1f08b4d2fc7e0e9e5a25e924cd92b54a12228525138edf52b3ec002c8a2dff8a

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
Size

282KB
MD5

09a7a3ad08908cfc605b5fbf800a6e10
SHA1

7a53cd3ec208e0c0f0a17dbe183e5558a1773ef6
SHA256

1f08b4d2fc7e0e9e5a25e924cd92b54a12228525138edf52b3ec002c8a2dff8a
SHA512

1d4499d10d48a9c48d18fc44961b0d7e514940cb3363ca52a2e56b4776001af2817c75150a3fafddd05bf991d6fa70607288e9bf3c8e4606abf1733c10c2bf28
SSDEEP

6144:hwDXrJ1ryPClC+Vog84RkEjiPISUOgW9X+hOGzC/:hSd1ryPgFag8akmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 20 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\System\JRQDEG.exe	family_berbew
C:\Windows\System\AAS.exe	family_berbew
C:\Windows\CIU.exe	family_berbew
C:\windows\LRCOSBS.exe	family_berbew
C:\Windows\System\TEBVD.exe	family_berbew
C:\windows\system\SPED.exe	family_berbew
C:\Windows\QAPTVF.exe	family_berbew
C:\Windows\MFBX.exe	family_berbew
C:\windows\LQKYUP.exe	family_berbew
C:\Windows\System\MOKHWZY.exe	family_berbew
C:\Windows\OMMZYYK.exe	family_berbew
C:\windows\system\WVUT.exe	family_berbew
C:\windows\system\PNKD.exe	family_berbew
C:\windows\MOM.exe	family_berbew
C:\Windows\FGB.exe	family_berbew
C:\Windows\BHRIS.exe	family_berbew
C:\Windows\LXXCZPD.exe	family_berbew
C:\windows\SPMKR.exe	family_berbew
C:\Windows\System\OQWN.exe	family_berbew
C:\Windows\QOCH.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MOUFXD.exeIYIQ.exeVSS.exeLJZR.exeBATJKOD.exeMOM.exeQWDFQ.exeNHYH.exeSPED.exeOMMZYYK.exeOGOIIZ.exeMOKHWZY.exeQEERI.exeMFUYMYQ.exeZVEZBV.exeGTSIYPI.exeLPXRZQ.exeUUP.exeJKQP.exePNKD.exeFGB.exeYBDL.exeTKQ.exeTCYLVTK.exeWJICHHK.exeCHYZAM.exeVTNBOQ.exeGSLIZ.exeTLEN.exeLXXCZPD.exeZVIYMIM.exeSTN.exeTIYI.exeZOYDPC.exePZOYL.exeGPT.exeOMP.exeLVQF.exeRMWZ.exeIBECMU.exeTEBVD.exeWVUT.exeESP.exeTGP.exeSPMKR.exeOQWN.exeHDVESID.exeHEZRQQM.exeXUJZIUX.exeEQUUSV.exeGBNN.exeBHRIS.exeOMHAF.exeZIPDDM.exeJRQDEG.exeODW.exeHJMJKTR.exeYBWP.exeZUEK.exeTAFOUF.exeZGF.exeBOIAWQ.exeXUYKDZG.exeODEHIQB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	MOUFXD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	IYIQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	VSS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	LJZR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	BATJKOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	MOM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	QWDFQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	NHYH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SPED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OMMZYYK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OGOIIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	MOKHWZY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	QEERI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	MFUYMYQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZVEZBV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	GTSIYPI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	LPXRZQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	UUP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	JKQP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	PNKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	FGB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	YBDL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TCYLVTK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WJICHHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	CHYZAM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	VTNBOQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	GSLIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TLEN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	LXXCZPD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZVIYMIM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	STN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TIYI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZOYDPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	PZOYL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	GPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OMP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	LVQF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	RMWZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	IBECMU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TEBVD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WVUT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ESP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TGP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SPMKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OQWN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	HDVESID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	HEZRQQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	XUJZIUX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	EQUUSV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	GBNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	BHRIS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OMHAF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZIPDDM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	JRQDEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ODW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	HJMJKTR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	YBWP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZUEK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	TAFOUF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ZGF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	BOIAWQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	XUYKDZG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ODEHIQB.exe

Executes dropped EXE 64 IoCs

Processes:

JRQDEG.exeAAS.exeCIU.exeNBPW.exeLRCOSBS.exeTEBVD.exeSPED.exeQAPTVF.exeMFBX.exeLQKYUP.exeMOKHWZY.exeEWYEIQB.exeOMMZYYK.exeWVUT.exePNKD.exeMOM.exeFGB.exeBHRIS.exeLXXCZPD.exeSPMKR.exeOQWN.exeQOCH.exeBWXW.exeYBDL.exeNRQDPX.exeBPQO.exeNFJONM.exeJGTRQ.exeMOUFXD.exeOMHAF.exeTRSP.exeXUYKDZG.exeODEHIQB.exeUQQI.exeZVIYMIM.exeMBIJNU.exeAMQACX.exeNKYM.exeMSNR.exeDDQ.exeULEE.exeQONDAHI.exeQWDFQ.exeBMQ.exeZIPDDM.exeTAFOUF.exeMTUZ.exeDOSJM.exeHEZRQQM.exeKRQ.exeINPTOE.exeZVEZBV.exeRVSWNM.exeGLTVM.exeQJZQBQE.exeRHTRNMV.exeESP.exeNQJ.exeSTN.exeODW.exeWJICHHK.exeGCSC.exeCHYZAM.exeGKIMJY.exe

pid	process
3020	JRQDEG.exe
1636	AAS.exe
3116	CIU.exe
4684	NBPW.exe
764	LRCOSBS.exe
3860	TEBVD.exe
2372	SPED.exe
4952	QAPTVF.exe
2284	MFBX.exe
1132	LQKYUP.exe
2360	MOKHWZY.exe
1868	EWYEIQB.exe
2428	OMMZYYK.exe
2280	WVUT.exe
1232	PNKD.exe
924	MOM.exe
4612	FGB.exe
4808	BHRIS.exe
3696	LXXCZPD.exe
2996	SPMKR.exe
4996	OQWN.exe
888	QOCH.exe
4068	BWXW.exe
3832	YBDL.exe
1580	NRQDPX.exe
2372	BPQO.exe
4000	NFJONM.exe
2852	JGTRQ.exe
1180	MOUFXD.exe
1760	OMHAF.exe
4028	TRSP.exe
2796	XUYKDZG.exe
2572	ODEHIQB.exe
2996	UQQI.exe
4348	ZVIYMIM.exe
2852	MBIJNU.exe
4160	AMQACX.exe
3832	NKYM.exe
3580	MSNR.exe
4684	DDQ.exe
3348	ULEE.exe
1448	QONDAHI.exe
5064	QWDFQ.exe
740	BMQ.exe
2880	ZIPDDM.exe
4512	TAFOUF.exe
1896	MTUZ.exe
3312	DOSJM.exe
2216	HEZRQQM.exe
556	KRQ.exe
3076	INPTOE.exe
1444	ZVEZBV.exe
4804	RVSWNM.exe
232	GLTVM.exe
372	QJZQBQE.exe
3920	RHTRNMV.exe
1780	ESP.exe
3112	NQJ.exe
2284	STN.exe
1728	ODW.exe
1392	WJICHHK.exe
4568	GCSC.exe
1820	CHYZAM.exe
4448	GKIMJY.exe

Drops file in System32 directory 64 IoCs

Processes:

LVQF.exeIBECMU.exeGBNN.exeRHTRNMV.exeGSLIZ.exeYBWP.exeNRQDPX.exeTUWXW.exeGPT.exeEEHG.exeLJZR.exeZVIYMIM.exeXUJZIUX.exeZHPHP.exeODW.exeVSS.exeGTSIYPI.exeUEGQQ.exeUQQI.exeZVEZBV.exeGLTVM.exeTIYI.exeBOIAWQ.exeNRVW.exeWTTR.exeQWDFQ.exeEQUUSV.exeYQELVDT.exeIOMEZAZ.exeDBHI.exeRVSWNM.exeTCYLVTK.exeHJMJKTR.exeJKQP.exeKZP.exeXFGFI.exeSAPMW.exePMKPYOE.exeMOUFXD.exeQJZQBQE.exeNQJ.exeZYLP.exeVFITAQ.exeBSXEI.exe

description	ioc	process
File created	C:\windows\SysWOW64\QVMINTJ.exe	LVQF.exe
File created	C:\windows\SysWOW64\LJZR.exe	IBECMU.exe
File created	C:\windows\SysWOW64\ZOYDPC.exe	GBNN.exe
File created	C:\windows\SysWOW64\ESP.exe	RHTRNMV.exe
File opened for modification	C:\windows\SysWOW64\ZGF.exe	GSLIZ.exe
File created	C:\windows\SysWOW64\TLEN.exe.bat	YBWP.exe
File opened for modification	C:\windows\SysWOW64\BPQO.exe	NRQDPX.exe
File opened for modification	C:\windows\SysWOW64\VSPRD.exe	TUWXW.exe
File created	C:\windows\SysWOW64\GKXIK.exe.bat	GPT.exe
File created	C:\windows\SysWOW64\MJGFATW.exe	EEHG.exe
File opened for modification	C:\windows\SysWOW64\SEW.exe	LJZR.exe
File opened for modification	C:\windows\SysWOW64\MBIJNU.exe	ZVIYMIM.exe
File created	C:\windows\SysWOW64\UKWRY.exe.bat	XUJZIUX.exe
File created	C:\windows\SysWOW64\TUUZ.exe	ZHPHP.exe
File opened for modification	C:\windows\SysWOW64\WJICHHK.exe	ODW.exe
File created	C:\windows\SysWOW64\VSPRD.exe	TUWXW.exe
File created	C:\windows\SysWOW64\ZYLP.exe	VSS.exe
File created	C:\windows\SysWOW64\HJMJKTR.exe	GTSIYPI.exe
File created	C:\windows\SysWOW64\KRXO.exe	UEGQQ.exe
File created	C:\windows\SysWOW64\ZVIYMIM.exe	UQQI.exe
File created	C:\windows\SysWOW64\RVSWNM.exe	ZVEZBV.exe
File created	C:\windows\SysWOW64\QJZQBQE.exe.bat	GLTVM.exe
File created	C:\windows\SysWOW64\NGZSC.exe.bat	TIYI.exe
File created	C:\windows\SysWOW64\WYRR.exe.bat	BOIAWQ.exe
File created	C:\windows\SysWOW64\JRF.exe	NRVW.exe
File created	C:\windows\SysWOW64\SEW.exe.bat	LJZR.exe
File created	C:\windows\SysWOW64\WYTFV.exe.bat	WTTR.exe
File created	C:\windows\SysWOW64\BMQ.exe	QWDFQ.exe
File created	C:\windows\SysWOW64\BVA.exe	EQUUSV.exe
File created	C:\windows\SysWOW64\GKXIK.exe	GPT.exe
File created	C:\windows\SysWOW64\GBNN.exe.bat	YQELVDT.exe
File created	C:\windows\SysWOW64\TGP.exe.bat	IOMEZAZ.exe
File created	C:\windows\SysWOW64\BPQO.exe	NRQDPX.exe
File created	C:\windows\SysWOW64\OTKBL.exe.bat	DBHI.exe
File created	C:\windows\SysWOW64\JRF.exe.bat	NRVW.exe
File opened for modification	C:\windows\SysWOW64\ZVIYMIM.exe	UQQI.exe
File created	C:\windows\SysWOW64\GLTVM.exe.bat	RVSWNM.exe
File opened for modification	C:\windows\SysWOW64\LJZR.exe	IBECMU.exe
File created	C:\windows\SysWOW64\MBIJNU.exe	ZVIYMIM.exe
File opened for modification	C:\windows\SysWOW64\IYIQ.exe	TCYLVTK.exe
File opened for modification	C:\windows\SysWOW64\KERS.exe	HJMJKTR.exe
File opened for modification	C:\windows\SysWOW64\KNGDXNW.exe	JKQP.exe
File created	C:\windows\SysWOW64\APQXEJ.exe	KZP.exe
File created	C:\windows\SysWOW64\TKQ.exe.bat	XFGFI.exe
File created	C:\windows\SysWOW64\ZOYDPC.exe.bat	GBNN.exe
File created	C:\windows\SysWOW64\OGOIIZ.exe.bat	SAPMW.exe
File created	C:\windows\SysWOW64\PSC.exe	PMKPYOE.exe
File created	C:\windows\SysWOW64\PSC.exe.bat	PMKPYOE.exe
File created	C:\windows\SysWOW64\OMHAF.exe	MOUFXD.exe
File opened for modification	C:\windows\SysWOW64\RHTRNMV.exe	QJZQBQE.exe
File opened for modification	C:\windows\SysWOW64\STN.exe	NQJ.exe
File created	C:\windows\SysWOW64\LDK.exe.bat	ZYLP.exe
File opened for modification	C:\windows\SysWOW64\JLV.exe	VFITAQ.exe
File created	C:\windows\SysWOW64\JLV.exe.bat	VFITAQ.exe
File opened for modification	C:\windows\SysWOW64\LPXRZQ.exe	BSXEI.exe
File created	C:\windows\SysWOW64\TKQ.exe	XFGFI.exe
File created	C:\windows\SysWOW64\ESP.exe.bat	RHTRNMV.exe
File created	C:\windows\SysWOW64\STN.exe.bat	NQJ.exe
File created	C:\windows\SysWOW64\WJICHHK.exe.bat	ODW.exe
File created	C:\windows\SysWOW64\KNGDXNW.exe.bat	JKQP.exe
File created	C:\windows\SysWOW64\ZVIYMIM.exe.bat	UQQI.exe
File opened for modification	C:\windows\SysWOW64\OGOIIZ.exe	SAPMW.exe
File created	C:\windows\SysWOW64\KNGDXNW.exe	JKQP.exe
File created	C:\windows\SysWOW64\OGOIIZ.exe	SAPMW.exe

Drops file in Windows directory 64 IoCs

Processes:

BAHOY.exeEVZQS.exeADP.exeLXXCZPD.exeODEHIQB.exeBMQ.exeINPTOE.exeWUGNRE.exeTLEN.exeMJGFATW.exeUUP.exeTEBVD.exeJGTRQ.exeNKYM.exeMTUZ.exeEWYEIQB.exePFBAIB.exeMOKHWZY.exeMOM.exeNHYH.exeLPXRZQ.exeBHRIS.exeZEKM.exeMFUYMYQ.exeOHZ.exeQCPVA.exeWVUT.exeFGB.exeULEE.exeGKXIK.exeOMP.exeUGY.exeLDK.exePKQ.exeYEZT.exeXJKEWU.exeJOPVPH.exe09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exeLRCOSBS.exeTAFOUF.exeVSPRD.exeUSZ.exeJRF.exeSEW.exeZUEK.exeAPQXEJ.exeMFBX.exeDOP.exeYWCTLBA.exeVALVB.exeBATJKOD.exeMSNR.exeZCWUXBD.exeMYJDMPP.exe

description	ioc	process
File created	C:\windows\system\EVZQS.exe	BAHOY.exe
File created	C:\windows\system\BOIAWQ.exe.bat	EVZQS.exe
File created	C:\windows\system\RMWZ.exe	ADP.exe
File opened for modification	C:\windows\SPMKR.exe	LXXCZPD.exe
File opened for modification	C:\windows\system\UQQI.exe	ODEHIQB.exe
File created	C:\windows\system\ZIPDDM.exe	BMQ.exe
File opened for modification	C:\windows\ZVEZBV.exe	INPTOE.exe
File created	C:\windows\system\GSLIZ.exe	WUGNRE.exe
File opened for modification	C:\windows\EEHG.exe	TLEN.exe
File created	C:\windows\system\OHZ.exe	MJGFATW.exe
File opened for modification	C:\windows\JKQP.exe	UUP.exe
File created	C:\windows\system\SPED.exe	TEBVD.exe
File created	C:\windows\MOUFXD.exe.bat	JGTRQ.exe
File created	C:\windows\MSNR.exe	NKYM.exe
File created	C:\windows\DOSJM.exe	MTUZ.exe
File created	C:\windows\ZVEZBV.exe.bat	INPTOE.exe
File opened for modification	C:\windows\OMMZYYK.exe	EWYEIQB.exe
File created	C:\windows\system\UQQI.exe	ODEHIQB.exe
File opened for modification	C:\windows\system\VTNBOQ.exe	PFBAIB.exe
File created	C:\windows\system\EWYEIQB.exe	MOKHWZY.exe
File opened for modification	C:\windows\FGB.exe	MOM.exe
File created	C:\windows\XUJZIUX.exe	NHYH.exe
File created	C:\windows\system\LVQF.exe	LPXRZQ.exe
File created	C:\windows\LXXCZPD.exe	BHRIS.exe
File created	C:\windows\system\UQQI.exe.bat	ODEHIQB.exe
File opened for modification	C:\windows\system\ICENV.exe	ZEKM.exe
File created	C:\windows\system\YQELVDT.exe.bat	MFUYMYQ.exe
File opened for modification	C:\windows\PKQ.exe	OHZ.exe
File created	C:\windows\system\PZOYL.exe	QCPVA.exe
File opened for modification	C:\windows\system\PNKD.exe	WVUT.exe
File opened for modification	C:\windows\BHRIS.exe	FGB.exe
File opened for modification	C:\windows\system\QONDAHI.exe	ULEE.exe
File opened for modification	C:\windows\YTLNX.exe	GKXIK.exe
File created	C:\windows\system\ZEKM.exe	OMP.exe
File created	C:\windows\QEERI.exe.bat	UGY.exe
File created	C:\windows\system\VBXIIUD.exe	LDK.exe
File created	C:\windows\GTSIYPI.exe	PKQ.exe
File opened for modification	C:\windows\XUJZIUX.exe	NHYH.exe
File created	C:\windows\system\VTNBOQ.exe.bat	PFBAIB.exe
File opened for modification	C:\windows\ZHPHP.exe	YEZT.exe
File opened for modification	C:\windows\MECI.exe	XJKEWU.exe
File created	C:\windows\system\UGY.exe	JOPVPH.exe
File created	C:\windows\system\JRQDEG.exe.bat	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
File opened for modification	C:\windows\system\TEBVD.exe	LRCOSBS.exe
File created	C:\windows\system\MTUZ.exe	TAFOUF.exe
File created	C:\windows\WUGNRE.exe	VSPRD.exe
File created	C:\windows\FGB.exe.bat	MOM.exe
File opened for modification	C:\windows\HDVESID.exe	USZ.exe
File opened for modification	C:\windows\system\GKPJ.exe	JRF.exe
File opened for modification	C:\windows\XFGFI.exe	SEW.exe
File created	C:\windows\system\BSXEI.exe	ZUEK.exe
File created	C:\windows\TIYI.exe.bat	APQXEJ.exe
File created	C:\windows\XFGFI.exe.bat	SEW.exe
File opened for modification	C:\windows\system\SPED.exe	TEBVD.exe
File created	C:\windows\LQKYUP.exe.bat	MFBX.exe
File opened for modification	C:\windows\NHYH.exe	DOP.exe
File created	C:\windows\system\TUWXW.exe.bat	YWCTLBA.exe
File created	C:\windows\system\VBXIIUD.exe.bat	LDK.exe
File created	C:\windows\BATJKOD.exe	VALVB.exe
File created	C:\windows\system\IOMEZAZ.exe.bat	BATJKOD.exe
File created	C:\windows\DDQ.exe	MSNR.exe
File created	C:\windows\XUJZIUX.exe.bat	NHYH.exe
File created	C:\windows\EDTOK.exe.bat	ZCWUXBD.exe
File created	C:\windows\system\OMP.exe	MYJDMPP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4064	652	WerFault.exe	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
3848	3020	WerFault.exe	JRQDEG.exe
4516	1636	WerFault.exe	AAS.exe
1048	3116	WerFault.exe	CIU.exe
468	4684	WerFault.exe	NBPW.exe
1180	764	WerFault.exe	LRCOSBS.exe
3492	3860	WerFault.exe	TEBVD.exe
1384	2372	WerFault.exe	SPED.exe
4164	4952	WerFault.exe	QAPTVF.exe
1996	2284	WerFault.exe	MFBX.exe
4592	1132	WerFault.exe	LQKYUP.exe
1332	2360	WerFault.exe	MOKHWZY.exe
3096	1868	WerFault.exe	EWYEIQB.exe
3076	2428	WerFault.exe	OMMZYYK.exe
4996	2280	WerFault.exe	WVUT.exe
4908	1232	WerFault.exe	PNKD.exe
1340	924	WerFault.exe	MOM.exe
2792	4612	WerFault.exe	FGB.exe
3156	4808	WerFault.exe	BHRIS.exe
2144	3696	WerFault.exe	LXXCZPD.exe
4684	2996	WerFault.exe	SPMKR.exe
1996	4996	WerFault.exe	OQWN.exe
8	888	WerFault.exe	QOCH.exe
4888	4068	WerFault.exe	BWXW.exe
1868	3832	WerFault.exe	YBDL.exe
3948	1580	WerFault.exe	NRQDPX.exe
4576	2372	WerFault.exe	BPQO.exe
4676	4000	WerFault.exe	NFJONM.exe
2268	2852	WerFault.exe	JGTRQ.exe
4812	1180	WerFault.exe	MOUFXD.exe
4508	1760	WerFault.exe	OMHAF.exe
1692	4028	WerFault.exe	TRSP.exe
2144	2796	WerFault.exe	XUYKDZG.exe
1128	2572	WerFault.exe	ODEHIQB.exe
1960	2996	WerFault.exe	UQQI.exe
2560	4348	WerFault.exe	ZVIYMIM.exe
2540	2852	WerFault.exe	MBIJNU.exe
560	4160	WerFault.exe	AMQACX.exe
1868	3832	WerFault.exe	NKYM.exe
4552	3580	WerFault.exe	MSNR.exe
228	4684	WerFault.exe	DDQ.exe
4644	3348	WerFault.exe	ULEE.exe
3948	1448	WerFault.exe	QONDAHI.exe
3016	3996	WerFault.exe	MOWFDL.exe
3836	5064	WerFault.exe	QWDFQ.exe
2156	740	WerFault.exe	BMQ.exe
3204	2880	WerFault.exe	ZIPDDM.exe
4996	4512	WerFault.exe	TAFOUF.exe
4204	1896	WerFault.exe	MTUZ.exe
3332	3312	WerFault.exe	DOSJM.exe
4004	2216	WerFault.exe	HEZRQQM.exe
1952	556	WerFault.exe	KRQ.exe
1132	3076	WerFault.exe	INPTOE.exe
3120	1444	WerFault.exe	ZVEZBV.exe
3916	4804	WerFault.exe	RVSWNM.exe
4592	232	WerFault.exe	GLTVM.exe
1356	372	WerFault.exe	QJZQBQE.exe
1756	3920	WerFault.exe	RHTRNMV.exe
4320	1780	WerFault.exe	ESP.exe
1952	3112	WerFault.exe	NQJ.exe
1580	2284	WerFault.exe	STN.exe
2988	1728	WerFault.exe	ODW.exe
4552	1392	WerFault.exe	WJICHHK.exe
5088	4568	WerFault.exe	GCSC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exeJRQDEG.exeAAS.exeCIU.exeNBPW.exeLRCOSBS.exeTEBVD.exeSPED.exeQAPTVF.exeMFBX.exeLQKYUP.exeMOKHWZY.exeEWYEIQB.exeOMMZYYK.exeWVUT.exePNKD.exeMOM.exeFGB.exeBHRIS.exeLXXCZPD.exeSPMKR.exeOQWN.exeQOCH.exeBWXW.exeYBDL.exeNRQDPX.exeBPQO.exeNFJONM.exeJGTRQ.exeMOUFXD.exeOMHAF.exeTRSP.exe

pid	process
652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
3020	JRQDEG.exe
3020	JRQDEG.exe
1636	AAS.exe
1636	AAS.exe
3116	CIU.exe
3116	CIU.exe
4684	NBPW.exe
4684	NBPW.exe
764	LRCOSBS.exe
764	LRCOSBS.exe
3860	TEBVD.exe
3860	TEBVD.exe
2372	SPED.exe
2372	SPED.exe
4952	QAPTVF.exe
4952	QAPTVF.exe
2284	MFBX.exe
2284	MFBX.exe
1132	LQKYUP.exe
1132	LQKYUP.exe
2360	MOKHWZY.exe
2360	MOKHWZY.exe
1868	EWYEIQB.exe
1868	EWYEIQB.exe
2428	OMMZYYK.exe
2428	OMMZYYK.exe
2280	WVUT.exe
2280	WVUT.exe
1232	PNKD.exe
1232	PNKD.exe
924	MOM.exe
924	MOM.exe
4612	FGB.exe
4612	FGB.exe
4808	BHRIS.exe
4808	BHRIS.exe
3696	LXXCZPD.exe
3696	LXXCZPD.exe
2996	SPMKR.exe
2996	SPMKR.exe
4996	OQWN.exe
4996	OQWN.exe
888	QOCH.exe
888	QOCH.exe
4068	BWXW.exe
4068	BWXW.exe
3832	YBDL.exe
3832	YBDL.exe
1580	NRQDPX.exe
1580	NRQDPX.exe
2372	BPQO.exe
2372	BPQO.exe
4000	NFJONM.exe
4000	NFJONM.exe
2852	JGTRQ.exe
2852	JGTRQ.exe
1180	MOUFXD.exe
1180	MOUFXD.exe
1760	OMHAF.exe
1760	OMHAF.exe
4028	TRSP.exe
4028	TRSP.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
3020	JRQDEG.exe
3020	JRQDEG.exe
1636	AAS.exe
1636	AAS.exe
3116	CIU.exe
3116	CIU.exe
4684	NBPW.exe
4684	NBPW.exe
764	LRCOSBS.exe
764	LRCOSBS.exe
3860	TEBVD.exe
3860	TEBVD.exe
2372	SPED.exe
2372	SPED.exe
4952	QAPTVF.exe
4952	QAPTVF.exe
2284	MFBX.exe
2284	MFBX.exe
1132	LQKYUP.exe
1132	LQKYUP.exe
2360	MOKHWZY.exe
2360	MOKHWZY.exe
1868	EWYEIQB.exe
1868	EWYEIQB.exe
2428	OMMZYYK.exe
2428	OMMZYYK.exe
2280	WVUT.exe
2280	WVUT.exe
1232	PNKD.exe
1232	PNKD.exe
924	MOM.exe
924	MOM.exe
4612	FGB.exe
4612	FGB.exe
4808	BHRIS.exe
4808	BHRIS.exe
3696	LXXCZPD.exe
3696	LXXCZPD.exe
2996	SPMKR.exe
2996	SPMKR.exe
4996	OQWN.exe
4996	OQWN.exe
888	QOCH.exe
888	QOCH.exe
4068	BWXW.exe
4068	BWXW.exe
3832	YBDL.exe
3832	YBDL.exe
1580	NRQDPX.exe
1580	NRQDPX.exe
2372	BPQO.exe
2372	BPQO.exe
4000	NFJONM.exe
4000	NFJONM.exe
2852	JGTRQ.exe
2852	JGTRQ.exe
1180	MOUFXD.exe
1180	MOUFXD.exe
1760	OMHAF.exe
1760	OMHAF.exe
4028	TRSP.exe
4028	TRSP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.execmd.exeJRQDEG.execmd.exeAAS.execmd.exeCIU.execmd.exeNBPW.execmd.exeLRCOSBS.execmd.exeTEBVD.execmd.exeSPED.execmd.exeQAPTVF.execmd.exeMFBX.execmd.exeLQKYUP.execmd.exe

description	pid	process	target process
PID 652 wrote to memory of 1076	652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 652 wrote to memory of 1076	652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 652 wrote to memory of 1076	652	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 3020	1076	cmd.exe	JRQDEG.exe
PID 1076 wrote to memory of 3020	1076	cmd.exe	JRQDEG.exe
PID 1076 wrote to memory of 3020	1076	cmd.exe	JRQDEG.exe
PID 3020 wrote to memory of 4244	3020	JRQDEG.exe	cmd.exe
PID 3020 wrote to memory of 4244	3020	JRQDEG.exe	cmd.exe
PID 3020 wrote to memory of 4244	3020	JRQDEG.exe	cmd.exe
PID 4244 wrote to memory of 1636	4244	cmd.exe	AAS.exe
PID 4244 wrote to memory of 1636	4244	cmd.exe	AAS.exe
PID 4244 wrote to memory of 1636	4244	cmd.exe	AAS.exe
PID 1636 wrote to memory of 1896	1636	AAS.exe	cmd.exe
PID 1636 wrote to memory of 1896	1636	AAS.exe	cmd.exe
PID 1636 wrote to memory of 1896	1636	AAS.exe	cmd.exe
PID 1896 wrote to memory of 3116	1896	cmd.exe	CIU.exe
PID 1896 wrote to memory of 3116	1896	cmd.exe	CIU.exe
PID 1896 wrote to memory of 3116	1896	cmd.exe	CIU.exe
PID 3116 wrote to memory of 4720	3116	CIU.exe	cmd.exe
PID 3116 wrote to memory of 4720	3116	CIU.exe	cmd.exe
PID 3116 wrote to memory of 4720	3116	CIU.exe	cmd.exe
PID 4720 wrote to memory of 4684	4720	cmd.exe	NBPW.exe
PID 4720 wrote to memory of 4684	4720	cmd.exe	NBPW.exe
PID 4720 wrote to memory of 4684	4720	cmd.exe	NBPW.exe
PID 4684 wrote to memory of 5048	4684	NBPW.exe	cmd.exe
PID 4684 wrote to memory of 5048	4684	NBPW.exe	cmd.exe
PID 4684 wrote to memory of 5048	4684	NBPW.exe	cmd.exe
PID 5048 wrote to memory of 764	5048	cmd.exe	LRCOSBS.exe
PID 5048 wrote to memory of 764	5048	cmd.exe	LRCOSBS.exe
PID 5048 wrote to memory of 764	5048	cmd.exe	LRCOSBS.exe
PID 764 wrote to memory of 372	764	LRCOSBS.exe	cmd.exe
PID 764 wrote to memory of 372	764	LRCOSBS.exe	cmd.exe
PID 764 wrote to memory of 372	764	LRCOSBS.exe	cmd.exe
PID 372 wrote to memory of 3860	372	cmd.exe	TEBVD.exe
PID 372 wrote to memory of 3860	372	cmd.exe	TEBVD.exe
PID 372 wrote to memory of 3860	372	cmd.exe	TEBVD.exe
PID 3860 wrote to memory of 1704	3860	TEBVD.exe	cmd.exe
PID 3860 wrote to memory of 1704	3860	TEBVD.exe	cmd.exe
PID 3860 wrote to memory of 1704	3860	TEBVD.exe	cmd.exe
PID 1704 wrote to memory of 2372	1704	cmd.exe	SPED.exe
PID 1704 wrote to memory of 2372	1704	cmd.exe	SPED.exe
PID 1704 wrote to memory of 2372	1704	cmd.exe	SPED.exe
PID 2372 wrote to memory of 2800	2372	SPED.exe	cmd.exe
PID 2372 wrote to memory of 2800	2372	SPED.exe	cmd.exe
PID 2372 wrote to memory of 2800	2372	SPED.exe	cmd.exe
PID 2800 wrote to memory of 4952	2800	cmd.exe	QAPTVF.exe
PID 2800 wrote to memory of 4952	2800	cmd.exe	QAPTVF.exe
PID 2800 wrote to memory of 4952	2800	cmd.exe	QAPTVF.exe
PID 4952 wrote to memory of 1520	4952	QAPTVF.exe	cmd.exe
PID 4952 wrote to memory of 1520	4952	QAPTVF.exe	cmd.exe
PID 4952 wrote to memory of 1520	4952	QAPTVF.exe	cmd.exe
PID 1520 wrote to memory of 2284	1520	cmd.exe	MFBX.exe
PID 1520 wrote to memory of 2284	1520	cmd.exe	MFBX.exe
PID 1520 wrote to memory of 2284	1520	cmd.exe	MFBX.exe
PID 2284 wrote to memory of 3912	2284	MFBX.exe	cmd.exe
PID 2284 wrote to memory of 3912	2284	MFBX.exe	cmd.exe
PID 2284 wrote to memory of 3912	2284	MFBX.exe	cmd.exe
PID 3912 wrote to memory of 1132	3912	cmd.exe	LQKYUP.exe
PID 3912 wrote to memory of 1132	3912	cmd.exe	LQKYUP.exe
PID 3912 wrote to memory of 1132	3912	cmd.exe	LQKYUP.exe
PID 1132 wrote to memory of 2848	1132	LQKYUP.exe	cmd.exe
PID 1132 wrote to memory of 2848	1132	LQKYUP.exe	cmd.exe
PID 1132 wrote to memory of 2848	1132	LQKYUP.exe	cmd.exe
PID 2848 wrote to memory of 2360	2848	cmd.exe	MOKHWZY.exe

C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRQDEG.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\windows\system\JRQDEG.exe
C:\windows\system\JRQDEG.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AAS.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\windows\system\AAS.exe
C:\windows\system\AAS.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CIU.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\windows\CIU.exe
C:\windows\CIU.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NBPW.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\windows\system\NBPW.exe
C:\windows\system\NBPW.exe
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LRCOSBS.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\windows\LRCOSBS.exe
C:\windows\LRCOSBS.exe
11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TEBVD.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\windows\system\TEBVD.exe
C:\windows\system\TEBVD.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SPED.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\windows\system\SPED.exe
C:\windows\system\SPED.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QAPTVF.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\windows\QAPTVF.exe
C:\windows\QAPTVF.exe
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MFBX.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\windows\MFBX.exe
C:\windows\MFBX.exe
19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LQKYUP.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\windows\LQKYUP.exe
C:\windows\LQKYUP.exe
21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOKHWZY.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\windows\system\MOKHWZY.exe
C:\windows\system\MOKHWZY.exe
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EWYEIQB.exe.bat" "
24⤵
PID:1424

C:\windows\system\EWYEIQB.exe
C:\windows\system\EWYEIQB.exe
25⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OMMZYYK.exe.bat" "
26⤵
PID:4408

C:\windows\OMMZYYK.exe
C:\windows\OMMZYYK.exe
27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUT.exe.bat" "
28⤵
PID:2796

C:\windows\system\WVUT.exe
C:\windows\system\WVUT.exe
29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNKD.exe.bat" "
30⤵
PID:400

C:\windows\system\PNKD.exe
C:\windows\system\PNKD.exe
31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MOM.exe.bat" "
32⤵
PID:1248

C:\windows\MOM.exe
C:\windows\MOM.exe
33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FGB.exe.bat" "
34⤵
PID:1852

C:\windows\FGB.exe
C:\windows\FGB.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BHRIS.exe.bat" "
36⤵
PID:1384

C:\windows\BHRIS.exe
C:\windows\BHRIS.exe
37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LXXCZPD.exe.bat" "
38⤵
PID:312

C:\windows\LXXCZPD.exe
C:\windows\LXXCZPD.exe
39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SPMKR.exe.bat" "
40⤵
PID:1184

C:\windows\SPMKR.exe
C:\windows\SPMKR.exe
41⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQWN.exe.bat" "
42⤵
PID:1764

C:\windows\system\OQWN.exe
C:\windows\system\OQWN.exe
43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QOCH.exe.bat" "
44⤵
PID:1448

C:\windows\QOCH.exe
C:\windows\QOCH.exe
45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BWXW.exe.bat" "
46⤵
PID:2508

C:\windows\system\BWXW.exe
C:\windows\system\BWXW.exe
47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YBDL.exe.bat" "
48⤵
PID:1760

C:\windows\YBDL.exe
C:\windows\YBDL.exe
49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRQDPX.exe.bat" "
50⤵
PID:544

C:\windows\system\NRQDPX.exe
C:\windows\system\NRQDPX.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BPQO.exe.bat" "
52⤵
PID:400

C:\windows\SysWOW64\BPQO.exe
C:\windows\system32\BPQO.exe
53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFJONM.exe.bat" "
54⤵
PID:1248

C:\windows\system\NFJONM.exe
C:\windows\system\NFJONM.exe
55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JGTRQ.exe.bat" "
56⤵
PID:1440

C:\windows\JGTRQ.exe
C:\windows\JGTRQ.exe
57⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MOUFXD.exe.bat" "
58⤵
PID:4048

C:\windows\MOUFXD.exe
C:\windows\MOUFXD.exe
59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMHAF.exe.bat" "
60⤵
PID:1204

C:\windows\SysWOW64\OMHAF.exe
C:\windows\system32\OMHAF.exe
61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TRSP.exe.bat" "
62⤵
PID:868

C:\windows\system\TRSP.exe
C:\windows\system\TRSP.exe
63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XUYKDZG.exe.bat" "
64⤵
PID:2464

C:\windows\XUYKDZG.exe
C:\windows\XUYKDZG.exe
65⤵
- Checks computer location settings
- Executes dropped EXE
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ODEHIQB.exe.bat" "
66⤵
PID:3640

C:\windows\ODEHIQB.exe
C:\windows\ODEHIQB.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UQQI.exe.bat" "
68⤵
PID:2384

C:\windows\system\UQQI.exe
C:\windows\system\UQQI.exe
69⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVIYMIM.exe.bat" "
70⤵
PID:4280

C:\windows\SysWOW64\ZVIYMIM.exe
C:\windows\system32\ZVIYMIM.exe
71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBIJNU.exe.bat" "
72⤵
PID:4592

C:\windows\SysWOW64\MBIJNU.exe
C:\windows\system32\MBIJNU.exe
73⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AMQACX.exe.bat" "
74⤵
PID:2712

C:\windows\AMQACX.exe
C:\windows\AMQACX.exe
75⤵
- Executes dropped EXE
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NKYM.exe.bat" "
76⤵
PID:4672

C:\windows\NKYM.exe
C:\windows\NKYM.exe
77⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MSNR.exe.bat" "
78⤵
PID:2296

C:\windows\MSNR.exe
C:\windows\MSNR.exe
79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DDQ.exe.bat" "
80⤵
PID:1628

C:\windows\DDQ.exe
C:\windows\DDQ.exe
81⤵
- Executes dropped EXE
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ULEE.exe.bat" "
82⤵
PID:4676

C:\windows\system\ULEE.exe
C:\windows\system\ULEE.exe
83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QONDAHI.exe.bat" "
84⤵
PID:2936

C:\windows\system\QONDAHI.exe
C:\windows\system\QONDAHI.exe
85⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOWFDL.exe.bat" "
86⤵
PID:1996

C:\windows\system\MOWFDL.exe
C:\windows\system\MOWFDL.exe
87⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWDFQ.exe.bat" "
88⤵
PID:4812

C:\windows\system\QWDFQ.exe
C:\windows\system\QWDFQ.exe
89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMQ.exe.bat" "
90⤵
PID:4060

C:\windows\SysWOW64\BMQ.exe
C:\windows\system32\BMQ.exe
91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZIPDDM.exe.bat" "
92⤵
PID:560

C:\windows\system\ZIPDDM.exe
C:\windows\system\ZIPDDM.exe
93⤵
- Checks computer location settings
- Executes dropped EXE
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TAFOUF.exe.bat" "
94⤵
PID:2096

C:\windows\system\TAFOUF.exe
C:\windows\system\TAFOUF.exe
95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTUZ.exe.bat" "
96⤵
PID:3916

C:\windows\system\MTUZ.exe
C:\windows\system\MTUZ.exe
97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DOSJM.exe.bat" "
98⤵
PID:1520

C:\windows\DOSJM.exe
C:\windows\DOSJM.exe
99⤵
- Executes dropped EXE
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HEZRQQM.exe.bat" "
100⤵
PID:1468

C:\windows\HEZRQQM.exe
C:\windows\HEZRQQM.exe
101⤵
- Checks computer location settings
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KRQ.exe.bat" "
102⤵
PID:4812

C:\windows\system\KRQ.exe
C:\windows\system\KRQ.exe
103⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\INPTOE.exe.bat" "
104⤵
PID:2852

C:\windows\system\INPTOE.exe
C:\windows\system\INPTOE.exe
105⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZVEZBV.exe.bat" "
106⤵
PID:560

C:\windows\ZVEZBV.exe
C:\windows\ZVEZBV.exe
107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVSWNM.exe.bat" "
108⤵
PID:3488

C:\windows\SysWOW64\RVSWNM.exe
C:\windows\system32\RVSWNM.exe
109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GLTVM.exe.bat" "
110⤵
PID:1560

C:\windows\SysWOW64\GLTVM.exe
C:\windows\system32\GLTVM.exe
111⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJZQBQE.exe.bat" "
112⤵
PID:4736

C:\windows\SysWOW64\QJZQBQE.exe
C:\windows\system32\QJZQBQE.exe
113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RHTRNMV.exe.bat" "
114⤵
PID:5052

C:\windows\SysWOW64\RHTRNMV.exe
C:\windows\system32\RHTRNMV.exe
115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESP.exe.bat" "
116⤵
PID:868

C:\windows\SysWOW64\ESP.exe
C:\windows\system32\ESP.exe
117⤵
- Checks computer location settings
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NQJ.exe.bat" "
118⤵
PID:4308

C:\windows\NQJ.exe
C:\windows\NQJ.exe
119⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\STN.exe.bat" "
120⤵
PID:560

C:\windows\SysWOW64\STN.exe
C:\windows\system32\STN.exe
121⤵
- Checks computer location settings
- Executes dropped EXE
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ODW.exe.bat" "
122⤵
PID:3488

C:\windows\SysWOW64\ODW.exe
C:\windows\system32\ODW.exe
123⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WJICHHK.exe.bat" "
124⤵
PID:3224

C:\windows\SysWOW64\WJICHHK.exe
C:\windows\system32\WJICHHK.exe
125⤵
- Checks computer location settings
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCSC.exe.bat" "
126⤵
PID:2340

C:\windows\system\GCSC.exe
C:\windows\system\GCSC.exe
127⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHYZAM.exe.bat" "
128⤵
PID:4860

C:\windows\system\CHYZAM.exe
C:\windows\system\CHYZAM.exe
129⤵
- Checks computer location settings
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "
130⤵
PID:2408

C:\windows\GKIMJY.exe
C:\windows\GKIMJY.exe
131⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SAPMW.exe.bat" "
132⤵
PID:3064

C:\windows\SAPMW.exe
C:\windows\SAPMW.exe
133⤵
- Drops file in System32 directory
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGOIIZ.exe.bat" "
134⤵
PID:2676

C:\windows\SysWOW64\OGOIIZ.exe
C:\windows\system32\OGOIIZ.exe
135⤵
- Checks computer location settings
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DOP.exe.bat" "
136⤵
PID:4000

C:\windows\DOP.exe
C:\windows\DOP.exe
137⤵
- Drops file in Windows directory
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NHYH.exe.bat" "
138⤵
PID:4256

C:\windows\NHYH.exe
C:\windows\NHYH.exe
139⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XUJZIUX.exe.bat" "
140⤵
PID:3916

C:\windows\XUJZIUX.exe
C:\windows\XUJZIUX.exe
141⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKWRY.exe.bat" "
142⤵
PID:4804

C:\windows\SysWOW64\UKWRY.exe
C:\windows\system32\UKWRY.exe
143⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PFBAIB.exe.bat" "
144⤵
PID:3284

C:\windows\PFBAIB.exe
C:\windows\PFBAIB.exe
145⤵
- Drops file in Windows directory
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VTNBOQ.exe.bat" "
146⤵
PID:5052

C:\windows\system\VTNBOQ.exe
C:\windows\system\VTNBOQ.exe
147⤵
- Checks computer location settings
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TLPRX.exe.bat" "
148⤵
PID:4628

C:\windows\system\TLPRX.exe
C:\windows\system\TLPRX.exe
149⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YEZT.exe.bat" "
150⤵
PID:1736

C:\windows\YEZT.exe
C:\windows\YEZT.exe
151⤵
- Drops file in Windows directory
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZHPHP.exe.bat" "
152⤵
PID:2504

C:\windows\ZHPHP.exe
C:\windows\ZHPHP.exe
153⤵
- Drops file in System32 directory
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUUZ.exe.bat" "
154⤵
PID:320

C:\windows\SysWOW64\TUUZ.exe
C:\windows\system32\TUUZ.exe
155⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HAUKBVH.exe.bat" "
156⤵
PID:3660

C:\windows\system\HAUKBVH.exe
C:\windows\system\HAUKBVH.exe
157⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQUUSV.exe.bat" "
158⤵
PID:2408

C:\windows\system\EQUUSV.exe
C:\windows\system\EQUUSV.exe
159⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVA.exe.bat" "
160⤵
PID:2152

C:\windows\SysWOW64\BVA.exe
C:\windows\system32\BVA.exe
161⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YWCTLBA.exe.bat" "
162⤵
PID:3920

C:\windows\SysWOW64\YWCTLBA.exe
C:\windows\system32\YWCTLBA.exe
163⤵
- Drops file in Windows directory
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TUWXW.exe.bat" "
164⤵
PID:4924

C:\windows\system\TUWXW.exe
C:\windows\system\TUWXW.exe
165⤵
- Drops file in System32 directory
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VSPRD.exe.bat" "
166⤵
PID:4308

C:\windows\SysWOW64\VSPRD.exe
C:\windows\system32\VSPRD.exe
167⤵
- Drops file in Windows directory
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WUGNRE.exe.bat" "
168⤵
PID:1476

C:\windows\WUGNRE.exe
C:\windows\WUGNRE.exe
169⤵
- Drops file in Windows directory
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GSLIZ.exe.bat" "
170⤵
PID:4844

C:\windows\system\GSLIZ.exe
C:\windows\system\GSLIZ.exe
171⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZGF.exe.bat" "
172⤵
PID:3356

C:\windows\SysWOW64\ZGF.exe
C:\windows\system32\ZGF.exe
173⤵
- Checks computer location settings
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYIR.exe.bat" "
174⤵
PID:520

C:\windows\system\KYIR.exe
C:\windows\system\KYIR.exe
175⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJKEWU.exe.bat" "
176⤵
PID:4012

C:\windows\system\XJKEWU.exe
C:\windows\system\XJKEWU.exe
177⤵
- Drops file in Windows directory
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MECI.exe.bat" "
178⤵
PID:4672

C:\windows\MECI.exe
C:\windows\MECI.exe
179⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZCCURSN.exe.bat" "
180⤵
PID:1668

C:\windows\ZCCURSN.exe
C:\windows\ZCCURSN.exe
181⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BAHOY.exe.bat" "
182⤵
PID:468

C:\windows\BAHOY.exe
C:\windows\BAHOY.exe
183⤵
- Drops file in Windows directory
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EVZQS.exe.bat" "
184⤵
PID:1884

C:\windows\system\EVZQS.exe
C:\windows\system\EVZQS.exe
185⤵
- Drops file in Windows directory
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOIAWQ.exe.bat" "
186⤵
PID:3640

C:\windows\system\BOIAWQ.exe
C:\windows\system\BOIAWQ.exe
187⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYRR.exe.bat" "
188⤵
PID:4604

C:\windows\SysWOW64\WYRR.exe
C:\windows\system32\WYRR.exe
189⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PMKPYOE.exe.bat" "
190⤵
PID:1184

C:\windows\PMKPYOE.exe
C:\windows\PMKPYOE.exe
191⤵
- Drops file in System32 directory
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSC.exe.bat" "
192⤵
PID:2152

C:\windows\SysWOW64\PSC.exe
C:\windows\system32\PSC.exe
193⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\USZ.exe.bat" "
194⤵
PID:3348

C:\windows\USZ.exe
C:\windows\USZ.exe
195⤵
- Drops file in Windows directory
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HDVESID.exe.bat" "
196⤵
PID:1816

C:\windows\HDVESID.exe
C:\windows\HDVESID.exe
197⤵
- Checks computer location settings
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DBHI.exe.bat" "
198⤵
PID:2848

C:\windows\system\DBHI.exe
C:\windows\system\DBHI.exe
199⤵
- Drops file in System32 directory
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OTKBL.exe.bat" "
200⤵
PID:664

C:\windows\SysWOW64\OTKBL.exe
C:\windows\system32\OTKBL.exe
201⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NRVW.exe.bat" "
202⤵
PID:1672

C:\windows\SysWOW64\NRVW.exe
C:\windows\system32\NRVW.exe
203⤵
- Drops file in System32 directory
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRF.exe.bat" "
204⤵
PID:4592

C:\windows\SysWOW64\JRF.exe
C:\windows\system32\JRF.exe
205⤵
- Drops file in Windows directory
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKPJ.exe.bat" "
206⤵
PID:1128

C:\windows\system\GKPJ.exe
C:\windows\system\GKPJ.exe
207⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZCWUXBD.exe.bat" "
208⤵
PID:408

C:\windows\SysWOW64\ZCWUXBD.exe
C:\windows\system32\ZCWUXBD.exe
209⤵
- Drops file in Windows directory
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EDTOK.exe.bat" "
210⤵
PID:4084

C:\windows\EDTOK.exe
C:\windows\EDTOK.exe
211⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JOPVPH.exe.bat" "
212⤵
PID:2760

C:\windows\JOPVPH.exe
C:\windows\JOPVPH.exe
213⤵
- Drops file in Windows directory
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGY.exe.bat" "
214⤵
PID:5064

C:\windows\system\UGY.exe
C:\windows\system\UGY.exe
215⤵
- Drops file in Windows directory
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QEERI.exe.bat" "
216⤵
PID:1884

C:\windows\QEERI.exe
C:\windows\QEERI.exe
217⤵
- Checks computer location settings
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KPBXB.exe.bat" "
218⤵
PID:3492

C:\windows\KPBXB.exe
C:\windows\KPBXB.exe
219⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VSS.exe.bat" "
220⤵
PID:2076

C:\windows\VSS.exe
C:\windows\VSS.exe
221⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYLP.exe.bat" "
222⤵
PID:1468

C:\windows\SysWOW64\ZYLP.exe
C:\windows\system32\ZYLP.exe
223⤵
- Drops file in System32 directory
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDK.exe.bat" "
224⤵
PID:4116

C:\windows\SysWOW64\LDK.exe
C:\windows\system32\LDK.exe
225⤵
- Drops file in Windows directory
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBXIIUD.exe.bat" "
226⤵
PID:4820

C:\windows\system\VBXIIUD.exe
C:\windows\system\VBXIIUD.exe
227⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OBFTR.exe.bat" "
228⤵
PID:4596

C:\windows\system\OBFTR.exe
C:\windows\system\OBFTR.exe
229⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUUEA.exe.bat" "
230⤵
PID:2868

C:\windows\system\AUUEA.exe
C:\windows\system\AUUEA.exe
231⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GPT.exe.bat" "
232⤵
PID:5064

C:\windows\system\GPT.exe
C:\windows\system\GPT.exe
233⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GKXIK.exe.bat" "
234⤵
PID:4692

C:\windows\SysWOW64\GKXIK.exe
C:\windows\system32\GKXIK.exe
235⤵
- Drops file in Windows directory
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YTLNX.exe.bat" "
236⤵
PID:4676

C:\windows\YTLNX.exe
C:\windows\YTLNX.exe
237⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MYJDMPP.exe.bat" "
238⤵
PID:3828

C:\windows\MYJDMPP.exe
C:\windows\MYJDMPP.exe
239⤵
- Drops file in Windows directory
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OMP.exe.bat" "
240⤵
PID:1820

C:\windows\system\OMP.exe
C:\windows\system\OMP.exe
241⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZEKM.exe.bat" "
242⤵
PID:1712

C:\windows\system\ZEKM.exe
C:\windows\system\ZEKM.exe
243⤵
- Drops file in Windows directory
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICENV.exe.bat" "
244⤵
PID:1520

C:\windows\system\ICENV.exe
C:\windows\system\ICENV.exe
245⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFITAQ.exe.bat" "
246⤵
PID:3136

C:\windows\system\VFITAQ.exe
C:\windows\system\VFITAQ.exe
247⤵
- Drops file in System32 directory
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLV.exe.bat" "
248⤵
PID:4848

C:\windows\SysWOW64\JLV.exe
C:\windows\system32\JLV.exe
249⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YBWP.exe.bat" "
250⤵
PID:3360

C:\windows\YBWP.exe
C:\windows\YBWP.exe
251⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TLEN.exe.bat" "
252⤵
PID:2948

C:\windows\SysWOW64\TLEN.exe
C:\windows\system32\TLEN.exe
253⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EEHG.exe.bat" "
254⤵
PID:4572

C:\windows\EEHG.exe
C:\windows\EEHG.exe
255⤵
- Drops file in System32 directory
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJGFATW.exe.bat" "
256⤵
PID:924

C:\windows\SysWOW64\MJGFATW.exe
C:\windows\system32\MJGFATW.exe
257⤵
- Drops file in Windows directory
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OHZ.exe.bat" "
258⤵
PID:4644

C:\windows\system\OHZ.exe
C:\windows\system\OHZ.exe
259⤵
- Drops file in Windows directory
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PKQ.exe.bat" "
260⤵
PID:4568

C:\windows\PKQ.exe
C:\windows\PKQ.exe
261⤵
- Drops file in Windows directory
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GTSIYPI.exe.bat" "
262⤵
PID:2868

C:\windows\GTSIYPI.exe
C:\windows\GTSIYPI.exe
263⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HJMJKTR.exe.bat" "
264⤵
PID:4588

C:\windows\SysWOW64\HJMJKTR.exe
C:\windows\system32\HJMJKTR.exe
265⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KERS.exe.bat" "
266⤵
PID:664

C:\windows\SysWOW64\KERS.exe
C:\windows\system32\KERS.exe
267⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUEK.exe.bat" "
268⤵
PID:3472

C:\windows\system\ZUEK.exe
C:\windows\system\ZUEK.exe
269⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSXEI.exe.bat" "
270⤵
PID:4812

C:\windows\system\BSXEI.exe
C:\windows\system\BSXEI.exe
271⤵
- Drops file in System32 directory
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPXRZQ.exe.bat" "
272⤵
PID:4064

C:\windows\SysWOW64\LPXRZQ.exe
C:\windows\system32\LPXRZQ.exe
273⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVQF.exe.bat" "
274⤵
PID:2148

C:\windows\system\LVQF.exe
C:\windows\system\LVQF.exe
275⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVMINTJ.exe.bat" "
276⤵
PID:4524

C:\windows\SysWOW64\QVMINTJ.exe
C:\windows\system32\QVMINTJ.exe
277⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UEGQQ.exe.bat" "
278⤵
PID:1852

C:\windows\UEGQQ.exe
C:\windows\UEGQQ.exe
279⤵
- Drops file in System32 directory
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRXO.exe.bat" "
280⤵
PID:3524

C:\windows\SysWOW64\KRXO.exe
C:\windows\system32\KRXO.exe
281⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZPDLR.exe.bat" "
282⤵
PID:3508

C:\windows\ZPDLR.exe
C:\windows\ZPDLR.exe
283⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UUP.exe.bat" "
284⤵
PID:4056

C:\windows\UUP.exe
C:\windows\UUP.exe
285⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JKQP.exe.bat" "
286⤵
PID:4604

C:\windows\JKQP.exe
C:\windows\JKQP.exe
287⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNGDXNW.exe.bat" "
288⤵
PID:4480

C:\windows\SysWOW64\KNGDXNW.exe
C:\windows\system32\KNGDXNW.exe
289⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ADP.exe.bat" "
290⤵
PID:1848

C:\windows\system\ADP.exe
C:\windows\system\ADP.exe
291⤵
- Drops file in Windows directory
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMWZ.exe.bat" "
292⤵
PID:2548

C:\windows\system\RMWZ.exe
C:\windows\system\RMWZ.exe
293⤵
- Checks computer location settings
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KZP.exe.bat" "
294⤵
PID:4576

C:\windows\system\KZP.exe
C:\windows\system\KZP.exe
295⤵
- Drops file in System32 directory
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\APQXEJ.exe.bat" "
296⤵
PID:1356

C:\windows\SysWOW64\APQXEJ.exe
C:\windows\system32\APQXEJ.exe
297⤵
- Drops file in Windows directory
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TIYI.exe.bat" "
298⤵
PID:1332

C:\windows\TIYI.exe
C:\windows\TIYI.exe
299⤵
- Checks computer location settings
- Drops file in System32 directory
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGZSC.exe.bat" "
300⤵
PID:2880

C:\windows\SysWOW64\NGZSC.exe
C:\windows\system32\NGZSC.exe
301⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBECMU.exe.bat" "
302⤵
PID:3284

C:\windows\system\IBECMU.exe
C:\windows\system\IBECMU.exe
303⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJZR.exe.bat" "
304⤵
PID:1984

C:\windows\SysWOW64\LJZR.exe
C:\windows\system32\LJZR.exe
305⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEW.exe.bat" "
306⤵
PID:1868

C:\windows\SysWOW64\SEW.exe
C:\windows\system32\SEW.exe
307⤵
- Drops file in Windows directory
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XFGFI.exe.bat" "
308⤵
PID:2204

C:\windows\XFGFI.exe
C:\windows\XFGFI.exe
309⤵
- Drops file in System32 directory
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKQ.exe.bat" "
310⤵
PID:1524

C:\windows\SysWOW64\TKQ.exe
C:\windows\system32\TKQ.exe
311⤵
- Checks computer location settings
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MFUYMYQ.exe.bat" "
312⤵
PID:1764

C:\windows\MFUYMYQ.exe
C:\windows\MFUYMYQ.exe
313⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQELVDT.exe.bat" "
314⤵
PID:3524

C:\windows\system\YQELVDT.exe
C:\windows\system\YQELVDT.exe
315⤵
- Drops file in System32 directory
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GBNN.exe.bat" "
316⤵
PID:4684

C:\windows\SysWOW64\GBNN.exe
C:\windows\system32\GBNN.exe
317⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZOYDPC.exe.bat" "
318⤵
PID:868

C:\windows\SysWOW64\ZOYDPC.exe
C:\windows\system32\ZOYDPC.exe
319⤵
- Checks computer location settings
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LHB.exe.bat" "
320⤵
PID:4908

C:\windows\LHB.exe
C:\windows\LHB.exe
321⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VALVB.exe.bat" "
322⤵
PID:1128

C:\windows\VALVB.exe
C:\windows\VALVB.exe
323⤵
- Drops file in Windows directory
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BATJKOD.exe.bat" "
324⤵
PID:3288

C:\windows\BATJKOD.exe
C:\windows\BATJKOD.exe
325⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOMEZAZ.exe.bat" "
326⤵
PID:4996

C:\windows\system\IOMEZAZ.exe
C:\windows\system\IOMEZAZ.exe
327⤵
- Drops file in System32 directory
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGP.exe.bat" "
328⤵
PID:4568

C:\windows\SysWOW64\TGP.exe
C:\windows\system32\TGP.exe
329⤵
- Checks computer location settings
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WTGZ.exe.bat" "
330⤵
PID:4736

C:\windows\SysWOW64\WTGZ.exe
C:\windows\system32\WTGZ.exe
331⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCPVA.exe.bat" "
332⤵
PID:4840

C:\windows\system\QCPVA.exe
C:\windows\system\QCPVA.exe
333⤵
- Drops file in Windows directory
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PZOYL.exe.bat" "
334⤵
PID:3292

C:\windows\system\PZOYL.exe
C:\windows\system\PZOYL.exe
335⤵
- Checks computer location settings
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TCYLVTK.exe.bat" "
336⤵
PID:3284

C:\windows\system\TCYLVTK.exe
C:\windows\system\TCYLVTK.exe
337⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IYIQ.exe.bat" "
338⤵
PID:4724

C:\windows\SysWOW64\IYIQ.exe
C:\windows\system32\IYIQ.exe
339⤵
- Checks computer location settings
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WTTR.exe.bat" "
340⤵
PID:2704

C:\windows\WTTR.exe
C:\windows\WTTR.exe
341⤵
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYTFV.exe.bat" "
342⤵
PID:3776

C:\windows\SysWOW64\WYTFV.exe
C:\windows\system32\WYTFV.exe
343⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1308
342⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 960
340⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1012
338⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1316
336⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1308
334⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 960
332⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 988
330⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 960
328⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1312
326⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1296
324⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 960
322⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1304
320⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 960
318⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1328
316⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1012
314⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1324
312⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1296
310⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 988
308⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1308
306⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1268
304⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1300
302⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 1292
300⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1004
298⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1308
296⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1308
294⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1268
292⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 960
290⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 872
288⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 960
286⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1296
284⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1304
282⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 960
280⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1296
278⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 960
276⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 960
274⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 960
272⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1248
270⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1008
268⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1308
266⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 960
264⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1296
262⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1324
260⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1312
258⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 980
256⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 960
254⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 960
252⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1304
250⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1328
248⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 960
246⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 964
244⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1280
242⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1336
240⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 988
238⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1304
236⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1328
234⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 960
232⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1336
230⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 976
228⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1308
226⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1328
224⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1308
222⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1304
220⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 964
218⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1252
216⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1336
214⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1324
212⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 988
210⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
208⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1336
206⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1328
204⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1004
202⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1240
200⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1336
198⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 960
196⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1208
194⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 964
192⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1296
190⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1328
188⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 960
186⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1312
184⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1324
182⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1304
180⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 988
178⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1316
176⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1312
174⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1308
172⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 960
170⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1324
168⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1328
166⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1304
164⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1308
162⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 960
160⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 988
158⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 960
156⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1004
154⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1324
152⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1324
150⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1336
148⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1268
146⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1304
144⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 960
142⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1324
140⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1268
138⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1304
136⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1008
134⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1324
132⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1324
130⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1336
128⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 960
126⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 960
124⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1328
122⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1308
120⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1180
118⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 960
116⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1012
114⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1328
112⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1240
110⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1328
108⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1324
106⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1004
104⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 960
102⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1292
100⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 976
98⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1000
96⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1304
94⤵
- Program crash
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1336
92⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1328
90⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 960
88⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 960
86⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1268
84⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1248
82⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1324
80⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1236
78⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1324
76⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 988
74⤵
- Program crash
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1328
72⤵
- Program crash
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1300
70⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 988
68⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1324
66⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1324
64⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1336
62⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 960
60⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1324
58⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 960
56⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 988
54⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1324
52⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1336
50⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1324
48⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1332
46⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1324
44⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1308
42⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1304
40⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1324
38⤵
- Program crash
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 988
36⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1324
34⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1324
32⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 960
30⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1316
28⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 960
26⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1336
24⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 960
22⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
20⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1256
18⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1312
16⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1336
14⤵
- Program crash
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 960
12⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 588
10⤵
- Program crash
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1336
8⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 960
6⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1008
4⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 992
2⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 652 -ip 652
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3020 -ip 3020
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1636 -ip 1636
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3116 -ip 3116
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 4684
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 764 -ip 764
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3860 -ip 3860
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2372 -ip 2372
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4952 -ip 4952
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1132 -ip 1132
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2360 -ip 2360
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1868 -ip 1868
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2428 -ip 2428
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2280 -ip 2280
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1232 -ip 1232
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 924 -ip 924
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4612 -ip 4612
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4808 -ip 4808
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3696 -ip 3696
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2996 -ip 2996
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4996 -ip 4996
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 888 -ip 888
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4068 -ip 4068
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3832 -ip 3832
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1580 -ip 1580
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2372 -ip 2372
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4000 -ip 4000
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1180 -ip 1180
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1760 -ip 1760
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4028 -ip 4028
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2796 -ip 2796
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2572 -ip 2572
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2996 -ip 2996
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4348 -ip 4348
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4160 -ip 4160
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3832 -ip 3832
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3580 -ip 3580
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4684 -ip 4684
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3348 -ip 3348
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1448 -ip 1448
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3996 -ip 3996
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5064 -ip 5064
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 740 -ip 740
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2880 -ip 2880
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4512 -ip 4512
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1896 -ip 1896
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3312 -ip 3312
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2216 -ip 2216
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 556 -ip 556
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3076 -ip 3076
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1444 -ip 1444
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4804 -ip 4804
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 232 -ip 232
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 372 -ip 372
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3920 -ip 3920
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1780 -ip 1780
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3112 -ip 3112
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2284 -ip 2284
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1728 -ip 1728
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1392 -ip 1392
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4568 -ip 4568
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1820 -ip 1820
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4448 -ip 4448
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4308 -ip 4308
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4612 -ip 4612
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3508 -ip 3508
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2028 -ip 2028
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4364 -ip 4364
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1312 -ip 1312
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3912 -ip 3912
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2024 -ip 2024
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4228 -ip 4228
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1524 -ip 1524
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4612 -ip 4612
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4644 -ip 4644
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4552 -ip 4552
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4048 -ip 4048
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3524 -ip 3524
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 560 -ip 560
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4112 -ip 4112
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4588 -ip 4588
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4676 -ip 4676
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1128 -ip 1128
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1468 -ip 1468
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4520 -ip 4520
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1356 -ip 1356
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3352 -ip 3352
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2388 -ip 2388
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1704 -ip 1704
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5056 -ip 5056
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4836 -ip 4836
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3016 -ip 3016
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4012 -ip 4012
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1736 -ip 1736
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3360 -ip 3360
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3828 -ip 3828
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2556 -ip 2556
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3996 -ip 3996
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 628 -ip 628
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3332 -ip 3332
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1184 -ip 1184
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1612 -ip 1612
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2852 -ip 2852
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 468 -ip 468
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3204 -ip 3204
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2936 -ip 2936
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3740 -ip 3740
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2880 -ip 2880
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3920 -ip 3920
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2348 -ip 2348
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 316 -ip 316
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3524 -ip 3524
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4716 -ip 4716
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2164 -ip 2164
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4460 -ip 4460
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 904 -ip 904
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4908 -ip 4908
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4064 -ip 4064
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1196 -ip 1196
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1848 -ip 1848
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3836 -ip 3836
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2872 -ip 2872
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3508 -ip 3508
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2996 -ip 2996
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4160 -ip 4160
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5052 -ip 5052
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3812 -ip 3812
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4552 -ip 4552
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4652 -ip 4652
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4676 -ip 4676
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2540 -ip 2540
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2028 -ip 2028
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 544 -ip 544
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2204 -ip 2204
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2372 -ip 2372
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1864 -ip 1864
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 1628
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3348 -ip 3348
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2996 -ip 2996
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4204 -ip 4204
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4420 -ip 4420
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2712 -ip 2712
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2664 -ip 2664
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3104 -ip 3104
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1852 -ip 1852
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 228 -ip 228
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 664 -ip 664
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5016 -ip 5016
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3776 -ip 3776
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2184 -ip 2184
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4568 -ip 4568
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 740 -ip 740
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1540 -ip 1540
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3360 -ip 3360
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4980 -ip 4980
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4028 -ip 4028
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2912 -ip 2912
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4644 -ip 4644
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3024 -ip 3024
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3932 -ip 3932
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4708 -ip 4708
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4620 -ip 4620
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3096 -ip 3096
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2076 -ip 2076
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5076 -ip 5076
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4728 -ip 4728
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4572 -ip 4572
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4644 -ip 4644
1⤵
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BHRIS.exe
Filesize
282KB

MD5
cea1e8d5a5bd9fb16977543526bad9fe

SHA1
6480fe1e2a1363e9b78613570c3594654bc3ff04

SHA256
3b5584477d07d602e1068590f6717229257932cb57b5e1c9db5538ca66c470be

SHA512
67c1d446fbfe3bd1d22faff212a82712b467a4f71a17556d0ccdf549f788c46ad48b915b0bfd893a5420dc72abd7d58273c0e4cc7b5c19792469c2e491ea3243

Download Submit
C:\Windows\CIU.exe
Filesize
282KB

MD5
c63409480d6d31c66786fdade56d80f3

SHA1
aced6aa85b2f20f716bde0544dd0845e0d9db16f

SHA256
40d5ed0ce239e5480bad9a84a884613ebb6bace797ddaae878b4c93c9223d457

SHA512
8baac151c7cf49428e2547b43bcc68726bf41b995872452d18a75e941c8aa7391bee9e6803727a157b822da99fbc4785828cec0f4693b65b01f90f28c002b051

Download Submit
C:\Windows\FGB.exe
Filesize
282KB

MD5
e8a0f622ce6ee407da27366939be6882

SHA1
0ee06b10d68e9899a1363e48edcad33c905c7dd3

SHA256
94026075afdad827bf83527256e5c0a6044a685b9ca8b6da99a5efac5fb2e379

SHA512
39a72727366b5f1a9721f553790ba8e7987d7008ad93d713167df97ed2c18b74637596fd64c1a33c91617f2be99f31665a0e35f189c3f0e5acdc526f8f6eed14

Download Submit
C:\Windows\LXXCZPD.exe
Filesize
282KB

MD5
49137d31d52aeba5ad6ff3d142945eea

SHA1
96f72a51da9d02a9c6d208be6b120da4bcd805b7

SHA256
28645d461b881a82d78f867885d65a38b9cbf62664c28eb8822d20762dec71a4

SHA512
e6ee7007c2ec67d53bd78fb20b6d741dac56ea78861cd82f3d3e063e1dab50a8ede26a873b6fb8472ce103b604caae9ffcb71631ca5628cb402171f7a8bf9c99

Download Submit
C:\Windows\MFBX.exe
Filesize
282KB

MD5
6a98f694af46b7cf89ea6473c92c444f

SHA1
192bc2780e05bdccb9300f2cac931485a446f4bf

SHA256
4d3d9d0eb488d9bb3887ad7cdf9795dea358c2284c4e18aa53c933070d14fa0c

SHA512
7d48a4c47f218a0106b9aefe22b2d14efa83424ef285cd6be85cf059c2a9b58a131562cd368331d88f63774417095b2431dc11a0c842da5c42a810ef8b938fe6

Download Submit
C:\Windows\OMMZYYK.exe
Filesize
282KB

MD5
062dc81803d742108b87fad6b7350702

SHA1
9853760a627f006117ce9a82e7a6adfeafe4e7f2

SHA256
b853c7cf71208b7c0a9ae930310c171245e6784e6b6995da83d106131b438451

SHA512
8360cbdc344aee84769bc69a4928486047075d83fa0f3d3aca82d44e09cb4766461d9f1956915a09b0e62f60d5a96eb6d441bf3824ebf8c78c136876435bb3e3

Download Submit
C:\Windows\QAPTVF.exe
Filesize
282KB

MD5
c4934e9ee337fd7da26e9de630a0ae6a

SHA1
7e013910620e9250b7fe1af3a08f67211acb02c1

SHA256
fe7587292b937fe7a4c945f405c1cc8b255e3ead63500c5aa654a683a5953a97

SHA512
87df5e7d8a938912c74a743011e44c8c41c4a47b2b921d10b6a017a72b36b4a3cbf0f06f75c99107b9ac5dd934a7773efb2be1bf974e8bf0a1bf3e4f59ca3910

Download Submit
C:\Windows\QOCH.exe
Filesize
282KB

MD5
1a70dfb6d5b783fee97669e29ca11042

SHA1
7f814aa936019ad170ee1de09800051c54d8a1a1

SHA256
9f4e35a1f0aa1aab7863233f9ea22be630baea51e0b3eed32777ad4accffaa15

SHA512
2a5e92ce2831afcf8ded89cf1802f545a7b6f38561cc952bb67f84462087b3f74bc7f58b5498ed625106d71206a22d034c3bcbefba1bd51b500eb87a8c7b3b8e

Download Submit
C:\Windows\System\AAS.exe
Filesize
282KB

MD5
a2491c99a6423f72d6d1cb4bb40ba72b

SHA1
81461d0af4f0e0d42fd0e86498d169b078efbf19

SHA256
0d9869d043a75392cc2de15020521d9474fa63e9476b81b3ba6c76d0dfc77a8e

SHA512
7c3fe065b6b31c4b926896d72a0b5d127b3c77fce5863125c6f33288de437456d8ba40e87f4b8dc84e5ab4040d4ecc94f288d1cd8ab96c7178139ce0b904bde1

Download Submit
C:\Windows\System\JRQDEG.exe
Filesize
282KB

MD5
50f04ada701427c2dce4f17a3d600af6

SHA1
3f65e7cdb2a67757c932f91ee3d3992bc9e6ced4

SHA256
73dbf12c69d2a234291a8f235e169de272fae547c2a82ef233bccb5c98c53ce6

SHA512
040b2269943ff8083078db278c3d031041616a2ae8591424f101c38185392016b0787a97573662a946ddd06fc209908744f2138578118a749839de91ad2cdb52

Download Submit
C:\Windows\System\MOKHWZY.exe
Filesize
282KB

MD5
786e1b9ccdef47f1e35c7607062803a9

SHA1
a19d060cab703b8dad335849549132ad82608fd0

SHA256
a3b29e4fd14c772dae5bb9ea56bb7a328c70174612f25f06637d37faa6252c3a

SHA512
913fdbe9f42bfdbacf59679ccbaee764a5bcdaa644b17152d7c856ba61f9d0bedb3833ddce5b01cd00b91316cade6ab6cc19365e8ef9a7ee621155d048ca366a

Download Submit
C:\Windows\System\OQWN.exe
Filesize
282KB

MD5
7bd65dc7d6664b40ae5d32d5d16d21e1

SHA1
f6d47b5c2b3845035f55f471a17262fe40bd1ad5

SHA256
ad614cfc2d0ff21baa9e5dbb33974379293657f8cf38bc9e1b98de332c0178a3

SHA512
278a531bcae34680c222806b7bc87b3bbb736597d2b892795de179dbf2730730cec9031a0d7b332daa725b4383eff48bbc3b64a0652b34877d207fa9d64aa69b

Download Submit
C:\Windows\System\TEBVD.exe
Filesize
282KB

MD5
10c543412d01f09aa7ff6612e08357a7

SHA1
206fbecaf70065d45f311ca0187b07fdefc883ee

SHA256
f138563d5e4c7ed5ddb2f278087fcc80a3d57dfcbf10f52e535237a02aa04c70

SHA512
77254b64de3c2382f5d4fa33384c1b5b23db1e2ee98d760b826a3ac8adef96537a806011eb7f95b7cb6fada77de276ef4dfed92b3e35f12fe9b869d844c8fc28

Download Submit
C:\windows\BHRIS.exe.bat
Filesize
56B

MD5
1f234c0c3efa23a898153c6df7a69c26

SHA1
30e7c89f6ea121f49fb8895bce39d6e7660d0ad4

SHA256
07f97524cdd16f549e4af36b4ed7f486ee228fc8f37cc751f21e27466d7c7cc4

SHA512
5b9cf5cb3884139847fa2ac6c6d63f9a10d8bea4d3e956a86bc6a02463cbb44f95c1e3340449d62daff758089c0b63449b24376f398b49b2d41421a4a2b8186b

Download Submit
C:\windows\CIU.exe.bat
Filesize
52B

MD5
f200867e1d2323f45040c12b39ed7781

SHA1
5a6af403a3e79926d01f0f85237e40a20e62243b

SHA256
4b8dae373e8f651f67c8e0cdc9e9b1d2984caea54a50480055fdcad7e11bdf31

SHA512
a9a3a6c7932335a033355a1916404cbdc7e6c46fad20b7a7e9f1e888e2ce38ca45a9181fbeec25f4d634c0540d3b91661b7d71c67f5bd33165e9fcc51bb51e59

Download Submit
C:\windows\FGB.exe.bat
Filesize
52B

MD5
0310494986a5066b2d686961ab7905ab

SHA1
87fa751c3f630e60a63055b6ec7058bbe2711dbd

SHA256
8aae95045f3c206566bcede0339d2a13742b05ce482a5626d4618ebff9ec638d

SHA512
b2991dc8c3ddecef548b374219faf25a9054da0a896650c4134d26bad7d7c52e6d72245b5a100c310f16b90f16e5630c0e1c48bf9931d49606b5406c90bdfef1

Download Submit
C:\windows\LQKYUP.exe
Filesize
282KB

MD5
c2902e93050552871299412cd2dca7b7

SHA1
84827d4683e58946c7a5caf58941af08b138617e

SHA256
b84e39ce5cef6779dc514844b9cd362377ab0e3138720e8b72569c92d09ca17e

SHA512
616196e2b4f8eb930d0b2eb1e55119b8e1f49d2dfa0e8a236fc95fd333a73ae6f0fe0f1462f0e2259c8eb3ac2835462b7b8a9def7cb5b76dc22ee866d2dda9bb

Download Submit
C:\windows\LQKYUP.exe.bat
Filesize
58B

MD5
7d063d09f85a85481fcf8b0288fd912c

SHA1
b59cf37d347049b58dadf7dacbf46d440cc18c21

SHA256
d140ea0ebf8ce5c5c29eab67ee639d91afa8dcba5a433520be4cd3a246dba114

SHA512
b0ba63403c19cea7e41465a9a3dfd22e074c784264e2e9d7d7c62937b7e842a485263567b7427287a0db9776a28b781260a1be27254b8c99574943a12cb54ad5

Download Submit
C:\windows\LRCOSBS.exe
Filesize
282KB

MD5
6a0f7cf1814aa96509e4d3bc6e704a0d

SHA1
ff560a6627e64bec1e1f953da0f65e3b59852f01

SHA256
d88d1bf4acfeb8ab849e06eca22c96f07ef1f47c222ab2d6bcf6538fdd2c3546

SHA512
73f027d0e5b0747fa4e1023cbe735ff80f3ce61f63079e73208a18c8d347f9816016bc2aac5d8abd3844521e9db56ce7935caa21a96170991a556b470c5ca00c

Download Submit
C:\windows\LRCOSBS.exe.bat
Filesize
60B

MD5
240425a26e019aee635759f389b34f21

SHA1
da278d12addb3827a2670eb2fecd3e80fd35bcc4

SHA256
94bbf6ae110f5a85a6d3d056939a660d13ada07491f6802192f0d9a3e1665317

SHA512
827357ca7d5b8ceae734a5672eae3a997a7a5e9e0a81a9d95e48eb4c443f35a01e53b96ac7306b25cad7d0637ac4a208c785399c73e774b49f4601c2ef1cb5e8

Download Submit
C:\windows\LXXCZPD.exe.bat
Filesize
60B

MD5
67be3ed0ce8af21c890728553a23be35

SHA1
32716fc4c0419bca475fa5f19f7cb3fdf8215a9f

SHA256
f4a076b787781c3cfde2972b4354d0bd1e4e566fae6831d7f6b1cf0ba9237d51

SHA512
0191ed1f5ccd23099c1881af1ed16f4281bb1aee75263bbf8cddb78d2141c8da01fad56a5e31c7cf3b82121c9892babd2a8be2772acfdb9313d576cff9164a72

Download Submit
C:\windows\MFBX.exe.bat
Filesize
54B

MD5
dd16c42202efc40963fa0f6fad695431

SHA1
33a0d814aca325ff8c3ac13976ac4ccf0a8fd00f

SHA256
05c8b671e36a06495dce8191369fa43276804ec1250ee4c9e49fc78c2bf462c8

SHA512
542a19e59847cea18a039fb79560ecd2cf3e552808e79568d97c858db44c18240a8e85fd3d4a67de5e7e573350034d7e3ee03d2e65776b433fb69d7a4b179852

Download Submit
C:\windows\MOM.exe
Filesize
282KB

MD5
bba53319f17d5357e76530899c92e8e4

SHA1
d5c83c9941f08128a4486c9e8d100045ba5c5858

SHA256
e60de3d75b86597e490c94acc2d6c128818c36bed95e05b105546799e3eaa079

SHA512
7802fc3c4fc340b2740cd9091ee1365134ae1117847242a2d65de76efa3680b35a666e85fbf6532a9533f3f1bdfc846abfa0b72aa05ee53d8e4b70156b003e23

Download Submit
C:\windows\MOM.exe.bat
Filesize
52B

MD5
e8770795a77f5989832d9d1f6eacb1c5

SHA1
78ed7b6ac717a745a5815743d6abd4aedc639303

SHA256
bbf28a75c101d2df0cc6a210ce71b60376fdf257d105c8cac592d5d2b379c4ae

SHA512
f4881efb6c63f7cb1328455e4c2950b0db2fd49b1a93dd685b635d6c669e94cf11c26648764b83d3f980437728d931fac5073bbd2d95131df3a6514cc48a08cf

Download Submit
C:\windows\OMMZYYK.exe.bat
Filesize
60B

MD5
182f21c0b9716491e388fd4d0587036e

SHA1
6df52130b2e71ed15f891e9253bc771b7f663545

SHA256
a29b297296c16233086b2127473cdbee6a19872fc2c3be56e088012094ec817e

SHA512
54c9a498db098843be93ec20244ba87a2f3c149673f5b75efdf36f64f57708540169cf3b46ba1226737d36c3aa901e935110ba054b701bc0fe7db98d75f87741

Download Submit
C:\windows\QAPTVF.exe.bat
Filesize
58B

MD5
992a415fbc34cae7f6a32ecf05751e6a

SHA1
cbbfc6973fc4226ec3799b94861d76b0d35735c5

SHA256
fa9e9502af2c9c5bce485ce8a3752f6e8d754c337c3fd71f29b9c66697520b49

SHA512
d1c2330627d015a6672ca8ce2469ca24fcca80b00796dd067b830768eee0e49452a750df2ce38aa3960efbd00f59280785bea09441927f1c5b50d3ed639d838c

Download Submit
C:\windows\SPMKR.exe
Filesize
282KB

MD5
5e2a1b5454d21e396fd8572ca5cfbdba

SHA1
8f9665797f626c5bbc80a95cc1f6b0af688b2699

SHA256
fa85f5ffd82e34daccd2f7ad36c25a329d602aadfc0bb1b0d1bd91d98f541cc4

SHA512
7044b657d84bd841fab8b8246f9d2e81606a89e49aea43e590638a0eb28243c83cf9c6fa52fa632df021097c5ad2bcc974a63886527dbc7107eda9cc6934f188

Download Submit
C:\windows\SPMKR.exe.bat
Filesize
56B

MD5
290c2aa3c580f3f552f2bf6b8f632e8a

SHA1
b86b60db448ffd09c55eaed8e7234d1cfb5ae49e

SHA256
c0d11cbec09c7f8d0f013acd6e7bc858f90f7fe840fd66584928e54515e2fd3a

SHA512
2200faf48e8e0d9d118ccc4e33366d98240947517df5c38bb3ab30058239c2a72ed452c8d59fe7f23a8bf89b8854561c728414171e784ffcc3b0215954f256da

Download Submit
C:\windows\system\AAS.exe.bat
Filesize
66B

MD5
6cf727c9ba8e343ef805a506dd5c09d0

SHA1
a133064f32f8e48d2e4cfc77d161f67797f4a201

SHA256
a2528ca25a9550e30b17c80cb88e9f24fc6998a65e1b046d01d81e3b964556b5

SHA512
618d9997bc9855bdab2d31e401851ff0aa4716a748b0351cd93b85a7487e1395c6e9c813c69ec0a46c35ec401f4b41fd2f703580ce51e2bf968e5c5801fd1b2f

Download Submit
C:\windows\system\EWYEIQB.exe.bat
Filesize
74B

MD5
78090cfd814593a6bec33fc1b1fcf8f7

SHA1
dc91b59fe8db672b8776b9d6619de92a8a6f5626

SHA256
9091ec264a7fc702a52d8e1b4b3bb49a63d26bc20293c39c8735531df8c4c970

SHA512
6314a9ce113d6f4858cf06d0b60a697d3f6228098b22f5e734bdcab3e1be2364b4ed22102a9d04ad2d171e3edc4531e672c542485b0b3a8fab890a04a3355af7

Download Submit
C:\windows\system\JRQDEG.exe.bat
Filesize
72B

MD5
9027c717c0d890483f9ca167921ae8d5

SHA1
f37a1f0494af7eaeb0795c9d3bf3118c96a8c65c

SHA256
e5433295498fbc9b5c0be8562b4c4e2d201e083f9a9d8ffc1b34733df9c97e3d

SHA512
34c78e6c1893cda3420c2ac5ba71bc2bd33a04bf41034d615a277d81533327c6e38835f706ec3409e60c71fb273111830250690895168410c11be5fbaebb27c2

Download Submit
C:\windows\system\MOKHWZY.exe.bat
Filesize
74B

MD5
ae2982cf8a32aea331704546e8eae2d1

SHA1
6357a67194cd510813bf7945019d8965cc43d641

SHA256
e1cf638a55b4123876c2836f2f9c91871c3154d88be6a284a9bb2909c8dbc308

SHA512
39a9720cbd7bfb84aa771f4c87ed2dac7b429aedf383626b6c5820e3639d670657f477b247767a2aef45ae7b5d8d242387bd2eb5db9738bb7806d26cd2c1a30a

Download Submit
C:\windows\system\NBPW.exe.bat
Filesize
68B

MD5
83e5bd495cf30936d375e1d76cf9629b

SHA1
7dd4d35d008f4e3a5d01bf2c2b325544de2aa814

SHA256
4bc79b1cbb83e01656b3770d6ad973f0601a540994cb9a6f16a0ddbb6310770c

SHA512
52887ade63bf3d1ea50cadbe14bb75fb00b334e4e860d67e35c406114dc02681b23b3d93a3b72edda3b6fbbaa9b144b318e720f58ac50cd92537c74314b61557

Download Submit
C:\windows\system\OQWN.exe.bat
Filesize
68B

MD5
625833b1db5074cfe4d8ad6ade587ed5

SHA1
f7397ee9a4e0321b48f952480793c4261e3d08ed

SHA256
b0603ad463ef384a5beda1b3f124d9950793e8783c17400711683793f7425c86

SHA512
398ba25506d41dfa32073de845b6bca8e3b992efda7258a3c74d83530e877540be538a4cea7bf0d9655574716ce967692984e1232fa207b2ec9cec03fa5f4b20

Download Submit
C:\windows\system\PNKD.exe
Filesize
282KB

MD5
c56ab22082e7cda77286bc7dde35d326

SHA1
39f2b17647fdf89b489033d6f4970ddbdd33a86a

SHA256
6bfe3f19c7117c830ea3f04d885d1b515858a4f79ceabf84ef1a8f62c41b7c93

SHA512
c4d2276c1ec7265baf4ceeea02a6403cb004431cb3fa68e0186a3e83dc2c5976735f94bcd4e1f022d895593bf217ab41832df67be28bfb4091a146be7af24b68

Download Submit
C:\windows\system\PNKD.exe.bat
Filesize
68B

MD5
eb704129b3d7ee9caf6db2d833797566

SHA1
a752b6dacdfc2ae2050b2dbb0136676fb68e4642

SHA256
89c7d5b5bca69f8a069b4361ef254881fa8437c2a95e886524f0faa27f601be0

SHA512
71ca2c923ca04f06cf3f44f6f607e6f20c07a824713c49ba9ab2a8ae0ff7fe2b572ebfc413339bc0b014f159cb92b86aa72593eec5592c3c0c34ba33760f5fcb

Download Submit
C:\windows\system\SPED.exe
Filesize
282KB

MD5
4449e4f63e816fd7de86e01dfafd5ef7

SHA1
69ee747fc6bf47fa30b24a1a967796f1cbb97d7a

SHA256
b5f06362e9825d67e9da5c74e35f7b9561c41ffc9873caa40298d4cad7a2d301

SHA512
55587dfe3e7c32cf59c29444a4c50d27871518f9ebd529815b644e541119704e00f59a119abc709d6a41a59ca3c9ee9eea5f9f175a735fd7235ef25b44ed38cc

Download Submit
C:\windows\system\SPED.exe.bat
Filesize
68B

MD5
5687255134def3de1a8f429ab087018e

SHA1
f42d14d717d3a10dab2baaa0f66291a80b00f680

SHA256
a0008e2138880dd343a5b1241618146009a2a8a184730e721ed37baa39e9c6a7

SHA512
3a44ab14d85ecf5c39e905aec7fb4494aeb9a7727fb5567bf3dd7d7f447bdf16930ce3b60f694299ec803d5ed68a25ccd1fbc187c04d9f69dd9ffa51b81b9a4f

Download Submit
C:\windows\system\TEBVD.exe.bat
Filesize
70B

MD5
f8484bbbacdbca73b8b53f99ae02de3d

SHA1
f03f60ffd05000b0725ee9e4bba1219783721ab2

SHA256
031a486aac2c917043779d188204e24685f47bfb9653613d5e316ba121d39018

SHA512
b7190e8917ec77548b057df950f7b0dd752d3b8092fff8e33c4c2dbeaa7808ea5114e1e518245a54c11437407654bde46773580dc0737c96a22a2d61709af88a

Download Submit
C:\windows\system\WVUT.exe
Filesize
282KB

MD5
d89c32a845c75dbdb981eafebb22c1e8

SHA1
1783734ec4db36a4fc9ef0fbb7a44065d3302b9f

SHA256
1c14333fcd72c2f52fbc96a2c744f6d1247818ca8f6417375d3d6e53cff47c1f

SHA512
955a9f4d1685233b93f8ac107325f48bef1fa00029700528e75f6667d6aea6aac6063a31e55bbe579829983dc5a5641729085b910de52027ad2f25ede398b81a

Download Submit
C:\windows\system\WVUT.exe.bat
Filesize
68B

MD5
2297125ba243c1bdd1652019c1ccf942

SHA1
562ccaa6ca8a02fb748fafc7124730ffe743b8a1

SHA256
47a80c15c59fade3754e4ee606abb20583ee978d8f9a12194368e27ddb5d2384

SHA512
fe15701db372717197cbc52f650cbad7a2399e2b391f2789bee41f21027b4c6d6d0b87dd1df38eb545187567b58f639c1a92f6ca67f68535ec39407cb0207d75

Download Submit
memory/652-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/888-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/888-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1132-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1448-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1580-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1580-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1636-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1636-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1760-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1760-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1868-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1868-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1896-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2280-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2280-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2284-105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2284-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-366-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3348-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3348-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3860-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3860-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4028-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4028-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4160-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4160-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4684-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download