7a34a8374f396206511c8cb00d80a5817293afa93bfb464d50515a6597eff93c

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
Size

208KB
MD5

e4a117a0311714ea836ce7564256d9b8
SHA1

2f7b2b88ffd5b5efa9d145bcf5b0134678c9483a
SHA256

7a34a8374f396206511c8cb00d80a5817293afa93bfb464d50515a6597eff93c
SHA512

5557709ed7382b2e34f842a823b4424fa2bf504e2b0f235988aa04454ecff338ef9a484085c35eced308575f875d0bca8a969f969374a32339ff9047b124c274
SSDEEP

3072:gaJUoAbFDs6HdqpQj8u7DcYuHwTs9CLkeaqM7OBvi4NLthEjQT6:7ajFIyqpm8ukYTs9skLqMSBviQEj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MLV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	HBABS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	JGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	LHJE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	NQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	UKYPV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	BOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ZJW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	IYNQD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	VMKF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MOAKCEQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	CFIYXDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	VMJGPH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ZFRYAJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	SFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	AZQK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MBNHVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	RIGORN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	RZX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	LMSPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	EEAKF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	UFAEVWT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	LZRW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	EPWT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	NEIIR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MMHTUGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	WKIFQPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	VFITAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	WVUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	MQE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	IOO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	XQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	THVICMU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	VHSGMPF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	KTH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	GSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	WZOEV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	KBKCAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	CHHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	HFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	TVGKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ZVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	STYRU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ASYSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	QRMAX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	FECYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	CWOXF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	IOQHF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	HFMAGH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	SUBF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	HMGWMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	KYLVQZN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	CXBQZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	PINCIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	IXKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	GAXXQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	YTEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	GYXUIO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ESV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	VLQXHJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	YDBCZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	EYOB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	OLK.exe

Executes dropped EXE 64 IoCs

pid	Process
3096	IDRUQXG.exe
4572	FIXR.exe
2148	ORZWA.exe
4184	BTVVGE.exe
4460	UWZ.exe
4356	CHHS.exe
1840	WCMJJ.exe
4328	HVPURFZ.exe
3192	ESV.exe
1856	GQOT.exe
1788	IOUGMU.exe
1572	XJDS.exe
1020	LPL.exe
5008	AKUISF.exe
548	RKWNVLN.exe
4184	ASYSH.exe
3620	ZIKV.exe
3108	QRMAX.exe
3096	ORTOGNA.exe
4328	ZJW.exe
1876	CXBQZ.exe
552	JNCQGQT.exe
2332	GSA.exe
2976	MTIBWU.exe
4672	IYNQD.exe
2376	URQILL.exe
1048	IOO.exe
2888	ZXQL.exe
3652	NZHJSDF.exe
1060	TVGKP.exe
4684	MNNVG.exe
2472	FQRZLWE.exe
5008	ZEWI.exe
4752	YWH.exe
1816	PCRQ.exe
2592	RZX.exe
2668	VCVYBA.exe
1248	UAGBO.exe
1108	WYHVV.exe
4024	AGO.exe
4064	LZRW.exe
3316	WRMGP.exe
4504	ZFRYAJU.exe
5088	BCEK.exe
3236	QFOWAMD.exe
2308	BYR.exe
4384	YVPEQ.exe
1416	QZG.exe
440	WZOEV.exe
948	EEAKF.exe
2196	CFIYXDB.exe
4148	MCOKE.exe
3540	VLQXHJ.exe
4828	LBRP.exe
1968	JRK.exe
1908	PMJSGM.exe
3992	VMJGPH.exe
1808	FMLL.exe
2568	UQCYLZC.exe
3104	JGD.exe
1036	ETIYC.exe
3220	TOR.exe
1004	VMKF.exe
1984	RJQCB.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\XQJ.exe	DDEDID.exe
File created	C:\windows\SysWOW64\ZUZMU.exe	OBWT.exe
File created	C:\windows\SysWOW64\MQE.exe.bat	NSS.exe
File created	C:\windows\SysWOW64\RKWNVLN.exe.bat	AKUISF.exe
File opened for modification	C:\windows\SysWOW64\VCVYBA.exe	RZX.exe
File created	C:\windows\SysWOW64\VMKF.exe	TOR.exe
File created	C:\windows\SysWOW64\HFMAGH.exe	NSIJ.exe
File created	C:\windows\SysWOW64\ZIKV.exe	ASYSH.exe
File created	C:\windows\SysWOW64\BCEK.exe	ZFRYAJU.exe
File created	C:\windows\SysWOW64\DTTLGUZ.exe.bat	BVA.exe
File opened for modification	C:\windows\SysWOW64\CQUGI.exe	NVLBXVH.exe
File opened for modification	C:\windows\SysWOW64\AZQK.exe	RZO.exe
File created	C:\windows\SysWOW64\UFAEVWT.exe.bat	WFTIM.exe
File created	C:\windows\SysWOW64\NWEETU.exe.bat	CDJMK.exe
File created	C:\windows\SysWOW64\RKWNVLN.exe	AKUISF.exe
File opened for modification	C:\windows\SysWOW64\GYZR.exe	CQTRYGC.exe
File created	C:\windows\SysWOW64\HWSFAKM.exe	NIVWQ.exe
File created	C:\windows\SysWOW64\UWZ.exe.bat	BTVVGE.exe
File created	C:\windows\SysWOW64\XJDS.exe.bat	IOUGMU.exe
File created	C:\windows\SysWOW64\MMHTUGD.exe	RRCKKG.exe
File created	C:\windows\SysWOW64\LRO.exe.bat	MUVQR.exe
File created	C:\windows\SysWOW64\FNO.exe	HMGWMR.exe
File opened for modification	C:\windows\SysWOW64\AAZQRNG.exe	HFN.exe
File created	C:\windows\SysWOW64\RJQCB.exe	VMKF.exe
File created	C:\windows\SysWOW64\LHJE.exe.bat	RJQCB.exe
File created	C:\windows\SysWOW64\AZQK.exe	RZO.exe
File opened for modification	C:\windows\SysWOW64\HVPURFZ.exe	WCMJJ.exe
File created	C:\windows\SysWOW64\XQJ.exe	DDEDID.exe
File opened for modification	C:\windows\SysWOW64\ZUZMU.exe	OBWT.exe
File created	C:\windows\SysWOW64\KYWPYFU.exe	EYOB.exe
File created	C:\windows\SysWOW64\HBABS.exe.bat	JLGYFN.exe
File created	C:\windows\SysWOW64\UURO.exe	FZIKOT.exe
File created	C:\windows\SysWOW64\AAZQRNG.exe	HFN.exe
File created	C:\windows\SysWOW64\BCEK.exe.bat	ZFRYAJU.exe
File created	C:\windows\SysWOW64\NWEETU.exe	CDJMK.exe
File created	C:\windows\SysWOW64\KBKCAE.exe.bat	NWEETU.exe
File created	C:\windows\SysWOW64\MDX.exe	GABH.exe
File opened for modification	C:\windows\SysWOW64\ZVP.exe	VFITAQ.exe
File opened for modification	C:\windows\SysWOW64\IYNQD.exe	MTIBWU.exe
File opened for modification	C:\windows\SysWOW64\AGO.exe	WYHVV.exe
File opened for modification	C:\windows\SysWOW64\NWEETU.exe	CDJMK.exe
File created	C:\windows\SysWOW64\DTTLGUZ.exe	BVA.exe
File created	C:\windows\SysWOW64\LMSPK.exe	LRO.exe
File opened for modification	C:\windows\SysWOW64\MDX.exe	GABH.exe
File created	C:\windows\SysWOW64\MQE.exe	NSS.exe
File created	C:\windows\SysWOW64\HVPURFZ.exe.bat	WCMJJ.exe
File opened for modification	C:\windows\SysWOW64\WZOEV.exe	QZG.exe
File created	C:\windows\SysWOW64\OBWT.exe.bat	YDQQI.exe
File created	C:\windows\SysWOW64\NSS.exe	NXHTGN.exe
File created	C:\windows\SysWOW64\GQOT.exe	ESV.exe
File created	C:\windows\SysWOW64\GQOT.exe.bat	ESV.exe
File opened for modification	C:\windows\SysWOW64\DTTLGUZ.exe	BVA.exe
File created	C:\windows\SysWOW64\BFF.exe.bat	JEDVVYR.exe
File created	C:\windows\SysWOW64\VHSGMPF.exe	IXKP.exe
File created	C:\windows\SysWOW64\SUBF.exe	UKYPV.exe
File created	C:\windows\SysWOW64\BVA.exe	OLK.exe
File opened for modification	C:\windows\SysWOW64\BVA.exe	OLK.exe
File created	C:\windows\SysWOW64\KYWPYFU.exe.bat	EYOB.exe
File created	C:\windows\SysWOW64\ZHDW.exe.bat	THVICMU.exe
File opened for modification	C:\windows\SysWOW64\IXKP.exe	YHEVQ.exe
File opened for modification	C:\windows\SysWOW64\VHSGMPF.exe	IXKP.exe
File created	C:\windows\SysWOW64\NOL.exe	ADD.exe
File created	C:\windows\SysWOW64\HVPURFZ.exe	WCMJJ.exe
File created	C:\windows\SysWOW64\MMHTUGD.exe.bat	RRCKKG.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\CJAMHW.exe.bat	AMURZNL.exe
File opened for modification	C:\windows\WCMJJ.exe	CHHS.exe
File opened for modification	C:\windows\system\UAGBO.exe	VCVYBA.exe
File opened for modification	C:\windows\VLQXHJ.exe	MCOKE.exe
File created	C:\windows\system\WVUI.exe	NQJ.exe
File opened for modification	C:\windows\system\JLRS.exe	CQUGI.exe
File opened for modification	C:\windows\system\THVICMU.exe	NMWAFJ.exe
File created	C:\windows\system\EXSX.exe	JKNFMBP.exe
File opened for modification	C:\windows\YTWGG.exe	EXSX.exe
File created	C:\windows\system\CXBQZ.exe.bat	ZJW.exe
File opened for modification	C:\windows\system\CJAMHW.exe	AMURZNL.exe
File created	C:\windows\system\KEWEZSX.exe.bat	KYWPYFU.exe
File opened for modification	C:\windows\system\VFITAQ.exe	ZHDW.exe
File opened for modification	C:\windows\WJFSGWY.exe	STYRU.exe
File opened for modification	C:\windows\HDQGKW.exe	YUOTH.exe
File created	C:\windows\system\CDJMK.exe.bat	XSFN.exe
File opened for modification	C:\windows\system\ZOPHALU.exe	XQJ.exe
File created	C:\windows\MUVQR.exe.bat	DTTLGUZ.exe
File created	C:\windows\system\ADD.exe.bat	AAZQRNG.exe
File created	C:\windows\system\URQILL.exe	IYNQD.exe
File created	C:\windows\system\OLK.exe.bat	WKIFQPT.exe
File created	C:\windows\system\JLGYFN.exe	OYCPV.exe
File created	C:\windows\system\MTIBWU.exe.bat	GSA.exe
File created	C:\windows\KTH.exe.bat	YDBCZK.exe
File created	C:\windows\AETETL.exe.bat	ZAHI.exe
File created	C:\windows\FQRZLWE.exe.bat	MNNVG.exe
File created	C:\windows\system\LBRP.exe.bat	VLQXHJ.exe
File created	C:\windows\system\NSIJ.exe.bat	SFD.exe
File created	C:\windows\FMEAXH.exe	KYIR.exe
File created	C:\windows\system\JLRS.exe	CQUGI.exe
File opened for modification	C:\windows\VRGF.exe	MQE.exe
File created	C:\windows\system\ADD.exe	AAZQRNG.exe
File opened for modification	C:\windows\AHBFXFG.exe	EXKP.exe
File opened for modification	C:\windows\system\UVFX.exe	AHBFXFG.exe
File created	C:\windows\system\BTVVGE.exe	ORZWA.exe
File created	C:\windows\ORTOGNA.exe	QRMAX.exe
File opened for modification	C:\windows\IOO.exe	URQILL.exe
File created	C:\windows\BYR.exe.bat	QFOWAMD.exe
File created	C:\windows\system\PRZUC.exe.bat	WWV.exe
File created	C:\windows\system\CHHS.exe.bat	UWZ.exe
File created	C:\windows\IOUGMU.exe.bat	GQOT.exe
File created	C:\windows\QZG.exe	YVPEQ.exe
File created	C:\windows\MUVQR.exe	DTTLGUZ.exe
File created	C:\windows\ZAHI.exe	ZVP.exe
File opened for modification	C:\windows\system\LPL.exe	XJDS.exe
File opened for modification	C:\windows\ORTOGNA.exe	QRMAX.exe
File created	C:\windows\KTH.exe	YDBCZK.exe
File opened for modification	C:\windows\FMEAXH.exe	KYIR.exe
File opened for modification	C:\windows\system\KEWEZSX.exe	KYWPYFU.exe
File opened for modification	C:\windows\TVGKP.exe	NZHJSDF.exe
File created	C:\windows\YUOTH.exe	MMHTUGD.exe
File opened for modification	C:\windows\system\SFD.exe	LHJE.exe
File created	C:\windows\system\WKIFQPT.exe.bat	SUBF.exe
File opened for modification	C:\windows\MUVQR.exe	DTTLGUZ.exe
File opened for modification	C:\windows\system\NXHTGN.exe	UUDX.exe
File created	C:\windows\system\JGD.exe	UQCYLZC.exe
File created	C:\windows\system\EYOB.exe.bat	PINCIP.exe
File created	C:\windows\GAXXQT.exe.bat	AZQK.exe
File created	C:\windows\system\UVFX.exe.bat	AHBFXFG.exe
File opened for modification	C:\windows\MBNHVG.exe	GBFU.exe
File created	C:\windows\CWOXF.exe	KBKCAE.exe
File created	C:\windows\system\FECYU.exe.bat	BOV.exe
File opened for modification	C:\windows\FZIKOT.exe	VRGF.exe
File created	C:\windows\system\GABH.exe.bat	PRZUC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2992	4892	WerFault.exe	83
2448	3096	WerFault.exe	91
4736	4572	WerFault.exe	97
2192	2148	WerFault.exe	102
3612	4184	WerFault.exe	107
4552	4460	WerFault.exe	112
392	4356	WerFault.exe	118
3844	1840	WerFault.exe	125
3992	4328	WerFault.exe	131
3628	3192	WerFault.exe	136
3540	1856	WerFault.exe	141
3984	1788	WerFault.exe	147
3140	1572	WerFault.exe	152
1196	1020	WerFault.exe	157
4376	5008	WerFault.exe	162
3172	548	WerFault.exe	169
4072	4184	WerFault.exe	174
2988	3620	WerFault.exe	179
4584	3108	WerFault.exe	184
812	3096	WerFault.exe	189
1048	4328	WerFault.exe	194
3800	1876	WerFault.exe	199
2352	552	WerFault.exe	204
1620	2332	WerFault.exe	209
4584	2976	WerFault.exe	214
3424	4672	WerFault.exe	219
4868	2376	WerFault.exe	224
3552	1048	WerFault.exe	229
1104	2888	WerFault.exe	234
2872	3652	WerFault.exe	239
3844	1060	WerFault.exe	244
1920	4684	WerFault.exe	249
3444	2472	WerFault.exe	254
676	5008	WerFault.exe	259
4896	4752	WerFault.exe	264
868	1816	WerFault.exe	269
2520	2592	WerFault.exe	274
3404	2668	WerFault.exe	279
3240	1248	WerFault.exe	284
1856	1108	WerFault.exe	289
3540	4024	WerFault.exe	295
1572	4064	WerFault.exe	300
4356	3316	WerFault.exe	305
2312	4504	WerFault.exe	310
4244	5088	WerFault.exe	315
3736	3236	WerFault.exe	320
4024	2308	WerFault.exe	326
4816	4384	WerFault.exe	331
1772	1416	WerFault.exe	336
3124	440	WerFault.exe	341
2576	948	WerFault.exe	345
4212	2196	WerFault.exe	351
3656	4148	WerFault.exe	356
4592	3540	WerFault.exe	361
1304	4828	WerFault.exe	366
4868	1968	WerFault.exe	371
3312	1908	WerFault.exe	376
948	3992	WerFault.exe	381
1080	1808	WerFault.exe	386
2472	2568	WerFault.exe	391
2464	3104	WerFault.exe	396
3652	1036	WerFault.exe	401
2316	3220	WerFault.exe	406
2916	1004	WerFault.exe	411

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
3096	IDRUQXG.exe
3096	IDRUQXG.exe
4572	FIXR.exe
4572	FIXR.exe
2148	ORZWA.exe
2148	ORZWA.exe
4184	BTVVGE.exe
4184	BTVVGE.exe
4460	UWZ.exe
4460	UWZ.exe
4356	CHHS.exe
4356	CHHS.exe
1840	WCMJJ.exe
1840	WCMJJ.exe
4328	HVPURFZ.exe
4328	HVPURFZ.exe
3192	ESV.exe
3192	ESV.exe
1856	GQOT.exe
1856	GQOT.exe
1788	IOUGMU.exe
1788	IOUGMU.exe
1572	XJDS.exe
1572	XJDS.exe
1020	LPL.exe
1020	LPL.exe
5008	AKUISF.exe
5008	AKUISF.exe
548	RKWNVLN.exe
548	RKWNVLN.exe
4184	ASYSH.exe
4184	ASYSH.exe
3620	ZIKV.exe
3620	ZIKV.exe
3108	QRMAX.exe
3108	QRMAX.exe
3096	ORTOGNA.exe
3096	ORTOGNA.exe
4328	ZJW.exe
4328	ZJW.exe
1876	CXBQZ.exe
1876	CXBQZ.exe
552	JNCQGQT.exe
552	JNCQGQT.exe
2332	GSA.exe
2332	GSA.exe
2976	MTIBWU.exe
2976	MTIBWU.exe
4672	IYNQD.exe
4672	IYNQD.exe
2376	URQILL.exe
2376	URQILL.exe
1048	IOO.exe
1048	IOO.exe
2888	ZXQL.exe
2888	ZXQL.exe
3652	NZHJSDF.exe
3652	NZHJSDF.exe
1060	TVGKP.exe
1060	TVGKP.exe
4684	MNNVG.exe
4684	MNNVG.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
3096	IDRUQXG.exe
3096	IDRUQXG.exe
4572	FIXR.exe
4572	FIXR.exe
2148	ORZWA.exe
2148	ORZWA.exe
4184	BTVVGE.exe
4184	BTVVGE.exe
4460	UWZ.exe
4460	UWZ.exe
4356	CHHS.exe
4356	CHHS.exe
1840	WCMJJ.exe
1840	WCMJJ.exe
4328	HVPURFZ.exe
4328	HVPURFZ.exe
3192	ESV.exe
3192	ESV.exe
1856	GQOT.exe
1856	GQOT.exe
1788	IOUGMU.exe
1788	IOUGMU.exe
1572	XJDS.exe
1572	XJDS.exe
1020	LPL.exe
1020	LPL.exe
5008	AKUISF.exe
5008	AKUISF.exe
548	RKWNVLN.exe
548	RKWNVLN.exe
4184	ASYSH.exe
4184	ASYSH.exe
3620	ZIKV.exe
3620	ZIKV.exe
3108	QRMAX.exe
3108	QRMAX.exe
3096	ORTOGNA.exe
3096	ORTOGNA.exe
4328	ZJW.exe
4328	ZJW.exe
1876	CXBQZ.exe
1876	CXBQZ.exe
552	JNCQGQT.exe
552	JNCQGQT.exe
2332	GSA.exe
2332	GSA.exe
2976	MTIBWU.exe
2976	MTIBWU.exe
4672	IYNQD.exe
4672	IYNQD.exe
2376	URQILL.exe
2376	URQILL.exe
1048	IOO.exe
1048	IOO.exe
2888	ZXQL.exe
2888	ZXQL.exe
3652	NZHJSDF.exe
3652	NZHJSDF.exe
1060	TVGKP.exe
1060	TVGKP.exe
4684	MNNVG.exe
4684	MNNVG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 5076	4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe	87
PID 4892 wrote to memory of 5076	4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe	87
PID 4892 wrote to memory of 5076	4892	e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe	87
PID 5076 wrote to memory of 3096	5076	cmd.exe	91
PID 5076 wrote to memory of 3096	5076	cmd.exe	91
PID 5076 wrote to memory of 3096	5076	cmd.exe	91
PID 3096 wrote to memory of 3892	3096	IDRUQXG.exe	93
PID 3096 wrote to memory of 3892	3096	IDRUQXG.exe	93
PID 3096 wrote to memory of 3892	3096	IDRUQXG.exe	93
PID 3892 wrote to memory of 4572	3892	cmd.exe	97
PID 3892 wrote to memory of 4572	3892	cmd.exe	97
PID 3892 wrote to memory of 4572	3892	cmd.exe	97
PID 4572 wrote to memory of 2568	4572	FIXR.exe	98
PID 4572 wrote to memory of 2568	4572	FIXR.exe	98
PID 4572 wrote to memory of 2568	4572	FIXR.exe	98
PID 2568 wrote to memory of 2148	2568	cmd.exe	102
PID 2568 wrote to memory of 2148	2568	cmd.exe	102
PID 2568 wrote to memory of 2148	2568	cmd.exe	102
PID 2148 wrote to memory of 4592	2148	ORZWA.exe	103
PID 2148 wrote to memory of 4592	2148	ORZWA.exe	103
PID 2148 wrote to memory of 4592	2148	ORZWA.exe	103
PID 4592 wrote to memory of 4184	4592	cmd.exe	107
PID 4592 wrote to memory of 4184	4592	cmd.exe	107
PID 4592 wrote to memory of 4184	4592	cmd.exe	107
PID 4184 wrote to memory of 2224	4184	BTVVGE.exe	108
PID 4184 wrote to memory of 2224	4184	BTVVGE.exe	108
PID 4184 wrote to memory of 2224	4184	BTVVGE.exe	108
PID 2224 wrote to memory of 4460	2224	cmd.exe	112
PID 2224 wrote to memory of 4460	2224	cmd.exe	112
PID 2224 wrote to memory of 4460	2224	cmd.exe	112
PID 4460 wrote to memory of 1572	4460	UWZ.exe	115
PID 4460 wrote to memory of 1572	4460	UWZ.exe	115
PID 4460 wrote to memory of 1572	4460	UWZ.exe	115
PID 1572 wrote to memory of 4356	1572	cmd.exe	118
PID 1572 wrote to memory of 4356	1572	cmd.exe	118
PID 1572 wrote to memory of 4356	1572	cmd.exe	118
PID 4356 wrote to memory of 3924	4356	CHHS.exe	121
PID 4356 wrote to memory of 3924	4356	CHHS.exe	121
PID 4356 wrote to memory of 3924	4356	CHHS.exe	121
PID 3924 wrote to memory of 1840	3924	cmd.exe	125
PID 3924 wrote to memory of 1840	3924	cmd.exe	125
PID 3924 wrote to memory of 1840	3924	cmd.exe	125
PID 1840 wrote to memory of 2620	1840	WCMJJ.exe	127
PID 1840 wrote to memory of 2620	1840	WCMJJ.exe	127
PID 1840 wrote to memory of 2620	1840	WCMJJ.exe	127
PID 2620 wrote to memory of 4328	2620	cmd.exe	131
PID 2620 wrote to memory of 4328	2620	cmd.exe	131
PID 2620 wrote to memory of 4328	2620	cmd.exe	131
PID 4328 wrote to memory of 2312	4328	HVPURFZ.exe	132
PID 4328 wrote to memory of 2312	4328	HVPURFZ.exe	132
PID 4328 wrote to memory of 2312	4328	HVPURFZ.exe	132
PID 2312 wrote to memory of 3192	2312	cmd.exe	136
PID 2312 wrote to memory of 3192	2312	cmd.exe	136
PID 2312 wrote to memory of 3192	2312	cmd.exe	136
PID 3192 wrote to memory of 3408	3192	ESV.exe	137
PID 3192 wrote to memory of 3408	3192	ESV.exe	137
PID 3192 wrote to memory of 3408	3192	ESV.exe	137
PID 3408 wrote to memory of 1856	3408	cmd.exe	141
PID 3408 wrote to memory of 1856	3408	cmd.exe	141
PID 3408 wrote to memory of 1856	3408	cmd.exe	141
PID 1856 wrote to memory of 1036	1856	GQOT.exe	143
PID 1856 wrote to memory of 1036	1856	GQOT.exe	143
PID 1856 wrote to memory of 1036	1856	GQOT.exe	143
PID 1036 wrote to memory of 1788	1036	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4a117a0311714ea836ce7564256d9b8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\IDRUQXG.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\windows\IDRUQXG.exe
    C:\windows\IDRUQXG.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\FIXR.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\windows\system\FIXR.exe
        
        C:\windows\system\FIXR.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ORZWA.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\windows\ORZWA.exe
        
        C:\windows\ORZWA.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTVVGE.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\windows\system\BTVVGE.exe
        
        C:\windows\system\BTVVGE.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWZ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\windows\SysWOW64\UWZ.exe
        
        C:\windows\system32\UWZ.exe
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHHS.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\windows\system\CHHS.exe
        
        C:\windows\system\CHHS.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCMJJ.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\windows\WCMJJ.exe
        
        C:\windows\WCMJJ.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVPURFZ.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\windows\SysWOW64\HVPURFZ.exe
        
        C:\windows\system32\HVPURFZ.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ESV.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\windows\ESV.exe
        
        C:\windows\ESV.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQOT.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\windows\SysWOW64\GQOT.exe
        
        C:\windows\system32\GQOT.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IOUGMU.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\windows\IOUGMU.exe
        
        C:\windows\IOUGMU.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJDS.exe.bat" "
        24⤵
        
        PID:4280
        
        C:\windows\SysWOW64\XJDS.exe
        
        C:\windows\system32\XJDS.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPL.exe.bat" "
        26⤵
        
        PID:2332
        
        C:\windows\system\LPL.exe
        
        C:\windows\system\LPL.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKUISF.exe.bat" "
        28⤵
        
        PID:3940
        
        C:\windows\system\AKUISF.exe
        
        C:\windows\system\AKUISF.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKWNVLN.exe.bat" "
        30⤵
        
        PID:948
        
        C:\windows\SysWOW64\RKWNVLN.exe
        
        C:\windows\system32\RKWNVLN.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASYSH.exe.bat" "
        32⤵
        
        PID:1876
        
        C:\windows\system\ASYSH.exe
        
        C:\windows\system\ASYSH.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIKV.exe.bat" "
        34⤵
        
        PID:2528
        
        C:\windows\SysWOW64\ZIKV.exe
        
        C:\windows\system32\ZIKV.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QRMAX.exe.bat" "
        36⤵
        
        PID:4564
        
        C:\windows\system\QRMAX.exe
        
        C:\windows\system\QRMAX.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ORTOGNA.exe.bat" "
        38⤵
        
        PID:4336
        
        C:\windows\ORTOGNA.exe
        
        C:\windows\ORTOGNA.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJW.exe.bat" "
        40⤵
        
        PID:3404
        
        C:\windows\system\ZJW.exe
        
        C:\windows\system\ZJW.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CXBQZ.exe.bat" "
        42⤵
        
        PID:3116
        
        C:\windows\system\CXBQZ.exe
        
        C:\windows\system\CXBQZ.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
        44⤵
        
        PID:4744
        
        C:\windows\JNCQGQT.exe
        
        C:\windows\JNCQGQT.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GSA.exe.bat" "
        46⤵
        
        PID:2856
        
        C:\windows\GSA.exe
        
        C:\windows\GSA.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTIBWU.exe.bat" "
        48⤵
        
        PID:4904
        
        C:\windows\system\MTIBWU.exe
        
        C:\windows\system\MTIBWU.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IYNQD.exe.bat" "
        50⤵
        
        PID:4788
        
        C:\windows\SysWOW64\IYNQD.exe
        
        C:\windows\system32\IYNQD.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\URQILL.exe.bat" "
        52⤵
        
        PID:2472
        
        C:\windows\system\URQILL.exe
        
        C:\windows\system\URQILL.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IOO.exe.bat" "
        54⤵
        
        PID:5008
        
        C:\windows\IOO.exe
        
        C:\windows\IOO.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXQL.exe.bat" "
        56⤵
        
        PID:4484
        
        C:\windows\system\ZXQL.exe
        
        C:\windows\system\ZXQL.exe
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NZHJSDF.exe.bat" "
        58⤵
        
        PID:2368
        
        C:\windows\NZHJSDF.exe
        
        C:\windows\NZHJSDF.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TVGKP.exe.bat" "
        60⤵
        
        PID:3228
        
        C:\windows\TVGKP.exe
        
        C:\windows\TVGKP.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MNNVG.exe.bat" "
        62⤵
        
        PID:5000
        
        C:\windows\MNNVG.exe
        
        C:\windows\MNNVG.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FQRZLWE.exe.bat" "
        64⤵
        
        PID:1964
        
        C:\windows\FQRZLWE.exe
        
        C:\windows\FQRZLWE.exe
        65⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZEWI.exe.bat" "
        66⤵
        
        PID:4968
        
        C:\windows\ZEWI.exe
        
        C:\windows\ZEWI.exe
        67⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YWH.exe.bat" "
        68⤵
        
        PID:972
        
        C:\windows\system\YWH.exe
        
        C:\windows\system\YWH.exe
        69⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PCRQ.exe.bat" "
        70⤵
        
        PID:2524
        
        C:\windows\PCRQ.exe
        
        C:\windows\PCRQ.exe
        71⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZX.exe.bat" "
        72⤵
        
        PID:4828
        
        C:\windows\system\RZX.exe
        
        C:\windows\system\RZX.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VCVYBA.exe.bat" "
        74⤵
        
        PID:4280
        
        C:\windows\SysWOW64\VCVYBA.exe
        
        C:\windows\system32\VCVYBA.exe
        75⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UAGBO.exe.bat" "
        76⤵
        
        PID:960
        
        C:\windows\system\UAGBO.exe
        
        C:\windows\system\UAGBO.exe
        77⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYHVV.exe.bat" "
        78⤵
        
        PID:1136
        
        C:\windows\SysWOW64\WYHVV.exe
        
        C:\windows\system32\WYHVV.exe
        79⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AGO.exe.bat" "
        80⤵
        
        PID:2528
        
        C:\windows\SysWOW64\AGO.exe
        
        C:\windows\system32\AGO.exe
        81⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZRW.exe.bat" "
        82⤵
        
        PID:4184
        
        C:\windows\SysWOW64\LZRW.exe
        
        C:\windows\system32\LZRW.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "
        84⤵
        
        PID:752
        
        C:\windows\WRMGP.exe
        
        C:\windows\WRMGP.exe
        85⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFRYAJU.exe.bat" "
        86⤵
        
        PID:3968
        
        C:\windows\system\ZFRYAJU.exe
        
        C:\windows\system\ZFRYAJU.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCEK.exe.bat" "
        88⤵
        
        PID:4572
        
        C:\windows\SysWOW64\BCEK.exe
        
        C:\windows\system32\BCEK.exe
        89⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QFOWAMD.exe.bat" "
        90⤵
        
        PID:1952
        
        C:\windows\QFOWAMD.exe
        
        C:\windows\QFOWAMD.exe
        91⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BYR.exe.bat" "
        92⤵
        
        PID:4148
        
        C:\windows\BYR.exe
        
        C:\windows\BYR.exe
        93⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVPEQ.exe.bat" "
        94⤵
        
        PID:3608
        
        C:\windows\system\YVPEQ.exe
        
        C:\windows\system\YVPEQ.exe
        95⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QZG.exe.bat" "
        96⤵
        
        PID:3228
        
        C:\windows\QZG.exe
        
        C:\windows\QZG.exe
        97⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WZOEV.exe.bat" "
        98⤵
        
        PID:3604
        
        C:\windows\SysWOW64\WZOEV.exe
        
        C:\windows\system32\WZOEV.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EEAKF.exe.bat" "
        100⤵
        
        PID:4988
        
        C:\windows\EEAKF.exe
        
        C:\windows\EEAKF.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CFIYXDB.exe.bat" "
        102⤵
        
        PID:1984
        
        C:\windows\system\CFIYXDB.exe
        
        C:\windows\system\CFIYXDB.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MCOKE.exe.bat" "
        104⤵
        
        PID:964
        
        C:\windows\system\MCOKE.exe
        
        C:\windows\system\MCOKE.exe
        105⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VLQXHJ.exe.bat" "
        106⤵
        
        PID:4808
        
        C:\windows\VLQXHJ.exe
        
        C:\windows\VLQXHJ.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LBRP.exe.bat" "
        108⤵
        
        PID:2200
        
        C:\windows\system\LBRP.exe
        
        C:\windows\system\LBRP.exe
        109⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JRK.exe.bat" "
        110⤵
        
        PID:2724
        
        C:\windows\JRK.exe
        
        C:\windows\JRK.exe
        111⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PMJSGM.exe.bat" "
        112⤵
        
        PID:3924
        
        C:\windows\system\PMJSGM.exe
        
        C:\windows\system\PMJSGM.exe
        113⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VMJGPH.exe.bat" "
        114⤵
        
        PID:3648
        
        C:\windows\VMJGPH.exe
        
        C:\windows\VMJGPH.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FMLL.exe.bat" "
        116⤵
        
        PID:448
        
        C:\windows\system\FMLL.exe
        
        C:\windows\system\FMLL.exe
        117⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UQCYLZC.exe.bat" "
        118⤵
        
        PID:1672
        
        C:\windows\system\UQCYLZC.exe
        
        C:\windows\system\UQCYLZC.exe
        119⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JGD.exe.bat" "
        120⤵
        
        PID:1564
        
        C:\windows\system\JGD.exe
        
        C:\windows\system\JGD.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ETIYC.exe.bat" "
        122⤵
        
        PID:1816
        
        C:\windows\ETIYC.exe
        
        C:\windows\ETIYC.exe
        123⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOR.exe.bat" "
        124⤵
        
        PID:776
        
        C:\windows\system\TOR.exe
        
        C:\windows\system\TOR.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMKF.exe.bat" "
        126⤵
        
        PID:3460
        
        C:\windows\SysWOW64\VMKF.exe
        
        C:\windows\system32\VMKF.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RJQCB.exe.bat" "
        128⤵
        
        PID:5052
        
        C:\windows\SysWOW64\RJQCB.exe
        
        C:\windows\system32\RJQCB.exe
        129⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LHJE.exe.bat" "
        130⤵
        
        PID:4768
        
        C:\windows\SysWOW64\LHJE.exe
        
        C:\windows\system32\LHJE.exe
        131⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SFD.exe.bat" "
        132⤵
        
        PID:2132
        
        C:\windows\system\SFD.exe
        
        C:\windows\system\SFD.exe
        133⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSIJ.exe.bat" "
        134⤵
        
        PID:3172
        
        C:\windows\system\NSIJ.exe
        
        C:\windows\system\NSIJ.exe
        135⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFMAGH.exe.bat" "
        136⤵
        
        PID:2688
        
        C:\windows\SysWOW64\HFMAGH.exe
        
        C:\windows\system32\HFMAGH.exe
        137⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HLFGQMV.exe.bat" "
        138⤵
        
        PID:3228
        
        C:\windows\HLFGQMV.exe
        
        C:\windows\HLFGQMV.exe
        139⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMURZNL.exe.bat" "
        140⤵
        
        PID:2520
        
        C:\windows\system\AMURZNL.exe
        
        C:\windows\system\AMURZNL.exe
        141⤵
        Drops file in Windows directory
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJAMHW.exe.bat" "
        142⤵
        
        PID:2020
        
        C:\windows\system\CJAMHW.exe
        
        C:\windows\system\CJAMHW.exe
        143⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FXE.exe.bat" "
        144⤵
        
        PID:4840
        
        C:\windows\system\FXE.exe
        
        C:\windows\system\FXE.exe
        145⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MNFVYRX.exe.bat" "
        146⤵
        
        PID:2148
        
        C:\windows\MNFVYRX.exe
        
        C:\windows\MNFVYRX.exe
        147⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NQJ.exe.bat" "
        148⤵
        
        PID:4288
        
        C:\windows\NQJ.exe
        
        C:\windows\NQJ.exe
        149⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUI.exe.bat" "
        150⤵
        
        PID:2612
        
        C:\windows\system\WVUI.exe
        
        C:\windows\system\WVUI.exe
        151⤵
        Checks computer location settings
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "
        152⤵
        
        PID:1668
        
        C:\windows\system\CQTRYGC.exe
        
        C:\windows\system\CQTRYGC.exe
        153⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYZR.exe.bat" "
        154⤵
        
        PID:2316
        
        C:\windows\SysWOW64\GYZR.exe
        
        C:\windows\system32\GYZR.exe
        155⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RRCKKG.exe.bat" "
        156⤵
        
        PID:3084
        
        C:\windows\RRCKKG.exe
        
        C:\windows\RRCKKG.exe
        157⤵
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMHTUGD.exe.bat" "
        158⤵
        
        PID:1308
        
        C:\windows\SysWOW64\MMHTUGD.exe
        
        C:\windows\system32\MMHTUGD.exe
        159⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUOTH.exe.bat" "
        160⤵
        
        PID:3236
        
        C:\windows\YUOTH.exe
        
        C:\windows\YUOTH.exe
        161⤵
        Drops file in Windows directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HDQGKW.exe.bat" "
        162⤵
        
        PID:1564
        
        C:\windows\HDQGKW.exe
        
        C:\windows\HDQGKW.exe
        163⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LLXGW.exe.bat" "
        164⤵
        
        PID:2620
        
        C:\windows\LLXGW.exe
        
        C:\windows\LLXGW.exe
        165⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "
        166⤵
        
        PID:3968
        
        C:\windows\system\MOAKCEQ.exe
        
        C:\windows\system\MOAKCEQ.exe
        167⤵
        Checks computer location settings
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GBFU.exe.bat" "
        168⤵
        
        PID:4972
        
        C:\windows\GBFU.exe
        
        C:\windows\GBFU.exe
        169⤵
        Drops file in Windows directory
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MBNHVG.exe.bat" "
        170⤵
        
        PID:3084
        
        C:\windows\MBNHVG.exe
        
        C:\windows\MBNHVG.exe
        171⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPS.exe.bat" "
        172⤵
        
        PID:872
        
        C:\windows\system\HPS.exe
        
        C:\windows\system\HPS.exe
        173⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFTIM.exe.bat" "
        174⤵
        
        PID:1136
        
        C:\windows\system\WFTIM.exe
        
        C:\windows\system\WFTIM.exe
        175⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFAEVWT.exe.bat" "
        176⤵
        
        PID:2996
        
        C:\windows\SysWOW64\UFAEVWT.exe
        
        C:\windows\system32\UFAEVWT.exe
        177⤵
        Checks computer location settings
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSFN.exe.bat" "
        178⤵
        
        PID:4500
        
        C:\windows\SysWOW64\XSFN.exe
        
        C:\windows\system32\XSFN.exe
        179⤵
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CDJMK.exe.bat" "
        180⤵
        
        PID:1416
        
        C:\windows\system\CDJMK.exe
        
        C:\windows\system\CDJMK.exe
        181⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NWEETU.exe.bat" "
        182⤵
        
        PID:4652
        
        C:\windows\SysWOW64\NWEETU.exe
        
        C:\windows\system32\NWEETU.exe
        183⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBKCAE.exe.bat" "
        184⤵
        
        PID:2976
        
        C:\windows\SysWOW64\KBKCAE.exe
        
        C:\windows\system32\KBKCAE.exe
        185⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CWOXF.exe.bat" "
        186⤵
        
        PID:2388
        
        C:\windows\CWOXF.exe
        
        C:\windows\CWOXF.exe
        187⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UKYPV.exe.bat" "
        188⤵
        
        PID:4344
        
        C:\windows\UKYPV.exe
        
        C:\windows\UKYPV.exe
        189⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUBF.exe.bat" "
        190⤵
        
        PID:4328
        
        C:\windows\SysWOW64\SUBF.exe
        
        C:\windows\system32\SUBF.exe
        191⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "
        192⤵
        
        PID:3716
        
        C:\windows\system\WKIFQPT.exe
        
        C:\windows\system\WKIFQPT.exe
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLK.exe.bat" "
        194⤵
        
        PID:2316
        
        C:\windows\system\OLK.exe
        
        C:\windows\system\OLK.exe
        195⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVA.exe.bat" "
        196⤵
        
        PID:3552
        
        C:\windows\SysWOW64\BVA.exe
        
        C:\windows\system32\BVA.exe
        197⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTTLGUZ.exe.bat" "
        198⤵
        
        PID:4684
        
        C:\windows\SysWOW64\DTTLGUZ.exe
        
        C:\windows\system32\DTTLGUZ.exe
        199⤵
        Drops file in Windows directory
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MUVQR.exe.bat" "
        200⤵
        
        PID:208
        
        C:\windows\MUVQR.exe
        
        C:\windows\MUVQR.exe
        201⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRO.exe.bat" "
        202⤵
        
        PID:880
        
        C:\windows\SysWOW64\LRO.exe
        
        C:\windows\system32\LRO.exe
        203⤵
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMSPK.exe.bat" "
        204⤵
        
        PID:4808
        
        C:\windows\SysWOW64\LMSPK.exe
        
        C:\windows\system32\LMSPK.exe
        205⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPWT.exe.bat" "
        206⤵
        
        PID:4672
        
        C:\windows\system\EPWT.exe
        
        C:\windows\system\EPWT.exe
        207⤵
        Checks computer location settings
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YDBCZK.exe.bat" "
        208⤵
        
        PID:4492
        
        C:\windows\YDBCZK.exe
        
        C:\windows\YDBCZK.exe
        209⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KTH.exe.bat" "
        210⤵
        
        PID:2872
        
        C:\windows\KTH.exe
        
        C:\windows\KTH.exe
        211⤵
        Checks computer location settings
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYIR.exe.bat" "
        212⤵
        
        PID:4864
        
        C:\windows\system\KYIR.exe
        
        C:\windows\system\KYIR.exe
        213⤵
        Drops file in Windows directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMEAXH.exe.bat" "
        214⤵
        
        PID:1136
        
        C:\windows\FMEAXH.exe
        
        C:\windows\FMEAXH.exe
        215⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AHJ.exe.bat" "
        216⤵
        
        PID:4648
        
        C:\windows\AHJ.exe
        
        C:\windows\AHJ.exe
        217⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ACNNN.exe.bat" "
        218⤵
        
        PID:4484
        
        C:\windows\system\ACNNN.exe
        
        C:\windows\system\ACNNN.exe
        219⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFZ.exe.bat" "
        220⤵
        
        PID:3652
        
        C:\windows\SysWOW64\TFZ.exe
        
        C:\windows\system32\TFZ.exe
        221⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDEDID.exe.bat" "
        222⤵
        
        PID:3856
        
        C:\windows\system\DDEDID.exe
        
        C:\windows\system\DDEDID.exe
        223⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XQJ.exe.bat" "
        224⤵
        
        PID:2352
        
        C:\windows\SysWOW64\XQJ.exe
        
        C:\windows\system32\XQJ.exe
        225⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZOPHALU.exe.bat" "
        226⤵
        
        PID:3752
        
        C:\windows\system\ZOPHALU.exe
        
        C:\windows\system\ZOPHALU.exe
        227⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARTL.exe.bat" "
        228⤵
        
        PID:4988
        
        C:\windows\system\ARTL.exe
        
        C:\windows\system\ARTL.exe
        229⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JEDVVYR.exe.bat" "
        230⤵
        
        PID:1564
        
        C:\windows\JEDVVYR.exe
        
        C:\windows\JEDVVYR.exe
        231⤵
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFF.exe.bat" "
        232⤵
        
        PID:3628
        
        C:\windows\SysWOW64\BFF.exe
        
        C:\windows\system32\BFF.exe
        233⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XKLXF.exe.bat" "
        234⤵
        
        PID:2268
        
        C:\windows\system\XKLXF.exe
        
        C:\windows\system\XKLXF.exe
        235⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SXQOQFC.exe.bat" "
        236⤵
        
        PID:4920
        
        C:\windows\SysWOW64\SXQOQFC.exe
        
        C:\windows\system32\SXQOQFC.exe
        237⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MLV.exe.bat" "
        238⤵
        
        PID:1416
        
        C:\windows\MLV.exe
        
        C:\windows\MLV.exe
        239⤵
        Checks computer location settings
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YDQQI.exe.bat" "
        240⤵
        
        PID:4492
        
        C:\windows\YDQQI.exe
        
        C:\windows\YDQQI.exe
        241⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBWT.exe.bat" "
        242⤵
        
        PID:1272
        
        C:\windows\SysWOW64\OBWT.exe
        
        C:\windows\system32\OBWT.exe
        243⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUZMU.exe.bat" "
        244⤵
        
        PID:364
        
        C:\windows\SysWOW64\ZUZMU.exe
        
        C:\windows\system32\ZUZMU.exe
        245⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUBRYTF.exe.bat" "
        246⤵
        
        PID:4136
        
        C:\windows\system\RUBRYTF.exe
        
        C:\windows\system\RUBRYTF.exe
        247⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LHY.exe.bat" "
        248⤵
        
        PID:3116
        
        C:\windows\LHY.exe
        
        C:\windows\LHY.exe
        249⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RIGORN.exe.bat" "
        250⤵
        
        PID:1920
        
        C:\windows\RIGORN.exe
        
        C:\windows\RIGORN.exe
        251⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PINCIP.exe.bat" "
        252⤵
        
        PID:2528
        
        C:\windows\PINCIP.exe
        
        C:\windows\PINCIP.exe
        253⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EYOB.exe.bat" "
        254⤵
        
        PID:776
        
        C:\windows\system\EYOB.exe
        
        C:\windows\system\EYOB.exe
        255⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYWPYFU.exe.bat" "
        256⤵
        
        PID:1704
        
        C:\windows\SysWOW64\KYWPYFU.exe
        
        C:\windows\system32\KYWPYFU.exe
        257⤵
        Drops file in Windows directory
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KEWEZSX.exe.bat" "
        258⤵
        
        PID:1924
        
        C:\windows\system\KEWEZSX.exe
        
        C:\windows\system\KEWEZSX.exe
        259⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QEERI.exe.bat" "
        260⤵
        
        PID:948
        
        C:\windows\QEERI.exe
        
        C:\windows\QEERI.exe
        261⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMGWMR.exe.bat" "
        262⤵
        
        PID:4684
        
        C:\windows\HMGWMR.exe
        
        C:\windows\HMGWMR.exe
        263⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNO.exe.bat" "
        264⤵
        
        PID:4376
        
        C:\windows\SysWOW64\FNO.exe
        
        C:\windows\system32\FNO.exe
        265⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TPKJIDF.exe.bat" "
        266⤵
        
        PID:4024
        
        C:\windows\system\TPKJIDF.exe
        
        C:\windows\system\TPKJIDF.exe
        267⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\USTYTRY.exe.bat" "
        268⤵
        
        PID:5008
        
        C:\windows\USTYTRY.exe
        
        C:\windows\USTYTRY.exe
        269⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NVLBXVH.exe.bat" "
        270⤵
        
        PID:4500
        
        C:\windows\NVLBXVH.exe
        
        C:\windows\NVLBXVH.exe
        271⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CQUGI.exe.bat" "
        272⤵
        
        PID:1708
        
        C:\windows\SysWOW64\CQUGI.exe
        
        C:\windows\system32\CQUGI.exe
        273⤵
        Drops file in Windows directory
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLRS.exe.bat" "
        274⤵
        
        PID:4304
        
        C:\windows\system\JLRS.exe
        
        C:\windows\system\JLRS.exe
        275⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWV.exe.bat" "
        276⤵
        
        PID:372
        
        C:\windows\SysWOW64\WWV.exe
        
        C:\windows\system32\WWV.exe
        277⤵
        Drops file in Windows directory
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PRZUC.exe.bat" "
        278⤵
        
        PID:3236
        
        C:\windows\system\PRZUC.exe
        
        C:\windows\system\PRZUC.exe
        279⤵
        Drops file in Windows directory
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GABH.exe.bat" "
        280⤵
        
        PID:440
        
        C:\windows\system\GABH.exe
        
        C:\windows\system\GABH.exe
        281⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDX.exe.bat" "
        282⤵
        
        PID:4440
        
        C:\windows\SysWOW64\MDX.exe
        
        C:\windows\system32\MDX.exe
        283⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYCPV.exe.bat" "
        284⤵
        
        PID:3644
        
        C:\windows\system\OYCPV.exe
        
        C:\windows\system\OYCPV.exe
        285⤵
        Drops file in Windows directory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLGYFN.exe.bat" "
        286⤵
        
        PID:4972
        
        C:\windows\system\JLGYFN.exe
        
        C:\windows\system\JLGYFN.exe
        287⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HBABS.exe.bat" "
        288⤵
        
        PID:1708
        
        C:\windows\SysWOW64\HBABS.exe
        
        C:\windows\system32\HBABS.exe
        289⤵
        Checks computer location settings
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NMWAFJ.exe.bat" "
        290⤵
        
        PID:2576
        
        C:\windows\NMWAFJ.exe
        
        C:\windows\NMWAFJ.exe
        291⤵
        Drops file in Windows directory
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\THVICMU.exe.bat" "
        292⤵
        
        PID:1600
        
        C:\windows\system\THVICMU.exe
        
        C:\windows\system\THVICMU.exe
        293⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZHDW.exe.bat" "
        294⤵
        
        PID:1616
        
        C:\windows\SysWOW64\ZHDW.exe
        
        C:\windows\system32\ZHDW.exe
        295⤵
        Drops file in Windows directory
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFITAQ.exe.bat" "
        296⤵
        
        PID:1928
        
        C:\windows\system\VFITAQ.exe
        
        C:\windows\system\VFITAQ.exe
        297⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVP.exe.bat" "
        298⤵
        
        PID:4344
        
        C:\windows\SysWOW64\ZVP.exe
        
        C:\windows\system32\ZVP.exe
        299⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZAHI.exe.bat" "
        300⤵
        
        PID:4672
        
        C:\windows\ZAHI.exe
        
        C:\windows\ZAHI.exe
        301⤵
        Drops file in Windows directory
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AETETL.exe.bat" "
        302⤵
        
        PID:4788
        
        C:\windows\AETETL.exe
        
        C:\windows\AETETL.exe
        303⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTEG.exe.bat" "
        304⤵
        
        PID:4804
        
        C:\windows\system\YTEG.exe
        
        C:\windows\system\YTEG.exe
        305⤵
        Checks computer location settings
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YHEVQ.exe.bat" "
        306⤵
        
        PID:208
        
        C:\windows\system\YHEVQ.exe
        
        C:\windows\system\YHEVQ.exe
        307⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IXKP.exe.bat" "
        308⤵
        
        PID:3040
        
        C:\windows\SysWOW64\IXKP.exe
        
        C:\windows\system32\IXKP.exe
        309⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHSGMPF.exe.bat" "
        310⤵
        
        PID:2988
        
        C:\windows\SysWOW64\VHSGMPF.exe
        
        C:\windows\system32\VHSGMPF.exe
        311⤵
        Checks computer location settings
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JSW.exe.bat" "
        312⤵
        
        PID:964
        
        C:\windows\JSW.exe
        
        C:\windows\JSW.exe
        313⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\STYRU.exe.bat" "
        314⤵
        
        PID:4744
        
        C:\windows\STYRU.exe
        
        C:\windows\STYRU.exe
        315⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJFSGWY.exe.bat" "
        316⤵
        
        PID:4968
        
        C:\windows\WJFSGWY.exe
        
        C:\windows\WJFSGWY.exe
        317⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ARMA.exe.bat" "
        318⤵
        
        PID:3620
        
        C:\windows\ARMA.exe
        
        C:\windows\ARMA.exe
        319⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZO.exe.bat" "
        320⤵
        
        PID:2408
        
        C:\windows\SysWOW64\RZO.exe
        
        C:\windows\system32\RZO.exe
        321⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AZQK.exe.bat" "
        322⤵
        
        PID:3552
        
        C:\windows\SysWOW64\AZQK.exe
        
        C:\windows\system32\AZQK.exe
        323⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GAXXQT.exe.bat" "
        324⤵
        
        PID:3548
        
        C:\windows\GAXXQT.exe
        
        C:\windows\GAXXQT.exe
        325⤵
        Checks computer location settings
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FKANZ.exe.bat" "
        326⤵
        
        PID:376
        
        C:\windows\FKANZ.exe
        
        C:\windows\FKANZ.exe
        327⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AGFXBZC.exe.bat" "
        328⤵
        
        PID:3460
        
        C:\windows\AGFXBZC.exe
        
        C:\windows\AGFXBZC.exe
        329⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NIVWQ.exe.bat" "
        330⤵
        
        PID:1856
        
        C:\windows\NIVWQ.exe
        
        C:\windows\NIVWQ.exe
        331⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HWSFAKM.exe.bat" "
        332⤵
        
        PID:3496
        
        C:\windows\SysWOW64\HWSFAKM.exe
        
        C:\windows\system32\HWSFAKM.exe
        333⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BOV.exe.bat" "
        334⤵
        
        PID:2316
        
        C:\windows\BOV.exe
        
        C:\windows\BOV.exe
        335⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FECYU.exe.bat" "
        336⤵
        
        PID:4904
        
        C:\windows\system\FECYU.exe
        
        C:\windows\system\FECYU.exe
        337⤵
        Checks computer location settings
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUDX.exe.bat" "
        338⤵
        
        PID:4784
        
        C:\windows\UUDX.exe
        
        C:\windows\UUDX.exe
        339⤵
        Drops file in Windows directory
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NXHTGN.exe.bat" "
        340⤵
        
        PID:4648
        
        C:\windows\system\NXHTGN.exe
        
        C:\windows\system\NXHTGN.exe
        341⤵
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NSS.exe.bat" "
        342⤵
        
        PID:1616
        
        C:\windows\SysWOW64\NSS.exe
        
        C:\windows\system32\NSS.exe
        343⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MQE.exe.bat" "
        344⤵
        
        PID:3224
        
        C:\windows\SysWOW64\MQE.exe
        
        C:\windows\system32\MQE.exe
        345⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VRGF.exe.bat" "
        346⤵
        
        PID:4224
        
        C:\windows\VRGF.exe
        
        C:\windows\VRGF.exe
        347⤵
        Drops file in Windows directory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZIKOT.exe.bat" "
        348⤵
        
        PID:4968
        
        C:\windows\FZIKOT.exe
        
        C:\windows\FZIKOT.exe
        349⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UURO.exe.bat" "
        350⤵
        
        PID:4788
        
        C:\windows\SysWOW64\UURO.exe
        
        C:\windows\system32\UURO.exe
        351⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HFN.exe.bat" "
        352⤵
        
        PID:4560
        
        C:\windows\system\HFN.exe
        
        C:\windows\system\HFN.exe
        353⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAZQRNG.exe.bat" "
        354⤵
        
        PID:4380
        
        C:\windows\SysWOW64\AAZQRNG.exe
        
        C:\windows\system32\AAZQRNG.exe
        355⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ADD.exe.bat" "
        356⤵
        
        PID:3672
        
        C:\windows\system\ADD.exe
        
        C:\windows\system\ADD.exe
        357⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOL.exe.bat" "
        358⤵
        
        PID:972
        
        C:\windows\SysWOW64\NOL.exe
        
        C:\windows\system32\NOL.exe
        359⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GJDWHS.exe.bat" "
        360⤵
        
        PID:3716
        
        C:\windows\GJDWHS.exe
        
        C:\windows\GJDWHS.exe
        361⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEIIR.exe.bat" "
        362⤵
        
        PID:3140
        
        C:\windows\system\NEIIR.exe
        
        C:\windows\system\NEIIR.exe
        363⤵
        Checks computer location settings
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOQHF.exe.bat" "
        364⤵
        
        PID:4484
        
        C:\windows\system\IOQHF.exe
        
        C:\windows\system\IOQHF.exe
        365⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXKP.exe.bat" "
        366⤵
        
        PID:2412
        
        C:\windows\EXKP.exe
        
        C:\windows\EXKP.exe
        367⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AHBFXFG.exe.bat" "
        368⤵
        
        PID:4816
        
        C:\windows\AHBFXFG.exe
        
        C:\windows\AHBFXFG.exe
        369⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UVFX.exe.bat" "
        370⤵
        
        PID:3000
        
        C:\windows\system\UVFX.exe
        
        C:\windows\system\UVFX.exe
        371⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFI.exe.bat" "
        372⤵
        
        PID:4192
        
        C:\windows\system\TFI.exe
        
        C:\windows\system\TFI.exe
        373⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYLVQZN.exe.bat" "
        374⤵
        
        PID:1456
        
        C:\windows\system\KYLVQZN.exe
        
        C:\windows\system\KYLVQZN.exe
        375⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IJWLZF.exe.bat" "
        376⤵
        
        PID:3716
        
        C:\windows\system\IJWLZF.exe
        
        C:\windows\system\IJWLZF.exe
        377⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DWTUJFY.exe.bat" "
        378⤵
        
        PID:4152
        
        C:\windows\system\DWTUJFY.exe
        
        C:\windows\system\DWTUJFY.exe
        379⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GKYE.exe.bat" "
        380⤵
        
        PID:4676
        
        C:\windows\SysWOW64\GKYE.exe
        
        C:\windows\system32\GKYE.exe
        381⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AXCNWF.exe.bat" "
        382⤵
        
        PID:4372
        
        C:\windows\SysWOW64\AXCNWF.exe
        
        C:\windows\system32\AXCNWF.exe
        383⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JKNFMBP.exe.bat" "
        384⤵
        
        PID:3996
        
        C:\windows\system\JKNFMBP.exe
        
        C:\windows\system\JKNFMBP.exe
        385⤵
        Drops file in Windows directory
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXSX.exe.bat" "
        386⤵
        
        PID:2724
        
        C:\windows\system\EXSX.exe
        
        C:\windows\system\EXSX.exe
        387⤵
        Drops file in Windows directory
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTWGG.exe.bat" "
        388⤵
        
        PID:3552
        
        C:\windows\YTWGG.exe
        
        C:\windows\YTWGG.exe
        389⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GYXUIO.exe.bat" "
        390⤵
        
        PID:3428
        
        C:\windows\GYXUIO.exe
        
        C:\windows\GYXUIO.exe
        391⤵
        Checks computer location settings
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WTGZ.exe.bat" "
        392⤵
        
        PID:3892
        
        C:\windows\SysWOW64\WTGZ.exe
        
        C:\windows\system32\WTGZ.exe
        393⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QHLIDB.exe.bat" "
        394⤵
        
        PID:4276
        
        C:\windows\QHLIDB.exe
        
        C:\windows\QHLIDB.exe
        395⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JKPMI.exe.bat" "
        396⤵
        
        PID:2904
        
        C:\windows\system\JKPMI.exe
        
        C:\windows\system\JKPMI.exe
        397⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1336
        396⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1324
        394⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1256
        392⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1292
        390⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1316
        388⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1336
        386⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1336
        384⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1320
        382⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1296
        380⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1336
        378⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 960
        376⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1008
        374⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1004
        372⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 960
        370⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1292
        368⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1324
        366⤵
        
        PID:692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1336
        364⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1336
        362⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1324
        360⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1328
        358⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 960
        356⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1328
        354⤵
        
        PID:512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1336
        352⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1328
        350⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1324
        348⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1292
        346⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1256
        344⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1328
        342⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1324
        340⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1324
        338⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1336
        336⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1324
        334⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1328
        332⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1324
        330⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324
        328⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1292
        326⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1324
        324⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1328
        322⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 1328
        320⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1292
        318⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 960
        316⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 960
        314⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1324
        312⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1328
        310⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 960
        308⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1272
        306⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1336
        304⤵
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1288
        302⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1324
        300⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1328
        298⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1276
        296⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1328
        294⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1264
        292⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1316
        290⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1264
        288⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1272
        286⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1336
        284⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1256
        282⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336
        280⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1336
        278⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1328
        276⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1304
        274⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 964
        272⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1324
        270⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 996
        268⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 960
        266⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
        264⤵
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1324
        262⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1324
        260⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1332
        258⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1108
        256⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1272
        254⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1292
        252⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1308
        250⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 960
        248⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1304
        246⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1240
        244⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1296
        242⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1324
        240⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1324
        238⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1256
        236⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 976
        234⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 960
        232⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1288
        230⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1000
        228⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 960
        226⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 960
        224⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1336
        222⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1328
        220⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1336
        218⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1324
        216⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1292
        214⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 960
        212⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1324
        210⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1324
        208⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1336
        206⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 960
        204⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1328
        202⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1292
        200⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1296
        198⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 960
        196⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1304
        194⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 960
        192⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296
        190⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1324
        188⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1324
        186⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 960
        184⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 960
        182⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1304
        180⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1308
        178⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1312
        176⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 960
        174⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 988
        172⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1268
        170⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1288
        168⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 960
        166⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 976
        164⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1252
        162⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 960
        160⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1240
        158⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1320
        156⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1320
        154⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1336
        152⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1336
        150⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1324
        148⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 960
        146⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1336
        144⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1304
        142⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1312
        140⤵
        
        PID:980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1292
        138⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 960
        136⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 976
        134⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1336
        132⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1328
        130⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 960
        128⤵
        Program crash
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1328
        126⤵
        Program crash
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1304
        124⤵
        Program crash
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 960
        122⤵
        Program crash
        
        PID:2464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 960
        120⤵
        Program crash
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1272
        118⤵
        Program crash
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1324
        116⤵
        Program crash
        
        PID:948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1004
        114⤵
        Program crash
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1336
        112⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1252
        110⤵
        Program crash
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1304
        108⤵
        Program crash
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1292
        106⤵
        Program crash
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1336
        104⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1344
        102⤵
        Program crash
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 960
        100⤵
        Program crash
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1328
        98⤵
        Program crash
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1324
        96⤵
        Program crash
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1304
        94⤵
        Program crash
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1320
        92⤵
        Program crash
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1324
        90⤵
        Program crash
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1328
        88⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1336
        86⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 960
        84⤵
        Program crash
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1328
        82⤵
        Program crash
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1320
        80⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1328
        78⤵
        Program crash
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 960
        76⤵
        Program crash
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1328
        74⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1272
        72⤵
        Program crash
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1252
        70⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1264
        68⤵
        Program crash
        
        PID:676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 960
        66⤵
        Program crash
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1316
        64⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1324
        62⤵
        Program crash
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1324
        60⤵
        Program crash
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1324
        58⤵
        Program crash
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1336
        56⤵
        Program crash
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1304
        54⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1328
        52⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1320
        50⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1328
        48⤵
        Program crash
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1324
        46⤵
        Program crash
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1296
        44⤵
        Program crash
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1336
        42⤵
        Program crash
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 960
        40⤵
        Program crash
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 964
        38⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1336
        36⤵
        Program crash
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1328
        34⤵
        Program crash
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1304
        32⤵
        Program crash
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1296
        30⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 960
        28⤵
        Program crash
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1332
        26⤵
        Program crash
        
        PID:3140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1328
        24⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1292
        22⤵
        Program crash
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1328
        20⤵
        Program crash
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1324
        18⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1328
        16⤵
        Program crash
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1292
        14⤵
        Program crash
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 960
        12⤵
        Program crash
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1260
        10⤵
        Program crash
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 960
        8⤵
        Program crash
        
        PID:2192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 992
        6⤵
        Program crash
        
        PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1308
      4⤵
      Program crash
      PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 964
  2⤵
  - Program crash
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4892 -ip 4892
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3096 -ip 3096
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4572 -ip 4572
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2148 -ip 2148
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4184 -ip 4184
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4460 -ip 4460
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4356 -ip 4356
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1840 -ip 1840
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4328 -ip 4328
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3192 -ip 3192
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1856 -ip 1856
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1788 -ip 1788
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1572 -ip 1572
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1020 -ip 1020
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5008 -ip 5008
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4184 -ip 4184
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3620 -ip 3620
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3108 -ip 3108
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3096 -ip 3096
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4328 -ip 4328
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1876 -ip 1876
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 552 -ip 552
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2332 -ip 2332
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2976 -ip 2976
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4672 -ip 4672
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2376 -ip 2376
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1048 -ip 1048
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2888 -ip 2888
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3652 -ip 3652
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1060 -ip 1060
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4684 -ip 4684
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2472 -ip 2472
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5008 -ip 5008
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4752 -ip 4752
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1816 -ip 1816
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2592 -ip 2592
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2668 -ip 2668
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1248 -ip 1248
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1108 -ip 1108
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4024 -ip 4024
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4064 -ip 4064
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3316 -ip 3316
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4504 -ip 4504
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5088 -ip 5088
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3236 -ip 3236
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2308 -ip 2308
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4384 -ip 4384
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1416 -ip 1416
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 440 -ip 440
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 948 -ip 948
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4148 -ip 4148
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3540 -ip 3540
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4828 -ip 4828
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1908 -ip 1908
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3992 -ip 3992
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1808 -ip 1808
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2568 -ip 2568
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3104 -ip 3104
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1036 -ip 1036
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3220 -ip 3220
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1004 -ip 1004
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1984 -ip 1984
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3736 -ip 3736
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1248 -ip 1248
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4484 -ip 4484
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4340 -ip 4340
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3316 -ip 3316
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4988 -ip 4988
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1616 -ip 1616
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4328 -ip 4328
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3436 -ip 3436
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3512 -ip 3512
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3716 -ip 3716
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1812 -ip 1812
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4308 -ip 4308
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3424 -ip 3424
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3992 -ip 3992
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1572 -ip 1572
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2760 -ip 2760
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5052 -ip 5052
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3012 -ip 3012
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1160 -ip 1160
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4808 -ip 4808
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4328 -ip 4328
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2200 -ip 2200
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2760 -ip 2760
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 208 -ip 208
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1920 -ip 1920
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4320 -ip 4320
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3996 -ip 3996
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4552 -ip 4552
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3504 -ip 3504
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4680 -ip 4680
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2800 -ip 2800
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1616 -ip 1616
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1336 -ip 1336
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 2472
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3104 -ip 3104
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4276 -ip 4276
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3940 -ip 3940
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1340 -ip 1340
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5088 -ip 5088
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3800 -ip 3800
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3508 -ip 3508
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2464 -ip 2464
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4800 -ip 4800
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5080 -ip 5080
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 948 -ip 948
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3108 -ip 3108
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3936 -ip 3936
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1196 -ip 1196
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3992 -ip 3992
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 552 -ip 552
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2412 -ip 2412
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2088 -ip 2088
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 512 -ip 512
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4556 -ip 4556
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4848 -ip 4848
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1108 -ip 1108
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3628 -ip 3628
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2724 -ip 2724
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4336 -ip 4336
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2700 -ip 2700
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2688 -ip 2688
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3500 -ip 3500
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4200 -ip 4200
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4556 -ip 4556
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2192 -ip 2192
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4400 -ip 4400
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3220 -ip 3220
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4948 -ip 4948
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1676 -ip 1676
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4572 -ip 4572
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 964 -ip 964
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4744 -ip 4744
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1620 -ip 1620
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4420 -ip 4420
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2408 -ip 2408
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 912 -ip 912
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2556 -ip 2556
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1088 -ip 1088
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1468 -ip 1468
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3192 -ip 3192
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 868 -ip 868
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2036 -ip 2036
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4500 -ip 4500
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4584 -ip 4584
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4948 -ip 4948
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4528 -ip 4528
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1456 -ip 1456
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2324 -ip 2324
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3984 -ip 3984
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 676 -ip 676
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1000 -ip 1000
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2940 -ip 2940
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1984 -ip 1984
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5004 -ip 5004
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5084 -ip 5084
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3736 -ip 3736
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3800 -ip 3800
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2304 -ip 2304
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2224 -ip 2224
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1572 -ip 1572
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3940 -ip 3940
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 680 -ip 680
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3844 -ip 3844
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4148 -ip 4148
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2320 -ip 2320
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3656 -ip 3656
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1620 -ip 1620
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2312 -ip 2312
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3512 -ip 3512
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2368 -ip 2368
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4376 -ip 4376
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1860 -ip 1860
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2448 -ip 2448
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4072 -ip 4072
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3228 -ip 3228
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2856 -ip 2856
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2088 -ip 2088
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2948 -ip 2948
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2600 -ip 2600
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3236 -ip 3236
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 5064
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4492 -ip 4492
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3220 -ip 3220
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1048 -ip 1048
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4856 -ip 4856
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4528 -ip 4528
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5040 -ip 5040
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3172 -ip 3172
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2888 -ip 2888
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5028 -ip 5028
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ESV.exe

Filesize
208KB

MD5
576e9cbadc6e3d949f1cfb67c85a3d8e

SHA1
4852bb05f18747061f30bd7b87aa1a6775d07f48

SHA256
84936eaa299f2e2a1da6b0399031e0ac8833dadec867ca807602ee41b3260e34

SHA512
a29bb264e3f9926af7396770f288316a8b50cb5167f925a091c5a55a128d888f43463b199e80e70310119fb92f0d228a90cd4e11491d84f8ae17101d5c1c6349

Download Submit
C:\Windows\ORTOGNA.exe

Filesize
208KB

MD5
32aabdb3660d0c993d4c29920524010c

SHA1
2aad3e4e9a2225e7963f52fdd842af844155995d

SHA256
898c4e683c5109d017844f874533a8d4187e42c690f688e10354d3c841695790

SHA512
ab2b0bc49180c14ea39dcb42f54fba4c01da91cfbf7f55b2d4ed3ee4be18799f725d5eedc5bbf5a0c9e84566bd6dc189c0aaa8206e52da9ac3ee8576c48b0a36

Download Submit
C:\Windows\ORZWA.exe

Filesize
208KB

MD5
e3fcfab67129aabbdd70cfbf73ad3de8

SHA1
47deeb7dcf39c67170b7ff7be8bcac99a267e4da

SHA256
5a5e60f774815b1e82b744d063d5e0786f1b9fcd271a5b190b744bb76275249c

SHA512
a7720a770b9391f182804317ccad3763e826d971a357a4a5719a8e6ebd6c7b77d655c9349baf156a99fcadb631847a5aaf3a2cc84d48c2a851015c65ca6eb2ea

Download Submit
C:\Windows\SysWOW64\RKWNVLN.exe

Filesize
208KB

MD5
b767f453c0fff477f6b1d9d8cda5a2b9

SHA1
8f0b54a2357d0c98dac9dd491903df684049a8e7

SHA256
4ac7afb8d794685ad4e79ac5ed10c72c933c28d5ce6cbe7d89ee1eb00b910639

SHA512
e8bf12f88e330e73651bab083ac6deee5af35e634435dcf2674178b10375e67a3b9cdad6bf92c6b089c7bb1271e0a08636cdec2517c94c4f7c0c0f1a84d92180

Download Submit
C:\Windows\SysWOW64\UWZ.exe

Filesize
208KB

MD5
d928d70f0332ab050f52582f5244a0b5

SHA1
07d42639e43dabb03744223ceb6c14d72b4aca5c

SHA256
c07f8be5739ced49cb92765c2191a1ffb8849592ed5f925845ead44f89690f85

SHA512
c22a059e36eea262e6e6fcae3d47dad0110850147cfd6eeca28b7abbc721429ea330d4e73c171806339563d56236c579ec6c53100f49f1541801aacff78b219d

Download Submit
C:\Windows\System\ASYSH.exe

Filesize
208KB

MD5
12189064be7f919796836ce7d7ff9eaa

SHA1
227ffbebb9c48ed9ee9e72936658d18259cd8aba

SHA256
4f810c8a30301a6ad4ab75cba25f01b5f58fad568aaa14a8c42e74a3203a2c67

SHA512
523f25c6d752999c8af514c8352aced8110ba32b3fa4dc3aca2ce003fad2c60aa7d05d676dbf759543229be0efc27e79e312165207e94c0be024c3e1229504fb

Download Submit
C:\Windows\System\CHHS.exe

Filesize
208KB

MD5
36d53e8713139bbbe41d79e5990b8921

SHA1
38101abe0ace6e52d21ae7f3a4fc94c830825269

SHA256
3e0414b4b512b76ce223ba4c9c4c83a1a10d10a768898cc8c5e6881a9e0ee9ca

SHA512
bd3cd077e7b0295c70d8fed13ea796df053c2d9805fb5183f5fdf3795300cc64383cbf175b9feeeb00d32f6ddae5578e878318e31d3ba0e91cfafcb8c016d4f2

Download Submit
C:\Windows\System\FIXR.exe

Filesize
208KB

MD5
529aae97632482fa88d8e872f41a63fa

SHA1
9fea4ca5ec531f7bea92c27f7489277c9fe39d25

SHA256
dfd46720a293e3b44485a38d252f5e3195e9a4be8b229b030c9b102b50e818f3

SHA512
5343d1b4b37361657a7ed1a92fe46a7299cf622ef070e2ee1bbf2f2528e4d4a6722a96abde1e30112e3e3c82c1724b8bd3f8c1218a1abecc86317026d04c07a9

Download Submit
C:\Windows\System\LPL.exe

Filesize
208KB

MD5
811dbdd649a25b36ef4a4edacff0208b

SHA1
84665252d3ce0dc678ff380977b9e21f128f77fb

SHA256
7c52e481f67b8a21ed2226a7aecc1dbc36364ca6e89e8d60512e5a30dbc0913b

SHA512
54ee6d7ba535feb07bd8b121f7e7e6baf893dbd5cac6fe49bd5da082c497970d3b6e4f048b78b1b15bf30d02f251abb49e01842fe6dc222d68215b4f9f967c13

Download Submit
C:\Windows\System\ZJW.exe

Filesize
208KB

MD5
9236062f8d73d9e848ffa3eefc4d5ac6

SHA1
6802c4bbff2dc4e87bd6deca27470b457206dfe7

SHA256
e9172ae5c9cbd4fc10fbd9cd9525c9475d0b34a791c3b598c4be70e03042fe10

SHA512
62112ea3bd6b9a48d8ea9cecf27e2e241adec0b509c3a0f73d7d5525251a7880d17e2ff4d45868fbd88a02842765cc2da6978cd9e13cb600a2e1d01d21c3ef4a

Download Submit
C:\Windows\WCMJJ.exe

Filesize
208KB

MD5
f67a577af8eb45fdb949a870e8a17b7d

SHA1
6f26d254c528a86f6cd7d1c35adf81789f9cf1b1

SHA256
316760950c6168e03180aa30b44a8d9608f5d6d7a060d5d4eef25009f320d05c

SHA512
3f8aa674dc3794a9a9d645ffeac2f8e550731f775c5f86ce9b009fe4f31b8a8e1100b900743184ea56cd0494038e1966b5d7c8934ac0c680e4c9f64a74d5084a

Download Submit
C:\windows\ESV.exe.bat

Filesize
52B

MD5
780cf236acd963673a54cfa10dfc12ee

SHA1
352ad62a283ca96c2c33cdf258c8a722a466926e

SHA256
24f11a456f9c017378a744857499295a22313ed1bcb2152d786008ec4af15389

SHA512
04028f08a64e7d47abb0e3b1252901dc372326f978141e4e1e16e529a476ec26d96c3b182addff63facd18ffaf36786b67ca18cf8ca8b3f0e3ca02764598b53a

Download Submit
C:\windows\IDRUQXG.exe

Filesize
208KB

MD5
8f22c475aee0d2362f9e26660b8c538d

SHA1
c5d1f71f82b759e42a9ebb91dbc76a458c51e691

SHA256
125f0ab66701ebd00c4eb1bc0f4a1bbeb4300ad2bd7819243b626deb3f0c8f90

SHA512
2908d0b80954f25f3cadca212537c1cd24c666ec3fbe4b177affb3c0671b16f4cf6a6eb274eb93b9aa9e46b7c6d8db6834ab0e649a8833dcac4ce308727abd29

Download Submit
C:\windows\IDRUQXG.exe.bat

Filesize
60B

MD5
7f3134a7cbb38289e3bdcbc7b3faea12

SHA1
e6922325976b2082b30e8aceac5602f8146c33d6

SHA256
798b6faac4c36a0505460adb494d864a837abec899d1e879c6229139470ee236

SHA512
1ee4805519ba29832f7bcb723747d6896e96054f37398702f997b05e715502dde9e0c012f00c588f0bac74bee7977feab039026a423bd6f206a1229a9c90d714

Download Submit
C:\windows\IOUGMU.exe

Filesize
208KB

MD5
f7c4cdf0eadc3f74d9b26c71f5aec101

SHA1
de10eebb8ac2ed1383a802fe5cab6cd1b8520e4f

SHA256
e62be7182ee0545814b2f86dd0f2eac5aa82f1711c4aab9d1a545e03266c6585

SHA512
a086c4148dc183ae60591d65d21306005977a0ee301444ef5fdd75b7ba752cba68086ef2c8dc92df063150e6b52f4eadb06e3e41730eaf8b8c08020eb17186d4

Download Submit
C:\windows\IOUGMU.exe.bat

Filesize
58B

MD5
d15aecf4abddaa40caba5c3b6cd1d4ba

SHA1
e04e68dea559285d626f6f9c7fc0c22be2863509

SHA256
051f45cebf8b79b1732e3b55e65f276b353b9e99dd2e679290c098d87c4e3dee

SHA512
2f4fc5911f38e89304e85e1eaed0a2477423a62afd828aabed2209dc74d86f163a06045d0866871c8d532ee40c1a52e5e2fd322d0f8acca5b403e81494926ec1

Download Submit
C:\windows\JNCQGQT.exe.bat

Filesize
60B

MD5
54242b1ce5a6c535a0929676fda4ad69

SHA1
71076c1a5795195a1a7d7ba4b98c7b2351b6c016

SHA256
140812ebe791339dc11379b633788adeb4bb31d57a70840c155e7288e562564f

SHA512
7bdac734c5a521a06f7fdfcc82e6f06d443feab87319ca59ffb87f2c027a7d1c0afc941f86f7ba91d80f7a972e922700eb1626ab147fff63453b3f8a80d109d6

Download Submit
C:\windows\ORTOGNA.exe.bat

Filesize
60B

MD5
5ecebfa816ff91bfd6177440bf8c9b89

SHA1
27eab22c1a7dd45e5a5be20227a4ce27b54ed693

SHA256
cc96504bdaaf19eafdaac3b04d7a46bc519b68be8360721ebc940a3a5d5c9e46

SHA512
6d014ccba8a76cac331b5916e9d92121607fcac305d83632b456baaefcfbafe18cf9a943da8e5513f61f015284d0282e08dc2d108a0c6919bf27aee3e4a560f5

Download Submit
C:\windows\ORZWA.exe.bat

Filesize
56B

MD5
008a75c2385d8e42c4b2d44b37cf0b60

SHA1
3f87c841c38606b78d86096f16303bad4ffff243

SHA256
c4085a1e0029e3ed9227403d2376c0e5c8bc175f07b6c64c41b5a3f51aa57df8

SHA512
ced50e5a6f5fe810cd49debba4791b2a0c1d5f1359d5c86d2926c062154edd3a04674f39502c24059623f3c01fd591ca5edaa31954ef5017ba32339e60d9f65b

Download Submit
C:\windows\SysWOW64\GQOT.exe

Filesize
208KB

MD5
a7d7e5a900f6433505de603271ba2736

SHA1
90a792ff80bc0ae9178c07e8e13a6f56e6b78f08

SHA256
41c082cc05e3f3f0bd373186460ebafbc58fe5ecb1064663b3cc6634f2b50367

SHA512
686c58257acf908433a5afd560584dc8bc9d11f89582a3377f0dcb11993dc28d8fa5699e70637b920c07a3ec7bc7e5b0205f858a0baa0f9f96f3f3d30ba280f2

Download Submit
C:\windows\SysWOW64\GQOT.exe.bat

Filesize
72B

MD5
3f7f5268a3ebfaa4891f2d2d3baf29a9

SHA1
2e1626ac3f6a2d6208c5c40424361b9d54bba114

SHA256
76911510a0f02fc208f2e7921b224358b488f5a6d790168b8e2f99f57fa31de9

SHA512
e12e762c9712dd3974c36ca54879e492c1ff1fd2efca3c76638dc1f8ba9db89fafdf7e886e261c904f1d74eb3c32c8b349d768811a194f420023363d50f0d04c

Download Submit
C:\windows\SysWOW64\HVPURFZ.exe.bat

Filesize
78B

MD5
67c90e5d680da9d454706cbc4aa699fe

SHA1
d037ecf3e78c938ea68a2ae3a771eabe17420419

SHA256
3dbf70e37119e97b1e3cd5cc5008ffcb862b448276937e8e4763978b6ea0a21d

SHA512
03119d5560d55fec3f8045d0306eb6aa53a1b13730bd74da9f85bf27b828d15763e6bfc22452bd1b555ac72d5b9eebb16d2bc7342b58c4476a4d68dbe4e604a2

Download Submit
C:\windows\SysWOW64\RKWNVLN.exe.bat

Filesize
78B

MD5
70aff88aacff6c536f6a29c4dc9628f8

SHA1
80888e3b5da5e530fa9107455c72b434b70926c6

SHA256
1d338c5659949636afff6935db16268f99d07247f42f0cc67a25f453848b29c7

SHA512
4fa2b96b2a9faea5f1e5ad56269a2caa17a8f3d8c800e1f94da63b5847940e000c3d9d799c539531531b20bb644b31a307c8de527280476be004bea94a4f7a54

Download Submit
C:\windows\SysWOW64\UWZ.exe.bat

Filesize
70B

MD5
74bc8e3e9ba76697dfe1b6be9eb9ec2a

SHA1
16eb0af50bdd965f35853bd7f4405a152820a5c2

SHA256
ad622d47d12908594d45f63a685e96e679f96a545c0d56ca459c44e50aa9481c

SHA512
df08eca970409542cab48f54e9881982f08a8792124503f0ee16952c59130aa05842d5b8b089bd07bbb74901561507026fad740b83b651353705bacebdecc002

Download Submit
C:\windows\SysWOW64\XJDS.exe.bat

Filesize
72B

MD5
aa9e31a23da4b0ea12f44de06566e544

SHA1
3871e0979ff8b3566ac0a1fe6bc6bf7425da7191

SHA256
6bfb5f85c7b4c904538ebfe4422efeb1cdaf9912f009a9322c8ca3b1e1e910bd

SHA512
205ee646411d7c6059594522c1cfd3a7b483996449635e5c229b569bfd030c63f25498c8c9874f21029ac7350557aeefc8af9518d4a3759f7ab1246855120254

Download Submit
C:\windows\SysWOW64\ZIKV.exe.bat

Filesize
72B

MD5
82a7fc582856d855df3fb6c91f1f460d

SHA1
6d6c71a35ca77edf62819ea10c1391692d17b10a

SHA256
d4d56193e8bd506d530ea6ba05528a1db9dc613c985925fe7e39ce0dd6f62ed7

SHA512
971923a08b8a9afb8790eecb19893685164ca540533d7b77d658543b2f358c7b4de6ffa08e1e13f36849cbde13fe25f1d9d02493e5d8b4fff83bfc1064a2a8c2

Download Submit
C:\windows\WCMJJ.exe.bat

Filesize
56B

MD5
53b387dc929f08d071ef16e00a3f3981

SHA1
c762bd511811a509c15fbdf6912124dee5791383

SHA256
cefce02d17e933b794dc3329a3fb7e94665796c7414eb888edad5decc0d8cd4b

SHA512
fa4103061de8ce4a5b15b5494549700dea3b871aff0270a8017829c70e9ed88ab8e0f1b927b077df7f3d10b59ec6dc3ffdfbe7b25942f587c7a5a5d86faadf00

Download Submit
C:\windows\system\AKUISF.exe

Filesize
208KB

MD5
f61f38687af5763cbfb600d963068c20

SHA1
b596f165154e13b2cc01b1f4e5702f62ab93988f

SHA256
ac882400a638290ed7fcad6692c8e092047bce5cb572a1c4fde70fa1e4df2caf

SHA512
b503882dc0edb53791f8fa80bbd36f225f9e57e41e9d4a439ba22cf79a2dc04edddd5cc9f38a9ffcf20c880fcecae54b5c14f25c290889ff8c25b53b66763cf6

Download Submit
C:\windows\system\AKUISF.exe.bat

Filesize
72B

MD5
9ac95ca71f77bdd0ce8f078f7f598a82

SHA1
7a4a94f8779e75a308d5ca0ba205861266cb454e

SHA256
76c157826dbe60d6824bb0f976a3c38e19e2378c138a1207672ce56f24795a39

SHA512
ef3fc171a75e1a77fcd5e9d12e9fd3ddd515d2f89422ab0032c130b3ac9e5b6e79fe5aab3e4f3c514968122a8fe982586e4a84d8793857ab6ccbb6b04177e285

Download Submit
C:\windows\system\ASYSH.exe.bat

Filesize
70B

MD5
c7c756be8ce7e8407615a3722ecfb183

SHA1
cb19e79a1116150544669448466fadde1dd7d9ed

SHA256
15043da5fa1f5c0bdbb381d6fa67df0510fe59d252a8450f86d343035bc0d3a2

SHA512
030c2439dca431347ab2594464e11142189f742fafd29469a0ec54c24cc40f882032ee84b5dea342f7fe8e1b446fc67ede9f12e9915a78f8639f7bbc7d83289d

Download Submit
C:\windows\system\BTVVGE.exe.bat

Filesize
72B

MD5
a03c468683f1bc2e9b561afb17f49c09

SHA1
d0f8f5d3d14a8a4218e31c014bf1375f0db2beea

SHA256
2a9022f9cfaeea71951c0c467daa46d93dbe5cd4c59cfe36450bcebc5963498e

SHA512
79a1f94ca89707d38155d6ae84a5e5be98bbf02397354844720262a2ddc2d1d7be93056ebb2b4d93a3d41031924a6103386f5e62c3d5d9043c2f55ba4f1b92da

Download Submit
C:\windows\system\CHHS.exe.bat

Filesize
68B

MD5
ba053aadea482be848921581fe09af55

SHA1
23930adf16d644cca09b1d8d861eb4943465d5bb

SHA256
344445c96d17f5d89567169473ae6bf67857f6a8dddd9ae2e5a22eaf91006b18

SHA512
dc065577639e87dcdaf26d829200370b3cdd6766d3e4ba4502dc622d40026d69f32292b01f70147520678b91b83eaf2e85d5f1b5c5cd8cb07a59a55fd1cb2f43

Download Submit
C:\windows\system\CXBQZ.exe.bat

Filesize
70B

MD5
6ccb08242b0fe0c4cc9453317e7aa648

SHA1
d0355f31613c85033fda918ce6e97190c422f044

SHA256
df1849cd752f8590ee3526b85d45c906bdea6222488f8526e49f7781849abc41

SHA512
fa6925e6a65ece6c39c5cefa43e34958297887b2e2ecb843b201d8d4bb8881d146d853c8af3e71c223241fbbb9dfde3b7bea6dd4de22fc1b8b8950d7f1077dbc

Download Submit
C:\windows\system\FIXR.exe.bat

Filesize
68B

MD5
4ef1bbc489aaf0623a3096b5f9def7f5

SHA1
a7f390a43d36c6dd9c80effc19135ed7db0b72df

SHA256
17d4de97aa6c94651653230de4c8a466e44e8ffa99f315189f53c9169403eca8

SHA512
5470d511462a6cc8716dfe4136f6ac59de557a0ca1083141a220538a44ff8e2b7beca15d72a184d79a8d19f9dd7f0d078ba83f9de9fa6ff0198a14413b1a8f1d

Download Submit
C:\windows\system\LPL.exe.bat

Filesize
66B

MD5
1b3e155d1374db50fd612b4351b77304

SHA1
5db8c5a983dc7de25edb116c0ccb5b54f980fa9e

SHA256
541e5779a3f45cae80cf84719687b3e39e79fa72a6e9af8ceeeac161e483960d

SHA512
f6a0509a6682e5cb1b48554f25ef5fa09bb6c1c17db608ca5e5ccf1052cd2e17d5d7d4707938faae28cd2d36a8d53946591b5a08861df4a398de839c7d13be28

Download Submit
C:\windows\system\QRMAX.exe

Filesize
208KB

MD5
5c2b7edc086c6a9edc1939a1ca1b6107

SHA1
565b16d6799939d8e7571f269c49f836362dc2ce

SHA256
ebab3206ad60307dcfb8997efff66412ed381b28ddc26e94346e7f65b52e598c

SHA512
a35d16e51c1bc8dbcb79eae23e94880552326870bd7aae6dbad6b6cf380880f97c57d08f69ed50f2306d03245ee51723e234160146e60ee17d2cbf8f81336931

Download Submit
C:\windows\system\QRMAX.exe.bat

Filesize
70B

MD5
9cf57a20debabdf765100b38579ba7d8

SHA1
f035274a5b3c08a1161226085ddb3efb7a725d6a

SHA256
20e31bda5a446d388ee73b1a56a8c6e6907eef61aa92917b10a3fe0dceb10d8d

SHA512
152ba995612c16acfd4704612d9a8c7c0edf566b91af2663ac0c2a2055becc66cf093296a5c17e3abd44302916402b333120a781ffc52421e44af7a1f61add61

Download Submit
C:\windows\system\ZJW.exe.bat

Filesize
66B

MD5
aba3072fa6d0788a3aea2099fbec0227

SHA1
d52e1ae0419761925cef543eeb80d772a65d35ab

SHA256
931cc6b58ff8a02fded78f5ccd11b5e2c5d2858084e5f683b624f89a401ce37f

SHA512
2e713723d5fba5448feeeb96a0fb1dfc88a0ea0f7db9fe57a5623bee344d4130cbea35e5ed2f222d66c77ff5960bb522bf0052638b5ffe2b26ba6f8c6945dbc2

Download Submit
memory/548-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/548-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/552-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/552-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1020-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1020-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1060-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1060-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1248-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1248-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1416-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1572-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1572-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1856-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1856-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1876-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1876-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2148-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2148-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2308-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2308-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2472-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2472-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2592-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2592-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2976-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2976-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3096-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3096-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3096-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3096-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3108-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3108-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3236-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3236-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3316-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3316-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3620-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3620-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4024-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4024-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4064-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4064-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4356-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4384-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4384-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4572-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4572-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4684-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4684-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4752-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4752-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4892-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4892-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download