0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
Size

282KB
MD5

1dddabcb33a8af52dbd5d14a31f8bfa0
SHA1

af44bc450e24fa311d34cf1016396e4da3987509
SHA256

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246
SHA512

f27c767a50c9629c4ef66e0a6a2e337a6b8d40503bd596ac4c1f83e4ae30774b23f00c5e4a57199c3b155d339b13caf8fcebe6cff469444600af84188b07cbf6
SSDEEP

6144:iXu/YXoz+PglGhhx9ebK7mOoS3C+kEjiPISUOgW9X+hOGzC/:GmYXoqPgl+9eaNv3C+kmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 17 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\windows\system\IBLL.exe	family_berbew
C:\Windows\ZRSOL.exe	family_berbew
C:\windows\MNKWV.exe	family_berbew
C:\Windows\SysWOW64\TIHI.exe	family_berbew
C:\windows\SysWOW64\RFBLS.exe	family_berbew
C:\Windows\DTZ.exe	family_berbew
C:\windows\SysWOW64\ZJCPJUR.exe	family_berbew
C:\windows\TCJASVH.exe	family_berbew
C:\Windows\DFPBJIL.exe	family_berbew
C:\Windows\SysWOW64\BVIEW.exe	family_berbew
C:\Windows\System\QLJDDJI.exe	family_berbew
C:\Windows\PEMLLP.exe	family_berbew
C:\Windows\XCZTCZO.exe	family_berbew
C:\windows\KZHFML.exe	family_berbew
C:\windows\SysWOW64\BNSXCIM.exe	family_berbew
C:\Windows\KSWEEG.exe	family_berbew
C:\Windows\System\NODA.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CWFLDSZ.exeINUQ.exeFCMD.exeRNZO.exeRKTL.exeVELEIV.exeFOH.exeWVZR.exeHEFO.exeUPWM.exeGRH.exeJNCQGQT.exeXJN.exeVMHIVDX.exeEGE.exeHVQB.exeAWN.exeFHXCVL.exeUAQP.exeKZLZPBS.exeKRPPFV.exeFPO.exeXGL.exeJCQN.exeTGESJEC.exeTDBOV.exeRVHAOC.exeUTNRMCM.exeZFWYI.exeZFUPCR.exeIAP.exeIBLL.exePHVUM.exeDXRR.exeMMHTUGD.exeGTSIYPI.exeWFEUPLX.exeABFRSMZ.exeAVM.exeZPG.exeYOURJ.exeXCZTCZO.exeUIGZ.exeZVIYMIM.exeDRPMZ.exeQNIEP.exeLBVNW.exeDFPBJIL.exeBVIEW.exeJZMR.exeQMZUEBW.exeCVP.exeNOV.exeMGQJMK.exeRZKDH.exeVKONKE.exePNGCRHP.exeZKONEFV.exeJPTHVPQ.exeHXWEAQ.exeXQWFTPM.exeIJOMCG.exeMZUM.exeNHIMZS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	CWFLDSZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	INUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	FCMD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	RNZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	RKTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VELEIV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	FOH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WVZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HEFO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	UPWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	GRH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	JNCQGQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VMHIVDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	EGE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HVQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	AWN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	FHXCVL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	UAQP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	KZLZPBS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	KRPPFV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	FPO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XGL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	JCQN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	TGESJEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	TDBOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	RVHAOC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	UTNRMCM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ZFWYI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ZFUPCR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	IAP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	IBLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	PHVUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DXRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MMHTUGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	GTSIYPI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WFEUPLX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ABFRSMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	AVM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ZPG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	YOURJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XCZTCZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	UIGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ZVIYMIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DRPMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	QNIEP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	LBVNW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DFPBJIL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	BVIEW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	JZMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	QMZUEBW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	CVP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	NOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MGQJMK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	RZKDH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VKONKE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	PNGCRHP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ZKONEFV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	JPTHVPQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HXWEAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XQWFTPM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	IJOMCG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MZUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	NHIMZS.exe

Executes dropped EXE 64 IoCs

Processes:

IBLL.exeZRSOL.exeMNKWV.exeTIHI.exeRFBLS.exeKAS.exeDTZ.exeZJCPJUR.exeTCJASVH.exeLFNW.exeDFPBJIL.exeBVIEW.exeQLJDDJI.exePEMLLP.exeCGUKAA.exeXCZTCZO.exeKZHFML.exeBNSXCIM.exeKSWEEG.exeCVOPIL.exeNODA.exeJZMR.exeSZOESM.exeHPPV.exeJNCQGQT.exeGSA.exeHVQB.exeYWSOFGZ.exeATGAU.exeGUNODJB.exeVKONKE.exeXHU.exeIAXA.exeSYDN.exeWOJVTV.exeXJN.exeQMZUEBW.exeVMHIVDX.exeJPD.exeUIGZ.exeHSOYPMD.exeCGGPY.exeGWN.exeCEH.exeWRMGP.exeJCQN.exeRNZO.exePNGCRHP.exeCYC.exeZVIYMIM.exeEGE.exeDRPMZ.exePHVUM.exeYHYZPD.exeZKONEFV.exeDSIDH.exeZTKFLI.exeQJRIWB.exeZHLJIX.exeDXRR.exeNUX.exeWVZR.exeXYDMST.exeVJOCB.exe

pid	process
3604	IBLL.exe
880	ZRSOL.exe
552	MNKWV.exe
3636	TIHI.exe
4836	RFBLS.exe
1116	KAS.exe
1124	DTZ.exe
4500	ZJCPJUR.exe
4808	TCJASVH.exe
2168	LFNW.exe
3580	DFPBJIL.exe
3008	BVIEW.exe
3832	QLJDDJI.exe
1584	PEMLLP.exe
376	CGUKAA.exe
5104	XCZTCZO.exe
4968	KZHFML.exe
2888	BNSXCIM.exe
5116	KSWEEG.exe
4044	CVOPIL.exe
1184	NODA.exe
3916	JZMR.exe
3612	SZOESM.exe
456	HPPV.exe
4460	JNCQGQT.exe
4788	GSA.exe
2040	HVQB.exe
5088	YWSOFGZ.exe
1184	ATGAU.exe
4368	GUNODJB.exe
220	VKONKE.exe
4796	XHU.exe
3376	IAXA.exe
4224	SYDN.exe
3788	WOJVTV.exe
400	XJN.exe
2080	QMZUEBW.exe
3008	VMHIVDX.exe
3136	JPD.exe
848	UIGZ.exe
1960	HSOYPMD.exe
2008	CGGPY.exe
408	GWN.exe
4808	CEH.exe
1404	WRMGP.exe
4556	JCQN.exe
2400	RNZO.exe
4516	PNGCRHP.exe
812	CYC.exe
1440	ZVIYMIM.exe
2936	EGE.exe
1612	DRPMZ.exe
1924	PHVUM.exe
1844	YHYZPD.exe
2928	ZKONEFV.exe
4028	DSIDH.exe
2912	ZTKFLI.exe
4560	QJRIWB.exe
3948	ZHLJIX.exe
1940	DXRR.exe
4460	NUX.exe
4604	WVZR.exe
4792	XYDMST.exe
5060	VJOCB.exe

Drops file in System32 directory 64 IoCs

Processes:

JOWVX.exeHEFO.exeFXKLI.exeCWFLDSZ.exeZTA.exeJCQN.exeDXRR.exeZHLJIX.exeGBXMHP.exeWVEPU.exeLPZ.exeUTSOR.exeKZHFML.exeYWSOFGZ.exeUAQP.exeTGESJEC.exeJRF.exeOUSI.exeATGAU.exeVMHIVDX.exeUAP.exeTIHI.exeTCJASVH.exeXHU.exeWVZR.exeUWANDVU.exeQNIEP.exeRKTL.exeRQZ.exeGSA.exeVKONKE.exeJKVQG.exeUUP.exeHSHHG.exeCYC.exeYHYZPD.exeWDWYHTR.exeFHXCVL.exeNHIMZS.exeDTZ.exeHXWEAQ.exeJPTHVPQ.exeHBABS.exeGAGFNIP.exeDFPBJIL.exePHVUM.exeIJOMCG.exeNOV.exe

description	ioc	process
File opened for modification	C:\windows\SysWOW64\EKBFIXJ.exe	JOWVX.exe
File created	C:\windows\SysWOW64\UPWM.exe.bat	HEFO.exe
File created	C:\windows\SysWOW64\NLOA.exe	FXKLI.exe
File created	C:\windows\SysWOW64\ZPG.exe	CWFLDSZ.exe
File created	C:\windows\SysWOW64\VLKKHIG.exe.bat	ZTA.exe
File created	C:\windows\SysWOW64\RNZO.exe	JCQN.exe
File opened for modification	C:\windows\SysWOW64\NUX.exe	DXRR.exe
File created	C:\windows\SysWOW64\DXRR.exe	ZHLJIX.exe
File created	C:\windows\SysWOW64\CLFLVA.exe	GBXMHP.exe
File created	C:\windows\SysWOW64\TAKMC.exe	WVEPU.exe
File created	C:\windows\SysWOW64\HYTGHU.exe.bat	LPZ.exe
File created	C:\windows\SysWOW64\RZKDH.exe.bat	UTSOR.exe
File created	C:\windows\SysWOW64\BNSXCIM.exe	KZHFML.exe
File opened for modification	C:\windows\SysWOW64\ATGAU.exe	YWSOFGZ.exe
File opened for modification	C:\windows\SysWOW64\MVOHZ.exe	UAQP.exe
File created	C:\windows\SysWOW64\KPTXWVF.exe	TGESJEC.exe
File created	C:\windows\SysWOW64\PSNUT.exe	JRF.exe
File created	C:\windows\SysWOW64\HXWEAQ.exe.bat	OUSI.exe
File opened for modification	C:\windows\SysWOW64\GUNODJB.exe	ATGAU.exe
File created	C:\windows\SysWOW64\JPD.exe.bat	VMHIVDX.exe
File created	C:\windows\SysWOW64\MVOHZ.exe.bat	UAQP.exe
File opened for modification	C:\windows\SysWOW64\NLOA.exe	FXKLI.exe
File created	C:\windows\SysWOW64\NLOA.exe.bat	FXKLI.exe
File opened for modification	C:\windows\SysWOW64\CNU.exe	UAP.exe
File created	C:\windows\SysWOW64\RFBLS.exe	TIHI.exe
File created	C:\windows\SysWOW64\LFNW.exe.bat	TCJASVH.exe
File created	C:\windows\SysWOW64\IAXA.exe.bat	XHU.exe
File opened for modification	C:\windows\SysWOW64\XYDMST.exe	WVZR.exe
File created	C:\windows\SysWOW64\UZMR.exe.bat	UWANDVU.exe
File created	C:\windows\SysWOW64\CVP.exe	QNIEP.exe
File created	C:\windows\SysWOW64\JKVQG.exe	RKTL.exe
File created	C:\windows\SysWOW64\KRPPFV.exe	RQZ.exe
File created	C:\windows\SysWOW64\HVQB.exe	GSA.exe
File created	C:\windows\SysWOW64\XHU.exe.bat	VKONKE.exe
File created	C:\windows\SysWOW64\JKVQG.exe.bat	RKTL.exe
File created	C:\windows\SysWOW64\WVEPU.exe	JKVQG.exe
File created	C:\windows\SysWOW64\KPTXWVF.exe.bat	TGESJEC.exe
File created	C:\windows\SysWOW64\HYTGHU.exe	LPZ.exe
File created	C:\windows\SysWOW64\UAP.exe	UUP.exe
File created	C:\windows\SysWOW64\VDQ.exe.bat	HSHHG.exe
File created	C:\windows\SysWOW64\ATGAU.exe	YWSOFGZ.exe
File created	C:\windows\SysWOW64\ZVIYMIM.exe.bat	CYC.exe
File created	C:\windows\SysWOW64\ZKONEFV.exe.bat	YHYZPD.exe
File created	C:\windows\SysWOW64\DXRR.exe.bat	ZHLJIX.exe
File created	C:\windows\SysWOW64\OLYDLQ.exe	WDWYHTR.exe
File created	C:\windows\SysWOW64\NMKJGJ.exe.bat	FHXCVL.exe
File created	C:\windows\SysWOW64\INUQ.exe	NHIMZS.exe
File created	C:\windows\SysWOW64\CNU.exe.bat	UAP.exe
File opened for modification	C:\windows\SysWOW64\ZJCPJUR.exe	DTZ.exe
File created	C:\windows\SysWOW64\HVQB.exe.bat	GSA.exe
File created	C:\windows\SysWOW64\HSHHG.exe.bat	HXWEAQ.exe
File opened for modification	C:\windows\SysWOW64\IAXA.exe	XHU.exe
File opened for modification	C:\windows\SysWOW64\KSXDBF.exe	JPTHVPQ.exe
File created	C:\windows\SysWOW64\EKBFIXJ.exe	JOWVX.exe
File created	C:\windows\SysWOW64\EKBFIXJ.exe.bat	JOWVX.exe
File created	C:\windows\SysWOW64\MVOHZ.exe	UAQP.exe
File created	C:\windows\SysWOW64\CWFLDSZ.exe	HBABS.exe
File created	C:\windows\SysWOW64\ULOWCLK.exe.bat	GAGFNIP.exe
File created	C:\windows\SysWOW64\BVIEW.exe.bat	DFPBJIL.exe
File created	C:\windows\SysWOW64\YHYZPD.exe	PHVUM.exe
File created	C:\windows\SysWOW64\MZUM.exe.bat	IJOMCG.exe
File opened for modification	C:\windows\SysWOW64\HBABS.exe	NOV.exe
File created	C:\windows\SysWOW64\CNU.exe	UAP.exe
File opened for modification	C:\windows\SysWOW64\RZKDH.exe	UTSOR.exe

Drops file in Windows directory 64 IoCs

Processes:

XYDMST.exeNKAIWS.exeZPG.exeLKNJCT.exeWKXMDS.exeVDQ.exeNODA.exeQJRIWB.exeEDE.exeTAKMC.exeDAZIU.exeYOURJ.exeONYD.exeIBLL.exeMMHTUGD.exeZDE.exeBVIEW.exeUZMR.exeCGYEDXU.exeNMU.exeTACEO.exeMCG.exeWOJVTV.exeEKBFIXJ.exeKYRRQT.exeUPWM.exeABFRSMZ.exeIAXA.exeJBG.exeZGIHC.exeKOQXQV.exeZDJCEZG.exeSTN.exeDRPMZ.exeDSIDH.exeAVM.exeLBVNW.exeKAS.exeJPD.exeHSOYPMD.exeWRMGP.exeTDBOV.exePSNUT.exeXQWFTPM.exeNLOA.exeCVOPIL.exeEGE.exeCLFLVA.exeNMKJGJ.exeCPV.exePJPSM.exeLFNW.exeKPTXWVF.exe

description	ioc	process
File opened for modification	C:\windows\system\VJOCB.exe	XYDMST.exe
File created	C:\windows\XHFCD.exe	NKAIWS.exe
File created	C:\windows\system\FPO.exe.bat	ZPG.exe
File created	C:\windows\system\AABTKA.exe	LKNJCT.exe
File created	C:\windows\UAQP.exe.bat	WKXMDS.exe
File opened for modification	C:\windows\XBJA.exe	VDQ.exe
File opened for modification	C:\windows\JZMR.exe	NODA.exe
File created	C:\windows\ZHLJIX.exe	QJRIWB.exe
File created	C:\windows\system\GBXMHP.exe.bat	EDE.exe
File opened for modification	C:\windows\ARL.exe	TAKMC.exe
File opened for modification	C:\windows\SVR.exe	DAZIU.exe
File opened for modification	C:\windows\system\UTSOR.exe	YOURJ.exe
File created	C:\windows\DID.exe.bat	ONYD.exe
File created	C:\windows\ZRSOL.exe.bat	IBLL.exe
File opened for modification	C:\windows\system\GBXMHP.exe	EDE.exe
File created	C:\windows\HPQSJ.exe	MMHTUGD.exe
File created	C:\windows\system\ZGIHC.exe.bat	ZDE.exe
File created	C:\windows\system\QLJDDJI.exe	BVIEW.exe
File created	C:\windows\system\NDPNWJF.exe	UZMR.exe
File opened for modification	C:\windows\system\FOH.exe	CGYEDXU.exe
File created	C:\windows\IZZKL.exe	NMU.exe
File opened for modification	C:\windows\system\QLJDDJI.exe	BVIEW.exe
File created	C:\windows\system\VJOCB.exe	XYDMST.exe
File opened for modification	C:\windows\system\AVM.exe	TACEO.exe
File opened for modification	C:\windows\system\FXKLI.exe	MCG.exe
File created	C:\windows\system\XJN.exe.bat	WOJVTV.exe
File created	C:\windows\system\TACEO.exe.bat	EKBFIXJ.exe
File opened for modification	C:\windows\LBVNW.exe	KYRRQT.exe
File opened for modification	C:\windows\NKAIWS.exe	UPWM.exe
File opened for modification	C:\windows\XGL.exe	ABFRSMZ.exe
File opened for modification	C:\windows\SYDN.exe	IAXA.exe
File created	C:\windows\system\XJN.exe	WOJVTV.exe
File created	C:\windows\MPLT.exe	JBG.exe
File opened for modification	C:\windows\system\TACEO.exe	EKBFIXJ.exe
File created	C:\windows\system\UTNRMCM.exe.bat	ZGIHC.exe
File created	C:\windows\system\QPY.exe	KOQXQV.exe
File created	C:\windows\VELEIV.exe	ZDJCEZG.exe
File opened for modification	C:\windows\system\IJOMCG.exe	STN.exe
File created	C:\windows\system\PHVUM.exe	DRPMZ.exe
File created	C:\windows\ZTKFLI.exe	DSIDH.exe
File created	C:\windows\system\ZFWYI.exe	AVM.exe
File opened for modification	C:\windows\AWN.exe	LBVNW.exe
File opened for modification	C:\windows\DTZ.exe	KAS.exe
File opened for modification	C:\windows\UIGZ.exe	JPD.exe
File created	C:\windows\system\CGGPY.exe	HSOYPMD.exe
File created	C:\windows\system\JCQN.exe	WRMGP.exe
File opened for modification	C:\windows\ZDJCEZG.exe	TDBOV.exe
File created	C:\windows\system\QLJDDJI.exe.bat	BVIEW.exe
File created	C:\windows\system\LPZ.exe	PSNUT.exe
File created	C:\windows\system\PYYSX.exe.bat	XQWFTPM.exe
File opened for modification	C:\windows\CGYEDXU.exe	NLOA.exe
File created	C:\windows\system\FOH.exe.bat	CGYEDXU.exe
File created	C:\windows\SVR.exe.bat	DAZIU.exe
File created	C:\windows\system\NODA.exe	CVOPIL.exe
File created	C:\windows\system\DRPMZ.exe	EGE.exe
File opened for modification	C:\windows\ZTKFLI.exe	DSIDH.exe
File created	C:\windows\system\JBG.exe.bat	CLFLVA.exe
File created	C:\windows\system\IAP.exe.bat	NMKJGJ.exe
File opened for modification	C:\windows\system\FCMD.exe	CPV.exe
File created	C:\windows\OUSI.exe.bat	PJPSM.exe
File created	C:\windows\DFPBJIL.exe.bat	LFNW.exe
File created	C:\windows\SYDN.exe	IAXA.exe
File created	C:\windows\ZTKFLI.exe.bat	DSIDH.exe
File created	C:\windows\ZFUPCR.exe	KPTXWVF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4196	3732	WerFault.exe	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
4176	3604	WerFault.exe	IBLL.exe
4496	880	WerFault.exe	ZRSOL.exe
2200	552	WerFault.exe	MNKWV.exe
4268	3636	WerFault.exe	TIHI.exe
1832	4836	WerFault.exe	RFBLS.exe
2504	1116	WerFault.exe	KAS.exe
5008	1124	WerFault.exe	DTZ.exe
3776	4500	WerFault.exe	ZJCPJUR.exe
552	4808	WerFault.exe	TCJASVH.exe
4080	2168	WerFault.exe	LFNW.exe
4024	3580	WerFault.exe	DFPBJIL.exe
4732	3008	WerFault.exe	BVIEW.exe
524	3832	WerFault.exe	QLJDDJI.exe
1544	1584	WerFault.exe	PEMLLP.exe
2400	376	WerFault.exe	CGUKAA.exe
220	5104	WerFault.exe	XCZTCZO.exe
3188	4968	WerFault.exe	KZHFML.exe
844	2888	WerFault.exe	BNSXCIM.exe
3948	5116	WerFault.exe	KSWEEG.exe
552	4044	WerFault.exe	CVOPIL.exe
4752	1184	WerFault.exe	NODA.exe
344	3916	WerFault.exe	JZMR.exe
3248	3612	WerFault.exe	SZOESM.exe
3008	456	WerFault.exe	HPPV.exe
4824	4460	WerFault.exe	JNCQGQT.exe
2972	4788	WerFault.exe	GSA.exe
2948	2040	WerFault.exe	HVQB.exe
4808	5088	WerFault.exe	YWSOFGZ.exe
2080	1184	WerFault.exe	ATGAU.exe
1656	4368	WerFault.exe	GUNODJB.exe
4836	220	WerFault.exe	VKONKE.exe
5016	4796	WerFault.exe	XHU.exe
2616	3376	WerFault.exe	IAXA.exe
1128	4224	WerFault.exe	SYDN.exe
1240	3788	WerFault.exe	WOJVTV.exe
3980	400	WerFault.exe	XJN.exe
4724	2080	WerFault.exe	QMZUEBW.exe
3612	3008	WerFault.exe	VMHIVDX.exe
4060	3136	WerFault.exe	JPD.exe
684	848	WerFault.exe	UIGZ.exe
5084	1960	WerFault.exe	HSOYPMD.exe
1208	2008	WerFault.exe	CGGPY.exe
3280	408	WerFault.exe	GWN.exe
4368	4808	WerFault.exe	CEH.exe
4444	1404	WerFault.exe	WRMGP.exe
1928	4556	WerFault.exe	JCQN.exe
3372	2400	WerFault.exe	RNZO.exe
404	4516	WerFault.exe	PNGCRHP.exe
2084	812	WerFault.exe	CYC.exe
4008	1440	WerFault.exe	ZVIYMIM.exe
2992	2936	WerFault.exe	EGE.exe
4080	1612	WerFault.exe	DRPMZ.exe
4336	1924	WerFault.exe	PHVUM.exe
2328	1844	WerFault.exe	YHYZPD.exe
4364	2928	WerFault.exe	ZKONEFV.exe
3256	4028	WerFault.exe	DSIDH.exe
2276	2912	WerFault.exe	ZTKFLI.exe
2052	4560	WerFault.exe	QJRIWB.exe
2032	3948	WerFault.exe	ZHLJIX.exe
4556	1940	WerFault.exe	DXRR.exe
3408	4460	WerFault.exe	NUX.exe
1960	4604	WerFault.exe	WVZR.exe
1092	4792	WerFault.exe	XYDMST.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exeIBLL.exeZRSOL.exeMNKWV.exeTIHI.exeRFBLS.exeKAS.exeDTZ.exeZJCPJUR.exeTCJASVH.exeLFNW.exeDFPBJIL.exeBVIEW.exeQLJDDJI.exePEMLLP.exeCGUKAA.exeXCZTCZO.exeKZHFML.exeBNSXCIM.exeKSWEEG.exeCVOPIL.exeNODA.exeJZMR.exeSZOESM.exeHPPV.exeJNCQGQT.exeGSA.exeHVQB.exeYWSOFGZ.exeATGAU.exeGUNODJB.exeVKONKE.exe

pid	process
3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
3604	IBLL.exe
3604	IBLL.exe
880	ZRSOL.exe
880	ZRSOL.exe
552	MNKWV.exe
552	MNKWV.exe
3636	TIHI.exe
3636	TIHI.exe
4836	RFBLS.exe
4836	RFBLS.exe
1116	KAS.exe
1116	KAS.exe
1124	DTZ.exe
1124	DTZ.exe
4500	ZJCPJUR.exe
4500	ZJCPJUR.exe
4808	TCJASVH.exe
4808	TCJASVH.exe
2168	LFNW.exe
2168	LFNW.exe
3580	DFPBJIL.exe
3580	DFPBJIL.exe
3008	BVIEW.exe
3008	BVIEW.exe
3832	QLJDDJI.exe
3832	QLJDDJI.exe
1584	PEMLLP.exe
1584	PEMLLP.exe
376	CGUKAA.exe
376	CGUKAA.exe
5104	XCZTCZO.exe
5104	XCZTCZO.exe
4968	KZHFML.exe
4968	KZHFML.exe
2888	BNSXCIM.exe
2888	BNSXCIM.exe
5116	KSWEEG.exe
5116	KSWEEG.exe
4044	CVOPIL.exe
4044	CVOPIL.exe
1184	NODA.exe
1184	NODA.exe
3916	JZMR.exe
3916	JZMR.exe
3612	SZOESM.exe
3612	SZOESM.exe
456	HPPV.exe
456	HPPV.exe
4460	JNCQGQT.exe
4460	JNCQGQT.exe
4788	GSA.exe
4788	GSA.exe
2040	HVQB.exe
2040	HVQB.exe
5088	YWSOFGZ.exe
5088	YWSOFGZ.exe
1184	ATGAU.exe
1184	ATGAU.exe
4368	GUNODJB.exe
4368	GUNODJB.exe
220	VKONKE.exe
220	VKONKE.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
3604	IBLL.exe
3604	IBLL.exe
880	ZRSOL.exe
880	ZRSOL.exe
552	MNKWV.exe
552	MNKWV.exe
3636	TIHI.exe
3636	TIHI.exe
4836	RFBLS.exe
4836	RFBLS.exe
1116	KAS.exe
1116	KAS.exe
1124	DTZ.exe
1124	DTZ.exe
4500	ZJCPJUR.exe
4500	ZJCPJUR.exe
4808	TCJASVH.exe
4808	TCJASVH.exe
2168	LFNW.exe
2168	LFNW.exe
3580	DFPBJIL.exe
3580	DFPBJIL.exe
3008	BVIEW.exe
3008	BVIEW.exe
3832	QLJDDJI.exe
3832	QLJDDJI.exe
1584	PEMLLP.exe
1584	PEMLLP.exe
376	CGUKAA.exe
376	CGUKAA.exe
5104	XCZTCZO.exe
5104	XCZTCZO.exe
4968	KZHFML.exe
4968	KZHFML.exe
2888	BNSXCIM.exe
2888	BNSXCIM.exe
5116	KSWEEG.exe
5116	KSWEEG.exe
4044	CVOPIL.exe
4044	CVOPIL.exe
1184	NODA.exe
1184	NODA.exe
3916	JZMR.exe
3916	JZMR.exe
3612	SZOESM.exe
3612	SZOESM.exe
456	HPPV.exe
456	HPPV.exe
4460	JNCQGQT.exe
4460	JNCQGQT.exe
4788	GSA.exe
4788	GSA.exe
2040	HVQB.exe
2040	HVQB.exe
5088	YWSOFGZ.exe
5088	YWSOFGZ.exe
1184	ATGAU.exe
1184	ATGAU.exe
4368	GUNODJB.exe
4368	GUNODJB.exe
220	VKONKE.exe
220	VKONKE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.execmd.exeIBLL.execmd.exeZRSOL.execmd.exeMNKWV.execmd.exeTIHI.execmd.exeRFBLS.execmd.exeKAS.execmd.exeDTZ.execmd.exeZJCPJUR.execmd.exeTCJASVH.execmd.exeLFNW.execmd.exe

description	pid	process	target process
PID 3732 wrote to memory of 5068	3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 3732 wrote to memory of 5068	3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 3732 wrote to memory of 5068	3732	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 5068 wrote to memory of 3604	5068	cmd.exe	IBLL.exe
PID 5068 wrote to memory of 3604	5068	cmd.exe	IBLL.exe
PID 5068 wrote to memory of 3604	5068	cmd.exe	IBLL.exe
PID 3604 wrote to memory of 4716	3604	IBLL.exe	cmd.exe
PID 3604 wrote to memory of 4716	3604	IBLL.exe	cmd.exe
PID 3604 wrote to memory of 4716	3604	IBLL.exe	cmd.exe
PID 4716 wrote to memory of 880	4716	cmd.exe	ZRSOL.exe
PID 4716 wrote to memory of 880	4716	cmd.exe	ZRSOL.exe
PID 4716 wrote to memory of 880	4716	cmd.exe	ZRSOL.exe
PID 880 wrote to memory of 1240	880	ZRSOL.exe	Conhost.exe
PID 880 wrote to memory of 1240	880	ZRSOL.exe	Conhost.exe
PID 880 wrote to memory of 1240	880	ZRSOL.exe	Conhost.exe
PID 1240 wrote to memory of 552	1240	cmd.exe	MNKWV.exe
PID 1240 wrote to memory of 552	1240	cmd.exe	MNKWV.exe
PID 1240 wrote to memory of 552	1240	cmd.exe	MNKWV.exe
PID 552 wrote to memory of 4044	552	MNKWV.exe	cmd.exe
PID 552 wrote to memory of 4044	552	MNKWV.exe	cmd.exe
PID 552 wrote to memory of 4044	552	MNKWV.exe	cmd.exe
PID 4044 wrote to memory of 3636	4044	cmd.exe	TIHI.exe
PID 4044 wrote to memory of 3636	4044	cmd.exe	TIHI.exe
PID 4044 wrote to memory of 3636	4044	cmd.exe	TIHI.exe
PID 3636 wrote to memory of 1468	3636	TIHI.exe	cmd.exe
PID 3636 wrote to memory of 1468	3636	TIHI.exe	cmd.exe
PID 3636 wrote to memory of 1468	3636	TIHI.exe	cmd.exe
PID 1468 wrote to memory of 4836	1468	cmd.exe	RFBLS.exe
PID 1468 wrote to memory of 4836	1468	cmd.exe	RFBLS.exe
PID 1468 wrote to memory of 4836	1468	cmd.exe	RFBLS.exe
PID 4836 wrote to memory of 4620	4836	RFBLS.exe	cmd.exe
PID 4836 wrote to memory of 4620	4836	RFBLS.exe	cmd.exe
PID 4836 wrote to memory of 4620	4836	RFBLS.exe	cmd.exe
PID 4620 wrote to memory of 1116	4620	cmd.exe	KAS.exe
PID 4620 wrote to memory of 1116	4620	cmd.exe	KAS.exe
PID 4620 wrote to memory of 1116	4620	cmd.exe	KAS.exe
PID 1116 wrote to memory of 3788	1116	KAS.exe	cmd.exe
PID 1116 wrote to memory of 3788	1116	KAS.exe	cmd.exe
PID 1116 wrote to memory of 3788	1116	KAS.exe	cmd.exe
PID 3788 wrote to memory of 1124	3788	cmd.exe	DTZ.exe
PID 3788 wrote to memory of 1124	3788	cmd.exe	DTZ.exe
PID 3788 wrote to memory of 1124	3788	cmd.exe	DTZ.exe
PID 1124 wrote to memory of 4008	1124	DTZ.exe	cmd.exe
PID 1124 wrote to memory of 4008	1124	DTZ.exe	cmd.exe
PID 1124 wrote to memory of 4008	1124	DTZ.exe	cmd.exe
PID 4008 wrote to memory of 4500	4008	cmd.exe	ZJCPJUR.exe
PID 4008 wrote to memory of 4500	4008	cmd.exe	ZJCPJUR.exe
PID 4008 wrote to memory of 4500	4008	cmd.exe	ZJCPJUR.exe
PID 4500 wrote to memory of 4496	4500	ZJCPJUR.exe	cmd.exe
PID 4500 wrote to memory of 4496	4500	ZJCPJUR.exe	cmd.exe
PID 4500 wrote to memory of 4496	4500	ZJCPJUR.exe	cmd.exe
PID 4496 wrote to memory of 4808	4496	cmd.exe	TCJASVH.exe
PID 4496 wrote to memory of 4808	4496	cmd.exe	TCJASVH.exe
PID 4496 wrote to memory of 4808	4496	cmd.exe	TCJASVH.exe
PID 4808 wrote to memory of 376	4808	TCJASVH.exe	cmd.exe
PID 4808 wrote to memory of 376	4808	TCJASVH.exe	cmd.exe
PID 4808 wrote to memory of 376	4808	TCJASVH.exe	cmd.exe
PID 376 wrote to memory of 2168	376	cmd.exe	LFNW.exe
PID 376 wrote to memory of 2168	376	cmd.exe	LFNW.exe
PID 376 wrote to memory of 2168	376	cmd.exe	LFNW.exe
PID 2168 wrote to memory of 3612	2168	LFNW.exe	cmd.exe
PID 2168 wrote to memory of 3612	2168	LFNW.exe	cmd.exe
PID 2168 wrote to memory of 3612	2168	LFNW.exe	cmd.exe
PID 3612 wrote to memory of 3580	3612	cmd.exe	DFPBJIL.exe

C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBLL.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\windows\system\IBLL.exe
C:\windows\system\IBLL.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZRSOL.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\windows\ZRSOL.exe
C:\windows\ZRSOL.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MNKWV.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\windows\MNKWV.exe
C:\windows\MNKWV.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TIHI.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\windows\SysWOW64\TIHI.exe
C:\windows\system32\TIHI.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFBLS.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\windows\SysWOW64\RFBLS.exe
C:\windows\system32\RFBLS.exe
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KAS.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\windows\KAS.exe
C:\windows\KAS.exe
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DTZ.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\windows\DTZ.exe
C:\windows\DTZ.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJCPJUR.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:1240

C:\windows\SysWOW64\ZJCPJUR.exe
C:\windows\system32\ZJCPJUR.exe
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TCJASVH.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\windows\TCJASVH.exe
C:\windows\TCJASVH.exe
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFNW.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\windows\SysWOW64\LFNW.exe
C:\windows\system32\LFNW.exe
21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DFPBJIL.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\windows\DFPBJIL.exe
C:\windows\DFPBJIL.exe
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "
24⤵
PID:5088

C:\windows\SysWOW64\BVIEW.exe
C:\windows\system32\BVIEW.exe
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLJDDJI.exe.bat" "
26⤵
PID:4460

C:\windows\system\QLJDDJI.exe
C:\windows\system\QLJDDJI.exe
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PEMLLP.exe.bat" "
28⤵
PID:2148

C:\windows\PEMLLP.exe
C:\windows\PEMLLP.exe
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGUKAA.exe.bat" "
30⤵
PID:4584

C:\windows\SysWOW64\CGUKAA.exe
C:\windows\system32\CGUKAA.exe
31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XCZTCZO.exe.bat" "
32⤵
PID:4100

C:\windows\XCZTCZO.exe
C:\windows\XCZTCZO.exe
33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZHFML.exe.bat" "
34⤵
PID:1372

C:\windows\KZHFML.exe
C:\windows\KZHFML.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNSXCIM.exe.bat" "
36⤵
PID:4172

C:\windows\SysWOW64\BNSXCIM.exe
C:\windows\system32\BNSXCIM.exe
37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KSWEEG.exe.bat" "
38⤵
PID:4776

C:\windows\KSWEEG.exe
C:\windows\KSWEEG.exe
39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CVOPIL.exe.bat" "
40⤵
PID:2812

C:\windows\system\CVOPIL.exe
C:\windows\system\CVOPIL.exe
41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NODA.exe.bat" "
42⤵
PID:4920

C:\windows\system\NODA.exe
C:\windows\system\NODA.exe
43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JZMR.exe.bat" "
44⤵
PID:2008

C:\windows\JZMR.exe
C:\windows\JZMR.exe
45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SZOESM.exe.bat" "
46⤵
PID:3788

C:\windows\SZOESM.exe
C:\windows\SZOESM.exe
47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPPV.exe.bat" "
48⤵
PID:812

C:\windows\system\HPPV.exe
C:\windows\system\HPPV.exe
49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
50⤵
PID:2548

C:\windows\JNCQGQT.exe
C:\windows\JNCQGQT.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GSA.exe.bat" "
52⤵
PID:1956

C:\windows\GSA.exe
C:\windows\GSA.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVQB.exe.bat" "
54⤵
PID:1068

C:\windows\SysWOW64\HVQB.exe
C:\windows\system32\HVQB.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YWSOFGZ.exe.bat" "
56⤵
PID:1832

C:\windows\YWSOFGZ.exe
C:\windows\YWSOFGZ.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATGAU.exe.bat" "
58⤵
PID:404

C:\windows\SysWOW64\ATGAU.exe
C:\windows\system32\ATGAU.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GUNODJB.exe.bat" "
60⤵
PID:2928

C:\windows\SysWOW64\GUNODJB.exe
C:\windows\system32\GUNODJB.exe
61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKONKE.exe.bat" "
62⤵
PID:3184

C:\windows\system\VKONKE.exe
C:\windows\system\VKONKE.exe
63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHU.exe.bat" "
64⤵
PID:228

C:\windows\SysWOW64\XHU.exe
C:\windows\system32\XHU.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAXA.exe.bat" "
66⤵
PID:1496

C:\windows\SysWOW64\IAXA.exe
C:\windows\system32\IAXA.exe
67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SYDN.exe.bat" "
68⤵
PID:552

C:\windows\SYDN.exe
C:\windows\SYDN.exe
69⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WOJVTV.exe.bat" "
70⤵
PID:3468

C:\windows\WOJVTV.exe
C:\windows\WOJVTV.exe
71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJN.exe.bat" "
72⤵
PID:4436

C:\windows\system\XJN.exe
C:\windows\system\XJN.exe
73⤵
- Checks computer location settings
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMZUEBW.exe.bat" "
74⤵
PID:4148

C:\windows\system\QMZUEBW.exe
C:\windows\system\QMZUEBW.exe
75⤵
- Checks computer location settings
- Executes dropped EXE
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VMHIVDX.exe.bat" "
76⤵
PID:2548

C:\windows\system\VMHIVDX.exe
C:\windows\system\VMHIVDX.exe
77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPD.exe.bat" "
78⤵
PID:844

C:\windows\SysWOW64\JPD.exe
C:\windows\system32\JPD.exe
79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UIGZ.exe.bat" "
80⤵
PID:4588

C:\windows\UIGZ.exe
C:\windows\UIGZ.exe
81⤵
- Checks computer location settings
- Executes dropped EXE
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HSOYPMD.exe.bat" "
82⤵
PID:2032

C:\windows\HSOYPMD.exe
C:\windows\HSOYPMD.exe
83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGGPY.exe.bat" "
84⤵
PID:1196

C:\windows\system\CGGPY.exe
C:\windows\system\CGGPY.exe
85⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GWN.exe.bat" "
86⤵
PID:812

C:\windows\GWN.exe
C:\windows\GWN.exe
87⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CEH.exe.bat" "
88⤵
PID:3300

C:\windows\CEH.exe
C:\windows\CEH.exe
89⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "
90⤵
PID:3256

C:\windows\WRMGP.exe
C:\windows\WRMGP.exe
91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JCQN.exe.bat" "
92⤵
PID:1956

C:\windows\system\JCQN.exe
C:\windows\system\JCQN.exe
93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "
94⤵
PID:2920

C:\windows\SysWOW64\RNZO.exe
C:\windows\system32\RNZO.exe
95⤵
- Checks computer location settings
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "
96⤵
PID:4272

C:\windows\system\PNGCRHP.exe
C:\windows\system\PNGCRHP.exe
97⤵
- Checks computer location settings
- Executes dropped EXE
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYC.exe.bat" "
98⤵
PID:2440

C:\windows\system\CYC.exe
C:\windows\system\CYC.exe
99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVIYMIM.exe.bat" "
100⤵
PID:736

C:\windows\SysWOW64\ZVIYMIM.exe
C:\windows\system32\ZVIYMIM.exe
101⤵
- Checks computer location settings
- Executes dropped EXE
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EGE.exe.bat" "
102⤵
PID:3848

C:\windows\EGE.exe
C:\windows\EGE.exe
103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRPMZ.exe.bat" "
104⤵
PID:3604

C:\windows\system\DRPMZ.exe
C:\windows\system\DRPMZ.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVUM.exe.bat" "
106⤵
PID:3324

C:\windows\system\PHVUM.exe
C:\windows\system\PHVUM.exe
107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHYZPD.exe.bat" "
108⤵
PID:4064

C:\windows\SysWOW64\YHYZPD.exe
C:\windows\system32\YHYZPD.exe
109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZKONEFV.exe.bat" "
110⤵
PID:4888

C:\windows\SysWOW64\ZKONEFV.exe
C:\windows\system32\ZKONEFV.exe
111⤵
- Checks computer location settings
- Executes dropped EXE
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DSIDH.exe.bat" "
112⤵
PID:3136

C:\windows\DSIDH.exe
C:\windows\DSIDH.exe
113⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZTKFLI.exe.bat" "
114⤵
PID:4932

C:\windows\ZTKFLI.exe
C:\windows\ZTKFLI.exe
115⤵
- Executes dropped EXE
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "
116⤵
PID:844

C:\windows\system\QJRIWB.exe
C:\windows\system\QJRIWB.exe
117⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZHLJIX.exe.bat" "
118⤵
PID:116

C:\windows\ZHLJIX.exe
C:\windows\ZHLJIX.exe
119⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DXRR.exe.bat" "
120⤵
PID:408

C:\windows\SysWOW64\DXRR.exe
C:\windows\system32\DXRR.exe
121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NUX.exe.bat" "
122⤵
PID:4048

C:\windows\SysWOW64\NUX.exe
C:\windows\system32\NUX.exe
123⤵
- Executes dropped EXE
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVZR.exe.bat" "
124⤵
PID:4740

C:\windows\system\WVZR.exe
C:\windows\system\WVZR.exe
125⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYDMST.exe.bat" "
126⤵
PID:3980

C:\windows\SysWOW64\XYDMST.exe
C:\windows\system32\XYDMST.exe
127⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJOCB.exe.bat" "
128⤵
PID:1556

C:\windows\system\VJOCB.exe
C:\windows\system\VJOCB.exe
129⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KOLZIJW.exe.bat" "
130⤵
PID:3776

C:\windows\SysWOW64\KOLZIJW.exe
C:\windows\system32\KOLZIJW.exe
131⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "
132⤵
PID:4808

C:\windows\EBQJ.exe
C:\windows\EBQJ.exe
133⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UWANDVU.exe.bat" "
134⤵
PID:376

C:\windows\system\UWANDVU.exe
C:\windows\system\UWANDVU.exe
135⤵
- Drops file in System32 directory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZMR.exe.bat" "
136⤵
PID:2032

C:\windows\SysWOW64\UZMR.exe
C:\windows\system32\UZMR.exe
137⤵
- Drops file in Windows directory
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
138⤵
PID:3208

C:\windows\system\NDPNWJF.exe
C:\windows\system\NDPNWJF.exe
139⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDE.exe.bat" "
140⤵
PID:1788

C:\windows\system\EDE.exe
C:\windows\system\EDE.exe
141⤵
- Drops file in Windows directory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "
142⤵
PID:2368

C:\windows\system\GBXMHP.exe
C:\windows\system\GBXMHP.exe
143⤵
- Drops file in System32 directory
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CLFLVA.exe.bat" "
144⤵
PID:2132

C:\windows\SysWOW64\CLFLVA.exe
C:\windows\system32\CLFLVA.exe
145⤵
- Drops file in Windows directory
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBG.exe.bat" "
146⤵
PID:2100

C:\windows\system\JBG.exe
C:\windows\system\JBG.exe
147⤵
- Drops file in Windows directory
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "
148⤵
PID:4324

C:\windows\MPLT.exe
C:\windows\MPLT.exe
149⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "
150⤵
PID:4468

C:\windows\system\JPTHVPQ.exe
C:\windows\system\JPTHVPQ.exe
151⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSXDBF.exe.bat" "
152⤵
PID:4172

C:\windows\SysWOW64\KSXDBF.exe
C:\windows\system32\KSXDBF.exe
153⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNIEP.exe.bat" "
154⤵
PID:1028

C:\windows\system\QNIEP.exe
C:\windows\system\QNIEP.exe
155⤵
- Checks computer location settings
- Drops file in System32 directory
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVP.exe.bat" "
156⤵
PID:2256

C:\windows\SysWOW64\CVP.exe
C:\windows\system32\CVP.exe
157⤵
- Checks computer location settings
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VYBIGCX.exe.bat" "
158⤵
PID:2912

C:\windows\VYBIGCX.exe
C:\windows\VYBIGCX.exe
159⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOC.exe.bat" "
160⤵
PID:2232

C:\windows\system\KOC.exe
C:\windows\system\KOC.exe
161⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMHTUGD.exe.bat" "
162⤵
PID:116

C:\windows\SysWOW64\MMHTUGD.exe
C:\windows\system32\MMHTUGD.exe
163⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HPQSJ.exe.bat" "
164⤵
PID:524

C:\windows\HPQSJ.exe
C:\windows\HPQSJ.exe
165⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFESV.exe.bat" "
166⤵
PID:1940

C:\windows\SysWOW64\LFESV.exe
C:\windows\system32\LFESV.exe
167⤵
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZDE.exe.bat" "
168⤵
PID:4968

C:\windows\SysWOW64\ZDE.exe
C:\windows\system32\ZDE.exe
169⤵
- Drops file in Windows directory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGIHC.exe.bat" "
170⤵
PID:848

C:\windows\system\ZGIHC.exe
C:\windows\system\ZGIHC.exe
171⤵
- Drops file in Windows directory
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTNRMCM.exe.bat" "
172⤵
PID:3044

C:\windows\system\UTNRMCM.exe
C:\windows\system\UTNRMCM.exe
173⤵
- Checks computer location settings
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOWVX.exe.bat" "
174⤵
PID:3744

C:\windows\SysWOW64\JOWVX.exe
C:\windows\system32\JOWVX.exe
175⤵
- Drops file in System32 directory
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKBFIXJ.exe.bat" "
176⤵
PID:1440

C:\windows\SysWOW64\EKBFIXJ.exe
C:\windows\system32\EKBFIXJ.exe
177⤵
- Drops file in Windows directory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "
178⤵
PID:4928

C:\windows\system\TACEO.exe
C:\windows\system\TACEO.exe
179⤵
- Drops file in Windows directory
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AVM.exe.bat" "
180⤵
PID:1128

C:\windows\system\AVM.exe
C:\windows\system\AVM.exe
181⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFWYI.exe.bat" "
182⤵
PID:1240

C:\windows\system\ZFWYI.exe
C:\windows\system\ZFWYI.exe
183⤵
- Checks computer location settings
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KYRRQT.exe.bat" "
184⤵
PID:4800

C:\windows\KYRRQT.exe
C:\windows\KYRRQT.exe
185⤵
- Drops file in Windows directory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LBVNW.exe.bat" "
186⤵
PID:4700

C:\windows\LBVNW.exe
C:\windows\LBVNW.exe
187⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AWN.exe.bat" "
188⤵
PID:3396

C:\windows\AWN.exe
C:\windows\AWN.exe
189⤵
- Checks computer location settings
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICRGRCQ.exe.bat" "
190⤵
PID:3772

C:\windows\SysWOW64\ICRGRCQ.exe
C:\windows\system32\ICRGRCQ.exe
191⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKTL.exe.bat" "
192⤵
PID:4928

C:\windows\system\RKTL.exe
C:\windows\system\RKTL.exe
193⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKVQG.exe.bat" "
194⤵
PID:4148

C:\windows\SysWOW64\JKVQG.exe
C:\windows\system32\JKVQG.exe
195⤵
- Drops file in System32 directory
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVEPU.exe.bat" "
196⤵
PID:1556

C:\windows\SysWOW64\WVEPU.exe
C:\windows\system32\WVEPU.exe
197⤵
- Drops file in System32 directory
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAKMC.exe.bat" "
198⤵
PID:4588

C:\windows\SysWOW64\TAKMC.exe
C:\windows\system32\TAKMC.exe
199⤵
- Drops file in Windows directory
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ARL.exe.bat" "
200⤵
PID:1584

C:\windows\ARL.exe
C:\windows\ARL.exe
201⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOQXQV.exe.bat" "
202⤵
PID:5104

C:\windows\system\KOQXQV.exe
C:\windows\system\KOQXQV.exe
203⤵
- Drops file in Windows directory
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPY.exe.bat" "
204⤵
PID:2100

C:\windows\system\QPY.exe
C:\windows\system\QPY.exe
205⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKXMDS.exe.bat" "
206⤵
PID:2900

C:\windows\SysWOW64\WKXMDS.exe
C:\windows\system32\WKXMDS.exe
207⤵
- Drops file in Windows directory
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UAQP.exe.bat" "
208⤵
PID:5088

C:\windows\UAQP.exe
C:\windows\UAQP.exe
209⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOHZ.exe.bat" "
210⤵
PID:1216

C:\windows\SysWOW64\MVOHZ.exe
C:\windows\system32\MVOHZ.exe
211⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WDWYHTR.exe.bat" "
212⤵
PID:4388

C:\windows\WDWYHTR.exe
C:\windows\WDWYHTR.exe
213⤵
- Drops file in System32 directory
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLYDLQ.exe.bat" "
214⤵
PID:4480

C:\windows\SysWOW64\OLYDLQ.exe
C:\windows\system32\OLYDLQ.exe
215⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HEFO.exe.bat" "
216⤵
PID:5084

C:\windows\system\HEFO.exe
C:\windows\system\HEFO.exe
217⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "
218⤵
PID:2232

C:\windows\SysWOW64\UPWM.exe
C:\windows\system32\UPWM.exe
219⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NKAIWS.exe.bat" "
220⤵
PID:2732

C:\windows\NKAIWS.exe
C:\windows\NKAIWS.exe
221⤵
- Drops file in Windows directory
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XHFCD.exe.bat" "
222⤵
PID:4008

C:\windows\XHFCD.exe
C:\windows\XHFCD.exe
223⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GQHHHY.exe.bat" "
224⤵
PID:472

C:\windows\GQHHHY.exe
C:\windows\GQHHHY.exe
225⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQWFTPM.exe.bat" "
226⤵
PID:1224

C:\windows\system\XQWFTPM.exe
C:\windows\system\XQWFTPM.exe
227⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PYYSX.exe.bat" "
228⤵
PID:4408

C:\windows\system\PYYSX.exe
C:\windows\system\PYYSX.exe
229⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGESJEC.exe.bat" "
230⤵
PID:1688

C:\windows\SysWOW64\TGESJEC.exe
C:\windows\system32\TGESJEC.exe
231⤵
- Checks computer location settings
- Drops file in System32 directory
PID:416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPTXWVF.exe.bat" "
232⤵
PID:1056

C:\windows\SysWOW64\KPTXWVF.exe
C:\windows\system32\KPTXWVF.exe
233⤵
- Drops file in Windows directory
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "
234⤵
PID:1092

C:\windows\ZFUPCR.exe
C:\windows\ZFUPCR.exe
235⤵
- Checks computer location settings
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\USZ.exe.bat" "
236⤵
PID:4476

C:\windows\USZ.exe
C:\windows\USZ.exe
237⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TDBOV.exe.bat" "
238⤵
PID:3388

C:\windows\system\TDBOV.exe
C:\windows\system\TDBOV.exe
239⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZDJCEZG.exe.bat" "
240⤵
PID:636

C:\windows\ZDJCEZG.exe
C:\windows\ZDJCEZG.exe
241⤵
- Drops file in Windows directory
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VELEIV.exe.bat" "
242⤵
PID:4500

C:\windows\VELEIV.exe
C:\windows\VELEIV.exe
243⤵
- Checks computer location settings
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "
244⤵
PID:1996

C:\windows\system\BES.exe
C:\windows\system\BES.exe
245⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRF.exe.bat" "
246⤵
PID:3060

C:\windows\SysWOW64\JRF.exe
C:\windows\system32\JRF.exe
247⤵
- Drops file in System32 directory
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSNUT.exe.bat" "
248⤵
PID:1492

C:\windows\SysWOW64\PSNUT.exe
C:\windows\system32\PSNUT.exe
249⤵
- Drops file in Windows directory
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPZ.exe.bat" "
250⤵
PID:3636

C:\windows\system\LPZ.exe
C:\windows\system\LPZ.exe
251⤵
- Drops file in System32 directory
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYTGHU.exe.bat" "
252⤵
PID:2812

C:\windows\SysWOW64\HYTGHU.exe
C:\windows\system32\HYTGHU.exe
253⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RVHAOC.exe.bat" "
254⤵
PID:4612

C:\windows\RVHAOC.exe
C:\windows\RVHAOC.exe
255⤵
- Checks computer location settings
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\STN.exe.bat" "
256⤵
PID:4824

C:\windows\system\STN.exe
C:\windows\system\STN.exe
257⤵
- Drops file in Windows directory
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IJOMCG.exe.bat" "
258⤵
PID:3208

C:\windows\system\IJOMCG.exe
C:\windows\system\IJOMCG.exe
259⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZUM.exe.bat" "
260⤵
PID:4916

C:\windows\SysWOW64\MZUM.exe
C:\windows\system32\MZUM.exe
261⤵
- Checks computer location settings
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MCG.exe.bat" "
262⤵
PID:4668

C:\windows\MCG.exe
C:\windows\MCG.exe
263⤵
- Drops file in Windows directory
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FXKLI.exe.bat" "
264⤵
PID:3576

C:\windows\system\FXKLI.exe
C:\windows\system\FXKLI.exe
265⤵
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NLOA.exe.bat" "
266⤵
PID:3172

C:\windows\SysWOW64\NLOA.exe
C:\windows\system32\NLOA.exe
267⤵
- Drops file in Windows directory
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGYEDXU.exe.bat" "
268⤵
PID:4080

C:\windows\CGYEDXU.exe
C:\windows\CGYEDXU.exe
269⤵
- Drops file in Windows directory
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FOH.exe.bat" "
270⤵
PID:3904

C:\windows\system\FOH.exe
C:\windows\system\FOH.exe
271⤵
- Checks computer location settings
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZLZPBS.exe.bat" "
272⤵
PID:2676

C:\windows\KZLZPBS.exe
C:\windows\KZLZPBS.exe
273⤵
- Checks computer location settings
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NMU.exe.bat" "
274⤵
PID:4452

C:\windows\system\NMU.exe
C:\windows\system\NMU.exe
275⤵
- Drops file in Windows directory
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IZZKL.exe.bat" "
276⤵
PID:3988

C:\windows\IZZKL.exe
C:\windows\IZZKL.exe
277⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKJA.exe.bat" "
278⤵
PID:5024

C:\windows\system\GKJA.exe
C:\windows\system\GKJA.exe
279⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGOKEA.exe.bat" "
280⤵
PID:3848

C:\windows\system\BGOKEA.exe
C:\windows\system\BGOKEA.exe
281⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOV.exe.bat" "
282⤵
PID:2440

C:\windows\NOV.exe
C:\windows\NOV.exe
283⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HBABS.exe.bat" "
284⤵
PID:4528

C:\windows\SysWOW64\HBABS.exe
C:\windows\system32\HBABS.exe
285⤵
- Drops file in System32 directory
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWFLDSZ.exe.bat" "
286⤵
PID:1140

C:\windows\SysWOW64\CWFLDSZ.exe
C:\windows\system32\CWFLDSZ.exe
287⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPG.exe.bat" "
288⤵
PID:3176

C:\windows\SysWOW64\ZPG.exe
C:\windows\system32\ZPG.exe
289⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPO.exe.bat" "
290⤵
PID:552

C:\windows\system\FPO.exe
C:\windows\system\FPO.exe
291⤵
- Checks computer location settings
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LKNJCT.exe.bat" "
292⤵
PID:2284

C:\windows\LKNJCT.exe
C:\windows\LKNJCT.exe
293⤵
- Drops file in Windows directory
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AABTKA.exe.bat" "
294⤵
PID:3980

C:\windows\system\AABTKA.exe
C:\windows\system\AABTKA.exe
295⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQZ.exe.bat" "
296⤵
PID:416

C:\windows\system\RQZ.exe
C:\windows\system\RQZ.exe
297⤵
- Drops file in System32 directory
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRPPFV.exe.bat" "
298⤵
PID:1412

C:\windows\SysWOW64\KRPPFV.exe
C:\windows\system32\KRPPFV.exe
299⤵
- Checks computer location settings
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
300⤵
PID:1644

C:\windows\MGQJMK.exe
C:\windows\MGQJMK.exe
301⤵
- Checks computer location settings
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "
302⤵
PID:880

C:\windows\FHXCVL.exe
C:\windows\FHXCVL.exe
303⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMKJGJ.exe.bat" "
304⤵
PID:1820

C:\windows\SysWOW64\NMKJGJ.exe
C:\windows\system32\NMKJGJ.exe
305⤵
- Drops file in Windows directory
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IAP.exe.bat" "
306⤵
PID:5060

C:\windows\system\IAP.exe
C:\windows\system\IAP.exe
307⤵
- Checks computer location settings
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GTSIYPI.exe.bat" "
308⤵
PID:2036

C:\windows\GTSIYPI.exe
C:\windows\GTSIYPI.exe
309⤵
- Checks computer location settings
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLZWIRJ.exe.bat" "
310⤵
PID:460

C:\windows\system\MLZWIRJ.exe
C:\windows\system\MLZWIRJ.exe
311⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "
312⤵
PID:4988

C:\windows\system\DECMQX.exe
C:\windows\system\DECMQX.exe
313⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRH.exe.bat" "
314⤵
PID:3896

C:\windows\system\GRH.exe
C:\windows\system\GRH.exe
315⤵
- Checks computer location settings
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "
316⤵
PID:4480

C:\windows\NHIMZS.exe
C:\windows\NHIMZS.exe
317⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUQ.exe.bat" "
318⤵
PID:4680

C:\windows\SysWOW64\INUQ.exe
C:\windows\system32\INUQ.exe
319⤵
- Checks computer location settings
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DAZIU.exe.bat" "
320⤵
PID:3008

C:\windows\DAZIU.exe
C:\windows\DAZIU.exe
321⤵
- Drops file in Windows directory
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "
322⤵
PID:4776

C:\windows\SVR.exe
C:\windows\SVR.exe
323⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GQU.exe.bat" "
324⤵
PID:812

C:\windows\GQU.exe
C:\windows\GQU.exe
325⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOVH.exe.bat" "
326⤵
PID:1068

C:\windows\SysWOW64\IOVH.exe
C:\windows\system32\IOVH.exe
327⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KMB.exe.bat" "
328⤵
PID:2656

C:\windows\KMB.exe
C:\windows\KMB.exe
329⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WFEUPLX.exe.bat" "
330⤵
PID:4008

C:\windows\WFEUPLX.exe
C:\windows\WFEUPLX.exe
331⤵
- Checks computer location settings
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UUP.exe.bat" "
332⤵
PID:4888

C:\windows\UUP.exe
C:\windows\UUP.exe
333⤵
- Drops file in System32 directory
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAP.exe.bat" "
334⤵
PID:4508

C:\windows\SysWOW64\UAP.exe
C:\windows\system32\UAP.exe
335⤵
- Drops file in System32 directory
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CNU.exe.bat" "
336⤵
PID:3904

C:\windows\SysWOW64\CNU.exe
C:\windows\system32\CNU.exe
337⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZTA.exe.bat" "
338⤵
PID:3104

C:\windows\SysWOW64\ZTA.exe
C:\windows\system32\ZTA.exe
339⤵
- Drops file in System32 directory
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VLKKHIG.exe.bat" "
340⤵
PID:4580

C:\windows\SysWOW64\VLKKHIG.exe
C:\windows\system32\VLKKHIG.exe
341⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HCQSLA.exe.bat" "
342⤵
PID:3224

C:\windows\HCQSLA.exe
C:\windows\HCQSLA.exe
343⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPV.exe.bat" "
344⤵
PID:536

C:\windows\system\CPV.exe
C:\windows\system\CPV.exe
345⤵
- Drops file in Windows directory
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCMD.exe.bat" "
346⤵
PID:2720

C:\windows\system\FCMD.exe
C:\windows\system\FCMD.exe
347⤵
- Checks computer location settings
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GAGFNIP.exe.bat" "
348⤵
PID:1376

C:\windows\GAGFNIP.exe
C:\windows\GAGFNIP.exe
349⤵
- Drops file in System32 directory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ULOWCLK.exe.bat" "
350⤵
PID:3908

C:\windows\SysWOW64\ULOWCLK.exe
C:\windows\system32\ULOWCLK.exe
351⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "
352⤵
PID:2100

C:\windows\system\YOURJ.exe
C:\windows\system\YOURJ.exe
353⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTSOR.exe.bat" "
354⤵
PID:4776

C:\windows\system\UTSOR.exe
C:\windows\system\UTSOR.exe
355⤵
- Drops file in System32 directory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZKDH.exe.bat" "
356⤵
PID:1028

C:\windows\SysWOW64\RZKDH.exe
C:\windows\system32\RZKDH.exe
357⤵
- Checks computer location settings
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CRNWHYY.exe.bat" "
358⤵
PID:3344

C:\windows\system\CRNWHYY.exe
C:\windows\system\CRNWHYY.exe
359⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXFKQDT.exe.bat" "
360⤵
PID:5068

C:\windows\SysWOW64\CXFKQDT.exe
C:\windows\system32\CXFKQDT.exe
361⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONYD.exe.bat" "
362⤵
PID:4844

C:\windows\system\ONYD.exe
C:\windows\system\ONYD.exe
363⤵
- Drops file in Windows directory
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DID.exe.bat" "
364⤵
PID:1644

C:\windows\DID.exe
C:\windows\DID.exe
365⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABFRSMZ.exe.bat" "
366⤵
PID:3908

C:\windows\SysWOW64\ABFRSMZ.exe
C:\windows\system32\ABFRSMZ.exe
367⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XGL.exe.bat" "
368⤵
PID:2100

C:\windows\XGL.exe
C:\windows\XGL.exe
369⤵
- Checks computer location settings
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJPSM.exe.bat" "
370⤵
PID:2436

C:\windows\system\PJPSM.exe
C:\windows\system\PJPSM.exe
371⤵
- Drops file in Windows directory
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OUSI.exe.bat" "
372⤵
PID:4460

C:\windows\OUSI.exe
C:\windows\OUSI.exe
373⤵
- Drops file in System32 directory
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXWEAQ.exe.bat" "
374⤵
PID:4296

C:\windows\SysWOW64\HXWEAQ.exe
C:\windows\system32\HXWEAQ.exe
375⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "
376⤵
PID:4440

C:\windows\SysWOW64\HSHHG.exe
C:\windows\system32\HSHHG.exe
377⤵
- Drops file in System32 directory
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDQ.exe.bat" "
378⤵
PID:648

C:\windows\SysWOW64\VDQ.exe
C:\windows\system32\VDQ.exe
379⤵
- Drops file in Windows directory
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XBJA.exe.bat" "
380⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 960
378⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1300
376⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1332
374⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1324
372⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 960
370⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 988
368⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1328
366⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1324
364⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 960
362⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1004
360⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1336
358⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 988
356⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1336
354⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1280
352⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1292
350⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1268
348⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 960
346⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1336
344⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1236
342⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1332
340⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1328
338⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 960
336⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1328
334⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1296
332⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1324
330⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 988
328⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1260
326⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 960
324⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 960
322⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1324
320⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1328
318⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1324
316⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 960
314⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1308
312⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 988
310⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1004
308⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1336
306⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 960
304⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960
302⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1324
300⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1256
298⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988
296⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 960
294⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1304
292⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1248
290⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1240
288⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1328
286⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 872
284⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 988
282⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 960
280⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1300
278⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 960
276⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1336
274⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1304
272⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1336
270⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1256
268⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1328
266⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 988
264⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1304
262⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1328
260⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1280
258⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1316
256⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 960
254⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328
252⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 960
250⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1328
248⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1008
246⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 988
244⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324
242⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 960
240⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 960
238⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1324
236⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960
234⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1300
232⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296
230⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1308
228⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 988
226⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 988
224⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1324
222⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1324
220⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 960
218⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1004
216⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328
214⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1000
212⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1260
210⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1352
208⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960
206⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336
204⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1004
202⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1236
200⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 988
198⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1256
196⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1260
194⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 960
192⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 872
190⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1324
188⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1324
186⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 872
184⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1336
182⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
180⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1336
178⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1308
176⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
174⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1336
172⤵
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1336
170⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1260
168⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 976
166⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 960
164⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1264
162⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1008
160⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960
158⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1240
156⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1336
154⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1220
152⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 988
150⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1256
148⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1316
146⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1328
144⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 976
142⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1264
140⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1336
138⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1300
136⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1280
134⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1324
132⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1304
130⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1308
128⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988
126⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988
124⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1328
122⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1328
120⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1324
118⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1312
116⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1008
114⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 960
112⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960
110⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 960
108⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1316
106⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1336
104⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1252
102⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1300
100⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1304
98⤵
- Program crash
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1336
96⤵
- Program crash
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
94⤵
- Program crash
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1336
92⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1296
90⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1296
88⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 960
86⤵
- Program crash
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 960
84⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 968
82⤵
- Program crash
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1236
80⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1328
78⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1316
76⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1308
74⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1336
72⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1296
70⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1304
68⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 976
66⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328
64⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1316
62⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
60⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 988
58⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1260
56⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 960
54⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1324
52⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1324
50⤵
- Program crash
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1336
48⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1304
46⤵
- Program crash
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1000
44⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1004
42⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1008
40⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1260
38⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1328
36⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1316
34⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1236
32⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1292
30⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1324
28⤵
- Program crash
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 960
26⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1300
24⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 960
22⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1272
20⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1296
18⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1264
16⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1324
14⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1304
12⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1304
10⤵
- Program crash
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1328
8⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1304
6⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 960
4⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1292
2⤵
- Program crash
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3732 -ip 3732
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3604 -ip 3604
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 880 -ip 880
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 552 -ip 552
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3636 -ip 3636
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1116 -ip 1116
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1124 -ip 1124
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4500 -ip 4500
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4808 -ip 4808
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3580 -ip 3580
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3008 -ip 3008
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3832 -ip 3832
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1584 -ip 1584
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 376 -ip 376
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5104 -ip 5104
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4968 -ip 4968
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2888 -ip 2888
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5116 -ip 5116
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4044 -ip 4044
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1184 -ip 1184
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3916 -ip 3916
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3612 -ip 3612
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 456 -ip 456
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4460 -ip 4460
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4788 -ip 4788
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2040 -ip 2040
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5088 -ip 5088
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1184 -ip 1184
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 220 -ip 220
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4796 -ip 4796
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3376 -ip 3376
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4224 -ip 4224
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3788 -ip 3788
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 400 -ip 400
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2080 -ip 2080
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3008 -ip 3008
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3136 -ip 3136
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 848 -ip 848
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1960 -ip 1960
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2008 -ip 2008
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 408 -ip 408
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4808 -ip 4808
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1404 -ip 1404
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2400 -ip 2400
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4516 -ip 4516
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 812 -ip 812
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1440 -ip 1440
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2936 -ip 2936
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1612 -ip 1612
1⤵
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1924 -ip 1924
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1844 -ip 1844
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2928 -ip 2928
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4028 -ip 4028
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2912 -ip 2912
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4560 -ip 4560
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3948 -ip 3948
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1940 -ip 1940
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5060 -ip 5060
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2536 -ip 2536
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3756 -ip 3756
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3188 -ip 3188
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4804 -ip 4804
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4364 -ip 4364
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1592 -ip 1592
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4340 -ip 4340
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 844 -ip 844
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3376 -ip 3376
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4588 -ip 4588
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3220 -ip 3220
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 404 -ip 404
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1664 -ip 1664
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1068 -ip 1068
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4328 -ip 4328
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3756 -ip 3756
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4452 -ip 4452
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 220 -ip 220
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2500 -ip 2500
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1524 -ip 1524
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4428 -ip 4428
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3720 -ip 3720
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4336 -ip 4336
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4652 -ip 4652
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4708 -ip 4708
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1592 -ip 1592
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3328 -ip 3328
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2584 -ip 2584
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1216 -ip 1216
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 524 -ip 524
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2336 -ip 2336
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4492 -ip 4492
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4956 -ip 4956
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4268 -ip 4268
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3332 -ip 3332
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4428 -ip 4428
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2972 -ip 2972
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 220 -ip 220
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2220 -ip 2220
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3308 -ip 3308
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4176 -ip 4176
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4812 -ip 4812
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4500 -ip 4500
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3756 -ip 3756
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3996 -ip 3996
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 416 -ip 416
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3948 -ip 3948
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4892 -ip 4892
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4620 -ip 4620
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3736 -ip 3736
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4020 -ip 4020
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 848 -ip 848
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4776 -ip 4776
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4444 -ip 4444
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4252 -ip 4252
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 456 -ip 456
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2900 -ip 2900
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2936 -ip 2936
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1116 -ip 1116
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1996 -ip 1996
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2656 -ip 2656
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3948 -ip 3948
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 440 -ip 440
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3092 -ip 3092
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1216 -ip 1216
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4028 -ip 4028
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2908 -ip 2908
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4480 -ip 4480
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 8 -ip 8
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4048 -ip 4048
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2360 -ip 2360
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4252 -ip 4252
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4536 -ip 4536
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2948 -ip 2948
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4604 -ip 4604
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2120 -ip 2120
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1496 -ip 1496
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3948 -ip 3948
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1584 -ip 1584
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 1116
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3708 -ip 3708
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1240 -ip 1240
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2732 -ip 2732
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2912 -ip 2912
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 636 -ip 636
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3272 -ip 3272
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2420 -ip 2420
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5044 -ip 5044
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3252 -ip 3252
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2976 -ip 2976
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2256 -ip 2256
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3424 -ip 3424
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3092 -ip 3092
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2052 -ip 2052
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3388 -ip 3388
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4816 -ip 4816
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2284 -ip 2284
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8 -ip 8
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4584 -ip 4584
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1468 -ip 1468
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4516 -ip 4516
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3672 -ip 3672
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5072 -ip 5072
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3968 -ip 3968
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4632 -ip 4632
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4676 -ip 4676
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4788 -ip 4788
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3760 -ip 3760
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 552 -ip 552
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1216 -ip 1216
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1208 -ip 1208
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3548 -ip 3548
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4920 -ip 4920
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1184 -ip 1184
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DFPBJIL.exe

Filesize
282KB

MD5
2ff7d9deadfe9369b3e3288667caa448

SHA1
7a2014f86c8c718a34269f88355ca676fe84cc3e

SHA256
4f145e84f61823ff86586225cb92b36396f3919639ee940fd09c45f36ed95ac1

SHA512
96a8661b0afd29e091cb53a8e8acaa748c3304b3a38680928be7d33da651f24d7e75cdb056f7613d9e57bb33ba02a8e1d6c354dc778374f7cf5507645cd07e9d

Download Submit
C:\Windows\DTZ.exe

Filesize
282KB

MD5
6218d2c5b6d48f96e55b65c49df8e00c

SHA1
12989e653bc7702fba132956b371a61d0b690fd2

SHA256
dfd49c4dcc4379ff92af56977706db0419694e82a0ee527e6cc55703f0a5f111

SHA512
8aff20cb01cd5ad66070dd795ddc43545c5697b091647c5f12a14bbc4777e2d856b2a950cd3c10692488e38fc685736e8d6f4ea6dcb28cc32984b7d362cb8acf

Download Submit
C:\Windows\KSWEEG.exe

Filesize
282KB

MD5
054c64e6d3413221fb037fe25cd1c2c2

SHA1
1d864d68cf384beee2f8b54e3ac23a6b6ac7623a

SHA256
dd5a9b4ce315dd4ed7115b0573e8b4af841d3a5fbae0f49bbc95155ee6fe29d5

SHA512
64ad8fc8bc8b707b991049fc870542180fd3b167f3ec394b6789355f8ebe4b1ec0b4e221f98b9a028e57fd7ee0bf0d896ddf6c5c7454472ed93365e2a8e5f818

Download Submit
C:\Windows\PEMLLP.exe

Filesize
282KB

MD5
c661cfe098001d9527f9257cdd00550a

SHA1
c5893b7130c8a2ec1ac92685fb3af5c8fb3883c4

SHA256
a2a7f95a95b66c7c95c8c4c28bc9733284c06aec0085c6abdf89a6d031365e39

SHA512
3868e215da4d770e1d28c5ea1d262af9eb21ffd6c51dde3e0e2db15a545963c5e91c62f868e8f73dbc0b2fb56bb85e9369c16ea68b841d01f17fc8d15129d0d2

Download Submit
C:\Windows\SysWOW64\BVIEW.exe

Filesize
282KB

MD5
6cf2e898dbc0e2fd87721f967b316a37

SHA1
eb57640e95b0eac8ca160d6f7b6a9e29b4457ef8

SHA256
fdc7fe40fb3f459262efd6d13edc776aa06afb0a992cd4ba71b0d642e2a452c1

SHA512
495edbba6431b4d6df12b9f1985bdfb1949088be0bc65dd8e606d069a634eafa8345ec491f734a77853abf58abe19dee9785a8f02bd41eb661796ae8ee0f14e4

Download Submit
C:\Windows\SysWOW64\TIHI.exe

Filesize
282KB

MD5
b862aa81b3a6ec3a300395dace1c8478

SHA1
ab8c72d6f94bded666aa27cee995148cc545d875

SHA256
94f6e49c7c8afb173a81326c1e4c8a8f89c416aafbfd873643dca4551637140e

SHA512
8ca21290e5e4a3f12dce7ae011ff739de7d61e0497720e28c3466c80837d0c9eb448f87b5b44fee5a9757ef55fc18cc36badeb39e6c2ecaf2d820a86311986b2

Download Submit
C:\Windows\System\NODA.exe

Filesize
282KB

MD5
832b54c8af7f1522a8a4a32f12cc4c18

SHA1
eacae944e1ffe285fc16b0d7db0c1ef5fa381853

SHA256
ddd35632fa1a2c5d38e9de0899989172582f6970cd0d4b0f2835b726997f9bed

SHA512
4c51dbf31e0fc6aee6e6a5355e445b29a0b93b742a75b968a9a0353a80aa43bed19d253c1bf2d4cf4185356fab10a4ef055d359f4bebb5cc560ae53dcb11ad17

Download Submit
C:\Windows\System\QLJDDJI.exe

Filesize
282KB

MD5
a790e9709a97b6433809120301f1dc11

SHA1
e725b081ae12ced2295a3a4403815002a0e53d20

SHA256
8a5f53f2a4889c0a670eb41d7ab599f06526cec6c52d4d5b9411d8d301fde5c7

SHA512
e062197839fbf161007654c63384dff99943db07f2888a42b96d1555341d2c92713faad76c900e9935da73555d3339220579eea51cc4abf05820714498f8ce2d

Download Submit
C:\Windows\XCZTCZO.exe

Filesize
282KB

MD5
9e7f1a57141927ca584e207400152624

SHA1
81a43ff33445b71f580abb5c20f1560c46a95548

SHA256
827c9a9f6c6c8000f510724ddbac4bc6281c612a3d717525c3953b8d0292e567

SHA512
862be1fbba6c5954f39a3e09b27b7dbffb489bd5040311425b13406df1a77585131efece0f4fc120e857857979fab6ce38ccf7deab0422334c2c61385774aed5

Download Submit
C:\Windows\ZRSOL.exe

Filesize
282KB

MD5
53d161b63ebbdfbed69ae40a81a37109

SHA1
41a75455f9b519ff6dd517d8183774685f2f7ce1

SHA256
bc08410d6b1655220a8bd0313e89dd4dac55cee11ba0c97848e20d80806e9624

SHA512
aae607f0e633ee853b8bfb7d8ec00fecf6ba7c2ab2f06db9d6366fb3e7256eed5e43c4ab8df5b3288c1cac53665303672235f5602c580e0fdddc2b9e64627e23

Download Submit
C:\windows\DFPBJIL.exe.bat

Filesize
60B

MD5
6f7d0da4f112e3a0f2e794e297c8995f

SHA1
69cff315af8076a40777c9f3b942fc44d51c5061

SHA256
f3ec88724dc8936985a804a2883f6e4eb128a76c8f270fd8d5270e43b1bec074

SHA512
837dabeaece9dfae81ade85c6433e6031cfcea526004d5cfd3aea177778e82e399602b3830d6a898b85649288b067f4b5f117b4e1b6a8d9f4058f159da486cdb

Download Submit
C:\windows\DTZ.exe.bat

Filesize
52B

MD5
1d56abef9ea06041a780706a18d27bb6

SHA1
e8d984f4e67787fb3fe7afd849be764933b271f3

SHA256
3694760db436b324bff908f087db17414ba8c8f7f27d3d9bc34822abbeed11cb

SHA512
576d5f951098961c84363b871111bb88033fb03d7ff5ea7b228b346391200cbbb10ba05bdaa8402e4e2578cd823b35887ed8fb878794629a114780c8610e7ff4

Download Submit
C:\windows\JZMR.exe.bat

Filesize
54B

MD5
e5ef7f7977ec6e45641a11c12a31ccdf

SHA1
e1bf1f5933d66e651f5d5f6d73eee5cfb95b6607

SHA256
8308453b97aef9fbd9c67efba13e688da93d4a4ce276db861d09da1eccec0103

SHA512
e33de41a2e95bc0fce2d0d7fa1b88b7b65443a0bac9eb7f26d790787ed89614d4d0116a2f31408770a02f550fb2427ead0d5488c42c696ca939c110654f94610

Download Submit
C:\windows\KAS.exe.bat

Filesize
52B

MD5
d38bc76c67b8c0068b0bcc87909e17a8

SHA1
9a3025b50534a2ea263f656cb139c3fab2855edc

SHA256
e37402e6b0a7c4527c5e1be632a335e91acfdbdc6494f24973487c34e4b170be

SHA512
aa62bd47d87bff50195fe753fa0f8457219d106d56b1c760dd2d3e3f72fb7f68b388346afb35bf5a3aa7a1b3e6fcfb539964fd50dd96c4817a0bfee86b3dce18

Download Submit
C:\windows\KSWEEG.exe.bat

Filesize
58B

MD5
fd7575e508ce29059e6d166a918f2da9

SHA1
bb79a048192abc491f50522de5f974deb241c208

SHA256
96794bb514a30827c9ed3880277ae751262770df7c110c9f483b408b4460d6ed

SHA512
0422754a054d65d4a5e3b8868261a254f95b14587078fad082898c4b65a1df551e98dcf9f360d1d3f1c9202d7a7649ca7ef92fa0b4c68924c6d9aa17a5fd413d

Download Submit
C:\windows\KZHFML.exe

Filesize
282KB

MD5
156f7756d655b53fbe69e703fcdef2c2

SHA1
2f2d22dd16500bde788a8256049d123fa218cda2

SHA256
aa8ce448421182aabaa96858f3f49bede660ca656514d8c6c016254f77deecf6

SHA512
8af535353cc4e6f9a12bdea2feb922d800ff9e11cd814066a34592486c0e2e91eb7a0971fd5a3e4aa29df471c2af39c8aceed85686005f1a70aee1f1223f77d8

Download Submit
C:\windows\KZHFML.exe.bat

Filesize
58B

MD5
c2de9f9f9720b18c00f4563818b0e711

SHA1
7de1083774cdf36f60d96be77d5fd580bba45fbe

SHA256
e5cd502ba80b35f7b9b0a617c5d267b50cf08f0e16aeaa1c6c3efa786e17b81b

SHA512
440629ffe94f00d32909ef59a48245586aba6aa75b3bd8a50da177039ed13ae1ae4ec1f203dafa3e914f56d56dc1a868f81bc04310104317df74b8a3f21edf6e

Download Submit
C:\windows\MNKWV.exe

Filesize
282KB

MD5
59553510740d9fcb11bba4c78a68bdac

SHA1
7ba065b8a7da6844dfb2e77e4adfdefc395dbaa3

SHA256
fb9b4b96a0d86fa016836a46f71876813f3dc9633d1262970c9eabbf8a1a288b

SHA512
892e61cd23cde80cbe677dabb99607c8529790cc9beccd86cc94b5ccd6adb49c98b4c6b2517f1381774f093b529fb8ccacc8c9efa33f44bea7bf70450e4dc2ed

Download Submit
C:\windows\MNKWV.exe.bat

Filesize
56B

MD5
ef771ebf66f62ab2f2760180363bf427

SHA1
5a761f552e6c88d339a18277237ec5605ad8b5a6

SHA256
55231d59520ec32be05995d09c2b1c061bbff7641979a4e4bf9a8803942e952d

SHA512
98f4d0cb8882913c956191473ec8f4aa997208363f7352f5e51493620889abc87d93ab93e87ced8e317f15cc14cb0aaf6b0f2936b81462239dfbb1bb8a546d90

Download Submit
C:\windows\PEMLLP.exe.bat

Filesize
58B

MD5
b8106c3ceba551793df05356f66d2ece

SHA1
44b954a41033f57604383ec5e51ed9e1cb257928

SHA256
7eb080d0dfb87053bf3c6e2fd4d141b43d642efe1a0d3928e8c9d0cce6d8ccac

SHA512
d760936d91aa2bb8bad3a55f1ee051268b3cd1a42879f4ebbdb1ea0c77ee672b0caa0c1f6f74cad37453e87a5aca49f48804872f074b8ad46caf5c3fe154b52d

Download Submit
C:\windows\SysWOW64\BNSXCIM.exe

Filesize
282KB

MD5
39e7dcd7264e81398759ecfc7d2bf11c

SHA1
2fe26d06ec121fb39f051414c09f13e7f145046d

SHA256
1a1bb0a376d1599aceb84f2f4f05ee181938c5d7b430dcd9e7ee7963d253f59e

SHA512
d8a325da6d433619caba0949112813f570d139251ee57f22e7204367c8ca247f37a9e2bb4f7b8fe4da019a0736313c63479b25a0f8a2d24d03853bd68b178570

Download Submit
C:\windows\SysWOW64\BNSXCIM.exe.bat

Filesize
78B

MD5
1d41af64a3962a7156b2ea9366ea8090

SHA1
852b7398bb2f8cd06f5eb38e2b9917b5d4f0d3f9

SHA256
e7bb91cf45fa93afc103e19bd9825f85d338a8b7877818ea9d379a2c0c03538c

SHA512
134e87248d2bac5799c2cd69dae4e6d165071a41eec553a66577aae27a8b7b2963e2b1169f2786075242c71fb35daeb7b30d53db34016801973f8ada124de435

Download Submit
C:\windows\SysWOW64\BVIEW.exe.bat

Filesize
74B

MD5
72a8fa12fe2b74194c3d146c9fe2153d

SHA1
042acd4ff9f0e0eab3e6717efc3ceb2842a6587c

SHA256
9314e2ff5dc8ff00e100ed0de7f5c4b6a7765c46d32ea98b01a5a88c38af2a35

SHA512
118db61e07ea548d6d13cb52f691b2c4f3b121f25c64c6da9f8576904f316380c405d086a875e9261336086254fb4963e9c82a12cdb8b65a956689494b09dcae

Download Submit
C:\windows\SysWOW64\CGUKAA.exe.bat

Filesize
76B

MD5
1221bfb8095b97880b08b585c75c9caa

SHA1
4430ad871d37bb52d26a012c1116cf0a9e9ea9d3

SHA256
01c9a1740f8e93603420e8b8d6e76d22cbf65a5b9ba68fa5147764a19985bd1b

SHA512
b5ff45c05553f0a63e618c916a6e399ff90faa91640e51083a2f073f57f8dda385bf450a273688d14a72022979c8791d9948d23b1eafa9ea86e727ef48563629

Download Submit
C:\windows\SysWOW64\LFNW.exe.bat

Filesize
72B

MD5
6ae15ec63cec9ccfb6d5b10097f163fe

SHA1
119afbf06c929802bf0c3fcff7b7aedda807f393

SHA256
48c2e5b7fcf1728ae75e277d834829c8f53617ce0ec9c0e13129bd9a1b877b95

SHA512
61f075bce441facbaf54501c26ef8588781eeb6ac731a46b5d97b4ffda5da06abe12cf3a8ea5651c571361a83d92c383048e227f023d6d678af0d33d5a1b3e69

Download Submit
C:\windows\SysWOW64\RFBLS.exe

Filesize
282KB

MD5
ef7f3917e14f676e965b73ff34c5b9a0

SHA1
70293b6c54afcada727fd3f91a20d3b2567b6a17

SHA256
13724d13034d8f2bbbf168aa77728338a5798f405392f01ca0ec1f0b10add178

SHA512
63b1de084539185c062a2820be43a740d2a8816de32cd172b9589ea44e4c71a61cd554eed6f900231a41e594a04c27014eaf9b938a1c83581a23a1e4d11e1124

Download Submit
C:\windows\SysWOW64\RFBLS.exe.bat

Filesize
74B

MD5
46a7771b6f61cc21c90634ec67d347e2

SHA1
0d48369aa035215e7e79b0bb1200f865bddcc758

SHA256
48ff637e90c84e7ae23ff789b41096d3f3ed8efc912b99be9e3ff4c5682a42c0

SHA512
ac17a63d9ea81fadb3041e5570847d99fea8d6ab0b980e5da408623105aced36b678fb51fbd5443860537f86e1e170860540c702367293b60451382f7c860ae2

Download Submit
C:\windows\SysWOW64\TIHI.exe.bat

Filesize
72B

MD5
e6f1ad8c5d7ad44b3b0e90e2a6e35258

SHA1
c5fbe41b97a3de5c78900d42717b60b5a9647640

SHA256
20f608f2ecb39233e48eadfcc47d78f34310dfc67f394b71f0a8fc0aabf0a53a

SHA512
1619a7bacbaa00f4ed0b91be6216b68b0913710fe657f30e8bddf2bf6c298086ada1aad1f2b7a91c9cce15e46485c1d915821aeecf153b0d885a2d2cd07e3000

Download Submit
C:\windows\SysWOW64\ZJCPJUR.exe

Filesize
282KB

MD5
ff9cd4ae921ec9eecd53a436fbf4a9d1

SHA1
45395d28292e140e6180554bbc3c833694c4c3ff

SHA256
97a513d112128180d1e6c7f908c8fa6d2d98f267ca1808ce9938c45e0b454302

SHA512
842bcc8744bafdfd275e59d69321c181846b5ff31bb7d163a91da4780d1de81becb7498c6d4120dda642e817f14ce65625ac26166f91de9c18f852cc6abee7d6

Download Submit
C:\windows\SysWOW64\ZJCPJUR.exe.bat

Filesize
78B

MD5
bf1ca2c8a130f61825a40f4d58e2ea10

SHA1
cbd83b536e02559ee10b94af5c122d165c50a8ee

SHA256
d82a489bb3517f78a9f73f05b95b16b7584b5a249555d84df2f09b2b9f46b034

SHA512
f4f1d3a80b84167e5a8a81fa83604b6905e5f36ba2496b3519a4a8209222f540634da3baa7ee787b0231de9753d423a63791274c1c1012347843635bb555c0d7

Download Submit
C:\windows\TCJASVH.exe

Filesize
282KB

MD5
8a1a7328a500ac9a815829ccec2b137a

SHA1
0bc74be71df02a110a8d834ef157502281a1035e

SHA256
55fa4027d17481ddc75469f61b82eea9a103afdaa8f2961ef6476e1df1d5ed4e

SHA512
c48989ef1d7bb590c690d3e4c078d349f737f22557dede791604c445d360053075f27b17a5938d1e44d7ce5c2f8c3b26f9c5d71279fb2712891527247422c986

Download Submit
C:\windows\TCJASVH.exe.bat

Filesize
60B

MD5
7dc0704f3766d8f50ffbc8a666932f9e

SHA1
60092e15ba9fb3d8136fa4ba2325f3293a48c699

SHA256
6ce7118d64ad6cdf702c67bed5c9559c6d471d9aaabba8785710939684710075

SHA512
6462f2213fc0440185e64c9f0d956486415a0e6ee650f9ffb9f2f16be0cee958062a6269e6283f606c21cedda39996da4a9d1d8bed0af326fbab94f219300717

Download Submit
C:\windows\XCZTCZO.exe.bat

Filesize
60B

MD5
09ec7ef89c3556f5691c667786a98603

SHA1
919206bde831cf17158f2e6619923dc974ad0155

SHA256
35b325c7e79d38bb460fd3ccf523fe4d3e6f7fb663e5adfaccabfe99fca28c94

SHA512
14d4a0ce4bcfd0b95e11b265e185c2a0668077374973424a93722320599b854b08e9c5ff37cf2a2efceba7626a52e39f3a5cb4847458653227b4b0faf1b8fd73

Download Submit
C:\windows\ZRSOL.exe.bat

Filesize
56B

MD5
c4e55d1c98fe97df5f2b464485e6c806

SHA1
ab16054b11752d41cf795e4be301b80424cb91db

SHA256
84dd500ffa93ab601affaec35b6a980d7f2024289f24e4b9835dc2605ca6169a

SHA512
7e331af53fc35995fae75f4595d100a305dde64c7499842cfc996f7374ca79e48545282fcf5f4d07d070ee2993f07c672a33bdbc47bf8613fda5177d89fbc3a1

Download Submit
C:\windows\system\CVOPIL.exe.bat

Filesize
72B

MD5
3b107942880ce69704d7b22bc400ba91

SHA1
6fa0009801cf11a794abf8852c4c37b75d370c41

SHA256
ae5e7f9a966f12c941dd0213e0e2ac08edd866e1dab7dbe7f1a6826615db0927

SHA512
35f2633c31f800cc37697fc9a61eb5eb255adc4c3ab37445272b8c5e865a1236d240a57f281fd4971c0040ffe9f0ac56bb1c0b5d3967cf00bab6747744c4f614

Download Submit
C:\windows\system\IBLL.exe

Filesize
282KB

MD5
027d898f7d07f5732eeba3c92255d8b6

SHA1
e1baecf51b2dd7fffabceb76038fa90228d8f35c

SHA256
a57aa248e241effc35b532154a4ba095175d0dc0c204cde96157142dfea7ce34

SHA512
c739b92dc718843b2513b885ff514e0e36c5fe9bbd5aabfe4a520239c082f07467e09b3eb13521344acb387bafb7e3b7f364f89d6a43561aa08c7a5d0d12ec3e

Download Submit
C:\windows\system\IBLL.exe.bat

Filesize
68B

MD5
5c3c010d3a2a8f695d748350608cb2b7

SHA1
21624967e3b4857b17204e4dc8862954f32bc581

SHA256
154785748311478640d21803068a7c0d1fa80e91673b50e048e64719271f1f34

SHA512
a4fa3d41410e0e58812fa702f5c78b93a1d4b32527e79b79a4c85c09dd84c2c28d5b4a1c91f0b1d4ebcb190aaea69c4c0de2702421e80ec12e9c7f4525893b27

Download Submit
C:\windows\system\NODA.exe.bat

Filesize
68B

MD5
dd7e7eba6832922c76f508399d513ed8

SHA1
2dd0c70d6fa1e7e50e3c0deeec0a3f74ddf87e9a

SHA256
b219a02c11d74d4835395d25308e9438948d6898fd0876046387d8e69793cb48

SHA512
459a2ebf6baf0141c62f469c71c5467d07d0d068f4427eaa07a2eab66849b4dc6afbf21a8d97823d52b153ef9c13310d5d1661e848bac915ca3bc03679546e05

Download Submit
C:\windows\system\QLJDDJI.exe.bat

Filesize
74B

MD5
ac193dc4f896809041e4714df10f20de

SHA1
fea507f4d90d45d6886a2e3fd95e9717dff322e5

SHA256
1f204497df237e4e5adfc7c7ec05700b400a7336acbad08ecd149005feb00fdd

SHA512
0f82f2eccbdd5614e2f83cfb1cfc5cfb5531a53d0109922cf771a4b55732c071e31e01b4952e02efbb1463999a665e125d63e7218acff00fac6f0e1493097bf1

Download Submit
memory/220-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/376-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/456-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/456-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/812-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/848-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/848-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1116-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1116-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1584-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1584-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1960-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1960-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2400-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3136-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3136-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3376-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3376-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3604-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3604-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3732-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3732-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-257-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4224-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4224-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4460-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4460-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4500-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4500-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4788-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4788-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-78-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4968-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4968-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5104-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5104-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5116-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5116-245-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download