
        Checks computer location settings
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICIOKKI.exe.bat" "
        228⤵
        
        PID:4572
        
        C:\windows\SysWOW64\ICIOKKI.exe
        
        C:\windows\system32\ICIOKKI.exe
        229⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFY.exe.bat" "
        230⤵
        
        PID:208
        
        C:\windows\SysWOW64\JFY.exe
        
        C:\windows\system32\JFY.exe
        231⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BAKOMBL.exe.bat" "
        232⤵
        
        PID:3124
        
        C:\windows\BAKOMBL.exe
        
        C:\windows\BAKOMBL.exe
        233⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XGWS.exe.bat" "
        234⤵
        
        PID:3916
        
        C:\windows\XGWS.exe
        
        C:\windows\XGWS.exe
        235⤵
        Checks computer location settings
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZEQMW.exe.bat" "
        236⤵
        
        PID:744
        
        C:\windows\ZEQMW.exe
        
        C:\windows\ZEQMW.exe
        237⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MPG.exe.bat" "
        238⤵
        
        PID:4800
        
        C:\windows\SysWOW64\MPG.exe
        
        C:\windows\system32\MPG.exe
        239⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XXT.exe.bat" "
        240⤵
        
        PID:3328
        
        C:\windows\XXT.exe
        
        C:\windows\XXT.exe
        241⤵
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TCZXHVP.exe.bat" "
        242⤵
        
        PID:100
        
        C:\windows\system\TCZXHVP.exe
        
        C:\windows\system\TCZXHVP.exe
        243⤵
        Checks computer location settings
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNCFQB.exe.bat" "
        244⤵
        
        PID:4416
        
        C:\windows\SysWOW64\KNCFQB.exe
        
        C:\windows\system32\KNCFQB.exe
        245⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNE.exe.bat" "
        246⤵
        
        PID:736
        
        C:\windows\SysWOW64\BNE.exe
        
        C:\windows\system32\BNE.exe
        247⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FDKSG.exe.bat" "
        248⤵
        
        PID:4068
        
        C:\windows\FDKSG.exe
        
        C:\windows\FDKSG.exe
        249⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CWUUJV.exe.bat" "
        250⤵
        
        PID:1268
        
        C:\windows\CWUUJV.exe
        
        C:\windows\CWUUJV.exe
        251⤵
        Drops file in Windows directory
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DZY.exe.bat" "
        252⤵
        
        PID:2848
        
        C:\windows\system\DZY.exe
        
        C:\windows\system\DZY.exe
        253⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FXESETV.exe.bat" "
        254⤵
        
        PID:4044
        
        C:\windows\SysWOW64\FXESETV.exe
        
        C:\windows\system32\FXESETV.exe
        255⤵
        Checks computer location settings
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HSV.exe.bat" "
        256⤵
        
        PID:5060
        
        C:\windows\system\HSV.exe
        
        C:\windows\system\HSV.exe
        257⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GDGKY.exe.bat" "
        258⤵
        
        PID:1376
        
        C:\windows\GDGKY.exe
        
        C:\windows\GDGKY.exe
        259⤵
        Checks computer location settings
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PDA.exe.bat" "
        260⤵
        
        PID:464
        
        C:\windows\PDA.exe
        
        C:\windows\PDA.exe
        261⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZBNJRG.exe.bat" "
        262⤵
        
        PID:4784
        
        C:\windows\SysWOW64\ZBNJRG.exe
        
        C:\windows\system32\ZBNJRG.exe
        263⤵
        Checks computer location settings
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UOS.exe.bat" "
        264⤵
        
        PID:3904
        
        C:\windows\system\UOS.exe
        
        C:\windows\system\UOS.exe
        265⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\THVICMU.exe.bat" "
        266⤵
        
        PID:3876
        
        C:\windows\system\THVICMU.exe
        
        C:\windows\system\THVICMU.exe
        267⤵
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZHDW.exe.bat" "
        268⤵
        
        PID:4344
        
        C:\windows\SysWOW64\ZHDW.exe
        
        C:\windows\system32\ZHDW.exe
        269⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNPD.exe.bat" "
        270⤵
        
        PID:392
        
        C:\windows\SysWOW64\HNPD.exe
        
        C:\windows\system32\HNPD.exe
        271⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QVJIH.exe.bat" "
        272⤵
        
        PID:2096
        
        C:\windows\system\QVJIH.exe
        
        C:\windows\system\QVJIH.exe
        273⤵
        Drops file in Windows directory
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLC.exe.bat" "
        274⤵
        
        PID:4416
        
        C:\windows\system\OLC.exe
        
        C:\windows\system\OLC.exe
        275⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYBJ.exe.bat" "
        276⤵
        
        PID:3224
        
        C:\windows\system\IYBJ.exe
        
        C:\windows\system\IYBJ.exe
        277⤵
        Drops file in Windows directory
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
        278⤵
        
        PID:208
        
        C:\windows\MGQJMK.exe
        
        C:\windows\MGQJMK.exe
        279⤵
        Checks computer location settings
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUVYWI.exe.bat" "
        280⤵
        
        PID:4496
        
        C:\windows\SysWOW64\UUVYWI.exe
        
        C:\windows\system32\UUVYWI.exe
        281⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCB.exe.bat" "
        282⤵
        
        PID:3656
        
        C:\windows\SysWOW64\YCB.exe
        
        C:\windows\system32\YCB.exe
        283⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IAP.exe.bat" "
        284⤵
        
        PID:3564
        
        C:\windows\system\IAP.exe
        
        C:\windows\system\IAP.exe
        285⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVGT.exe.bat" "
        286⤵
        
        PID:1944
        
        C:\windows\SysWOW64\OVGT.exe
        
        C:\windows\system32\OVGT.exe
        287⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLZWIRJ.exe.bat" "
        288⤵
        
        PID:3576
        
        C:\windows\system\MLZWIRJ.exe
        
        C:\windows\system\MLZWIRJ.exe
        289⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARZHJD.exe.bat" "
        290⤵
        
        PID:1304
        
        C:\windows\SysWOW64\ARZHJD.exe
        
        C:\windows\system32\ARZHJD.exe
        291⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJPSBW.exe.bat" "
        292⤵
        
        PID:2460
        
        C:\windows\SysWOW64\LJPSBW.exe
        
        C:\windows\system32\LJPSBW.exe
        293⤵
        Checks computer location settings
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AZQK.exe.bat" "
        294⤵
        
        PID:1072
        
        C:\windows\SysWOW64\AZQK.exe
        
        C:\windows\system32\AZQK.exe
        295⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PVBL.exe.bat" "
        296⤵
        
        PID:2640
        
        C:\windows\SysWOW64\PVBL.exe
        
        C:\windows\system32\PVBL.exe
        297⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EQLPYAH.exe.bat" "
        298⤵
        
        PID:4932
        
        C:\windows\EQLPYAH.exe
        
        C:\windows\EQLPYAH.exe
        299⤵
        Drops file in Windows directory
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GNQJOJ.exe.bat" "
        300⤵
        
        PID:1948
        
        C:\windows\system\GNQJOJ.exe
        
        C:\windows\system\GNQJOJ.exe
        301⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYB.exe.bat" "
        302⤵
        
        PID:4836
        
        C:\windows\SysWOW64\SYB.exe
        
        C:\windows\system32\SYB.exe
        303⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XBFVCFN.exe.bat" "
        304⤵
        
        PID:2188
        
        C:\windows\XBFVCFN.exe
        
        C:\windows\XBFVCFN.exe
        305⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CCTYP.exe.bat" "
        306⤵
        
        PID:4744
        
        C:\windows\CCTYP.exe
        
        C:\windows\CCTYP.exe
        307⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKNFS.exe.bat" "
        308⤵
        
        PID:984
        
        C:\windows\system\GKNFS.exe
        
        C:\windows\system\GKNFS.exe
        309⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VABXAI.exe.bat" "
        310⤵
        
        PID:2388
        
        C:\windows\VABXAI.exe
        
        C:\windows\VABXAI.exe
        311⤵
        Checks computer location settings
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NSS.exe.bat" "
        312⤵
        
        PID:4740
        
        C:\windows\SysWOW64\NSS.exe
        
        C:\windows\system32\NSS.exe
        313⤵
        Checks computer location settings
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YYWCZ.exe.bat" "
        314⤵
        
        PID:4708
        
        C:\windows\YYWCZ.exe
        
        C:\windows\YYWCZ.exe
        315⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QTCN.exe.bat" "
        316⤵
        
        PID:3252
        
        C:\windows\system\QTCN.exe
        
        C:\windows\system\QTCN.exe
        317⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZHMFPGV.exe.bat" "
        318⤵
        
        PID:3240
        
        C:\windows\ZHMFPGV.exe
        
        C:\windows\ZHMFPGV.exe
        319⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEMQZ.exe.bat" "
        320⤵
        
        PID:1824
        
        C:\windows\system\NEMQZ.exe
        
        C:\windows\system\NEMQZ.exe
        321⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSRABRM.exe.bat" "
        322⤵
        
        PID:628
        
        C:\windows\SysWOW64\HSRABRM.exe
        
        C:\windows\system32\HSRABRM.exe
        323⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MXJ.exe.bat" "
        324⤵
        
        PID:2124
        
        C:\windows\MXJ.exe
        
        C:\windows\MXJ.exe
        325⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SSJ.exe.bat" "
        326⤵
        
        PID:1072
        
        C:\windows\system\SSJ.exe
        
        C:\windows\system\SSJ.exe
        327⤵
        Drops file in Windows directory
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DLQJ.exe.bat" "
        328⤵
        
        PID:4620
        
        C:\windows\system\DLQJ.exe
        
        C:\windows\system\DLQJ.exe
        329⤵
        Drops file in Windows directory
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CEB.exe.bat" "
        330⤵
        
        PID:2868
        
        C:\windows\system\CEB.exe
        
        C:\windows\system\CEB.exe
        331⤵
        Drops file in Windows directory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\APEHWCW.exe.bat" "
        332⤵
        
        PID:440
        
        C:\windows\system\APEHWCW.exe
        
        C:\windows\system\APEHWCW.exe
        333⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ORMFL.exe.bat" "
        334⤵
        
        PID:924
        
        C:\windows\ORMFL.exe
        
        C:\windows\ORMFL.exe
        335⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIVCSH.exe.bat" "
        336⤵
        
        PID:1728
        
        C:\windows\system\RIVCSH.exe
        
        C:\windows\system\RIVCSH.exe
        337⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GDEG.exe.bat" "
        338⤵
        
        PID:872
        
        C:\windows\system\GDEG.exe
        
        C:\windows\system\GDEG.exe
        339⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XDTE.exe.bat" "
        340⤵
        
        PID:3276
        
        C:\windows\SysWOW64\XDTE.exe
        
        C:\windows\system32\XDTE.exe
        341⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYSMU.exe.bat" "
        342⤵
        
        PID:2448
        
        C:\windows\system\DYSMU.exe
        
        C:\windows\system\DYSMU.exe
        343⤵
        Drops file in Windows directory
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGGKH.exe.bat" "
        344⤵
        
        PID:4932
        
        C:\windows\system\UGGKH.exe
        
        C:\windows\system\UGGKH.exe
        345⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BCSLMT.exe.bat" "
        346⤵
        
        PID:264
        
        C:\windows\BCSLMT.exe
        
        C:\windows\BCSLMT.exe
        347⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DPBMGNH.exe.bat" "
        348⤵
        
        PID:4048
        
        C:\windows\SysWOW64\DPBMGNH.exe
        
        C:\windows\system32\DPBMGNH.exe
        349⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAMCOT.exe.bat" "
        350⤵
        
        PID:924
        
        C:\windows\system\CAMCOT.exe
        
        C:\windows\system\CAMCOT.exe
        351⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTP.exe.bat" "
        352⤵
        
        PID:1344
        
        C:\windows\system\BTP.exe
        
        C:\windows\system\BTP.exe
        353⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGPC.exe.bat" "
        354⤵
        
        PID:4088
        
        C:\windows\SysWOW64\YDGPC.exe
        
        C:\windows\system32\YDGPC.exe
        355⤵
        Checks computer location settings
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBSNO.exe.bat" "
        356⤵
        
        PID:3276
        
        C:\windows\system\JBSNO.exe
        
        C:\windows\system\JBSNO.exe
        357⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NECAXTS.exe.bat" "
        358⤵
        
        PID:4568
        
        C:\windows\SysWOW64\NECAXTS.exe
        
        C:\windows\system32\NECAXTS.exe
        359⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1296
        358⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1336
        356⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1328
        354⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 960
        352⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 960
        350⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1300
        348⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960
        346⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1308
        344⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1336
        342⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 988
        340⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1336
        338⤵
        
        PID:464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1336
        336⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 988
        334⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1004
        332⤵
        
        PID:820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 960
        330⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1304
        328⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 960
        326⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1316
        324⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 960
        322⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 988
        320⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 988
        318⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1336
        316⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 988
        314⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1308
        312⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1288
        310⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1336
        308⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1324
        306⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1304
        304⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1268
        302⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1336
        300⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 988
        298⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1328
        296⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1296
        294⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 960
        292⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328
        290⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1268
        288⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1328
        286⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 960
        284⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 960
        282⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1328
        280⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1292
        278⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 960
        276⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 960
        274⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 960
        272⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1308
        270⤵
        
        PID:516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1300
        268⤵
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1336
        266⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 960
        264⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1328
        262⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 960
        260⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1236
        258⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1304
        256⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1328
        254⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 960
        252⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1252
        250⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 960
        248⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1328
        246⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1328
        244⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1336
        242⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1324
        240⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1252
        238⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1236
        236⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 960
        234⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1324
        232⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1328
        230⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1300
        228⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1324
        226⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 960
        224⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 960
        222⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1320
        220⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1316
        218⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1296
        216⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 988
        214⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 960
        212⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1336
        210⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1300
        208⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 960
        206⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 988
        204⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1328
        202⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1328
        200⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1308
        198⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1212
        196⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 988
        194⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1252
        192⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 988
        190⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1240
        188⤵
        
        PID:516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1328
        186⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1328
        184⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 876
        182⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1328
        180⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1328
        178⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 960
        176⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1336
        174⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 960
        172⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 872
        170⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 960
        168⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 872
        166⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1336
        164⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 960
        162⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 1324
        160⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 960
        158⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 960
        156⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336
        154⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1336
        152⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1260
        150⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 960
        148⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1336
        146⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1292
        144⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1328
        142⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1324
        140⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1324
        138⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1240
        136⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 960
        134⤵
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 988
        132⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1216
        130⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1000
        128⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1264
        126⤵
        Program crash
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1324
        124⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1248
        122⤵
        Program crash
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1328
        120⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 988
        118⤵
        Program crash
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1004
        116⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1292
        114⤵
        Program crash
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1328
        112⤵
        Program crash
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1004
        110⤵
        Program crash
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1324
        108⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1324
        106⤵
        Program crash
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 960
        104⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1304
        102⤵
        Program crash
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 976
        100⤵
        Program crash
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1328
        98⤵
        Program crash
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1288
        96⤵
        Program crash
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1320
        94⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1308
        92⤵
        Program crash
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1324
        90⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1336
        88⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 960
        86⤵
        Program crash
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1316
        84⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1336
        82⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 988
        80⤵
        Program crash
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1304
        78⤵
        Program crash
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 960
        76⤵
        Program crash
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1268
        74⤵
        Program crash
        
        PID:1284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1304
        72⤵
        Program crash
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1304
        70⤵
        Program crash
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1324
        68⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1292
        66⤵
        Program crash
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1300
        64⤵
        Program crash
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1316
        62⤵
        Program crash
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1328
        60⤵
        Program crash
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1336
        58⤵
        Program crash
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 976
        56⤵
        Program crash
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1336
        54⤵
        Program crash
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 976
        52⤵
        Program crash
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1328
        50⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1324
        48⤵
        Program crash
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 988
        46⤵
        Program crash
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1304
        44⤵
        Program crash
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1328
        42⤵
        Program crash
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 960
        40⤵
        Program crash
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 988
        38⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1264
        36⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1328
        34⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1328
        32⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1260
        30⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1336
        28⤵
        Program crash
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1336
        26⤵
        Program crash
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1260
        24⤵
        Program crash
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1328
        22⤵
        Program crash
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1328
        20⤵
        Program crash
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1240
        18⤵
        Program crash
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1324
        16⤵
        Program crash
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1316
        14⤵
        Program crash
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 960
        12⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1328
        10⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1328
        8⤵
        Program crash
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 976
        6⤵
        Program crash
        
        PID:1496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1296
      4⤵
      Program crash
      PID:1200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 948
  2⤵
  - Program crash
  PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 396 -ip 396
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 528 -ip 528
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4580 -ip 4580
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4924 -ip 4924
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3936 -ip 3936
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2732 -ip 2732
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3788 -ip 3788
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1264 -ip 1264
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3924 -ip 3924
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2604 -ip 2604
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4620 -ip 4620
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4144 -ip 4144
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4800 -ip 4800
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1196 -ip 1196
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3340 -ip 3340
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3852 -ip 3852
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4180 -ip 4180
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1860 -ip 1860
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2732 -ip 2732
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2320 -ip 2320
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4944 -ip 4944
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1268 -ip 1268
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 920 -ip 920
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4408 -ip 4408
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 632 -ip 632
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3456 -ip 3456
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3192 -ip 3192
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1032 -ip 1032
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4316 -ip 4316
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1776 -ip 1776
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 384 -ip 384
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3640 -ip 3640
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2188 -ip 2188
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1008 -ip 1008
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3172 -ip 3172
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3524 -ip 3524
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3648 -ip 3648
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 384 -ip 384
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4168 -ip 4168
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3980 -ip 3980
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1204 -ip 1204
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2616 -ip 2616
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 748 -ip 748
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3972 -ip 3972
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1668 -ip 1668
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1304 -ip 1304
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1564 -ip 1564
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 4212 -ip 4212
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1204 -ip 1204
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4116 -ip 4116
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 748 -ip 748
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2880 -ip 2880
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 4708 -ip 4708
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2772 -ip 2772
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 920 -ip 920
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4880 -ip 4880
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2044 -ip 2044
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 924 -ip 924
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3260 -ip 3260
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4868 -ip 4868
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4572 -ip 4572
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1892 -ip 1892
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2472 -ip 2472
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2640 -ip 2640
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2352 -ip 2352
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 2800 -ip 2800
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4272 -ip 4272
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1056 -ip 1056
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4724 -ip 4724
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3932 -ip 3932
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3268 -ip 3268
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 752 -ip 752
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 748 -ip 748
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 2396 -ip 2396
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4876 -ip 4876
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 696 -ip 696
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4744 -ip 4744
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3744 -ip 3744
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2356 -ip 2356
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3296 -ip 3296
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5072 -ip 5072
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5088 -ip 5088
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4968 -ip 4968
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3008 -ip 3008
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3492 -ip 3492
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4408 -ip 4408
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2808 -ip 2808
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5072 -ip 5072
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4508 -ip 4508
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 920 -ip 920
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2392 -ip 2392
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3500 -ip 3500
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4320 -ip 4320
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 872 -ip 872
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4960 -ip 4960
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3052 -ip 3052
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1268 -ip 1268
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4428 -ip 4428
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1656 -ip 1656
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4796 -ip 4796
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3340 -ip 3340
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4628 -ip 4628
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3976 -ip 3976
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 940 -ip 940
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1284 -ip 1284
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2348 -ip 2348
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 2164 -ip 2164
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5024 -ip 5024
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2124 -ip 2124
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1152 -ip 1152
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4488 -ip 4488
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1072 -ip 1072
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 408 -ip 408
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5012 -ip 5012
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1728 -ip 1728
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3188 -ip 3188
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1944 -ip 1944
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3040 -ip 3040
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2792 -ip 2792
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2788 -ip 2788
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3528 -ip 3528
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 820 -ip 820
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2352 -ip 2352
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1556 -ip 1556
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1304 -ip 1304
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 2148 -ip 2148
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4248 -ip 4248
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2840 -ip 2840
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2468 -ip 2468
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2256 -ip 2256
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3336 -ip 3336
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1824 -ip 1824
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4576 -ip 4576
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2064 -ip 2064
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1008 -ip 1008
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1032 -ip 1032
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4068 -ip 4068
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4480 -ip 4480
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4976 -ip 4976
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4092 -ip 4092
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1708 -ip 1708
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4252 -ip 4252
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4608 -ip 4608
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2068 -ip 2068
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4904 -ip 4904
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4504 -ip 4504
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2488 -ip 2488
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3564 -ip 3564
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1944 -ip 1944
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1204 -ip 1204
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 4628
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4844 -ip 4844
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1792 -ip 1792
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3976 -ip 3976
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4956 -ip 4956
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1948 -ip 1948
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5116 -ip 5116
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3576 -ip 3576
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1708 -ip 1708
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 100 -ip 100
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1304 -ip 1304
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4564 -ip 4564
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3656 -ip 3656
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1724 -ip 1724
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3784 -ip 3784
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 752 -ip 752
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3136 -ip 3136
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2332 -ip 2332
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4844 -ip 4844
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4628 -ip 4628
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4740 -ip 4740
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 228 -ip 228
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1556 -ip 1556
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1892 -ip 1892
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 392 -ip 392
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2808 -ip 2808
1⤵
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MDU.exe

Filesize
256KB

MD5
9b9c6e40b1b6391ca47c51e947ba36f1

SHA1
1d413db98ee6e7c271f0715cb853bbf895163139

SHA256
ae732cefd8ba549c85cff54b98efa063ae25a96e5196153fcc75980c3e8b65bf

SHA512
7f2429cc120803f04cfc85b005c76afd78811ba6e27ee11f6641505f35e7464c8560e32f81e034360ed007409da0ad31a7a38bf499c82a4f6ceec5dd03931c7a

Download Submit
C:\Windows\SysWOW64\BYTOF.exe

Filesize
256KB

MD5
4b4ed044c9b3092f41dbd66ebee1e05b

SHA1
5fcb22c3babfb37dcc70bb1f5a722641e500436c

SHA256
d2009f0c168e607f67799e5542dabfb19b91e51ae8cd012d60b40c7dc9515033

SHA512
417a06bdaf631020e940d83f5065fbde1e39c482b5a7d637d89fba6f3a8817391100fcc7764a95e36ecce9bceff2548ccc6e5f60d59f1cc761f97ba55c18d974

Download Submit
C:\Windows\SysWOW64\DBY.exe

Filesize
256KB

MD5
d89ae8bdffcc39c389624c49330b40f5

SHA1
7f14051e8ecfd0583c990dbd03a5cf6448c1df41

SHA256
ed2c436ee46328fe7b16d9fa57e1f72f54dac8c6705a4b9879a3363dffe8ce2e

SHA512
ae0038f94b4d8e8c2d0a0146865757a1e92938ae890350317b28e1dcfbd7cb6d98d823a2a234e2545dde9167c1756810c79516dd382373e311ecb1f825210c99

Download Submit
C:\Windows\SysWOW64\POOM.exe

Filesize
256KB

MD5
fba8e7c135faa3ddbe7134f74c1ba08c

SHA1
2575542c8ac97d43e870de066a43af7ece3fbab5

SHA256
2c49e3bdf4baf6932a8535b300130aaf3c5e029fe5faca9c34e9c62eff5e176f

SHA512
f26a8d7d9e6ceb609b5c166cffac803843284e16e35a8f6e2f6d3af03ccd351e1e9fefa8659f08e63d13db553aecff582eda70a31aac2f71420127f56ea4fab8

Download Submit
C:\Windows\SysWOW64\UWZ.exe

Filesize
256KB

MD5
20543f50ce2e993f4e0460925ef59f19

SHA1
8192f966bbe81a9a21f15668163d1655a07ceda1

SHA256
febb2ed171c4aebc0fdc0053fceb9bbd65629a61924ac4bd01ca3b9bee2abb87

SHA512
d5b576362f02816c9c311df004385d5a8ccc5983c37f308b3aa9a8e2957b21928411949b3de24180d4c2531fa6b20aad299ea3c498ddb41f04e9f529a5e4b4f7

Download Submit
C:\Windows\SysWOW64\VDZRQ.exe

Filesize
256KB

MD5
a877ff88dd38801d844dbd6fbb03b016

SHA1
ae261a2d10bb3791e7f420b62ddc58d94ebd6e16

SHA256
d0b904b64131fd93d546481d0bda2f4a8952d637a330a28eea872c644f211c2a

SHA512
8d7eec81d3793765b424b6fad13fd734499ed54d8646e9f2fb558b7cb73702f0d04668b98bf6b09478c437dcf4851a3d72e884a1b382dbd912397ec9998c4d20

Download Submit
C:\Windows\System\QPTSQ.exe

Filesize
256KB

MD5
2b3b14dc84f51ddd61014eec232e7e4b

SHA1
90b1343e80fb973048b596ea28b7c730d641c063

SHA256
81c7fc387c173e2b22e19ebbe2d8cbfe47a444ae4a6a29dd99a2a2db28f9af92

SHA512
7c75b90076e617da8e25f3404e4b952aa8619fa99000a798f9f61f5af7bf55a181dc36b3d15de7b431bc5736b92de4b27477fb3d9a617dff1c1c4449ac0a6321

Download Submit
C:\Windows\System\SKKFWEJ.exe

Filesize
256KB

MD5
e77cf5c8d06278d5ad185ffa49d7be95

SHA1
e89a95a9f604ec18251d4ce6a85265993dc9633a

SHA256
792037c29585ca134226d20020d804c0862d0f0026e1d37d37c85107f8344af8

SHA512
e90e0026c16d9f25065419057064a445d42a78d711389bf66bd0ad2e58f273c363adb554369ca6fc6ecabf90c95d8d7e7d57a42d1488d3045bee3ea4c9d49d4b

Download Submit
C:\windows\CNQYXT.exe.bat

Filesize
58B

MD5
bd4b5546daf59f3e9f2519243d46e379

SHA1
6e1cf4dbbfaa56867f4dba9e0c7547911228236b

SHA256
753fae491e32f1658d72e41882a4b171a21bb2fe3ab271af9d35897bd7fd0fe1

SHA512
0a6ea06e5fce33c9939069d862f58be1b31434b81ba696691e514813fac671b971feb82b7486acf2d1ec457beb0d51f899b7d80ca4a74882139b7f75b5d77298

Download Submit
C:\windows\DUTA.exe

Filesize
256KB

MD5
23aa0bb3830e00f46372755be13c13a5

SHA1
6239dcce33383f3e1562ee64be4c014338b489d9

SHA256
538690af36342119e2876a2071fe1a708e35e79173bcdb2e8c82217d37cf1862

SHA512
0adae80f9c5eb1f3fd61c57f6da1e92886b0f2715bad0ae8e1ed5536af5e0d162020db2def128b980a9215654994d47d69d4a2780be7d5c84f3c5395f00bd8e3

Download Submit
C:\windows\DUTA.exe.bat

Filesize
54B

MD5
8aa6687e65bb995048d45f51d4df76de

SHA1
d743db9bc4136144189dc3dbb57ea5c9be3424ce

SHA256
35407e5d988570b683f68c42b00b0b32972dd31cdf37e3b08453e8e87a2d1816

SHA512
14339c68aa765463d7745ad27b3a8cf23dbb0c8b85f96afa7a152c89642d71603dcc497e4eaaffcc2de3968a4cd6dbf8a46b4c2dad5ac5992a2905ba772326e6

Download Submit
C:\windows\MDU.exe.bat

Filesize
52B

MD5
04e5a28ed0638f1fdc0138befa582f81

SHA1
eee2302b542d004ccaf9b3bea4d99ca1d3be1fd8

SHA256
928f5f8eb028e12878a790009dd2b2e80ddb4aaec3cdb842f5dd094aae28d6b6

SHA512
017b7a0eaf47693833d2bdb47fc18a89545a67d72c2f698129b3725b5a59cb3c2b4319f3b041e3800279b06dd07a45a8c133105b86616b7691f027b1e5dfc673

Download Submit
C:\windows\SysWOW64\AJIALH.exe

Filesize
256KB

MD5
67bd2a79ba0e9963eb95e1fff0adad2e

SHA1
50258b371a92f4b5adadc22cd8826af91142b54c

SHA256
a2318ff48adddf71bd04b4f6264e8c81ad063bcfc0c08bbf5bbada712d294aaa

SHA512
82acf846e5359d72c7c86ebbebee9c3b73d60649dadd5de5ac339ac3a234ad4b5d7d7a62b345334aa3c11cb446df4aedff2bbdd736fd8a3b93e4d49ef08a44f0

Download Submit
C:\windows\SysWOW64\AJIALH.exe.bat

Filesize
76B

MD5
a5eddf17c934bac86c14cf230ae9bcd2

SHA1
0f138342b4c690296004fcfcd0fe4e71338f2c04

SHA256
33021edd4d7c0c24f28c933e89a26a8d0ce8588fdc19768cff5cd134898f1790

SHA512
9a15873239f9b9ff09f7000ede7673d3f2eb1807a3c44549da0c87f9a38a1b316aaaa6e9e377080520c0f843f0c5b9442dd25377744ecb1badfc67ac770c2cb6

Download Submit
C:\windows\SysWOW64\BYTOF.exe.bat

Filesize
74B

MD5
fabc53804881a94847d6cf06ab12e18b

SHA1
3f314b25baef2c3c57f8ee54b98e6f631ebbe688

SHA256
0bd9d613b0b006a7e1a7904b1ecf3c6eafb0405d67fbac1bd2994558ba5011e6

SHA512
1d4b7eca30a5a4e87a48bf872ef56562cb0911196da9d24f462aaf9bc3bef36f4ad15f7b3c7f010e79df0d53945ecfe7a518e1faf6dc3b6ba821e73d1bccf811

Download Submit
C:\windows\SysWOW64\DBY.exe.bat

Filesize
70B

MD5
60e50279e74f230fa6dd41e3dacfa069

SHA1
dd7a46490a5118b94150cf8bf0da3512a6b6ca85

SHA256
8acab04cf4964b84d993bbade2847af98745f7fa24ca498908eac52360294cd4

SHA512
92eff81bceb01c30b6f0f188f97aff58bca28d5b84793d3339e0c252307685648ac57bdb665ae72d6a6cbd850da82b8760ac7c9a685abb33301234989b7f7e08

Download Submit
C:\windows\SysWOW64\IDBTKJ.exe

Filesize
256KB

MD5
6d458db074290e74339ffd562d44e9f3

SHA1
aef880ab002f00570074aa66d841b28912f153d8

SHA256
c44a1fbe8c482b8b424520824eedf727bb06d8a1c49028934c01711d38f7829b

SHA512
49d17cd70589850825d1a5d47ca0a03a40e660a2ec033a7f2a50a2de3a03c290c418cc40d50a609c5f3d56b18792b8416037cbbf0f3a837d021f5a82e4230359

Download Submit
C:\windows\SysWOW64\IDBTKJ.exe.bat

Filesize
76B

MD5
88d78ab4dfb9827380575f4f258a98cf

SHA1
ee9b2cf21d815a74c3b12a094f452ccd41e1b98d

SHA256
a1701cfd4ba10f75d0f6b55693b2cbd084b5b321a7a0d20a33ee100f6adf82d3

SHA512
ca16662b31f4ba30f349ad340aca71e6f9d6c02ce8638482a55dd6c8b7ea646a4c156a4386a1bfd928faf53b09f74ef32615fe094ca5f80c4e049fb5ea933413

Download Submit
C:\windows\SysWOW64\ISLT.exe

Filesize
256KB

MD5
fbba68ba0171a7e0af711414db8f97ee

SHA1
68c0885571f6c2ff4c2b034685b3929c34837a78

SHA256
ee543a67954a85fdcad862af51aaf8083c8ee11be69623a394f7df3062376e06

SHA512
bb7ce98f3644dda575622842cbc0202e5dcf1edf8c38e6a7c7e39a395173eaf9f0c656414fde9ec38e8126ce6fbba428c3da98bd4c45371532a9e9a663f422d8

Download Submit
C:\windows\SysWOW64\ISLT.exe.bat

Filesize
72B

MD5
8def13c4959fcbaf79faaa940d9f5374

SHA1
e770f2f848796168cd7600b739adb9ba0ed0e439

SHA256
563ffeec3c195359da970569463e4ddd1190910d993a9c7880752f03abe81150

SHA512
601ed4d7da2daf7632532e48ef397010f1e21a1dcfd6c440598ed43ef44b89f788d6920b973f1e08704f0b85641cae91459dc0c293c100bd428b23fb39c0fa8c

Download Submit
C:\windows\SysWOW64\KGVURW.exe

Filesize
256KB

MD5
a5110fa1f9b31598ac376ce4fb281df6

SHA1
62bf5692a171541a063904c0576cad4663121f68

SHA256
a23e1f718c74560f1ec46881a8dbce8f28705876a2cf4c7b917bd565ab855a43

SHA512
0b6253ea078eb6156fd0e89da3b73d656001ee8dc79064322e3cd9ca982fe3c032b0005b68edab84d6ad128c6feb26dd551d1e7e7125d59867cc0699dade2db1

Download Submit
C:\windows\SysWOW64\KGVURW.exe.bat

Filesize
76B

MD5
16f177b478e947164a904df515fee845

SHA1
fccb0cc74aff2655dd88a646894f3a2c6dc78362

SHA256
2dbe59931a0ccbfe193b5edbed82419b80c7a5ff838897ba61f643ad545e2cfd

SHA512
752b8807d4499842bffa792792859ad51cfc29e5994eaf31940803fd4c8ca5986aa9282d6cdf1eb24aa7620343b311e69058e170813cd3e9fdb51d8cbfcc1ff5

Download Submit
C:\windows\SysWOW64\NDV.exe

Filesize
256KB

MD5
66d5080016912e13deb0ff497639fa5f

SHA1
685f9a886309430d660332f51a9d81b6e757b0f2

SHA256
548421b4eed4ca0489a5899b3b7b83ec9e5c0f32146a0d11601ad8db734819aa

SHA512
f60ce82092a376441e7113c80ab30a7947843dd0adada913171e88da5f7956668a4a7c56e4f99aa246d02cdb9753312e24d12055e771d8691561e0eaef95d457

Download Submit
C:\windows\SysWOW64\NDV.exe.bat

Filesize
70B

MD5
83cf796bfcd510e165912221bd55cb4a

SHA1
9965b2e71941ab8a9b4c4e2354beddb28d6156f9

SHA256
bb9e28e7de0514f3438ba0756f6614c7936e048e490f175ff9ddb01ff4a03d3c

SHA512
971f438a0ba496ec2b3cae796bc8a517bbeeb8059b042346993a3e8deab52f8e475b00f6fcb6c89ac9bb472094fe20040f2dcaf15cd38cb14a7f5205e099df12

Download Submit
C:\windows\SysWOW64\OBVY.exe

Filesize
256KB

MD5
3ada5b6820a138220b1be1b1735ee8b0

SHA1
ef244b0d576627140a6a31b99e3018f5c9ed9268

SHA256
0799b5418663076d214b2018e9c81b02424c83fec7a8f543655edef1ff869fd4

SHA512
d01699504e38e80774b6a9be4365bf2a9eec4a4dd034766c239e1c080307d2eaa6ed2414d735ad8e1131ab049e0e2f74caa465231eb72d859cda6172834d5f16

Download Submit
C:\windows\SysWOW64\OBVY.exe.bat

Filesize
72B

MD5
5abe5dc556cbc1f93f7fcc6b3ef17476

SHA1
6db7f5eda312f16751077eb185310563ad3fcd7c

SHA256
ebfae95d7c2784528c9c095b4b60e6990186de6de7b1288e05d3dcddbaa96d56

SHA512
567e8f24d3d3ccb92f7b03c16077a9353463d5d003f519572111f501e18b9de00f22cd1bdffa00ae6794079b6fe2a6f927f1e3f71de3d6452362a4a4209138ff

Download Submit
C:\windows\SysWOW64\POOM.exe.bat

Filesize
72B

MD5
63e8c2a1b09d3f4effea15fb030fc7c1

SHA1
93568866e06275c0536397ddeb45b9b72bb77a01

SHA256
fa2f7efaae2cd3e72e4d2daea48c3ca263bea6c9ae63f48e150698e57fb22545

SHA512
a3ace9ce326444d847ef03f9ec4194ea581776585fe387dff0e90c5269011a0bea895de5233c4d68697482874e5bd540d05e28ddf65a561b9ebe4876c12a4d11

Download Submit
C:\windows\SysWOW64\UWZ.exe.bat

Filesize
70B

MD5
74bc8e3e9ba76697dfe1b6be9eb9ec2a

SHA1
16eb0af50bdd965f35853bd7f4405a152820a5c2

SHA256
ad622d47d12908594d45f63a685e96e679f96a545c0d56ca459c44e50aa9481c

SHA512
df08eca970409542cab48f54e9881982f08a8792124503f0ee16952c59130aa05842d5b8b089bd07bbb74901561507026fad740b83b651353705bacebdecc002

Download Submit
C:\windows\SysWOW64\VDZRQ.exe.bat

Filesize
74B

MD5
9e72f8199b9bf45662cf16d5f1955d64

SHA1
4ce5dfaf8aa9cc992d76c715c3872cdd513df553

SHA256
3e9ce561af39e4eceec5d39b784d0b7133a23c7639c462cc31a2cc0039eb97b8

SHA512
292a134a5d11eaa4b649153d05d3a1d960bf8b32e374463ab182bab34492f5c9e02b6522f2a2b507f1349156d8147c9628cd3e5fde6567db505b1d57cc0cf106

Download Submit
C:\windows\VNRRYM.exe.bat

Filesize
58B

MD5
fa5e48701db1c16b6e9bee97f58ff15e

SHA1
c2173b2fce4c162a1a53331f2b711ad5fc0d6446

SHA256
4e24e0d8624d14a8971ef4ea12a3821fc34431e5b74a4f07e56ecf9e834f54f9

SHA512
e23ef3f91f21565fcb49a56b0de2b76b4b93d3eb258484082a7f26ea974b8702b97e37425dadc5762cc966593a2606c3aba9ed9bdf92b777aaff05fe9759a486

Download Submit
C:\windows\YMP.exe

Filesize
256KB

MD5
6d857203240ffad90dde0fa0ee33894f

SHA1
b50124216de8f091667d2b5fbe44581ecb8bca7f

SHA256
cde84fce1d7069bf94a1b8c6aa8774d3802367c489a524739a063425b7f6d457

SHA512
d7c555a589d0406e872aa3f8ce2c5e34e3d6fdd5a0b9b7d7e5d339d568dfb0d1b0eca3e3697a624306b780314c84367a98f4184523b15cf5d60ba31f6d6c7559

Download Submit
C:\windows\YMP.exe.bat

Filesize
52B

MD5
47631f449c01fc796a8af8469bbf07a1

SHA1
3ea659772f95d9bfb349a9814f37d9de961c5388

SHA256
e2af43fdff5b4afbfec9bddef80ff8a36149688b6f3d9b484a486053e86ac3f5

SHA512
3cbbde0c22d82491599d46ffb777aad097dfe72faefcf49c43a193c245c9e23888ffb113983d697ab6477654103b7107afd8e8b20a8049beaadab8ea918d6ba0

Download Submit
C:\windows\system\KIADZ.exe.bat

Filesize
70B

MD5
26e1c32de4b811c69e23d5b9579ba7c1

SHA1
a733826794d68de3ddea99bf44f9af397ff86a72

SHA256
89957cd6ef67bab66609bdb56ff3be76843abb4abfe79f89e84e8976684dc883

SHA512
030e09fe45ac765b33c33be2716f0213533488f2f02cc08a1247ddf05a67798e301ce92f77f7c59e4b1bd220ebe68898e2d2e0629daff69f31db0cb2834a9748

Download Submit
C:\windows\system\PKU.exe.bat

Filesize
66B

MD5
047a5925a0f442924b3c8ea8b1a2a594

SHA1
2d03bffb5f11e57f9f7cdf47132b7188ce985aa0

SHA256
b155dc9d7780b467b1caf3300d789b4b544b58ee7ec0622d6c0caaa350e65b0e

SHA512
297dda1ba4b8805643b68f4076812fd1692b30d681aa102dacb873a22b6f11944263bfcc9ad14f58642addf683d010ac4cf131080d9f2791500db975d6b7c9ff

Download Submit
C:\windows\system\QPTSQ.exe.bat

Filesize
70B

MD5
33cbb1022f9f80bb15f76ac8f89e5a23

SHA1
68078bea5dbe427eadf5ce463ea5dbf2657359a2

SHA256
ef87e00af8bc32967e9a4464ccb227e654d737165daf876340e862a353eb47f9

SHA512
4a021bdc60d42f1c186db1a57457fae84512ea0ffab7476ee3f7e42ac9a6b9b013c9c6e148aedbd7ce2312da118911739c57e94293f4ee0a3c5dbe5f6e3956dd

Download Submit
C:\windows\system\SKKFWEJ.exe.bat

Filesize
74B

MD5
f268760ec2ac18b00e89c097fb259c75

SHA1
75d455760f88b5686ad37bf74e838af1fd0c63be

SHA256
7497f87c821e342739119ebf47568df6dfef25235a699833aa63adaebe35bc1a

SHA512
6bbb8447b94e4364ce12ac6d8a31fbf5b7c7bcccab571d357fda72d16b9351fe64c5808735c610f198e0eeb1c159da1005c60a8f42e74f605c98f4184f0efa65

Download Submit
C:\windows\system\WKQQC.exe

Filesize
256KB

MD5
56b1c355138f7ca229e14c592f47ac70

SHA1
3ed7b4798fc6f2a80ffeeac8ea262a403f89d95e

SHA256
318b8541e9267f239cda31306cb6707ad782b5cc82dda7584df17d1191ba3e35

SHA512
b180430a3df72564d812a2c2ef50bfb2da9f201dd8ff6f6c5a2ee2e5915bb47c98612c6bb0d8344b81348732cf44a9e9f8ca1540dc734821ea7ab137ff6a1f23

Download Submit
C:\windows\system\WKQQC.exe.bat

Filesize
70B

MD5
ea174f079c325da060bdd3d970a398e0

SHA1
7d82e76f71e955cf2853d96af1fc169720f31f62

SHA256
285ae4788810d89636f13fb63cabb7c17b3aa91f22ab5b16fdc2ddb37c5bbca2

SHA512
1ee5be65465a2a97bbecf8cd4829e76df39c0a1fba7e95e1dfdf22cb70e73cf3201163c53a129648d2a7ea5f072299764d420d09542234a115642f6999f2ff48

Download Submit
C:\windows\system\ZSZXL.exe

Filesize
256KB

MD5
ee4eb77c488bf4921d9784d6c6802a0a

SHA1
2ca4efb2facfbbe1836aeccb1996d14d77aa1372

SHA256
b2b6390c817455ab60c7b1836cef47beb6872db4def615116c58ca813b475990

SHA512
12af1da0555218469acf7987fbad062fa23453c958a5f517768d1ea1d6d89bc9227be87f196f1251438e44d9c6e62233ddea30a53aebb28a791dfe0a3785ef01

Download Submit
C:\windows\system\ZSZXL.exe.bat

Filesize
70B

MD5
d7f83cbb576cbdb79a3f0416c5864d70

SHA1
f4e2d316e1d353716cb5f59ac6c11675f26d09c1

SHA256
d7c9a375d897b911d966d0ddb310492121a7d0755de6ef12245ad6de16a2d903

SHA512
f914c2049d4ce285bbbb8e2fecbe14e4e300358a5e587bf27538d1204bef64824e014bfddafad081d33e61d907c16ed7ef57336225e476fed4ccc9f0d37a8185

Download Submit
memory/384-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/384-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/528-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/528-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/748-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/748-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1196-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1196-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1264-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1264-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1268-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1668-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1668-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1860-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1860-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2188-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2188-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-78-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3172-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3172-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3192-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3192-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3456-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3524-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3524-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3640-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3640-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3648-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3648-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3852-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3852-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3924-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3924-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3936-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3936-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4168-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4168-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4180-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4180-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4212-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4800-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4800-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4924-34-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4924-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download