8e8bb101a5d4fa20b6c48d965827ff065125639ce6433105b81402cdf8e872a4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
Size

289KB
MD5

daa0dcfa7fd4104a26897fef6ca0bf90
SHA1

bb8177e1de4cf85bc8827547d8e5ac6f41e271b2
SHA256

8e8bb101a5d4fa20b6c48d965827ff065125639ce6433105b81402cdf8e872a4
SHA512

b084c031d032f1d547f7783f8bd4553a7bb44e89029a6e8419160b1bd9e04f5e06bfbc2640b545a1766c3ba925916b06498d5676d6f770f59ac043670e2225f8
SSDEEP

6144:gblyesukYZdvrniRfBgM1HSk03Ck4YukECzJLaQVbU5:gJ7Z5rnIHSk03Ck7uklJLJbU5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CDDKHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WRBLZAK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BAX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	GMJC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KKYXFEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	FYLOUSO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OYVTUN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DHRMYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KJFFYVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PICGJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IEPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HMXNDP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UHTSO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	NIHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UPJPMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LQKYUP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OUEPYE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WHXIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HBFCM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IOKHGMK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BPVMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	STOTAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	USVWP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VTIIPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SLBZYSF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VKONKE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XFYLJMV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CVHEWXY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PIO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MKG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LGFS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XWMSNF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ICIOKKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZFRYAJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CPHI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IQGFBAO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ADQXTZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	AHBFXFG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PZWTAXJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VFITAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VWACA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LXSG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EFLD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PACED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	YUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OMUFRMJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PCVCEI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MYMNF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	NMJIWYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	FLYPCKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SVLAW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MLQK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QBNRBUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QWRNHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IZC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IPJDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CDJMK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EHEKC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ONCFFTD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	JZMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	LRDPBN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DFGZ.exe

Executes dropped EXE 64 IoCs

pid	Process
5064	TYZQJJY.exe
3012	WMWZ.exe
4952	KKYXFEC.exe
4500	DFPBJIL.exe
2452	MDH.exe
3028	NIHC.exe
1432	BETDPM.exe
3952	ZBEY.exe
2440	UPJPMR.exe
2056	OCO.exe
4060	ESPQ.exe
1268	NARVZJI.exe
2024	LQKYUP.exe
1004	SLBZYSF.exe
880	JZMR.exe
2596	BUPVUE.exe
3208	LRDPBN.exe
4904	PDBC.exe
3104	FYLOUSO.exe
3512	SVLAW.exe
1056	UTY.exe
4968	ATGAU.exe
552	TMNLE.exe
1084	VKONKE.exe
1176	UVRDLKM.exe
1540	WSXYATV.exe
4496	IILY.exe
4748	CWQHOL.exe
5108	XJN.exe
3472	WUYGHZR.exe
2588	KZWE.exe
4904	WKG.exe
1700	EFLD.exe
4540	MLQK.exe
2900	OYVTUN.exe
4688	ZRKE.exe
2400	DHRMYY.exe
4332	ZFRYAJU.exe
1464	XFYLJMV.exe
4904	DFGZ.exe
4276	BYR.exe
3820	WLOZL.exe
4672	NMQEOR.exe
4732	CPHI.exe
4376	GSFDHFM.exe
5048	WNPHS.exe
4400	MXSX.exe
2336	EGUDE.exe
4116	TWH.exe
4628	QBNRBUD.exe
4660	QWRNHK.exe
3920	SUWH.exe
3768	PACED.exe
2388	CCYDI.exe
2708	CVHEWXY.exe
2736	IQGFBAO.exe
4592	MYMNF.exe
3056	OUEPYE.exe
748	YUGU.exe
3272	BCO.exe
2624	VYTAT.exe
3752	IACYH.exe
3380	HLFGQMV.exe
2584	IOVCE.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\IACYH.exe.bat	VYTAT.exe
File opened for modification	C:\windows\SysWOW64\IOKHGMK.exe	AEJFSIV.exe
File created	C:\windows\SysWOW64\ZWADP.exe	EJV.exe
File created	C:\windows\SysWOW64\QGCIPB.exe.bat	XDYMJLB.exe
File created	C:\windows\SysWOW64\FYLOUSO.exe.bat	PDBC.exe
File opened for modification	C:\windows\SysWOW64\CGDFXPE.exe	JCZ.exe
File opened for modification	C:\windows\SysWOW64\XWMSNF.exe	LGFS.exe
File created	C:\windows\SysWOW64\YETXJ.exe	XBPBVQ.exe
File opened for modification	C:\windows\SysWOW64\PXIWB.exe	WUE.exe
File opened for modification	C:\windows\SysWOW64\WRBLZAK.exe	LZGSQS.exe
File created	C:\windows\SysWOW64\WRBLZAK.exe	LZGSQS.exe
File created	C:\windows\SysWOW64\CGDFXPE.exe	JCZ.exe
File created	C:\windows\SysWOW64\OCPC.exe.bat	ICIOKKI.exe
File created	C:\windows\SysWOW64\KAPHXHO.exe.bat	TCR.exe
File created	C:\windows\SysWOW64\DYF.exe	UXDCEQW.exe
File opened for modification	C:\windows\SysWOW64\USVWP.exe	BXJTKQ.exe
File created	C:\windows\SysWOW64\FQOU.exe	OIM.exe
File created	C:\windows\SysWOW64\JNRMHG.exe	IPJDF.exe
File created	C:\windows\SysWOW64\BVFGEI.exe.bat	RYZUWA.exe
File created	C:\windows\SysWOW64\YUTBGH.exe.bat	OMRWU.exe
File created	C:\windows\SysWOW64\XWMSNF.exe	LGFS.exe
File created	C:\windows\SysWOW64\XWMSNF.exe.bat	LGFS.exe
File created	C:\windows\SysWOW64\ZWADP.exe.bat	EJV.exe
File created	C:\windows\SysWOW64\CWQHOL.exe.bat	IILY.exe
File created	C:\windows\SysWOW64\XVIFH.exe.bat	ZCFPYR.exe
File opened for modification	C:\windows\SysWOW64\OKOIT.exe	XVIFH.exe
File opened for modification	C:\windows\SysWOW64\WMWZ.exe	TYZQJJY.exe
File created	C:\windows\SysWOW64\IOKHGMK.exe.bat	AEJFSIV.exe
File created	C:\windows\SysWOW64\GMJC.exe	RWI.exe
File opened for modification	C:\windows\SysWOW64\INUQ.exe	IZC.exe
File created	C:\windows\SysWOW64\BVFGEI.exe	RYZUWA.exe
File created	C:\windows\SysWOW64\ATGAU.exe	UTY.exe
File opened for modification	C:\windows\SysWOW64\DYF.exe	UXDCEQW.exe
File created	C:\windows\SysWOW64\PIO.exe	ANJW.exe
File created	C:\windows\SysWOW64\NWEETU.exe	CDJMK.exe
File created	C:\windows\SysWOW64\SYM.exe.bat	DDDEL.exe
File created	C:\windows\SysWOW64\FQOU.exe.bat	OIM.exe
File created	C:\windows\SysWOW64\GMJC.exe.bat	RWI.exe
File opened for modification	C:\windows\SysWOW64\CWQHOL.exe	IILY.exe
File opened for modification	C:\windows\SysWOW64\VWACA.exe	EYBZO.exe
File created	C:\windows\SysWOW64\YETXJ.exe.bat	XBPBVQ.exe
File created	C:\windows\SysWOW64\PXIWB.exe.bat	WUE.exe
File created	C:\windows\SysWOW64\INUQ.exe.bat	IZC.exe
File opened for modification	C:\windows\SysWOW64\CGHOM.exe	CDDKHC.exe
File created	C:\windows\SysWOW64\ZMHDIK.exe.bat	WQQBO.exe
File opened for modification	C:\windows\SysWOW64\YETXJ.exe	XBPBVQ.exe
File created	C:\windows\SysWOW64\CGHOM.exe	CDDKHC.exe
File opened for modification	C:\windows\SysWOW64\GMJC.exe	RWI.exe
File opened for modification	C:\windows\SysWOW64\PIO.exe	ANJW.exe
File created	C:\windows\SysWOW64\PFB.exe.bat	PKXC.exe
File created	C:\windows\SysWOW64\NWEETU.exe.bat	CDJMK.exe
File opened for modification	C:\windows\SysWOW64\XWIQ.exe	IBZEFQ.exe
File opened for modification	C:\windows\SysWOW64\PFB.exe	PKXC.exe
File created	C:\windows\SysWOW64\TXZA.exe.bat	GMJC.exe
File created	C:\windows\SysWOW64\VYTAT.exe	BCO.exe
File opened for modification	C:\windows\SysWOW64\YUTBGH.exe	OMRWU.exe
File opened for modification	C:\windows\SysWOW64\OCPC.exe	ICIOKKI.exe
File created	C:\windows\SysWOW64\INUQ.exe	IZC.exe
File created	C:\windows\SysWOW64\XDYMJLB.exe	HMXNDP.exe
File created	C:\windows\SysWOW64\PICGJ.exe	JIV.exe
File created	C:\windows\SysWOW64\KZWE.exe	WUYGHZR.exe
File opened for modification	C:\windows\SysWOW64\FTOR.exe	ZTGE.exe
File created	C:\windows\SysWOW64\VTYCIP.exe	SGUT.exe
File created	C:\windows\SysWOW64\LZGSQS.exe.bat	VJFSK.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\LQKYUP.exe.bat	NARVZJI.exe
File created	C:\windows\IILY.exe.bat	WSXYATV.exe
File created	C:\windows\EGUDE.exe.bat	MXSX.exe
File created	C:\windows\PZCQ.exe	STXT.exe
File created	C:\windows\RWI.exe.bat	PZCQ.exe
File created	C:\windows\system\LXSG.exe.bat	PXIWB.exe
File created	C:\windows\LRDPBN.exe	BUPVUE.exe
File created	C:\windows\LRDPBN.exe.bat	BUPVUE.exe
File opened for modification	C:\windows\system\ZFRYAJU.exe	DHRMYY.exe
File created	C:\windows\system\ARZ.exe.bat	PZWTAXJ.exe
File opened for modification	C:\windows\JCZ.exe	YUTBGH.exe
File created	C:\windows\ZBEY.exe.bat	BETDPM.exe
File created	C:\windows\EGUDE.exe	MXSX.exe
File created	C:\windows\system\MYMNF.exe	IQGFBAO.exe
File created	C:\windows\system\LGFS.exe	CGDFXPE.exe
File created	C:\windows\YHBTTTW.exe.bat	DLWCIT.exe
File opened for modification	C:\windows\system\WQQBO.exe	FQOO.exe
File created	C:\windows\system\WHXIW.exe	XWMSNF.exe
File created	C:\windows\system\KJFFYVW.exe	PWBOO.exe
File created	C:\windows\HLOC.exe.bat	PICGJ.exe
File opened for modification	C:\windows\system\KKYXFEC.exe	WMWZ.exe
File opened for modification	C:\windows\OCO.exe	UPJPMR.exe
File opened for modification	C:\windows\system\XJN.exe	CWQHOL.exe
File created	C:\windows\YUQ.exe	IEPB.exe
File created	C:\windows\system\EDUACAS.exe.bat	CGHOM.exe
File created	C:\windows\system\STOTAA.exe.bat	DYF.exe
File opened for modification	C:\windows\HLFGQMV.exe	IACYH.exe
File created	C:\windows\VJFSK.exe	EDUACAS.exe
File opened for modification	C:\windows\BXJTKQ.exe	HBMJA.exe
File opened for modification	C:\windows\system\GWS.exe	FTOR.exe
File opened for modification	C:\windows\system\IPJDF.exe	GCE.exe
File created	C:\windows\system\EHEKC.exe.bat	OMUFRMJ.exe
File opened for modification	C:\windows\HYWFJ.exe	NKFV.exe
File opened for modification	C:\windows\UPJPMR.exe	ZBEY.exe
File created	C:\windows\system\XFYLJMV.exe	ZFRYAJU.exe
File created	C:\windows\WNPHS.exe	GSFDHFM.exe
File created	C:\windows\YUQ.exe.bat	IEPB.exe
File opened for modification	C:\windows\CSE.exe	BPVMZ.exe
File opened for modification	C:\windows\system\LGFS.exe	CGDFXPE.exe
File created	C:\windows\EOWEZHE.exe.bat	PTFS.exe
File opened for modification	C:\windows\system\MYMNF.exe	IQGFBAO.exe
File created	C:\windows\system\UPGD.exe	MKG.exe
File opened for modification	C:\windows\OMRWU.exe	ZRHRJPE.exe
File created	C:\windows\system\ZCFPYR.exe	YHBTTTW.exe
File created	C:\windows\HBFCM.exe	BAX.exe
File created	C:\windows\system\FQUTPU.exe	TXZA.exe
File created	C:\windows\OCO.exe.bat	UPJPMR.exe
File created	C:\windows\UXDCEQW.exe	KAPHXHO.exe
File created	C:\windows\system\PTFS.exe	BVFGEI.exe
File created	C:\windows\NMQEOR.exe	WLOZL.exe
File opened for modification	C:\windows\PZWTAXJ.exe	SYM.exe
File created	C:\windows\PKXC.exe.bat	NMJIWYM.exe
File opened for modification	C:\windows\system\KJFFYVW.exe	PWBOO.exe
File created	C:\windows\system\VKONKE.exe.bat	TMNLE.exe
File created	C:\windows\NMQEOR.exe.bat	WLOZL.exe
File created	C:\windows\system\HBMJA.exe	ZWADP.exe
File created	C:\windows\system\OIM.exe.bat	VFITAQ.exe
File opened for modification	C:\windows\YHBTTTW.exe	DLWCIT.exe
File opened for modification	C:\windows\DFPBJIL.exe	KKYXFEC.exe
File opened for modification	C:\windows\system\NIHC.exe	MDH.exe
File created	C:\windows\system\XJN.exe.bat	CWQHOL.exe
File created	C:\windows\system\MLQK.exe	EFLD.exe
File created	C:\windows\TCTO.exe.bat	PUNGEQ.exe
File created	C:\windows\system\WSXYATV.exe.bat	UVRDLKM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4920	1228	WerFault.exe	81
1168	5064	WerFault.exe	89
2300	3012	WerFault.exe	95
2736	4952	WerFault.exe	100
2588	4500	WerFault.exe	105
3348	2452	WerFault.exe	112
2432	3028	WerFault.exe	117
4084	1432	WerFault.exe	124
1292	3952	WerFault.exe	130
5108	2440	WerFault.exe	135
4732	2056	WerFault.exe	141
624	4060	WerFault.exe	147
1176	1268	WerFault.exe	152
532	2024	WerFault.exe	157
5036	1004	WerFault.exe	162
4628	880	WerFault.exe	168
2028	2596	WerFault.exe	173
2368	3208	WerFault.exe	178
1168	4904	WerFault.exe	183
3504	3104	WerFault.exe	189
2336	3512	WerFault.exe	194
4152	1056	WerFault.exe	199
3804	4968	WerFault.exe	204
3488	552	WerFault.exe	209
3924	1084	WerFault.exe	214
4064	1176	WerFault.exe	219
3652	1540	WerFault.exe	224
1752	4496	WerFault.exe	229
4508	4748	WerFault.exe	234
4652	5108	WerFault.exe	239
1948	3472	WerFault.exe	244
1168	2588	WerFault.exe	249
4940	4904	WerFault.exe	254
1364	1700	WerFault.exe	259
3156	4540	WerFault.exe	264
3060	2900	WerFault.exe	269
3604	4688	WerFault.exe	274
3164	2400	WerFault.exe	280
1656	4332	WerFault.exe	285
3028	1464	WerFault.exe	290
3012	4904	WerFault.exe	295
1256	4276	WerFault.exe	300
3060	3820	WerFault.exe	305
4936	4672	WerFault.exe	310
2016	4732	WerFault.exe	315
4980	4376	WerFault.exe	320
4064	5048	WerFault.exe	325
880	4400	WerFault.exe	330
3184	2336	WerFault.exe	335
408	4116	WerFault.exe	341
2716	4628	WerFault.exe	346
2016	4660	WerFault.exe	351
4900	3920	WerFault.exe	356
4416	3768	WerFault.exe	361
2120	2388	WerFault.exe	366
2020	2708	WerFault.exe	371
3168	2736	WerFault.exe	376
1168	4592	WerFault.exe	381
2636	3056	WerFault.exe	386
4376	748	WerFault.exe	391
5048	3272	WerFault.exe	396
820	2624	WerFault.exe	401
3112	3752	WerFault.exe	406
4344	3380	WerFault.exe	411

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
5064	TYZQJJY.exe
5064	TYZQJJY.exe
3012	WMWZ.exe
3012	WMWZ.exe
4952	KKYXFEC.exe
4952	KKYXFEC.exe
4500	DFPBJIL.exe
4500	DFPBJIL.exe
2452	MDH.exe
2452	MDH.exe
3028	NIHC.exe
3028	NIHC.exe
1432	BETDPM.exe
1432	BETDPM.exe
3952	ZBEY.exe
3952	ZBEY.exe
2440	UPJPMR.exe
2440	UPJPMR.exe
2056	OCO.exe
2056	OCO.exe
4060	ESPQ.exe
4060	ESPQ.exe
1268	NARVZJI.exe
1268	NARVZJI.exe
2024	LQKYUP.exe
2024	LQKYUP.exe
1004	SLBZYSF.exe
1004	SLBZYSF.exe
880	JZMR.exe
880	JZMR.exe
2596	BUPVUE.exe
2596	BUPVUE.exe
3208	LRDPBN.exe
3208	LRDPBN.exe
4904	PDBC.exe
4904	PDBC.exe
3104	FYLOUSO.exe
3104	FYLOUSO.exe
3512	SVLAW.exe
3512	SVLAW.exe
1056	UTY.exe
1056	UTY.exe
4968	ATGAU.exe
4968	ATGAU.exe
552	TMNLE.exe
552	TMNLE.exe
1084	VKONKE.exe
1084	VKONKE.exe
1176	UVRDLKM.exe
1176	UVRDLKM.exe
1540	WSXYATV.exe
1540	WSXYATV.exe
4496	IILY.exe
4496	IILY.exe
4748	CWQHOL.exe
4748	CWQHOL.exe
5108	XJN.exe
5108	XJN.exe
3472	WUYGHZR.exe
3472	WUYGHZR.exe
2588	KZWE.exe
2588	KZWE.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
5064	TYZQJJY.exe
5064	TYZQJJY.exe
3012	WMWZ.exe
3012	WMWZ.exe
4952	KKYXFEC.exe
4952	KKYXFEC.exe
4500	DFPBJIL.exe
4500	DFPBJIL.exe
2452	MDH.exe
2452	MDH.exe
3028	NIHC.exe
3028	NIHC.exe
1432	BETDPM.exe
1432	BETDPM.exe
3952	ZBEY.exe
3952	ZBEY.exe
2440	UPJPMR.exe
2440	UPJPMR.exe
2056	OCO.exe
2056	OCO.exe
4060	ESPQ.exe
4060	ESPQ.exe
1268	NARVZJI.exe
1268	NARVZJI.exe
2024	LQKYUP.exe
2024	LQKYUP.exe
1004	SLBZYSF.exe
1004	SLBZYSF.exe
880	JZMR.exe
880	JZMR.exe
2596	BUPVUE.exe
2596	BUPVUE.exe
3208	LRDPBN.exe
3208	LRDPBN.exe
4904	PDBC.exe
4904	PDBC.exe
3104	FYLOUSO.exe
3104	FYLOUSO.exe
3512	SVLAW.exe
3512	SVLAW.exe
1056	UTY.exe
1056	UTY.exe
4968	ATGAU.exe
4968	ATGAU.exe
552	TMNLE.exe
552	TMNLE.exe
1084	VKONKE.exe
1084	VKONKE.exe
1176	UVRDLKM.exe
1176	UVRDLKM.exe
1540	WSXYATV.exe
1540	WSXYATV.exe
4496	IILY.exe
4496	IILY.exe
4748	CWQHOL.exe
4748	CWQHOL.exe
5108	XJN.exe
5108	XJN.exe
3472	WUYGHZR.exe
3472	WUYGHZR.exe
2588	KZWE.exe
2588	KZWE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3524	1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe	85
PID 1228 wrote to memory of 3524	1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe	85
PID 1228 wrote to memory of 3524	1228	daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe	85
PID 3524 wrote to memory of 5064	3524	cmd.exe	89
PID 3524 wrote to memory of 5064	3524	cmd.exe	89
PID 3524 wrote to memory of 5064	3524	cmd.exe	89
PID 5064 wrote to memory of 2636	5064	TYZQJJY.exe	91
PID 5064 wrote to memory of 2636	5064	TYZQJJY.exe	91
PID 5064 wrote to memory of 2636	5064	TYZQJJY.exe	91
PID 2636 wrote to memory of 3012	2636	cmd.exe	95
PID 2636 wrote to memory of 3012	2636	cmd.exe	95
PID 2636 wrote to memory of 3012	2636	cmd.exe	95
PID 3012 wrote to memory of 5020	3012	WMWZ.exe	96
PID 3012 wrote to memory of 5020	3012	WMWZ.exe	96
PID 3012 wrote to memory of 5020	3012	WMWZ.exe	96
PID 5020 wrote to memory of 4952	5020	cmd.exe	100
PID 5020 wrote to memory of 4952	5020	cmd.exe	100
PID 5020 wrote to memory of 4952	5020	cmd.exe	100
PID 4952 wrote to memory of 1004	4952	KKYXFEC.exe	101
PID 4952 wrote to memory of 1004	4952	KKYXFEC.exe	101
PID 4952 wrote to memory of 1004	4952	KKYXFEC.exe	101
PID 1004 wrote to memory of 4500	1004	cmd.exe	105
PID 1004 wrote to memory of 4500	1004	cmd.exe	105
PID 1004 wrote to memory of 4500	1004	cmd.exe	105
PID 4500 wrote to memory of 4876	4500	DFPBJIL.exe	108
PID 4500 wrote to memory of 4876	4500	DFPBJIL.exe	108
PID 4500 wrote to memory of 4876	4500	DFPBJIL.exe	108
PID 4876 wrote to memory of 2452	4876	cmd.exe	112
PID 4876 wrote to memory of 2452	4876	cmd.exe	112
PID 4876 wrote to memory of 2452	4876	cmd.exe	112
PID 2452 wrote to memory of 1844	2452	MDH.exe	113
PID 2452 wrote to memory of 1844	2452	MDH.exe	113
PID 2452 wrote to memory of 1844	2452	MDH.exe	113
PID 1844 wrote to memory of 3028	1844	cmd.exe	117
PID 1844 wrote to memory of 3028	1844	cmd.exe	117
PID 1844 wrote to memory of 3028	1844	cmd.exe	117
PID 3028 wrote to memory of 1204	3028	NIHC.exe	120
PID 3028 wrote to memory of 1204	3028	NIHC.exe	120
PID 3028 wrote to memory of 1204	3028	NIHC.exe	120
PID 1204 wrote to memory of 1432	1204	cmd.exe	124
PID 1204 wrote to memory of 1432	1204	cmd.exe	124
PID 1204 wrote to memory of 1432	1204	cmd.exe	124
PID 1432 wrote to memory of 2124	1432	BETDPM.exe	126
PID 1432 wrote to memory of 2124	1432	BETDPM.exe	126
PID 1432 wrote to memory of 2124	1432	BETDPM.exe	126
PID 2124 wrote to memory of 3952	2124	cmd.exe	130
PID 2124 wrote to memory of 3952	2124	cmd.exe	130
PID 2124 wrote to memory of 3952	2124	cmd.exe	130
PID 3952 wrote to memory of 4324	3952	ZBEY.exe	131
PID 3952 wrote to memory of 4324	3952	ZBEY.exe	131
PID 3952 wrote to memory of 4324	3952	ZBEY.exe	131
PID 4324 wrote to memory of 2440	4324	cmd.exe	135
PID 4324 wrote to memory of 2440	4324	cmd.exe	135
PID 4324 wrote to memory of 2440	4324	cmd.exe	135
PID 2440 wrote to memory of 3996	2440	UPJPMR.exe	137
PID 2440 wrote to memory of 3996	2440	UPJPMR.exe	137
PID 2440 wrote to memory of 3996	2440	UPJPMR.exe	137
PID 3996 wrote to memory of 2056	3996	cmd.exe	141
PID 3996 wrote to memory of 2056	3996	cmd.exe	141
PID 3996 wrote to memory of 2056	3996	cmd.exe	141
PID 2056 wrote to memory of 3772	2056	OCO.exe	143
PID 2056 wrote to memory of 3772	2056	OCO.exe	143
PID 2056 wrote to memory of 3772	2056	OCO.exe	143
PID 3772 wrote to memory of 4060	3772	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\daa0dcfa7fd4104a26897fef6ca0bf90_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\TYZQJJY.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\windows\system\TYZQJJY.exe
    C:\windows\system\TYZQJJY.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WMWZ.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\windows\SysWOW64\WMWZ.exe
        
        C:\windows\system32\WMWZ.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KKYXFEC.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\windows\system\KKYXFEC.exe
        
        C:\windows\system\KKYXFEC.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFPBJIL.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\windows\DFPBJIL.exe
        
        C:\windows\DFPBJIL.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MDH.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\windows\MDH.exe
        
        C:\windows\MDH.exe
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NIHC.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\windows\system\NIHC.exe
        
        C:\windows\system\NIHC.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BETDPM.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\windows\system\BETDPM.exe
        
        C:\windows\system\BETDPM.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZBEY.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\windows\ZBEY.exe
        
        C:\windows\ZBEY.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UPJPMR.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\windows\UPJPMR.exe
        
        C:\windows\UPJPMR.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OCO.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\windows\OCO.exe
        
        C:\windows\OCO.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ESPQ.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\windows\ESPQ.exe
        
        C:\windows\ESPQ.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NARVZJI.exe.bat" "
        24⤵
        
        PID:2616
        
        C:\windows\NARVZJI.exe
        
        C:\windows\NARVZJI.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LQKYUP.exe.bat" "
        26⤵
        
        PID:3892
        
        C:\windows\LQKYUP.exe
        
        C:\windows\LQKYUP.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SLBZYSF.exe.bat" "
        28⤵
        
        PID:2460
        
        C:\windows\system\SLBZYSF.exe
        
        C:\windows\system\SLBZYSF.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JZMR.exe.bat" "
        30⤵
        
        PID:1368
        
        C:\windows\JZMR.exe
        
        C:\windows\JZMR.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUPVUE.exe.bat" "
        32⤵
        
        PID:4952
        
        C:\windows\SysWOW64\BUPVUE.exe
        
        C:\windows\system32\BUPVUE.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LRDPBN.exe.bat" "
        34⤵
        
        PID:2492
        
        C:\windows\LRDPBN.exe
        
        C:\windows\LRDPBN.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PDBC.exe.bat" "
        36⤵
        
        PID:4336
        
        C:\windows\system\PDBC.exe
        
        C:\windows\system\PDBC.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYLOUSO.exe.bat" "
        38⤵
        
        PID:4468
        
        C:\windows\SysWOW64\FYLOUSO.exe
        
        C:\windows\system32\FYLOUSO.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVLAW.exe.bat" "
        40⤵
        
        PID:4816
        
        C:\windows\SysWOW64\SVLAW.exe
        
        C:\windows\system32\SVLAW.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UTY.exe.bat" "
        42⤵
        
        PID:4168
        
        C:\windows\UTY.exe
        
        C:\windows\UTY.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATGAU.exe.bat" "
        44⤵
        
        PID:4344
        
        C:\windows\SysWOW64\ATGAU.exe
        
        C:\windows\system32\ATGAU.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TMNLE.exe.bat" "
        46⤵
        
        PID:3264
        
        C:\windows\TMNLE.exe
        
        C:\windows\TMNLE.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKONKE.exe.bat" "
        48⤵
        
        PID:224
        
        C:\windows\system\VKONKE.exe
        
        C:\windows\system\VKONKE.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UVRDLKM.exe.bat" "
        50⤵
        
        PID:4312
        
        C:\windows\UVRDLKM.exe
        
        C:\windows\UVRDLKM.exe
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSXYATV.exe.bat" "
        52⤵
        
        PID:1520
        
        C:\windows\system\WSXYATV.exe
        
        C:\windows\system\WSXYATV.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IILY.exe.bat" "
        54⤵
        
        PID:4168
        
        C:\windows\IILY.exe
        
        C:\windows\IILY.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWQHOL.exe.bat" "
        56⤵
        
        PID:4988
        
        C:\windows\SysWOW64\CWQHOL.exe
        
        C:\windows\system32\CWQHOL.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJN.exe.bat" "
        58⤵
        
        PID:5004
        
        C:\windows\system\XJN.exe
        
        C:\windows\system\XJN.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WUYGHZR.exe.bat" "
        60⤵
        
        PID:2028
        
        C:\windows\WUYGHZR.exe
        
        C:\windows\WUYGHZR.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZWE.exe.bat" "
        62⤵
        
        PID:2492
        
        C:\windows\SysWOW64\KZWE.exe
        
        C:\windows\system32\KZWE.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKG.exe.bat" "
        64⤵
        
        PID:3700
        
        C:\windows\system\WKG.exe
        
        C:\windows\system\WKG.exe
        65⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EFLD.exe.bat" "
        66⤵
        
        PID:3924
        
        C:\windows\system\EFLD.exe
        
        C:\windows\system\EFLD.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLQK.exe.bat" "
        68⤵
        
        PID:4064
        
        C:\windows\system\MLQK.exe
        
        C:\windows\system\MLQK.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYVTUN.exe.bat" "
        70⤵
        
        PID:2116
        
        C:\windows\system\OYVTUN.exe
        
        C:\windows\system\OYVTUN.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZRKE.exe.bat" "
        72⤵
        
        PID:3184
        
        C:\windows\ZRKE.exe
        
        C:\windows\ZRKE.exe
        73⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DHRMYY.exe.bat" "
        74⤵
        
        PID:2920
        
        C:\windows\DHRMYY.exe
        
        C:\windows\DHRMYY.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFRYAJU.exe.bat" "
        76⤵
        
        PID:4968
        
        C:\windows\system\ZFRYAJU.exe
        
        C:\windows\system\ZFRYAJU.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFYLJMV.exe.bat" "
        78⤵
        
        PID:1844
        
        C:\windows\system\XFYLJMV.exe
        
        C:\windows\system\XFYLJMV.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFGZ.exe.bat" "
        80⤵
        
        PID:4416
        
        C:\windows\DFGZ.exe
        
        C:\windows\DFGZ.exe
        81⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BYR.exe.bat" "
        82⤵
        
        PID:1836
        
        C:\windows\BYR.exe
        
        C:\windows\BYR.exe
        83⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLOZL.exe.bat" "
        84⤵
        
        PID:3188
        
        C:\windows\system\WLOZL.exe
        
        C:\windows\system\WLOZL.exe
        85⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NMQEOR.exe.bat" "
        86⤵
        
        PID:4744
        
        C:\windows\NMQEOR.exe
        
        C:\windows\NMQEOR.exe
        87⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPHI.exe.bat" "
        88⤵
        
        PID:4500
        
        C:\windows\SysWOW64\CPHI.exe
        
        C:\windows\system32\CPHI.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GSFDHFM.exe.bat" "
        90⤵
        
        PID:708
        
        C:\windows\GSFDHFM.exe
        
        C:\windows\GSFDHFM.exe
        91⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WNPHS.exe.bat" "
        92⤵
        
        PID:1292
        
        C:\windows\WNPHS.exe
        
        C:\windows\WNPHS.exe
        93⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MXSX.exe.bat" "
        94⤵
        
        PID:4332
        
        C:\windows\MXSX.exe
        
        C:\windows\MXSX.exe
        95⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EGUDE.exe.bat" "
        96⤵
        
        PID:428
        
        C:\windows\EGUDE.exe
        
        C:\windows\EGUDE.exe
        97⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWH.exe.bat" "
        98⤵
        
        PID:4016
        
        C:\windows\SysWOW64\TWH.exe
        
        C:\windows\system32\TWH.exe
        99⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QBNRBUD.exe.bat" "
        100⤵
        
        PID:4844
        
        C:\windows\QBNRBUD.exe
        
        C:\windows\QBNRBUD.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWRNHK.exe.bat" "
        102⤵
        
        PID:2460
        
        C:\windows\system\QWRNHK.exe
        
        C:\windows\system\QWRNHK.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUWH.exe.bat" "
        104⤵
        
        PID:1360
        
        C:\windows\SysWOW64\SUWH.exe
        
        C:\windows\system32\SUWH.exe
        105⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PACED.exe.bat" "
        106⤵
        
        PID:808
        
        C:\windows\SysWOW64\PACED.exe
        
        C:\windows\system32\PACED.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCYDI.exe.bat" "
        108⤵
        
        PID:1700
        
        C:\windows\system\CCYDI.exe
        
        C:\windows\system\CCYDI.exe
        109⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVHEWXY.exe.bat" "
        110⤵
        
        PID:3012
        
        C:\windows\SysWOW64\CVHEWXY.exe
        
        C:\windows\system32\CVHEWXY.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IQGFBAO.exe.bat" "
        112⤵
        
        PID:4016
        
        C:\windows\IQGFBAO.exe
        
        C:\windows\IQGFBAO.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYMNF.exe.bat" "
        114⤵
        
        PID:1992
        
        C:\windows\system\MYMNF.exe
        
        C:\windows\system\MYMNF.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OUEPYE.exe.bat" "
        116⤵
        
        PID:3632
        
        C:\windows\system\OUEPYE.exe
        
        C:\windows\system\OUEPYE.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUGU.exe.bat" "
        118⤵
        
        PID:384
        
        C:\windows\YUGU.exe
        
        C:\windows\YUGU.exe
        119⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BCO.exe.bat" "
        120⤵
        
        PID:2920
        
        C:\windows\BCO.exe
        
        C:\windows\BCO.exe
        121⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VYTAT.exe.bat" "
        122⤵
        
        PID:4568
        
        C:\windows\SysWOW64\VYTAT.exe
        
        C:\windows\system32\VYTAT.exe
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IACYH.exe.bat" "
        124⤵
        
        PID:2164
        
        C:\windows\SysWOW64\IACYH.exe
        
        C:\windows\system32\IACYH.exe
        125⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HLFGQMV.exe.bat" "
        126⤵
        
        PID:3184
        
        C:\windows\HLFGQMV.exe
        
        C:\windows\HLFGQMV.exe
        127⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IOVCE.exe.bat" "
        128⤵
        
        PID:1364
        
        C:\windows\IOVCE.exe
        
        C:\windows\IOVCE.exe
        129⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QCHJ.exe.bat" "
        130⤵
        
        PID:3604
        
        C:\windows\QCHJ.exe
        
        C:\windows\QCHJ.exe
        131⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WXHSM.exe.bat" "
        132⤵
        
        PID:1596
        
        C:\windows\WXHSM.exe
        
        C:\windows\WXHSM.exe
        133⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPVMZ.exe.bat" "
        134⤵
        
        PID:4936
        
        C:\windows\system\BPVMZ.exe
        
        C:\windows\system\BPVMZ.exe
        135⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "
        136⤵
        
        PID:2248
        
        C:\windows\CSE.exe
        
        C:\windows\CSE.exe
        137⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZTGE.exe.bat" "
        138⤵
        
        PID:4684
        
        C:\windows\ZTGE.exe
        
        C:\windows\ZTGE.exe
        139⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTOR.exe.bat" "
        140⤵
        
        PID:4416
        
        C:\windows\SysWOW64\FTOR.exe
        
        C:\windows\system32\FTOR.exe
        141⤵
        Drops file in Windows directory
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GWS.exe.bat" "
        142⤵
        
        PID:3116
        
        C:\windows\system\GWS.exe
        
        C:\windows\system\GWS.exe
        143⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GCE.exe.bat" "
        144⤵
        
        PID:3632
        
        C:\windows\GCE.exe
        
        C:\windows\GCE.exe
        145⤵
        Drops file in Windows directory
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPJDF.exe.bat" "
        146⤵
        
        PID:4516
        
        C:\windows\system\IPJDF.exe
        
        C:\windows\system\IPJDF.exe
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNRMHG.exe.bat" "
        148⤵
        
        PID:2716
        
        C:\windows\SysWOW64\JNRMHG.exe
        
        C:\windows\system32\JNRMHG.exe
        149⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ADQXTZ.exe.bat" "
        150⤵
        
        PID:1836
        
        C:\windows\ADQXTZ.exe
        
        C:\windows\ADQXTZ.exe
        151⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SGUT.exe.bat" "
        152⤵
        
        PID:3000
        
        C:\windows\SGUT.exe
        
        C:\windows\SGUT.exe
        153⤵
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYCIP.exe.bat" "
        154⤵
        
        PID:2020
        
        C:\windows\SysWOW64\VTYCIP.exe
        
        C:\windows\system32\VTYCIP.exe
        155⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IEPB.exe.bat" "
        156⤵
        
        PID:844
        
        C:\windows\IEPB.exe
        
        C:\windows\IEPB.exe
        157⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUQ.exe.bat" "
        158⤵
        
        PID:3156
        
        C:\windows\YUQ.exe
        
        C:\windows\YUQ.exe
        159⤵
        Checks computer location settings
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MZWPKXY.exe.bat" "
        160⤵
        
        PID:4080
        
        C:\windows\system\MZWPKXY.exe
        
        C:\windows\system\MZWPKXY.exe
        161⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNSZ.exe.bat" "
        162⤵
        
        PID:3248
        
        C:\windows\system\PNSZ.exe
        
        C:\windows\system\PNSZ.exe
        163⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CXJX.exe.bat" "
        164⤵
        
        PID:3052
        
        C:\windows\CXJX.exe
        
        C:\windows\CXJX.exe
        165⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CDJMK.exe.bat" "
        166⤵
        
        PID:1700
        
        C:\windows\system\CDJMK.exe
        
        C:\windows\system\CDJMK.exe
        167⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NWEETU.exe.bat" "
        168⤵
        
        PID:3028
        
        C:\windows\SysWOW64\NWEETU.exe
        
        C:\windows\system32\NWEETU.exe
        169⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRNJEHS.exe.bat" "
        170⤵
        
        PID:1748
        
        C:\windows\SysWOW64\CRNJEHS.exe
        
        C:\windows\system32\CRNJEHS.exe
        171⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OJQ.exe.bat" "
        172⤵
        
        PID:1424
        
        C:\windows\system\OJQ.exe
        
        C:\windows\system\OJQ.exe
        173⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMUFRMJ.exe.bat" "
        174⤵
        
        PID:2024
        
        C:\windows\OMUFRMJ.exe
        
        C:\windows\OMUFRMJ.exe
        175⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EHEKC.exe.bat" "
        176⤵
        
        PID:3524
        
        C:\windows\system\EHEKC.exe
        
        C:\windows\system\EHEKC.exe
        177⤵
        Checks computer location settings
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CDDKHC.exe.bat" "
        178⤵
        
        PID:3992
        
        C:\windows\SysWOW64\CDDKHC.exe
        
        C:\windows\system32\CDDKHC.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGHOM.exe.bat" "
        180⤵
        
        PID:5052
        
        C:\windows\SysWOW64\CGHOM.exe
        
        C:\windows\system32\CGHOM.exe
        181⤵
        Drops file in Windows directory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDUACAS.exe.bat" "
        182⤵
        
        PID:1972
        
        C:\windows\system\EDUACAS.exe
        
        C:\windows\system\EDUACAS.exe
        183⤵
        Drops file in Windows directory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VJFSK.exe.bat" "
        184⤵
        
        PID:820
        
        C:\windows\VJFSK.exe
        
        C:\windows\VJFSK.exe
        185⤵
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZGSQS.exe.bat" "
        186⤵
        
        PID:4912
        
        C:\windows\SysWOW64\LZGSQS.exe
        
        C:\windows\system32\LZGSQS.exe
        187⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRBLZAK.exe.bat" "
        188⤵
        
        PID:612
        
        C:\windows\SysWOW64\WRBLZAK.exe
        
        C:\windows\system32\WRBLZAK.exe
        189⤵
        Checks computer location settings
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PUNGEQ.exe.bat" "
        190⤵
        
        PID:2596
        
        C:\windows\PUNGEQ.exe
        
        C:\windows\PUNGEQ.exe
        191⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TCTO.exe.bat" "
        192⤵
        
        PID:3248
        
        C:\windows\TCTO.exe
        
        C:\windows\TCTO.exe
        193⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONCFFTD.exe.bat" "
        194⤵
        
        PID:4556
        
        C:\windows\ONCFFTD.exe
        
        C:\windows\ONCFFTD.exe
        195⤵
        Checks computer location settings
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDDEL.exe.bat" "
        196⤵
        
        PID:5072
        
        C:\windows\SysWOW64\DDDEL.exe
        
        C:\windows\system32\DDDEL.exe
        197⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYM.exe.bat" "
        198⤵
        
        PID:1036
        
        C:\windows\SysWOW64\SYM.exe
        
        C:\windows\system32\SYM.exe
        199⤵
        Drops file in Windows directory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PZWTAXJ.exe.bat" "
        200⤵
        
        PID:1656
        
        C:\windows\PZWTAXJ.exe
        
        C:\windows\PZWTAXJ.exe
        201⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARZ.exe.bat" "
        202⤵
        
        PID:4092
        
        C:\windows\system\ARZ.exe
        
        C:\windows\system\ARZ.exe
        203⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKG.exe.bat" "
        204⤵
        
        PID:2780
        
        C:\windows\system\MKG.exe
        
        C:\windows\system\MKG.exe
        205⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UPGD.exe.bat" "
        206⤵
        
        PID:4468
        
        C:\windows\system\UPGD.exe
        
        C:\windows\system\UPGD.exe
        207⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQOO.exe.bat" "
        208⤵
        
        PID:2480
        
        C:\windows\system\FQOO.exe
        
        C:\windows\system\FQOO.exe
        209⤵
        Drops file in Windows directory
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WQQBO.exe.bat" "
        210⤵
        
        PID:3660
        
        C:\windows\system\WQQBO.exe
        
        C:\windows\system\WQQBO.exe
        211⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZMHDIK.exe.bat" "
        212⤵
        
        PID:1648
        
        C:\windows\SysWOW64\ZMHDIK.exe
        
        C:\windows\system32\ZMHDIK.exe
        213⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZRHRJPE.exe.bat" "
        214⤵
        
        PID:4456
        
        C:\windows\ZRHRJPE.exe
        
        C:\windows\ZRHRJPE.exe
        215⤵
        Drops file in Windows directory
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMRWU.exe.bat" "
        216⤵
        
        PID:1948
        
        C:\windows\OMRWU.exe
        
        C:\windows\OMRWU.exe
        217⤵
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YUTBGH.exe.bat" "
        218⤵
        
        PID:3784
        
        C:\windows\SysWOW64\YUTBGH.exe
        
        C:\windows\system32\YUTBGH.exe
        219⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JCZ.exe.bat" "
        220⤵
        
        PID:2008
        
        C:\windows\JCZ.exe
        
        C:\windows\JCZ.exe
        221⤵
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGDFXPE.exe.bat" "
        222⤵
        
        PID:748
        
        C:\windows\SysWOW64\CGDFXPE.exe
        
        C:\windows\system32\CGDFXPE.exe
        223⤵
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGFS.exe.bat" "
        224⤵
        
        PID:5104
        
        C:\windows\system\LGFS.exe
        
        C:\windows\system\LGFS.exe
        225⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWMSNF.exe.bat" "
        226⤵
        
        PID:2920
        
        C:\windows\SysWOW64\XWMSNF.exe
        
        C:\windows\system32\XWMSNF.exe
        227⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WHXIW.exe.bat" "
        228⤵
        
        PID:3976
        
        C:\windows\system\WHXIW.exe
        
        C:\windows\system\WHXIW.exe
        229⤵
        Checks computer location settings
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCG.exe.bat" "
        230⤵
        
        PID:4940
        
        C:\windows\DCG.exe
        
        C:\windows\DCG.exe
        231⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICIOKKI.exe.bat" "
        232⤵
        
        PID:2900
        
        C:\windows\SysWOW64\ICIOKKI.exe
        
        C:\windows\system32\ICIOKKI.exe
        233⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCPC.exe.bat" "
        234⤵
        
        PID:3112
        
        C:\windows\SysWOW64\OCPC.exe
        
        C:\windows\system32\OCPC.exe
        235⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BAX.exe.bat" "
        236⤵
        
        PID:5116
        
        C:\windows\system\BAX.exe
        
        C:\windows\system\BAX.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HBFCM.exe.bat" "
        238⤵
        
        PID:1016
        
        C:\windows\HBFCM.exe
        
        C:\windows\HBFCM.exe
        239⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEJFSIV.exe.bat" "
        240⤵
        
        PID:2200
        
        C:\windows\AEJFSIV.exe
        
        C:\windows\AEJFSIV.exe
        241⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOKHGMK.exe.bat" "
        242⤵
        
        PID:4132
        
        C:\windows\SysWOW64\IOKHGMK.exe
        
        C:\windows\system32\IOKHGMK.exe
        243⤵
        Checks computer location settings
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TCR.exe.bat" "
        244⤵
        
        PID:224
        
        C:\windows\TCR.exe
        
        C:\windows\TCR.exe
        245⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAPHXHO.exe.bat" "
        246⤵
        
        PID:2504
        
        C:\windows\SysWOW64\KAPHXHO.exe
        
        C:\windows\system32\KAPHXHO.exe
        247⤵
        Drops file in Windows directory
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UXDCEQW.exe.bat" "
        248⤵
        
        PID:3332
        
        C:\windows\UXDCEQW.exe
        
        C:\windows\UXDCEQW.exe
        249⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DYF.exe.bat" "
        250⤵
        
        PID:1648
        
        C:\windows\SysWOW64\DYF.exe
        
        C:\windows\system32\DYF.exe
        251⤵
        Drops file in Windows directory
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STOTAA.exe.bat" "
        252⤵
        
        PID:3112
        
        C:\windows\system\STOTAA.exe
        
        C:\windows\system\STOTAA.exe
        253⤵
        Checks computer location settings
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EJV.exe.bat" "
        254⤵
        
        PID:228
        
        C:\windows\system\EJV.exe
        
        C:\windows\system\EJV.exe
        255⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZWADP.exe.bat" "
        256⤵
        
        PID:2560
        
        C:\windows\SysWOW64\ZWADP.exe
        
        C:\windows\system32\ZWADP.exe
        257⤵
        Drops file in Windows directory
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBMJA.exe.bat" "
        258⤵
        
        PID:1700
        
        C:\windows\system\HBMJA.exe
        
        C:\windows\system\HBMJA.exe
        259⤵
        Drops file in Windows directory
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BXJTKQ.exe.bat" "
        260⤵
        
        PID:3056
        
        C:\windows\BXJTKQ.exe
        
        C:\windows\BXJTKQ.exe
        261⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\USVWP.exe.bat" "
        262⤵
        
        PID:2004
        
        C:\windows\SysWOW64\USVWP.exe
        
        C:\windows\system32\USVWP.exe
        263⤵
        Checks computer location settings
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQIOFV.exe.bat" "
        264⤵
        
        PID:3244
        
        C:\windows\system\RQIOFV.exe
        
        C:\windows\system\RQIOFV.exe
        265⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IBZEFQ.exe.bat" "
        266⤵
        
        PID:1656
        
        C:\windows\IBZEFQ.exe
        
        C:\windows\IBZEFQ.exe
        267⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWIQ.exe.bat" "
        268⤵
        
        PID:1964
        
        C:\windows\SysWOW64\XWIQ.exe
        
        C:\windows\system32\XWIQ.exe
        269⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NMJIWYM.exe.bat" "
        270⤵
        
        PID:3700
        
        C:\windows\system\NMJIWYM.exe
        
        C:\windows\system\NMJIWYM.exe
        271⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PKXC.exe.bat" "
        272⤵
        
        PID:3372
        
        C:\windows\PKXC.exe
        
        C:\windows\PKXC.exe
        273⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFB.exe.bat" "
        274⤵
        
        PID:2932
        
        C:\windows\SysWOW64\PFB.exe
        
        C:\windows\system32\PFB.exe
        275⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFITAQ.exe.bat" "
        276⤵
        
        PID:2640
        
        C:\windows\system\VFITAQ.exe
        
        C:\windows\system\VFITAQ.exe
        277⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OIM.exe.bat" "
        278⤵
        
        PID:4900
        
        C:\windows\system\OIM.exe
        
        C:\windows\system\OIM.exe
        279⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQOU.exe.bat" "
        280⤵
        
        PID:3144
        
        C:\windows\SysWOW64\FQOU.exe
        
        C:\windows\system32\FQOU.exe
        281⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STXT.exe.bat" "
        282⤵
        
        PID:668
        
        C:\windows\system\STXT.exe
        
        C:\windows\system\STXT.exe
        283⤵
        Drops file in Windows directory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PZCQ.exe.bat" "
        284⤵
        
        PID:3920
        
        C:\windows\PZCQ.exe
        
        C:\windows\PZCQ.exe
        285⤵
        Drops file in Windows directory
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RWI.exe.bat" "
        286⤵
        
        PID:4404
        
        C:\windows\RWI.exe
        
        C:\windows\RWI.exe
        287⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMJC.exe.bat" "
        288⤵
        
        PID:208
        
        C:\windows\SysWOW64\GMJC.exe
        
        C:\windows\system32\GMJC.exe
        289⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXZA.exe.bat" "
        290⤵
        
        PID:3368
        
        C:\windows\SysWOW64\TXZA.exe
        
        C:\windows\system32\TXZA.exe
        291⤵
        Drops file in Windows directory
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQUTPU.exe.bat" "
        292⤵
        
        PID:4016
        
        C:\windows\system\FQUTPU.exe
        
        C:\windows\system\FQUTPU.exe
        293⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FLYPCKI.exe.bat" "
        294⤵
        
        PID:2616
        
        C:\windows\system\FLYPCKI.exe
        
        C:\windows\system\FLYPCKI.exe
        295⤵
        Checks computer location settings
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTAU.exe.bat" "
        296⤵
        
        PID:4940
        
        C:\windows\PTAU.exe
        
        C:\windows\PTAU.exe
        297⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VTIIPK.exe.bat" "
        298⤵
        
        PID:2464
        
        C:\windows\VTIIPK.exe
        
        C:\windows\VTIIPK.exe
        299⤵
        Checks computer location settings
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PHN.exe.bat" "
        300⤵
        
        PID:2868
        
        C:\windows\PHN.exe
        
        C:\windows\PHN.exe
        301⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZC.exe.bat" "
        302⤵
        
        PID:2200
        
        C:\windows\system\IZC.exe
        
        C:\windows\system\IZC.exe
        303⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUQ.exe.bat" "
        304⤵
        
        PID:4404
        
        C:\windows\SysWOW64\INUQ.exe
        
        C:\windows\system32\INUQ.exe
        305⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANJW.exe.bat" "
        306⤵
        
        PID:1432
        
        C:\windows\SysWOW64\ANJW.exe
        
        C:\windows\system32\ANJW.exe
        307⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PIO.exe.bat" "
        308⤵
        
        PID:1084
        
        C:\windows\SysWOW64\PIO.exe
        
        C:\windows\system32\PIO.exe
        309⤵
        Checks computer location settings
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EYBZO.exe.bat" "
        310⤵
        
        PID:884
        
        C:\windows\system\EYBZO.exe
        
        C:\windows\system\EYBZO.exe
        311⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWACA.exe.bat" "
        312⤵
        
        PID:2616
        
        C:\windows\SysWOW64\VWACA.exe
        
        C:\windows\system32\VWACA.exe
        313⤵
        Checks computer location settings
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJFMKI.exe.bat" "
        314⤵
        
        PID:2004
        
        C:\windows\system\PJFMKI.exe
        
        C:\windows\system\PJFMKI.exe
        315⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NZSD.exe.bat" "
        316⤵
        
        PID:4128
        
        C:\windows\NZSD.exe
        
        C:\windows\NZSD.exe
        317⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMXNDP.exe.bat" "
        318⤵
        
        PID:1488
        
        C:\windows\HMXNDP.exe
        
        C:\windows\HMXNDP.exe
        319⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XDYMJLB.exe.bat" "
        320⤵
        
        PID:4664
        
        C:\windows\SysWOW64\XDYMJLB.exe
        
        C:\windows\system32\XDYMJLB.exe
        321⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGCIPB.exe.bat" "
        322⤵
        
        PID:4704
        
        C:\windows\SysWOW64\QGCIPB.exe
        
        C:\windows\system32\QGCIPB.exe
        323⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBLU.exe.bat" "
        324⤵
        
        PID:3376
        
        C:\windows\SysWOW64\FBLU.exe
        
        C:\windows\system32\FBLU.exe
        325⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DLWCIT.exe.bat" "
        326⤵
        
        PID:4468
        
        C:\windows\DLWCIT.exe
        
        C:\windows\DLWCIT.exe
        327⤵
        Drops file in Windows directory
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YHBTTTW.exe.bat" "
        328⤵
        
        PID:3224
        
        C:\windows\YHBTTTW.exe
        
        C:\windows\YHBTTTW.exe
        329⤵
        Drops file in Windows directory
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCFPYR.exe.bat" "
        330⤵
        
        PID:3272
        
        C:\windows\system\ZCFPYR.exe
        
        C:\windows\system\ZCFPYR.exe
        331⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XVIFH.exe.bat" "
        332⤵
        
        PID:876
        
        C:\windows\SysWOW64\XVIFH.exe
        
        C:\windows\system32\XVIFH.exe
        333⤵
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKOIT.exe.bat" "
        334⤵
        
        PID:2708
        
        C:\windows\SysWOW64\OKOIT.exe
        
        C:\windows\system32\OKOIT.exe
        335⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WQTPD.exe.bat" "
        336⤵
        
        PID:1092
        
        C:\windows\system\WQTPD.exe
        
        C:\windows\system\WQTPD.exe
        337⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "
        338⤵
        
        PID:5104
        
        C:\windows\system\YOURJ.exe
        
        C:\windows\system\YOURJ.exe
        339⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWBOO.exe.bat" "
        340⤵
        
        PID:4064
        
        C:\windows\system\PWBOO.exe
        
        C:\windows\system\PWBOO.exe
        341⤵
        Drops file in Windows directory
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KJFFYVW.exe.bat" "
        342⤵
        
        PID:2252
        
        C:\windows\system\KJFFYVW.exe
        
        C:\windows\system\KJFFYVW.exe
        343⤵
        Checks computer location settings
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UHTSO.exe.bat" "
        344⤵
        
        PID:2108
        
        C:\windows\UHTSO.exe
        
        C:\windows\UHTSO.exe
        345⤵
        Checks computer location settings
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AHBFXFG.exe.bat" "
        346⤵
        
        PID:4844
        
        C:\windows\AHBFXFG.exe
        
        C:\windows\AHBFXFG.exe
        347⤵
        Checks computer location settings
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JIV.exe.bat" "
        348⤵
        
        PID:3272
        
        C:\windows\JIV.exe
        
        C:\windows\JIV.exe
        349⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PICGJ.exe.bat" "
        350⤵
        
        PID:876
        
        C:\windows\SysWOW64\PICGJ.exe
        
        C:\windows\system32\PICGJ.exe
        351⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HLOC.exe.bat" "
        352⤵
        
        PID:3488
        
        C:\windows\HLOC.exe
        
        C:\windows\HLOC.exe
        353⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XBPBVQ.exe.bat" "
        354⤵
        
        PID:3804
        
        C:\windows\system\XBPBVQ.exe
        
        C:\windows\system\XBPBVQ.exe
        355⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YETXJ.exe.bat" "
        356⤵
        
        PID:748
        
        C:\windows\SysWOW64\YETXJ.exe
        
        C:\windows\system32\YETXJ.exe
        357⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUE.exe.bat" "
        358⤵
        
        PID:1716
        
        C:\windows\system\WUE.exe
        
        C:\windows\system\WUE.exe
        359⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXIWB.exe.bat" "
        360⤵
        
        PID:4532
        
        C:\windows\SysWOW64\PXIWB.exe
        
        C:\windows\system32\PXIWB.exe
        361⤵
        Drops file in Windows directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXSG.exe.bat" "
        362⤵
        
        PID:3752
        
        C:\windows\system\LXSG.exe
        
        C:\windows\system\LXSG.exe
        363⤵
        Checks computer location settings
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYZUWA.exe.bat" "
        364⤵
        
        PID:840
        
        C:\windows\system\RYZUWA.exe
        
        C:\windows\system\RYZUWA.exe
        365⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVFGEI.exe.bat" "
        366⤵
        
        PID:1056
        
        C:\windows\SysWOW64\BVFGEI.exe
        
        C:\windows\system32\BVFGEI.exe
        367⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTFS.exe.bat" "
        368⤵
        
        PID:3648
        
        C:\windows\system\PTFS.exe
        
        C:\windows\system\PTFS.exe
        369⤵
        Drops file in Windows directory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EOWEZHE.exe.bat" "
        370⤵
        
        PID:1152
        
        C:\windows\EOWEZHE.exe
        
        C:\windows\EOWEZHE.exe
        371⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PCVCEI.exe.bat" "
        372⤵
        
        PID:3164
        
        C:\windows\PCVCEI.exe
        
        C:\windows\PCVCEI.exe
        373⤵
        Checks computer location settings
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XUE.exe.bat" "
        374⤵
        
        PID:1716
        
        C:\windows\system\XUE.exe
        
        C:\windows\system\XUE.exe
        375⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NKFV.exe.bat" "
        376⤵
        
        PID:1700
        
        C:\windows\system\NKFV.exe
        
        C:\windows\system\NKFV.exe
        377⤵
        Drops file in Windows directory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HYWFJ.exe.bat" "
        378⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1316
        376⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1008
        374⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 964
        372⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 988
        370⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 960
        368⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1292
        366⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 960
        364⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1308
        362⤵
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1300
        360⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 960
        358⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1328
        356⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1336
        354⤵
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 976
        352⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1240
        350⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1324
        348⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1304
        346⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1324
        344⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1336
        342⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 988
        340⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1336
        338⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1336
        336⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 960
        334⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 960
        332⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1336
        330⤵
        
        PID:384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1296
        328⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1256
        326⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 960
        324⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1328
        322⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1328
        320⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1324
        318⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1324
        316⤵
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1308
        314⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1232
        312⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 960
        310⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1328
        308⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1244
        306⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1328
        304⤵
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 976
        302⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 960
        300⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1236
        298⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1236
        296⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 964
        294⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 960
        292⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 988
        290⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1240
        288⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1324
        286⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1324
        284⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1004
        282⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1304
        280⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 872
        278⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1336
        276⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1328
        274⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1004
        272⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 988
        270⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1308
        268⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 960
        266⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1336
        264⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 988
        262⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1324
        260⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1312
        258⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1308
        256⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1336
        254⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1004
        252⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 960
        250⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1324
        248⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 872
        246⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 960
        244⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1300
        242⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 1256
        240⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1324
        238⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1336
        236⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1308
        234⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1256
        232⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 976
        230⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 960
        228⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1240
        226⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1308
        224⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1328
        222⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 988
        220⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1300
        218⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 988
        216⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 872
        214⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1300
        212⤵
        
        PID:384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 960
        210⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1336
        208⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1336
        206⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 988
        204⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 988
        202⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
        200⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1328
        198⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1008
        196⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1324
        194⤵
        
        PID:384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 960
        192⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 960
        190⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1008
        188⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 960
        186⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 988
        184⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 960
        182⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 960
        180⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1328
        178⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1268
        176⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 960
        174⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1336
        172⤵
        
        PID:468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 976
        170⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1260
        168⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 960
        166⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1324
        164⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1316
        162⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 988
        160⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1324
        158⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1324
        156⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 988
        154⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1236
        152⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1304
        150⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 960
        148⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 960
        146⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1304
        144⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1248
        142⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1328
        140⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1304
        138⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1324
        136⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
        134⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1324
        132⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 996
        130⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1324
        128⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960
        126⤵
        Program crash
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 988
        124⤵
        Program crash
        
        PID:820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1328
        122⤵
        Program crash
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1324
        120⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 992
        118⤵
        Program crash
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 988
        116⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 960
        114⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 968
        112⤵
        Program crash
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1328
        110⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1308
        108⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1292
        106⤵
        Program crash
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1328
        104⤵
        Program crash
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960
        102⤵
        Program crash
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1236
        100⤵
        Program crash
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 960
        98⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 988
        96⤵
        Program crash
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1304
        94⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1324
        92⤵
        Program crash
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1256
        90⤵
        Program crash
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1328
        88⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 960
        86⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1304
        84⤵
        Program crash
        
        PID:1256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1324
        82⤵
        Program crash
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1352
        80⤵
        Program crash
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1336
        78⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 960
        76⤵
        Program crash
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1324
        74⤵
        Program crash
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1008
        72⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 988
        70⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 988
        68⤵
        Program crash
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 988
        66⤵
        Program crash
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 960
        64⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1292
        62⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1324
        60⤵
        Program crash
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1336
        58⤵
        Program crash
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 960
        56⤵
        Program crash
        
        PID:1752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1004
        54⤵
        Program crash
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1336
        52⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1000
        50⤵
        Program crash
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1004
        48⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 988
        46⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 980
        44⤵
        Program crash
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1324
        42⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 988
        40⤵
        Program crash
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1004
        38⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1336
        36⤵
        Program crash
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1296
        34⤵
        Program crash
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1308
        32⤵
        Program crash
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 964
        30⤵
        Program crash
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1268
        28⤵
        Program crash
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1324
        26⤵
        Program crash
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1236
        24⤵
        Program crash
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1324
        22⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1324
        20⤵
        Program crash
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1304
        18⤵
        Program crash
        
        PID:1292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1324
        16⤵
        Program crash
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1008
        14⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1004
        12⤵
        Program crash
        
        PID:3348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 960
        10⤵
        Program crash
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1256
        8⤵
        Program crash
        
        PID:2736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1336
        6⤵
        Program crash
        
        PID:2300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1240
      4⤵
      Program crash
      PID:1168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 964
  2⤵
  - Program crash
  PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1228 -ip 1228
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 5064
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3012 -ip 3012
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4952 -ip 4952
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4500 -ip 4500
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2452 -ip 2452
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3028 -ip 3028
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1432 -ip 1432
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3952 -ip 3952
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2440 -ip 2440
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2056 -ip 2056
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4060 -ip 4060
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1268 -ip 1268
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2024 -ip 2024
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1004 -ip 1004
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 880 -ip 880
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2596 -ip 2596
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3208 -ip 3208
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3104 -ip 3104
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3512 -ip 3512
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1056 -ip 1056
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4968 -ip 4968
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 552 -ip 552
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1084 -ip 1084
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1176 -ip 1176
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1540 -ip 1540
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4496 -ip 4496
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4748 -ip 4748
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5108 -ip 5108
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3472 -ip 3472
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2588 -ip 2588
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4904 -ip 4904
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1700 -ip 1700
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4540 -ip 4540
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2900 -ip 2900
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4688 -ip 4688
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2400 -ip 2400
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4332 -ip 4332
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1464 -ip 1464
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4904 -ip 4904
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4276 -ip 4276
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3820 -ip 3820
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4672 -ip 4672
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4732 -ip 4732
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4376 -ip 4376
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5048 -ip 5048
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4400 -ip 4400
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2336 -ip 2336
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4116 -ip 4116
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 4628
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4660 -ip 4660
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3920 -ip 3920
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3768 -ip 3768
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2388 -ip 2388
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2708 -ip 2708
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2736 -ip 2736
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4592 -ip 4592
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3056 -ip 3056
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 748 -ip 748
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3272 -ip 3272
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2624 -ip 2624
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3752 -ip 3752
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3380 -ip 3380
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2584 -ip 2584
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2716 -ip 2716
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3244 -ip 3244
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3148 -ip 3148
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3012 -ip 3012
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2008 -ip 2008
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1000 -ip 1000
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4992 -ip 4992
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3248 -ip 3248
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3964 -ip 3964
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3988 -ip 3988
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3224 -ip 3224
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4684 -ip 4684
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3560 -ip 3560
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2548 -ip 2548
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2584 -ip 2584
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4312 -ip 4312
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3488 -ip 3488
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3996 -ip 3996
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1948 -ip 1948
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4416 -ip 4416
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5104 -ip 5104
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2252 -ip 2252
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2400 -ip 2400
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1648 -ip 1648
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1836 -ip 1836
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2028 -ip 2028
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3784 -ip 3784
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 428 -ip 428
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 408 -ip 408
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1264 -ip 1264
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2792 -ip 2792
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2400 -ip 2400
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 772 -ip 772
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4432 -ip 4432
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4944 -ip 4944
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4984 -ip 4984
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4540 -ip 4540
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4508 -ip 4508
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3376 -ip 3376
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4208 -ip 4208
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4276 -ip 4276
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4604 -ip 4604
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3488 -ip 3488
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3728 -ip 3728
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3056 -ip 3056
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4548 -ip 4548
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2292 -ip 2292
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4104 -ip 4104
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2904 -ip 2904
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1176 -ip 1176
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4716 -ip 4716
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5084 -ip 5084
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2664 -ip 2664
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4952 -ip 4952
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2932 -ip 2932
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1084 -ip 1084
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4156 -ip 4156
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4896 -ip 4896
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1540 -ip 1540
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1520 -ip 1520
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3504 -ip 3504
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4688 -ip 4688
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4468 -ip 4468
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1156 -ip 1156
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5052 -ip 5052
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2536 -ip 2536
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4560 -ip 4560
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5040 -ip 5040
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1152 -ip 1152
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4600 -ip 4600
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3264 -ip 3264
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4756 -ip 4756
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3136 -ip 3136
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4744 -ip 4744
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1648 -ip 1648
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1836 -ip 1836
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3208 -ip 3208
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1432 -ip 1432
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2368 -ip 2368
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5024 -ip 5024
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4756 -ip 4756
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2316 -ip 2316
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1528 -ip 1528
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4276 -ip 4276
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2392 -ip 2392
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2164 -ip 2164
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2248 -ip 2248
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1048 -ip 1048
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2636 -ip 2636
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3284 -ip 3284
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2944 -ip 2944
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5016 -ip 5016
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 456 -ip 456
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 624 -ip 624
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1648 -ip 1648
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 208 -ip 208
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4688 -ip 4688
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2640 -ip 2640
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3204 -ip 3204
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4172 -ip 4172
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1148 -ip 1148
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 688 -ip 688
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 668 -ip 668
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 408 -ip 408
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4404 -ip 4404
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1104 -ip 1104
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4888 -ip 4888
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 844 -ip 844
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2212 -ip 2212
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4332 -ip 4332
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2116 -ip 2116
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1912 -ip 1912
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2508 -ip 2508
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4396 -ip 4396
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3212 -ip 3212
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3296 -ip 3296
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1544 -ip 1544
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2464 -ip 2464
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1628 -ip 1628
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2996 -ip 2996
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4992 -ip 4992
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2780 -ip 2780
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2016 -ip 2016
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ESPQ.exe

Filesize
289KB

MD5
49a4b72fe521aa4df5ac44ef0d7343e0

SHA1
19a70ba1ba35fd2a2df74870749b9d3f6fd26e34

SHA256
ff34d1aec7b8570f6e7ec863c7f1e8c8b07f6ab68ed5760828315bdeeac65099

SHA512
a0f76bf3ed2dd4946118315b1ecee8af4ad592125d2a6402e699625143f4abf0c92c2a27c6ce1546b681ab4186933782a2d8054a110c679e740ed4635339c5e4

Download Submit
C:\Windows\MDH.exe

Filesize
289KB

MD5
d7443f3a9c78090fbe85bf109f65090d

SHA1
f330b64a9bac1840c2677f416ccd810e95a57135

SHA256
7fbcac51477df493370080804063b52974d4c5002aafca83516cfdf10503b63f

SHA512
3ddd1809dc01eeb340ee6969fb2ae84823962afb08d26c12c51f90b35739a1a0f70aee25f3fb5d70a50338441c6c38be7ff4d901897a219846f3685c59eaadb5

Download Submit
C:\Windows\OCO.exe

Filesize
289KB

MD5
d5c9abd6c602a487b9f475a91a92ec2f

SHA1
e6c3350c2f47682ea6ef46c1518e50b5e9cde3bf

SHA256
6413dfad348777c6a15237385d266f9dafc79c2b827de4853911a993327194f5

SHA512
fc620c2483ff962eafdbe0fa3b6f903e3e59865d069e84e149f79a367dca9842db9966ecc95f1891554dce67882333ba071ea0b9ac6e49d55d05279b68cc4d52

Download Submit
C:\Windows\SysWOW64\BUPVUE.exe

Filesize
289KB

MD5
a3e15577dee07944fdda79b6fde6b2d6

SHA1
dbd61820ed3f7e11681b38769f4c2f38df570009

SHA256
70c1affb0792ed8ef596d705edebecdf67479830adfe16a065e69fbad2b12ae6

SHA512
e2d8c404a2df97dec30bb4c28c5acd5dea776ee15b42366574f2fe0f7a6d7a6a0c9fbbc7723e1d1957864a3e04abd81bc15ed3c4508a9cef334e14326478b885

Download Submit
C:\Windows\SysWOW64\FYLOUSO.exe

Filesize
289KB

MD5
5054e9d8e382ba4471d624855d34d27a

SHA1
98303e64dca3d43cc2ccce4ecf7d7265cd3cd7f7

SHA256
fe212abeb8b90a9af6f3fe2e76128470a92e1eca9c60c4d13969a10fd02de755

SHA512
5d8a5a37facd000218f7cdb90204f0cf3e28ff4b291bb9ae6556bd58f8dc1ea1e3e6b6fba7ea3c421cb5e2d4d0fe97b2e56391fbff8ee45f2975d3c1024286b9

Download Submit
C:\Windows\SysWOW64\SVLAW.exe

Filesize
289KB

MD5
2bf2633c4f5d1bec0a375c187c10c942

SHA1
465b95e9095b85c4cc2e9819d6ae9bdbcb3c1bbe

SHA256
923d6c969f9aacf9fca2da6c6228ae4f19ac6603f8c461422d619c268c66544d

SHA512
691763bd49395dccd3e7eefdc759d71bf4c09ddc5571249632b05d814539bad291b10a9615923870950696a0dacee0c1d9055f15b4e37ca3c18eb02cbc190708

Download Submit
C:\Windows\SysWOW64\WMWZ.exe

Filesize
289KB

MD5
a0c4a83381608de03f108e476e957368

SHA1
c74736d07643c1d05ddb1bafad1b627651e7129b

SHA256
32062df64e9349bc598bbd50af5baa25d0ec0f070edb657849c928f0900ab494

SHA512
39c2078ab0d0e566752cd10ad1f611bcf0f0c251843e9649db63c61c529b3aaf8db4c0d7b78c7aa80969911cb18dd37d42a38a74764e17184265117ae747815d

Download Submit
C:\Windows\System\BETDPM.exe

Filesize
289KB

MD5
ed9522881169f508b6ce02ceb009bf25

SHA1
1c435bf44d40550c138ca36bb4faec0ad8425ace

SHA256
b8cf405d87643357de682d135363af95f912062b89cbdb145586cb84dba9f017

SHA512
4e43eb26f61f8dc03850a2de570306ce3286d35a8f7c42b8255687389d253f73e01e4c04b85ac7ba8c26eb1c88ac8a37e6879ae3b1aee1b119b46ea2c948c29f

Download Submit
C:\Windows\System\NIHC.exe

Filesize
289KB

MD5
df9f172dff1c2847c70687c1bcc3f229

SHA1
c5907f2fbf187381722bfb98cbe91a6bdd583392

SHA256
e8bb1a870e259e40156233c7d538fa8e309a9c2bd8d5f86c0da5a70eb17c2c30

SHA512
765a7baaa810a41862057cbc05e0a22ca5b72323e9e8ca4cf2eb1b9091b635dbce4a9f594c5ccbb1e13016f51e3d612f7f30206042797e1554c3b5b2958fe7c5

Download Submit
C:\Windows\System\PDBC.exe

Filesize
289KB

MD5
7d8825b7b819646b674b02d1b7d880ed

SHA1
4ae97a07b0008283eb41114e667509632a4d7b67

SHA256
d27cf957ba9dcf5f7e10b724a5e0a12ec340b310aac492d1968f362f8158cefe

SHA512
0e0affe2bc5d1cf9db46044c5d092636028feea2468e68abed9b9cce6ef6b55ad5e985fb4f7f4c27427b905294ecf8b5fa3456247f9b57c89487326e43c31387

Download Submit
C:\Windows\System\TYZQJJY.exe

Filesize
289KB

MD5
4f35967ee25d60c7ddd9d7f14d2c7271

SHA1
0f4837e5c98571e0c72e30b633f180d6cd5d37ab

SHA256
0a73cce350b6604bcb1f28cf2517ff3461b2c949ed50233ff45c45d77c119a44

SHA512
be071ac15bf884afe6213a33f33a987fde84976d3fbc9159e3c1b94079358cc8887cfe4f1930e2ad42d5f970cac0d4d55cbd4683c81a58d349b90bfe15dda6f0

Download Submit
C:\windows\DFPBJIL.exe

Filesize
289KB

MD5
1609abaccaac82854d62e62175bd61c5

SHA1
d5b5a8619d3f85babcb1cb58abab3337bf7f6716

SHA256
8dde586ba2924ecdb2b236ca5760d4c8af4f357585e6a69e5a54b58112a81817

SHA512
e34c032d50c6dda70c6c756d3f74621c93e989ecb267767ffa7f76017e9456e44451038b93dd5e90eb2b5db7368a9d47ec49e021bcac5d5e14866f2d1a28d40c

Download Submit
C:\windows\DFPBJIL.exe.bat

Filesize
60B

MD5
6f7d0da4f112e3a0f2e794e297c8995f

SHA1
69cff315af8076a40777c9f3b942fc44d51c5061

SHA256
f3ec88724dc8936985a804a2883f6e4eb128a76c8f270fd8d5270e43b1bec074

SHA512
837dabeaece9dfae81ade85c6433e6031cfcea526004d5cfd3aea177778e82e399602b3830d6a898b85649288b067f4b5f117b4e1b6a8d9f4058f159da486cdb

Download Submit
C:\windows\ESPQ.exe.bat

Filesize
54B

MD5
f187f259f79f84b99be041d870910b11

SHA1
53d348f4da98870535877968f59b06d6c4ae2ffe

SHA256
304bc53314e6335c0578100e947a133285bcd9d7e037316e8e0ba0c0b0771ca3

SHA512
a22412b37437c5c2ae9b855487c9b55642823953bc4009e872cf41f6bdf4de345d443126116520317e7fdcd8a1122240ffff437476dcbc492855a0872e1f7d3a

Download Submit
C:\windows\JZMR.exe

Filesize
289KB

MD5
a3ff7c92e6129b97e7708b5f15ec1cae

SHA1
b66c9acef5c73964c05ebbf986c491139bee4301

SHA256
b3578c6ea6c73aaaa112bf6108d74b8e5a62ddc2e50b531a371ffd8c82dcfc56

SHA512
ebf6f535dfdf540d5d7b237d2b0ac9a1a05263f89240562e34c6ae011e7b61f5a71802eec63f149b0e64ad949e85c91ab260bc3f249185c503105169c4b774ad

Download Submit
C:\windows\JZMR.exe.bat

Filesize
54B

MD5
e5ef7f7977ec6e45641a11c12a31ccdf

SHA1
e1bf1f5933d66e651f5d5f6d73eee5cfb95b6607

SHA256
8308453b97aef9fbd9c67efba13e688da93d4a4ce276db861d09da1eccec0103

SHA512
e33de41a2e95bc0fce2d0d7fa1b88b7b65443a0bac9eb7f26d790787ed89614d4d0116a2f31408770a02f550fb2427ead0d5488c42c696ca939c110654f94610

Download Submit
C:\windows\LQKYUP.exe.bat

Filesize
58B

MD5
7d063d09f85a85481fcf8b0288fd912c

SHA1
b59cf37d347049b58dadf7dacbf46d440cc18c21

SHA256
d140ea0ebf8ce5c5c29eab67ee639d91afa8dcba5a433520be4cd3a246dba114

SHA512
b0ba63403c19cea7e41465a9a3dfd22e074c784264e2e9d7d7c62937b7e842a485263567b7427287a0db9776a28b781260a1be27254b8c99574943a12cb54ad5

Download Submit
C:\windows\LRDPBN.exe.bat

Filesize
58B

MD5
4e2f641abb3035b98c2774ec09aa312a

SHA1
5bd9802615704688f7056accfe95ee15fba97dfe

SHA256
cf02fd5827221a7026c0cac2bd1d925fe6feb38b97928664ce964aaf4e412e50

SHA512
7cdcdceedc36ac7a0455f702e1afcffc3473b4483a3f69942a6ab049c332712138a743e2fd536a4c7222a39a1e3fa3e2e81518836679d130b8e077de47cf1874

Download Submit
C:\windows\MDH.exe.bat

Filesize
52B

MD5
119668d7a4b1275e1416618952e873a2

SHA1
0a218e654a407c2ec74ef6021ca9741fce214098

SHA256
3c3b0a433f9e6e53a2491eb45baa5625fae82db0ea2977e6a1b3e18347ee9ef1

SHA512
da87c9ac87235e1b70464d3fa5049a02a54ad698c0346265b24f134cde53ac70bc727e9e45eb302e4fcd087bae02a5d079fcb211ec54c1ccf206e781adf54e3d

Download Submit
C:\windows\NARVZJI.exe

Filesize
289KB

MD5
8f2980cddf2efce28e421364dc95f4a9

SHA1
4836871c823e632259bdffa2dbf4828b7888c9bf

SHA256
552c0d95394b471aae3ad3dfc9d30e3f6821068443048f056d49f46362172eab

SHA512
a6980646e32c664b2e54b81e414be7a5978cbae479af1fdafc9f4119b5949f8539ab793f8eba38d239160882e15d537d838a815712971a9779f79c114f35ca7e

Download Submit
C:\windows\NARVZJI.exe.bat

Filesize
60B

MD5
18bb939f4dff16fdc45372a1fff7785d

SHA1
fbe1c8b2c6d3f890ede17113af4091cec4c0656e

SHA256
3b58ce944f037f234726ff09f5c9e7ee668fdeb6d1ca89845a2a1b18b2d7eb65

SHA512
56ef5b62edce20403aa13e43a5ef22aeb55048ec7231441e7921b4954fd90680674fd35f210b6477386fe3192254fc3b5c3fd56639fdc170cbe97e2699b93862

Download Submit
C:\windows\OCO.exe.bat

Filesize
52B

MD5
27196719d0d6283fa5c4debf758f1b20

SHA1
88da715a9d7338358fa4c0f65ffb1669e6f4ff7f

SHA256
902ef3ffbf1fe99d9869bccf246c97dfacb43e4da002981d8ae2254cfc8440ab

SHA512
7c14afc1354fc8ccf96844d9532c03e8294d46990001260f457ad3f1d382f3d388c3e80bb1f35931990da963b32ba0e064f1343c08ccbf69cbc0a8609abbebd5

Download Submit
C:\windows\SysWOW64\ATGAU.exe.bat

Filesize
74B

MD5
732f092b85457653434fb80aace60083

SHA1
5bc74cbfa4d780dd7728b5a4d0385a9b1c3b6446

SHA256
a763ecb5fb143f3bc6e6d4eaacb3549d276d50f11c43bf9b6426672accae1ea0

SHA512
a0ebc35168b82e321f5500c4becfd5ead8fea2120633e1a5950ad7273c2a8177b9fd7d259af137cc7598ead60c19729da5c24f317c94d75680e821c9dc92d2ac

Download Submit
C:\windows\SysWOW64\BUPVUE.exe.bat

Filesize
76B

MD5
418c1f3d01104142847a6b189feb3059

SHA1
ad22e43f0a88f07de237b3a05abc481e91a2f029

SHA256
b3b862f6602baa8f328367ec6199e549db761ea0bff5b976f56ab6a74d1860e8

SHA512
73958e02849c5468f15b24af4f26e43c573912e168f634af0cd0f6096a2d4b56e22532c0b8e3330439014786ea0537368b2e67f2b5933f98c1dfeddfb94c4d01

Download Submit
C:\windows\SysWOW64\FYLOUSO.exe.bat

Filesize
78B

MD5
0fed4a7b61a3267fa33b70175545738f

SHA1
85a9214b6a030ca16cdcc222905ed00cd6aad1cc

SHA256
e2e17b08a7173653e72cf753e841ec0ff3699fdc919a8f188e9bc293f2fd1bc9

SHA512
6dd7fa33b255adf4bc6a4967ea5e1a8ebaaea5e4d6bc51c4337fe0532805aa24d9badc80ce276902376ca202b926a3ca6321ea0bc11440a2ba4cfc9d927d5da7

Download Submit
C:\windows\SysWOW64\SVLAW.exe.bat

Filesize
74B

MD5
99684787e12fa5a3a9b90f96f39ea121

SHA1
bffe5475f66f095c08998cf4e46cdcc437bb4c0a

SHA256
892085c65ab6a1a3ebe0f883095542042a8f22db2ff15230d0162ea0b8c07460

SHA512
a3535983d5737357018ad63ca468ed5a39266f8ee8bc179a7c73d3cfe67d53a62f5fac16ba3ad55e34427b7e9cddbf3bb5f06a168b94bf0e63a76d09ffb71be8

Download Submit
C:\windows\SysWOW64\WMWZ.exe.bat

Filesize
72B

MD5
4a100a0c062562e2c81db486fdd57ea1

SHA1
2e01eab24ad03e66b44b95a29072cda63cbd77c8

SHA256
5936b021793cf26ca8de2e45edc45f7e9e0187aafe03d6cebdf226cb2c4e5f3b

SHA512
dc567e5890c01fbdec359a7bfa026d1033adad13d7d890777b82d97cb0cf65df6ad2afd5745b8eae3c20ea2186a1e2610415faf30e2c5d1a60bf57aacb1fb7c0

Download Submit
C:\windows\UPJPMR.exe

Filesize
289KB

MD5
7db6e127d1a9e39b3659f7e2291e138b

SHA1
99e37ca105227d9481b669b6a1b7badb59f75b3b

SHA256
eea929c70c291646f890d7b8ef2dce236b24dfbe902a3aaedf644131f6f8bfed

SHA512
489ffa92086503be54fbe75270f6093bcdad398b56f10f81352efd2f48ea15e7f72786a0a0bbc28040e32cbfb293a675bdd0eb13a093f58df7dd7b50fd4658f3

Download Submit
C:\windows\UPJPMR.exe.bat

Filesize
58B

MD5
7768013167616eccff73a138906fd70a

SHA1
33d66e100f03088df8df5aa0af3f8fbefeae471b

SHA256
7e3261da5957ad536d8aaec978c5e42adbbabac574e3b026821a0666f25d2336

SHA512
cce05babfb3647289ae5115eb14728f94e1891055e9d9bef9c5bd6a0143e8bd2f32e4b7e7dc17f24ef054046a492b5d95fbd05e12d88aaa9ffe6721b5b39e898

Download Submit
C:\windows\UTY.exe

Filesize
289KB

MD5
96360302c81e6372d27baf19e7c4c2ae

SHA1
bc47341d518a506376d38c2790288893b994c3c9

SHA256
be89fb396f01ef0ef50cf6d0be0dbd7ee755d595cf761cadb7ee4d09ef8ae530

SHA512
925bec4480acf47fbfbbca687ee6b1067f57c1179ca023539b90188438e6f3c3715d95a4b69f745a36aa9d48c789168dced17cc63eef367ac674dcff4c5b04dc

Download Submit
C:\windows\UTY.exe.bat

Filesize
52B

MD5
feefbdef7cc7d19b21d808d86bfb137c

SHA1
6a7fa81421a5068702b946c4c0de5bd7003115fc

SHA256
bc4bc2fbb6917f03dea8e21599424d5588a8e23298b40115c1b37c8efe9dabb8

SHA512
61015d31ca15ce700118cffcd0582d830aa96b69ff1fe1c884088c5791de5f43bfbd67cb4dbe9b2e079b41ac7aa3b854cd352960a220e863a001984bda7ebd46

Download Submit
C:\windows\ZBEY.exe.bat

Filesize
54B

MD5
66641dca112bc793c618462ea06770bc

SHA1
858dd79889d51c373331c92caa95ec9f21cba0bf

SHA256
89a7c59d29c472077a74b12941e721130f4dc804b24db8f0e71095d254afebd7

SHA512
2faccbc57184fd1eeb40dc70e7efe4d05abfc70b378f464f1b32f924275da112cd2c5a739e390fa34ba5b0f81b6b58e887818e81d74c3ccbf9c7c22e4259bbe0

Download Submit
C:\windows\system\BETDPM.exe.bat

Filesize
72B

MD5
f6a3b39762bbd784dd57fdb7d8c711c1

SHA1
9864a4752c38d100b139247855d347c193846ae8

SHA256
1b503885a269e06cf6eaf98e60c102c1786936fd4a3639450a74ff9c224bba62

SHA512
a14d50ca84ab0f80941a9f2abcbefe752e21ee223ab2ca408d29b9469474a1a765064e7fcb971a78fd3d4c5faea2c13e17ee36f9408f11dde9739b261f2b0b77

Download Submit
C:\windows\system\KKYXFEC.exe

Filesize
289KB

MD5
14162560604bcd8802b1e158c55234d6

SHA1
aacd980c75d9ea8e7ea69d25f29a4fad24fb8445

SHA256
7a72763f58f745935b0c35dd5e848e1cff25673aaadb2741b61a4ff809ea4bd9

SHA512
4e72a2a6397d0aa0d92323cb959ed20f6390aeba8265aebe7089b2340fbe5d2982d37c571355f684c009a723be510454ec3a9f672c3e69b40da0797902b2ee2f

Download Submit
C:\windows\system\KKYXFEC.exe.bat

Filesize
74B

MD5
8fb8063cf9e5ad2f9701da800a427889

SHA1
8891286672b17b920f9807f099be9ba53ceeea2c

SHA256
1c2b748d585485ebe3995745d498f2c0644a3b63f719c8fb26dbfff38a20c92b

SHA512
b0b6055a34d287af5edf5a2f63a683c6866a5c2e2bd8c63696a29d2dde44acdfa2a566191cc07de2c65f4b4e256723037076d209e4c1e09be1ffab04dfbb0d5a

Download Submit
C:\windows\system\NIHC.exe.bat

Filesize
68B

MD5
844b30454e289047630dc02fa35190a6

SHA1
45d0db4997e14c876d7995a0588092a4354c86f3

SHA256
ccd4fcc20501bbe3ab66e6950bddcd466d3a2e9a2db79b0b107518f6d24385a2

SHA512
25563a96596a8314cf025e9ae6ca75b50a2dc8b3ed91949aaee57da87a3bc4c6471b53bb0e388f67a83496d40a411819b196e74ad66e8d6bd7d8f2d09dbcd0ae

Download Submit
C:\windows\system\PDBC.exe.bat

Filesize
68B

MD5
a4d671fb68215eb5145aaf0b8db81bef

SHA1
404d6ab567b79fdc62f0b40d66292a1ce678e041

SHA256
4eff386e327f7077315639c70a7d501cb553607fb85c08644a145b4d05fe6707

SHA512
412d81d18f42da2f08029a5da9eabcc0c15919cfe6a593ad317794906da1b00a8e465a889e198c69c5a21b27bc7384d98efd424c614b7642dc7d54deb9021813

Download Submit
C:\windows\system\SLBZYSF.exe

Filesize
289KB

MD5
d572f04d1ade58ccea05333aa750c047

SHA1
07d2bd706378ea3dd858158de32dc23c1e5c33fe

SHA256
fe4b31dd05b1f2e70a0ffb9d27a5a84fd9353133c039ee0749daff5bdf9383e9

SHA512
9b2e8cc865b27ef7fdbf2864bdb4bd726fd3da15030f6e75af5e617a2b99b4a4d20d38b4be5b384aa10fb6cf09dc9e04d263284c82b8d859ef10f78273fb6fe1

Download Submit
C:\windows\system\SLBZYSF.exe.bat

Filesize
74B

MD5
b7734869846a859945c11a5cea2aec9e

SHA1
f31139c3c0c454dc60b233e131088cb7d53e9bb7

SHA256
19b8bd0f059dd56722f9270af9bd293ddbd0d28ed3acb1382ec31485a2743780

SHA512
a52904e52abea828ad55c4dc0074fbc18e87e231eb2e429d084ebbf6f501a334c56350e305efee48e3bffdaf19236cafdd9b8075d3b735a8f92302aac666cb21

Download Submit
C:\windows\system\TYZQJJY.exe.bat

Filesize
74B

MD5
686505d46ce1fa92f3e71bb4f1b3cb82

SHA1
65339aa9281841c1f6547f46b7451cd8352d4300

SHA256
2d224d16f89ab32800569f3412030e382b75750788fe6cb4cdda031e70357a4e

SHA512
89400f0d40b2763df495ca2851118a944774da49ec728d479a75257ee8dc365f79914a0fe28166ebb5b78833f17a7c27a101f426e41ccefb86a8d79909d52979

Download Submit
memory/552-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/552-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-83-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3472-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3472-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3512-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3512-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4060-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4060-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download