8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
Size

448KB
MD5

832a45c68255355a4afda0c7634295ed
SHA1

3c91743c3f36a1d4295a6a4ca0ffa59181a937c5
SHA256

8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c
SHA512

14a3d7d6813c26b72e147134d8a1a130d352dcd4847d05d19660e6dfbf609af8cdf61bf025436c9d85fdf6380dee26dd864cfb07786ea689653ea538b6ee01f3
SSDEEP

6144:Cc1I07FfYYRv0tjdA5qBdpWiFokEjWbjcSbcY+CaQdaFOY4iGFYtR:F6sZYYRv0tjdTdzFokFbz+xt4vF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	JCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XVZVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IGL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BTNUSKM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZGSNJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	RTVPZN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	NDY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BEKSUIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UHM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CEZSR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VGBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VLMEQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	AKZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UZRKZOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	GCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XLIVWO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZUEUC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EOF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SUQL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IRESCLQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	UVRDLKM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HCB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OFNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	JGIN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MRC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VSUXPQJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	MXX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	THB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ATVE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	GOAMGW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KAPHXHO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CPITFLK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	IKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KQWNKCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	XPYWTU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DPNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	COCTXSJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DMQAQO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SHPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	NRVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SIMPRXI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	EREHTVI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	USSBIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZOPHALU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PPWY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	HAIFDC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CUYUID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	SZZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QLYGNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	GXKK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	AMALU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	BUKCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	YVXZNTZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ADGVMN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	AQZVBEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ARTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	OZJXIU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZVKVFWB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	QHGKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	DVT.exe

Executes dropped EXE 64 IoCs

pid	Process
3136	LHZWPSV.exe
1844	QHGKH.exe
456	KQWNKCA.exe
3868	OYCN.exe
492	MWQF.exe
4284	XOTYMI.exe
1048	PKXT.exe
4976	JCE.exe
1700	UVHX.exe
3972	RTVPZN.exe
2968	XVZVE.exe
4004	VGBD.exe
4572	AMUSD.exe
2564	ARMHE.exe
2304	PPZYUI.exe
4832	KDEIEIA.exe
2972	DVT.exe
3168	AWVDSFR.exe
4184	BRZZF.exe
4900	DMQAQO.exe
1184	AMALU.exe
5116	ZXDB.exe
5092	RAHWQO.exe
4828	JBV.exe
2824	PBDH.exe
4880	EREHTVI.exe
2980	PJH.exe
3608	FZUR.exe
3600	UVRDLKM.exe
3988	JYBIE.exe
5064	JDBWFK.exe
1656	MQSYQDF.exe
4536	IGMOCCB.exe
4704	WUYGHZR.exe
3100	QPDQ.exe
4956	YVH.exe
4768	VANUJ.exe
3804	SBXW.exe
3304	WJEEZV.exe
4836	NRKBMMV.exe
2392	XPYWTU.exe
4168	BXEW.exe
4660	HSDEKI.exe
316	FSLSTKQ.exe
2736	RVW.exe
2468	PTU.exe
2316	GEFYXWX.exe
776	THB.exe
3908	DFHRJW.exe
3716	SAY.exe
4084	AQZVBEY.exe
3992	ATDQ.exe
2976	IGI.exe
5060	WJY.exe
3344	HCB.exe
952	JZU.exe
1568	OFNG.exe
1428	ISRPMV.exe
2280	GNJQRY.exe
5108	BYZPFJ.exe
4132	ZZHCODJ.exe
4456	HELJZJ.exe
3348	GPKHYW.exe
4228	BCBJSPP.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\UQB.exe	HSBQU.exe
File opened for modification	C:\windows\SysWOW64\XVZVE.exe	RTVPZN.exe
File created	C:\windows\SysWOW64\RVW.exe.bat	FSLSTKQ.exe
File created	C:\windows\SysWOW64\FREG.exe	PBD.exe
File opened for modification	C:\windows\SysWOW64\CXAFMSR.exe	YUCSMZO.exe
File opened for modification	C:\windows\SysWOW64\NQKNVIE.exe	JAENJYQ.exe
File created	C:\windows\SysWOW64\FEPQND.exe	HOQNBR.exe
File created	C:\windows\SysWOW64\BCC.exe	AMURZNL.exe
File created	C:\windows\SysWOW64\IPR.exe	JEHE.exe
File created	C:\windows\SysWOW64\HKDEPZV.exe.bat	DCWED.exe
File opened for modification	C:\windows\SysWOW64\IGL.exe	BNWKOSQ.exe
File created	C:\windows\SysWOW64\JWPATR.exe	MDFXHVI.exe
File opened for modification	C:\windows\SysWOW64\JBV.exe	RAHWQO.exe
File created	C:\windows\SysWOW64\IWX.exe	TGKAD.exe
File created	C:\windows\SysWOW64\NRVW.exe.bat	EOF.exe
File opened for modification	C:\windows\SysWOW64\HKDEPZV.exe	DCWED.exe
File created	C:\windows\SysWOW64\KAPHXHO.exe	KMXTVUT.exe
File created	C:\windows\SysWOW64\RVW.exe	FSLSTKQ.exe
File created	C:\windows\SysWOW64\ZZHCODJ.exe	BYZPFJ.exe
File created	C:\windows\SysWOW64\HDDORU.exe.bat	USSBIP.exe
File opened for modification	C:\windows\SysWOW64\IPR.exe	JEHE.exe
File created	C:\windows\SysWOW64\HKDEPZV.exe	DCWED.exe
File opened for modification	C:\windows\SysWOW64\PBDH.exe	JBV.exe
File created	C:\windows\SysWOW64\EREHTVI.exe	PBDH.exe
File opened for modification	C:\windows\SysWOW64\YVH.exe	QPDQ.exe
File created	C:\windows\SysWOW64\NFUU.exe	VKDRQL.exe
File opened for modification	C:\windows\SysWOW64\RAHWQO.exe	ZXDB.exe
File opened for modification	C:\windows\SysWOW64\GPKHYW.exe	HELJZJ.exe
File created	C:\windows\SysWOW64\CXAFMSR.exe.bat	YUCSMZO.exe
File created	C:\windows\SysWOW64\NQKNVIE.exe	JAENJYQ.exe
File created	C:\windows\SysWOW64\UPASYV.exe	FHZBSAH.exe
File opened for modification	C:\windows\SysWOW64\AWVDSFR.exe	DVT.exe
File created	C:\windows\SysWOW64\JBV.exe.bat	RAHWQO.exe
File opened for modification	C:\windows\SysWOW64\JEHE.exe	YMM.exe
File created	C:\windows\SysWOW64\IPR.exe.bat	JEHE.exe
File created	C:\windows\SysWOW64\NFUU.exe.bat	VKDRQL.exe
File created	C:\windows\SysWOW64\AWVDSFR.exe.bat	DVT.exe
File opened for modification	C:\windows\SysWOW64\GEFYXWX.exe	PTU.exe
File created	C:\windows\SysWOW64\QLNI.exe.bat	ESFXXS.exe
File created	C:\windows\SysWOW64\HDPW.exe	NQKNVIE.exe
File opened for modification	C:\windows\SysWOW64\ZGSNJ.exe	RTFYY.exe
File opened for modification	C:\windows\SysWOW64\RMGKJ.exe	PWXN.exe
File created	C:\windows\SysWOW64\ARMHE.exe.bat	AMUSD.exe
File opened for modification	C:\windows\SysWOW64\AMALU.exe	DMQAQO.exe
File created	C:\windows\SysWOW64\JBV.exe	RAHWQO.exe
File created	C:\windows\SysWOW64\OATK.exe	QLNI.exe
File created	C:\windows\SysWOW64\MDFXHVI.exe	NFUU.exe
File created	C:\windows\SysWOW64\BRZZF.exe.bat	AWVDSFR.exe
File created	C:\windows\SysWOW64\RMGKJ.exe	PWXN.exe
File created	C:\windows\SysWOW64\FHZBSAH.exe.bat	ZGSNJ.exe
File created	C:\windows\SysWOW64\SHPB.exe.bat	FFLDO.exe
File opened for modification	C:\windows\SysWOW64\ABUWG.exe	CFVW.exe
File opened for modification	C:\windows\SysWOW64\KAPHXHO.exe	KMXTVUT.exe
File opened for modification	C:\windows\SysWOW64\ZZHCODJ.exe	BYZPFJ.exe
File created	C:\windows\SysWOW64\ZZHCODJ.exe.bat	BYZPFJ.exe
File created	C:\windows\SysWOW64\GPKHYW.exe	HELJZJ.exe
File created	C:\windows\SysWOW64\KLJOW.exe	HDDORU.exe
File created	C:\windows\SysWOW64\QLNI.exe	ESFXXS.exe
File opened for modification	C:\windows\SysWOW64\CEZSR.exe	FEPQND.exe
File created	C:\windows\SysWOW64\SIMPRXI.exe.bat	IKH.exe
File created	C:\windows\SysWOW64\MDFXHVI.exe.bat	NFUU.exe
File created	C:\windows\SysWOW64\SUQL.exe.bat	UZRKZOI.exe
File created	C:\windows\SysWOW64\AMALU.exe	DMQAQO.exe
File created	C:\windows\SysWOW64\PBDH.exe.bat	JBV.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\HCB.exe.bat	WJY.exe
File created	C:\windows\UZRKZOI.exe.bat	OZJXIU.exe
File created	C:\windows\RTFYY.exe	ADGVMN.exe
File created	C:\windows\BAWT.exe.bat	KAC.exe
File created	C:\windows\FZDB.exe.bat	FWZFY.exe
File created	C:\windows\YUCSMZO.exe.bat	ATVE.exe
File opened for modification	C:\windows\JGIN.exe	HKDEPZV.exe
File created	C:\windows\system\PJH.exe	EREHTVI.exe
File opened for modification	C:\windows\system\BXEW.exe	XPYWTU.exe
File created	C:\windows\KNFO.exe	ZVKVFWB.exe
File created	C:\windows\system\VSUXPQJ.exe	GXKK.exe
File opened for modification	C:\windows\PWXN.exe	JWPATR.exe
File created	C:\windows\system\OYCN.exe.bat	KQWNKCA.exe
File created	C:\windows\MQSYQDF.exe	JDBWFK.exe
File opened for modification	C:\windows\MVW.exe	BCBJSPP.exe
File created	C:\windows\MVW.exe.bat	BCBJSPP.exe
File created	C:\windows\system\AMURZNL.exe	VLMEQ.exe
File created	C:\windows\TGKAD.exe	JGIN.exe
File opened for modification	C:\windows\system\KOI.exe	IQUTEE.exe
File created	C:\windows\DYGDAX.exe	VSUXPQJ.exe
File created	C:\windows\PNNYSIP.exe	RMGKJ.exe
File created	C:\windows\system\BXEW.exe.bat	XPYWTU.exe
File created	C:\windows\BCBJSPP.exe.bat	GPKHYW.exe
File created	C:\windows\SNPHD.exe.bat	GCSC.exe
File created	C:\windows\PBD.exe	NDY.exe
File created	C:\windows\system\YMM.exe	QYZ.exe
File opened for modification	C:\windows\system\BEKSUIT.exe	ABUWG.exe
File created	C:\windows\system\IQUTEE.exe.bat	DPNG.exe
File opened for modification	C:\windows\XLIVWO.exe	SIMPRXI.exe
File opened for modification	C:\windows\LHZWPSV.exe	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
File created	C:\windows\system\BUKCP.exe.bat	BCC.exe
File opened for modification	C:\windows\system\LCFBUET.exe	MRC.exe
File created	C:\windows\WJEEZV.exe	SBXW.exe
File created	C:\windows\DCT.exe	ZUEUC.exe
File created	C:\windows\system\KOI.exe	IQUTEE.exe
File created	C:\windows\system\GCSC.exe	CUYUID.exe
File created	C:\windows\XLIVWO.exe	SIMPRXI.exe
File created	C:\windows\system\DVT.exe.bat	KDEIEIA.exe
File created	C:\windows\system\AMURZNL.exe.bat	VLMEQ.exe
File created	C:\windows\system\NDY.exe	DFSAMQ.exe
File created	C:\windows\system\ATVE.exe	FREG.exe
File created	C:\windows\KMXTVUT.exe.bat	IOKHGMK.exe
File opened for modification	C:\windows\BYZPFJ.exe	GNJQRY.exe
File created	C:\windows\system\QYZ.exe	OATK.exe
File created	C:\windows\system\UBBXX.exe.bat	AFXO.exe
File opened for modification	C:\windows\system\ADGVMN.exe	YVXZNTZ.exe
File created	C:\windows\HOQNBR.exe	KNGDXNW.exe
File created	C:\windows\system\LCFBUET.exe.bat	MRC.exe
File opened for modification	C:\windows\AKZ.exe	ARZ.exe
File opened for modification	C:\windows\KNFO.exe	ZVKVFWB.exe
File created	C:\windows\system\ARTL.exe.bat	ZOPHALU.exe
File created	C:\windows\system\GOAMGW.exe	HDPW.exe
File opened for modification	C:\windows\FZDB.exe	FWZFY.exe
File created	C:\windows\system\AMUSD.exe.bat	VGBD.exe
File created	C:\windows\PBD.exe.bat	NDY.exe
File created	C:\windows\TGKAD.exe.bat	JGIN.exe
File created	C:\windows\system\PPWY.exe.bat	NRVW.exe
File created	C:\windows\DYGDAX.exe.bat	VSUXPQJ.exe
File created	C:\windows\LHZWPSV.exe	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
File created	C:\windows\FZUR.exe	PJH.exe
File created	C:\windows\system\ECLYW.exe	BUKCP.exe
File opened for modification	C:\windows\system\COCTXSJ.exe	KOI.exe
File created	C:\windows\system\FWZFY.exe.bat	DYGDAX.exe
File created	C:\windows\system\OVUORW.exe	KNFO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2280	1736	WerFault.exe	80
2812	3136	WerFault.exe	88
788	1844	WerFault.exe	94
2604	456	WerFault.exe	99
4616	3868	WerFault.exe	104
4852	492	WerFault.exe	111
1860	4284	WerFault.exe	116
4704	1048	WerFault.exe	123
4516	4976	WerFault.exe	128
1676	1700	WerFault.exe	133
1364	3972	WerFault.exe	139
2568	2968	WerFault.exe	144
488	4004	WerFault.exe	149
2980	4572	WerFault.exe	154
544	2564	WerFault.exe	161
924	2304	WerFault.exe	166
4828	4832	WerFault.exe	171
4580	2972	WerFault.exe	176
1744	3168	WerFault.exe	181
4220	4184	WerFault.exe	186
2412	4900	WerFault.exe	191
1276	1184	WerFault.exe	196
388	5116	WerFault.exe	201
2892	5092	WerFault.exe	206
456	4828	WerFault.exe	211
896	2824	WerFault.exe	216
3468	4880	WerFault.exe	221
2916	2980	WerFault.exe	226
544	3608	WerFault.exe	231
4372	3600	WerFault.exe	236
2904	3988	WerFault.exe	241
752	5064	WerFault.exe	246
4828	1656	WerFault.exe	251
4572	4536	WerFault.exe	256
4880	4704	WerFault.exe	261
4364	3100	WerFault.exe	266
3816	4956	WerFault.exe	271
4376	4768	WerFault.exe	277
5096	3804	WerFault.exe	282
3956	3304	WerFault.exe	287
5032	4836	WerFault.exe	292
8	2392	WerFault.exe	297
668	4168	WerFault.exe	302
3992	4660	WerFault.exe	307
3896	316	WerFault.exe	312
5100	2736	WerFault.exe	317
3332	2468	WerFault.exe	322
4004	2316	WerFault.exe	327
3640	776	WerFault.exe	332
2080	3908	WerFault.exe	337
3800	3716	WerFault.exe	342
544	4084	WerFault.exe	347
1640	3992	WerFault.exe	352
2192	2976	WerFault.exe	357
1596	5060	WerFault.exe	362
3340	3344	WerFault.exe	367
4988	952	WerFault.exe	372
2784	1568	WerFault.exe	377
1064	1428	WerFault.exe	382
4864	2280	WerFault.exe	387
820	5108	WerFault.exe	392
4368	4132	WerFault.exe	397
4336	4456	WerFault.exe	402
3056	3348	WerFault.exe	407

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
3136	LHZWPSV.exe
3136	LHZWPSV.exe
1844	QHGKH.exe
1844	QHGKH.exe
456	KQWNKCA.exe
456	KQWNKCA.exe
3868	OYCN.exe
3868	OYCN.exe
492	MWQF.exe
492	MWQF.exe
4284	XOTYMI.exe
4284	XOTYMI.exe
1048	PKXT.exe
1048	PKXT.exe
4976	JCE.exe
4976	JCE.exe
1700	UVHX.exe
1700	UVHX.exe
3972	RTVPZN.exe
3972	RTVPZN.exe
2968	XVZVE.exe
2968	XVZVE.exe
4004	VGBD.exe
4004	VGBD.exe
4572	AMUSD.exe
4572	AMUSD.exe
2564	ARMHE.exe
2564	ARMHE.exe
2304	PPZYUI.exe
2304	PPZYUI.exe
4832	KDEIEIA.exe
4832	KDEIEIA.exe
2972	DVT.exe
2972	DVT.exe
3168	AWVDSFR.exe
3168	AWVDSFR.exe
4184	BRZZF.exe
4184	BRZZF.exe
4900	DMQAQO.exe
4900	DMQAQO.exe
1184	AMALU.exe
1184	AMALU.exe
5116	ZXDB.exe
5116	ZXDB.exe
5092	RAHWQO.exe
5092	RAHWQO.exe
4828	JBV.exe
4828	JBV.exe
2824	PBDH.exe
2824	PBDH.exe
4880	EREHTVI.exe
4880	EREHTVI.exe
2980	PJH.exe
2980	PJH.exe
3608	FZUR.exe
3608	FZUR.exe
3600	UVRDLKM.exe
3600	UVRDLKM.exe
3988	JYBIE.exe
3988	JYBIE.exe
5064	JDBWFK.exe
5064	JDBWFK.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
3136	LHZWPSV.exe
3136	LHZWPSV.exe
1844	QHGKH.exe
1844	QHGKH.exe
456	KQWNKCA.exe
456	KQWNKCA.exe
3868	OYCN.exe
3868	OYCN.exe
492	MWQF.exe
492	MWQF.exe
4284	XOTYMI.exe
4284	XOTYMI.exe
1048	PKXT.exe
1048	PKXT.exe
4976	JCE.exe
4976	JCE.exe
1700	UVHX.exe
1700	UVHX.exe
3972	RTVPZN.exe
3972	RTVPZN.exe
2968	XVZVE.exe
2968	XVZVE.exe
4004	VGBD.exe
4004	VGBD.exe
4572	AMUSD.exe
4572	AMUSD.exe
2564	ARMHE.exe
2564	ARMHE.exe
2304	PPZYUI.exe
2304	PPZYUI.exe
4832	KDEIEIA.exe
4832	KDEIEIA.exe
2972	DVT.exe
2972	DVT.exe
3168	AWVDSFR.exe
3168	AWVDSFR.exe
4184	BRZZF.exe
4184	BRZZF.exe
4900	DMQAQO.exe
4900	DMQAQO.exe
1184	AMALU.exe
1184	AMALU.exe
5116	ZXDB.exe
5116	ZXDB.exe
5092	RAHWQO.exe
5092	RAHWQO.exe
4828	JBV.exe
4828	JBV.exe
2824	PBDH.exe
2824	PBDH.exe
4880	EREHTVI.exe
4880	EREHTVI.exe
2980	PJH.exe
2980	PJH.exe
3608	FZUR.exe
3608	FZUR.exe
3600	UVRDLKM.exe
3600	UVRDLKM.exe
3988	JYBIE.exe
3988	JYBIE.exe
5064	JDBWFK.exe
5064	JDBWFK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4784	1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe	84
PID 1736 wrote to memory of 4784	1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe	84
PID 1736 wrote to memory of 4784	1736	8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe	84
PID 4784 wrote to memory of 3136	4784	cmd.exe	88
PID 4784 wrote to memory of 3136	4784	cmd.exe	88
PID 4784 wrote to memory of 3136	4784	cmd.exe	88
PID 3136 wrote to memory of 2108	3136	LHZWPSV.exe	90
PID 3136 wrote to memory of 2108	3136	LHZWPSV.exe	90
PID 3136 wrote to memory of 2108	3136	LHZWPSV.exe	90
PID 2108 wrote to memory of 1844	2108	cmd.exe	94
PID 2108 wrote to memory of 1844	2108	cmd.exe	94
PID 2108 wrote to memory of 1844	2108	cmd.exe	94
PID 1844 wrote to memory of 4904	1844	QHGKH.exe	95
PID 1844 wrote to memory of 4904	1844	QHGKH.exe	95
PID 1844 wrote to memory of 4904	1844	QHGKH.exe	95
PID 4904 wrote to memory of 456	4904	cmd.exe	99
PID 4904 wrote to memory of 456	4904	cmd.exe	99
PID 4904 wrote to memory of 456	4904	cmd.exe	99
PID 456 wrote to memory of 3400	456	KQWNKCA.exe	100
PID 456 wrote to memory of 3400	456	KQWNKCA.exe	100
PID 456 wrote to memory of 3400	456	KQWNKCA.exe	100
PID 3400 wrote to memory of 3868	3400	cmd.exe	104
PID 3400 wrote to memory of 3868	3400	cmd.exe	104
PID 3400 wrote to memory of 3868	3400	cmd.exe	104
PID 3868 wrote to memory of 4584	3868	OYCN.exe	107
PID 3868 wrote to memory of 4584	3868	OYCN.exe	107
PID 3868 wrote to memory of 4584	3868	OYCN.exe	107
PID 4584 wrote to memory of 492	4584	cmd.exe	111
PID 4584 wrote to memory of 492	4584	cmd.exe	111
PID 4584 wrote to memory of 492	4584	cmd.exe	111
PID 492 wrote to memory of 4576	492	MWQF.exe	112
PID 492 wrote to memory of 4576	492	MWQF.exe	112
PID 492 wrote to memory of 4576	492	MWQF.exe	112
PID 4576 wrote to memory of 4284	4576	cmd.exe	116
PID 4576 wrote to memory of 4284	4576	cmd.exe	116
PID 4576 wrote to memory of 4284	4576	cmd.exe	116
PID 4284 wrote to memory of 1644	4284	XOTYMI.exe	119
PID 4284 wrote to memory of 1644	4284	XOTYMI.exe	119
PID 4284 wrote to memory of 1644	4284	XOTYMI.exe	119
PID 1644 wrote to memory of 1048	1644	cmd.exe	123
PID 1644 wrote to memory of 1048	1644	cmd.exe	123
PID 1644 wrote to memory of 1048	1644	cmd.exe	123
PID 1048 wrote to memory of 2124	1048	PKXT.exe	124
PID 1048 wrote to memory of 2124	1048	PKXT.exe	124
PID 1048 wrote to memory of 2124	1048	PKXT.exe	124
PID 2124 wrote to memory of 4976	2124	cmd.exe	128
PID 2124 wrote to memory of 4976	2124	cmd.exe	128
PID 2124 wrote to memory of 4976	2124	cmd.exe	128
PID 4976 wrote to memory of 3360	4976	JCE.exe	129
PID 4976 wrote to memory of 3360	4976	JCE.exe	129
PID 4976 wrote to memory of 3360	4976	JCE.exe	129
PID 3360 wrote to memory of 1700	3360	cmd.exe	133
PID 3360 wrote to memory of 1700	3360	cmd.exe	133
PID 3360 wrote to memory of 1700	3360	cmd.exe	133
PID 1700 wrote to memory of 3648	1700	UVHX.exe	134
PID 1700 wrote to memory of 3648	1700	UVHX.exe	134
PID 1700 wrote to memory of 3648	1700	UVHX.exe	134
PID 3648 wrote to memory of 3972	3648	cmd.exe	139
PID 3648 wrote to memory of 3972	3648	cmd.exe	139
PID 3648 wrote to memory of 3972	3648	cmd.exe	139
PID 3972 wrote to memory of 3988	3972	RTVPZN.exe	140
PID 3972 wrote to memory of 3988	3972	RTVPZN.exe	140
PID 3972 wrote to memory of 3988	3972	RTVPZN.exe	140
PID 3988 wrote to memory of 2968	3988	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe
"C:\Users\Admin\AppData\Local\Temp\8261e9f4b828aff9ac6e8671686e62582d2a6ac736c24ae8c5dc0d126510594c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\LHZWPSV.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\windows\LHZWPSV.exe
    C:\windows\LHZWPSV.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\QHGKH.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\windows\system\QHGKH.exe
        
        C:\windows\system\QHGKH.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KQWNKCA.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\windows\KQWNKCA.exe
        
        C:\windows\KQWNKCA.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYCN.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\windows\system\OYCN.exe
        
        C:\windows\system\OYCN.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MWQF.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\windows\system\MWQF.exe
        
        C:\windows\system\MWQF.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XOTYMI.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\windows\system\XOTYMI.exe
        
        C:\windows\system\XOTYMI.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKXT.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\windows\system\PKXT.exe
        
        C:\windows\system\PKXT.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCE.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\windows\SysWOW64\JCE.exe
        
        C:\windows\system32\JCE.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UVHX.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\windows\UVHX.exe
        
        C:\windows\UVHX.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RTVPZN.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\windows\SysWOW64\RTVPZN.exe
        
        C:\windows\system32\RTVPZN.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XVZVE.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\windows\SysWOW64\XVZVE.exe
        
        C:\windows\system32\XVZVE.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGBD.exe.bat" "
        24⤵
        
        PID:3620
        
        C:\windows\system\VGBD.exe
        
        C:\windows\system\VGBD.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMUSD.exe.bat" "
        26⤵
        
        PID:3840
        
        C:\windows\system\AMUSD.exe
        
        C:\windows\system\AMUSD.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARMHE.exe.bat" "
        28⤵
        
        PID:4308
        
        C:\windows\SysWOW64\ARMHE.exe
        
        C:\windows\system32\ARMHE.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PPZYUI.exe.bat" "
        30⤵
        
        PID:1096
        
        C:\windows\PPZYUI.exe
        
        C:\windows\PPZYUI.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDEIEIA.exe.bat" "
        32⤵
        
        PID:4504
        
        C:\windows\system\KDEIEIA.exe
        
        C:\windows\system\KDEIEIA.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DVT.exe.bat" "
        34⤵
        
        PID:3284
        
        C:\windows\system\DVT.exe
        
        C:\windows\system\DVT.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWVDSFR.exe.bat" "
        36⤵
        
        PID:4964
        
        C:\windows\SysWOW64\AWVDSFR.exe
        
        C:\windows\system32\AWVDSFR.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRZZF.exe.bat" "
        38⤵
        
        PID:4336
        
        C:\windows\SysWOW64\BRZZF.exe
        
        C:\windows\system32\BRZZF.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DMQAQO.exe.bat" "
        40⤵
        
        PID:1888
        
        C:\windows\system\DMQAQO.exe
        
        C:\windows\system\DMQAQO.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AMALU.exe.bat" "
        42⤵
        
        PID:2916
        
        C:\windows\SysWOW64\AMALU.exe
        
        C:\windows\system32\AMALU.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXDB.exe.bat" "
        44⤵
        
        PID:4976
        
        C:\windows\system\ZXDB.exe
        
        C:\windows\system\ZXDB.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAHWQO.exe.bat" "
        46⤵
        
        PID:3132
        
        C:\windows\SysWOW64\RAHWQO.exe
        
        C:\windows\system32\RAHWQO.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBV.exe.bat" "
        48⤵
        
        PID:1836
        
        C:\windows\SysWOW64\JBV.exe
        
        C:\windows\system32\JBV.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBDH.exe.bat" "
        50⤵
        
        PID:4608
        
        C:\windows\SysWOW64\PBDH.exe
        
        C:\windows\system32\PBDH.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EREHTVI.exe.bat" "
        52⤵
        
        PID:1796
        
        C:\windows\SysWOW64\EREHTVI.exe
        
        C:\windows\system32\EREHTVI.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJH.exe.bat" "
        54⤵
        
        PID:4988
        
        C:\windows\system\PJH.exe
        
        C:\windows\system\PJH.exe
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZUR.exe.bat" "
        56⤵
        
        PID:4328
        
        C:\windows\FZUR.exe
        
        C:\windows\FZUR.exe
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UVRDLKM.exe.bat" "
        58⤵
        
        PID:2564
        
        C:\windows\UVRDLKM.exe
        
        C:\windows\UVRDLKM.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JYBIE.exe.bat" "
        60⤵
        
        PID:5084
        
        C:\windows\JYBIE.exe
        
        C:\windows\JYBIE.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JDBWFK.exe.bat" "
        62⤵
        
        PID:2352
        
        C:\windows\SysWOW64\JDBWFK.exe
        
        C:\windows\system32\JDBWFK.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MQSYQDF.exe.bat" "
        64⤵
        
        PID:5096
        
        C:\windows\MQSYQDF.exe
        
        C:\windows\MQSYQDF.exe
        65⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IGMOCCB.exe.bat" "
        66⤵
        
        PID:456
        
        C:\windows\IGMOCCB.exe
        
        C:\windows\IGMOCCB.exe
        67⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WUYGHZR.exe.bat" "
        68⤵
        
        PID:2964
        
        C:\windows\WUYGHZR.exe
        
        C:\windows\WUYGHZR.exe
        69⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPDQ.exe.bat" "
        70⤵
        
        PID:1912
        
        C:\windows\system\QPDQ.exe
        
        C:\windows\system\QPDQ.exe
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YVH.exe.bat" "
        72⤵
        
        PID:2080
        
        C:\windows\SysWOW64\YVH.exe
        
        C:\windows\system32\YVH.exe
        73⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VANUJ.exe.bat" "
        74⤵
        
        PID:4420
        
        C:\windows\VANUJ.exe
        
        C:\windows\VANUJ.exe
        75⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SBXW.exe.bat" "
        76⤵
        
        PID:4000
        
        C:\windows\SBXW.exe
        
        C:\windows\SBXW.exe
        77⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJEEZV.exe.bat" "
        78⤵
        
        PID:3988
        
        C:\windows\WJEEZV.exe
        
        C:\windows\WJEEZV.exe
        79⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NRKBMMV.exe.bat" "
        80⤵
        
        PID:4236
        
        C:\windows\NRKBMMV.exe
        
        C:\windows\NRKBMMV.exe
        81⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XPYWTU.exe.bat" "
        82⤵
        
        PID:4544
        
        C:\windows\system\XPYWTU.exe
        
        C:\windows\system\XPYWTU.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXEW.exe.bat" "
        84⤵
        
        PID:5080
        
        C:\windows\system\BXEW.exe
        
        C:\windows\system\BXEW.exe
        85⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSDEKI.exe.bat" "
        86⤵
        
        PID:1092
        
        C:\windows\SysWOW64\HSDEKI.exe
        
        C:\windows\system32\HSDEKI.exe
        87⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FSLSTKQ.exe.bat" "
        88⤵
        
        PID:3172
        
        C:\windows\SysWOW64\FSLSTKQ.exe
        
        C:\windows\system32\FSLSTKQ.exe
        89⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVW.exe.bat" "
        90⤵
        
        PID:3672
        
        C:\windows\SysWOW64\RVW.exe
        
        C:\windows\system32\RVW.exe
        91⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTU.exe.bat" "
        92⤵
        
        PID:3088
        
        C:\windows\system\PTU.exe
        
        C:\windows\system\PTU.exe
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GEFYXWX.exe.bat" "
        94⤵
        
        PID:1364
        
        C:\windows\SysWOW64\GEFYXWX.exe
        
        C:\windows\system32\GEFYXWX.exe
        95⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\THB.exe.bat" "
        96⤵
        
        PID:4456
        
        C:\windows\THB.exe
        
        C:\windows\THB.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFHRJW.exe.bat" "
        98⤵
        
        PID:1472
        
        C:\windows\DFHRJW.exe
        
        C:\windows\DFHRJW.exe
        99⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SAY.exe.bat" "
        100⤵
        
        PID:1568
        
        C:\windows\SAY.exe
        
        C:\windows\SAY.exe
        101⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AQZVBEY.exe.bat" "
        102⤵
        
        PID:5020
        
        C:\windows\SysWOW64\AQZVBEY.exe
        
        C:\windows\system32\AQZVBEY.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATDQ.exe.bat" "
        104⤵
        
        PID:4784
        
        C:\windows\ATDQ.exe
        
        C:\windows\ATDQ.exe
        105⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IGI.exe.bat" "
        106⤵
        
        PID:4584
        
        C:\windows\SysWOW64\IGI.exe
        
        C:\windows\system32\IGI.exe
        107⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJY.exe.bat" "
        108⤵
        
        PID:388
        
        C:\windows\WJY.exe
        
        C:\windows\WJY.exe
        109⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCB.exe.bat" "
        110⤵
        
        PID:2064
        
        C:\windows\system\HCB.exe
        
        C:\windows\system\HCB.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JZU.exe.bat" "
        112⤵
        
        PID:4280
        
        C:\windows\SysWOW64\JZU.exe
        
        C:\windows\system32\JZU.exe
        113⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OFNG.exe.bat" "
        114⤵
        
        PID:4424
        
        C:\windows\system\OFNG.exe
        
        C:\windows\system\OFNG.exe
        115⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISRPMV.exe.bat" "
        116⤵
        
        PID:864
        
        C:\windows\ISRPMV.exe
        
        C:\windows\ISRPMV.exe
        117⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNJQRY.exe.bat" "
        118⤵
        
        PID:5020
        
        C:\windows\SysWOW64\GNJQRY.exe
        
        C:\windows\system32\GNJQRY.exe
        119⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BYZPFJ.exe.bat" "
        120⤵
        
        PID:4080
        
        C:\windows\BYZPFJ.exe
        
        C:\windows\BYZPFJ.exe
        121⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZHCODJ.exe.bat" "
        122⤵
        
        PID:940
        
        C:\windows\SysWOW64\ZZHCODJ.exe
        
        C:\windows\system32\ZZHCODJ.exe
        123⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HELJZJ.exe.bat" "
        124⤵
        
        PID:4928
        
        C:\windows\system\HELJZJ.exe
        
        C:\windows\system\HELJZJ.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPKHYW.exe.bat" "
        126⤵
        
        PID:2976
        
        C:\windows\SysWOW64\GPKHYW.exe
        
        C:\windows\system32\GPKHYW.exe
        127⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BCBJSPP.exe.bat" "
        128⤵
        
        PID:5060
        
        C:\windows\BCBJSPP.exe
        
        C:\windows\BCBJSPP.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MVW.exe.bat" "
        130⤵
        
        PID:3772
        
        C:\windows\MVW.exe
        
        C:\windows\MVW.exe
        131⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HAIFDC.exe.bat" "
        132⤵
        
        PID:952
        
        C:\windows\SysWOW64\HAIFDC.exe
        
        C:\windows\system32\HAIFDC.exe
        133⤵
        Checks computer location settings
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VLMEQ.exe.bat" "
        134⤵
        
        PID:2784
        
        C:\windows\system\VLMEQ.exe
        
        C:\windows\system\VLMEQ.exe
        135⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMURZNL.exe.bat" "
        136⤵
        
        PID:1616
        
        C:\windows\system\AMURZNL.exe
        
        C:\windows\system\AMURZNL.exe
        137⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCC.exe.bat" "
        138⤵
        
        PID:940
        
        C:\windows\SysWOW64\BCC.exe
        
        C:\windows\system32\BCC.exe
        139⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BUKCP.exe.bat" "
        140⤵
        
        PID:4920
        
        C:\windows\system\BUKCP.exe
        
        C:\windows\system\BUKCP.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ECLYW.exe.bat" "
        142⤵
        
        PID:4344
        
        C:\windows\system\ECLYW.exe
        
        C:\windows\system\ECLYW.exe
        143⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\USSBIP.exe.bat" "
        144⤵
        
        PID:3044
        
        C:\windows\USSBIP.exe
        
        C:\windows\USSBIP.exe
        145⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDDORU.exe.bat" "
        146⤵
        
        PID:4564
        
        C:\windows\SysWOW64\HDDORU.exe
        
        C:\windows\system32\HDDORU.exe
        147⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLJOW.exe.bat" "
        148⤵
        
        PID:4440
        
        C:\windows\SysWOW64\KLJOW.exe
        
        C:\windows\system32\KLJOW.exe
        149⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUYUID.exe.bat" "
        150⤵
        
        PID:3640
        
        C:\windows\system\CUYUID.exe
        
        C:\windows\system\CUYUID.exe
        151⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GCSC.exe.bat" "
        152⤵
        
        PID:4364
        
        C:\windows\system\GCSC.exe
        
        C:\windows\system\GCSC.exe
        153⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SNPHD.exe.bat" "
        154⤵
        
        PID:4292
        
        C:\windows\SNPHD.exe
        
        C:\windows\SNPHD.exe
        155⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFSAMQ.exe.bat" "
        156⤵
        
        PID:3660
        
        C:\windows\DFSAMQ.exe
        
        C:\windows\DFSAMQ.exe
        157⤵
        Drops file in Windows directory
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDY.exe.bat" "
        158⤵
        
        PID:2648
        
        C:\windows\system\NDY.exe
        
        C:\windows\system\NDY.exe
        159⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PBD.exe.bat" "
        160⤵
        
        PID:3868
        
        C:\windows\PBD.exe
        
        C:\windows\PBD.exe
        161⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREG.exe.bat" "
        162⤵
        
        PID:1432
        
        C:\windows\SysWOW64\FREG.exe
        
        C:\windows\system32\FREG.exe
        163⤵
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATVE.exe.bat" "
        164⤵
        
        PID:4392
        
        C:\windows\system\ATVE.exe
        
        C:\windows\system\ATVE.exe
        165⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUCSMZO.exe.bat" "
        166⤵
        
        PID:4860
        
        C:\windows\YUCSMZO.exe
        
        C:\windows\YUCSMZO.exe
        167⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXAFMSR.exe.bat" "
        168⤵
        
        PID:3488
        
        C:\windows\SysWOW64\CXAFMSR.exe
        
        C:\windows\system32\CXAFMSR.exe
        169⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESFXXS.exe.bat" "
        170⤵
        
        PID:5084
        
        C:\windows\SysWOW64\ESFXXS.exe
        
        C:\windows\system32\ESFXXS.exe
        171⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLNI.exe.bat" "
        172⤵
        
        PID:820
        
        C:\windows\SysWOW64\QLNI.exe
        
        C:\windows\system32\QLNI.exe
        173⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OATK.exe.bat" "
        174⤵
        
        PID:4000
        
        C:\windows\SysWOW64\OATK.exe
        
        C:\windows\system32\OATK.exe
        175⤵
        Drops file in Windows directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QYZ.exe.bat" "
        176⤵
        
        PID:4060
        
        C:\windows\system\QYZ.exe
        
        C:\windows\system\QYZ.exe
        177⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YMM.exe.bat" "
        178⤵
        
        PID:4184
        
        C:\windows\system\YMM.exe
        
        C:\windows\system\YMM.exe
        179⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEHE.exe.bat" "
        180⤵
        
        PID:4772
        
        C:\windows\SysWOW64\JEHE.exe
        
        C:\windows\system32\JEHE.exe
        181⤵
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPR.exe.bat" "
        182⤵
        
        PID:4544
        
        C:\windows\SysWOW64\IPR.exe
        
        C:\windows\system32\IPR.exe
        183⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCWED.exe.bat" "
        184⤵
        
        PID:3648
        
        C:\windows\DCWED.exe
        
        C:\windows\DCWED.exe
        185⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HKDEPZV.exe.bat" "
        186⤵
        
        PID:3488
        
        C:\windows\SysWOW64\HKDEPZV.exe
        
        C:\windows\system32\HKDEPZV.exe
        187⤵
        Drops file in Windows directory
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JGIN.exe.bat" "
        188⤵
        
        PID:4372
        
        C:\windows\JGIN.exe
        
        C:\windows\JGIN.exe
        189⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TGKAD.exe.bat" "
        190⤵
        
        PID:820
        
        C:\windows\TGKAD.exe
        
        C:\windows\TGKAD.exe
        191⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IWX.exe.bat" "
        192⤵
        
        PID:2648
        
        C:\windows\SysWOW64\IWX.exe
        
        C:\windows\system32\IWX.exe
        193⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SZZ.exe.bat" "
        194⤵
        
        PID:2720
        
        C:\windows\SZZ.exe
        
        C:\windows\SZZ.exe
        195⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFLDO.exe.bat" "
        196⤵
        
        PID:4276
        
        C:\windows\system\FFLDO.exe
        
        C:\windows\system\FFLDO.exe
        197⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHPB.exe.bat" "
        198⤵
        
        PID:1884
        
        C:\windows\SysWOW64\SHPB.exe
        
        C:\windows\system32\SHPB.exe
        199⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CFVW.exe.bat" "
        200⤵
        
        PID:2728
        
        C:\windows\CFVW.exe
        
        C:\windows\CFVW.exe
        201⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABUWG.exe.bat" "
        202⤵
        
        PID:1204
        
        C:\windows\SysWOW64\ABUWG.exe
        
        C:\windows\system32\ABUWG.exe
        203⤵
        Drops file in Windows directory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEKSUIT.exe.bat" "
        204⤵
        
        PID:400
        
        C:\windows\system\BEKSUIT.exe
        
        C:\windows\system\BEKSUIT.exe
        205⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOOZZA.exe.bat" "
        206⤵
        
        PID:952
        
        C:\windows\system\OOOZZA.exe
        
        C:\windows\system\OOOZZA.exe
        207⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARZ.exe.bat" "
        208⤵
        
        PID:4592
        
        C:\windows\system\ARZ.exe
        
        C:\windows\system\ARZ.exe
        209⤵
        Drops file in Windows directory
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AKZ.exe.bat" "
        210⤵
        
        PID:3716
        
        C:\windows\AKZ.exe
        
        C:\windows\AKZ.exe
        211⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZVKVFWB.exe.bat" "
        212⤵
        
        PID:3168
        
        C:\windows\system\ZVKVFWB.exe
        
        C:\windows\system\ZVKVFWB.exe
        213⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KNFO.exe.bat" "
        214⤵
        
        PID:2812
        
        C:\windows\KNFO.exe
        
        C:\windows\KNFO.exe
        215⤵
        Drops file in Windows directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVUORW.exe.bat" "
        216⤵
        
        PID:1432
        
        C:\windows\system\OVUORW.exe
        
        C:\windows\system\OVUORW.exe
        217⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZOPHALU.exe.bat" "
        218⤵
        
        PID:1700
        
        C:\windows\system\ZOPHALU.exe
        
        C:\windows\system\ZOPHALU.exe
        219⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARTL.exe.bat" "
        220⤵
        
        PID:4516
        
        C:\windows\system\ARTL.exe
        
        C:\windows\system\ARTL.exe
        221⤵
        Checks computer location settings
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PMKPYOE.exe.bat" "
        222⤵
        
        PID:2192
        
        C:\windows\PMKPYOE.exe
        
        C:\windows\PMKPYOE.exe
        223⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUEUC.exe.bat" "
        224⤵
        
        PID:2904
        
        C:\windows\system\ZUEUC.exe
        
        C:\windows\system\ZUEUC.exe
        225⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCT.exe.bat" "
        226⤵
        
        PID:2456
        
        C:\windows\DCT.exe
        
        C:\windows\DCT.exe
        227⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BNWKOSQ.exe.bat" "
        228⤵
        
        PID:1772
        
        C:\windows\system\BNWKOSQ.exe
        
        C:\windows\system\BNWKOSQ.exe
        229⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IGL.exe.bat" "
        230⤵
        
        PID:1744
        
        C:\windows\SysWOW64\IGL.exe
        
        C:\windows\system32\IGL.exe
        231⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EOF.exe.bat" "
        232⤵
        
        PID:5028
        
        C:\windows\EOF.exe
        
        C:\windows\EOF.exe
        233⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NRVW.exe.bat" "
        234⤵
        
        PID:5100
        
        C:\windows\SysWOW64\NRVW.exe
        
        C:\windows\system32\NRVW.exe
        235⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPWY.exe.bat" "
        236⤵
        
        PID:3420
        
        C:\windows\system\PPWY.exe
        
        C:\windows\system\PPWY.exe
        237⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CRFXSZG.exe.bat" "
        238⤵
        
        PID:3596
        
        C:\windows\CRFXSZG.exe
        
        C:\windows\CRFXSZG.exe
        239⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DPNG.exe.bat" "
        240⤵
        
        PID:1776
        
        C:\windows\DPNG.exe
        
        C:\windows\DPNG.exe
        241⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IQUTEE.exe.bat" "
        242⤵
        
        PID:3572
        
        C:\windows\system\IQUTEE.exe
        
        C:\windows\system\IQUTEE.exe
        243⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOI.exe.bat" "
        244⤵
        
        PID:4600
        
        C:\windows\system\KOI.exe
        
        C:\windows\system\KOI.exe
        245⤵
        Drops file in Windows directory
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\COCTXSJ.exe.bat" "
        246⤵
        
        PID:2648
        
        C:\windows\system\COCTXSJ.exe
        
        C:\windows\system\COCTXSJ.exe
        247⤵
        Checks computer location settings
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOKHGMK.exe.bat" "
        248⤵
        
        PID:4124
        
        C:\windows\SysWOW64\IOKHGMK.exe
        
        C:\windows\system32\IOKHGMK.exe
        249⤵
        Drops file in Windows directory
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KMXTVUT.exe.bat" "
        250⤵
        
        PID:4972
        
        C:\windows\KMXTVUT.exe
        
        C:\windows\KMXTVUT.exe
        251⤵
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAPHXHO.exe.bat" "
        252⤵
        
        PID:4324
        
        C:\windows\SysWOW64\KAPHXHO.exe
        
        C:\windows\system32\KAPHXHO.exe
        253⤵
        Checks computer location settings
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAENJYQ.exe.bat" "
        254⤵
        
        PID:784
        
        C:\windows\SysWOW64\JAENJYQ.exe
        
        C:\windows\system32\JAENJYQ.exe
        255⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NQKNVIE.exe.bat" "
        256⤵
        
        PID:4788
        
        C:\windows\SysWOW64\NQKNVIE.exe
        
        C:\windows\system32\NQKNVIE.exe
        257⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDPW.exe.bat" "
        258⤵
        
        PID:3060
        
        C:\windows\SysWOW64\HDPW.exe
        
        C:\windows\system32\HDPW.exe
        259⤵
        Drops file in Windows directory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GOAMGW.exe.bat" "
        260⤵
        
        PID:1420
        
        C:\windows\system\GOAMGW.exe
        
        C:\windows\system\GOAMGW.exe
        261⤵
        Checks computer location settings
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IMGGO.exe.bat" "
        262⤵
        
        PID:464
        
        C:\windows\system\IMGGO.exe
        
        C:\windows\system\IMGGO.exe
        263⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UCMHAXM.exe.bat" "
        264⤵
        
        PID:5032
        
        C:\windows\UCMHAXM.exe
        
        C:\windows\UCMHAXM.exe
        265⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UHM.exe.bat" "
        266⤵
        
        PID:1904
        
        C:\windows\SysWOW64\UHM.exe
        
        C:\windows\system32\UHM.exe
        267⤵
        Checks computer location settings
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKDRQL.exe.bat" "
        268⤵
        
        PID:3600
        
        C:\windows\system\VKDRQL.exe
        
        C:\windows\system\VKDRQL.exe
        269⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NFUU.exe.bat" "
        270⤵
        
        PID:1048
        
        C:\windows\SysWOW64\NFUU.exe
        
        C:\windows\system32\NFUU.exe
        271⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDFXHVI.exe.bat" "
        272⤵
        
        PID:2972
        
        C:\windows\SysWOW64\MDFXHVI.exe
        
        C:\windows\system32\MDFXHVI.exe
        273⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JWPATR.exe.bat" "
        274⤵
        
        PID:4884
        
        C:\windows\SysWOW64\JWPATR.exe
        
        C:\windows\system32\JWPATR.exe
        275⤵
        Drops file in Windows directory
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PWXN.exe.bat" "
        276⤵
        
        PID:3044
        
        C:\windows\PWXN.exe
        
        C:\windows\PWXN.exe
        277⤵
        Drops file in System32 directory
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RMGKJ.exe.bat" "
        278⤵
        
        PID:2912
        
        C:\windows\SysWOW64\RMGKJ.exe
        
        C:\windows\system32\RMGKJ.exe
        279⤵
        Drops file in Windows directory
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PNNYSIP.exe.bat" "
        280⤵
        
        PID:4580
        
        C:\windows\PNNYSIP.exe
        
        C:\windows\PNNYSIP.exe
        281⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VAM.exe.bat" "
        282⤵
        
        PID:1360
        
        C:\windows\SysWOW64\VAM.exe
        
        C:\windows\system32\VAM.exe
        283⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AFXO.exe.bat" "
        284⤵
        
        PID:1876
        
        C:\windows\AFXO.exe
        
        C:\windows\AFXO.exe
        285⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UBBXX.exe.bat" "
        286⤵
        
        PID:2292
        
        C:\windows\system\UBBXX.exe
        
        C:\windows\system\UBBXX.exe
        287⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBDCBLY.exe.bat" "
        288⤵
        
        PID:1080
        
        C:\windows\SysWOW64\EBDCBLY.exe
        
        C:\windows\system32\EBDCBLY.exe
        289⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OZJXIU.exe.bat" "
        290⤵
        
        PID:3716
        
        C:\windows\system\OZJXIU.exe
        
        C:\windows\system\OZJXIU.exe
        291⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZRKZOI.exe.bat" "
        292⤵
        
        PID:3820
        
        C:\windows\UZRKZOI.exe
        
        C:\windows\UZRKZOI.exe
        293⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUQL.exe.bat" "
        294⤵
        
        PID:728
        
        C:\windows\SysWOW64\SUQL.exe
        
        C:\windows\system32\SUQL.exe
        295⤵
        Checks computer location settings
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVXZNTZ.exe.bat" "
        296⤵
        
        PID:4428
        
        C:\windows\system\YVXZNTZ.exe
        
        C:\windows\system\YVXZNTZ.exe
        297⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ADGVMN.exe.bat" "
        298⤵
        
        PID:3160
        
        C:\windows\system\ADGVMN.exe
        
        C:\windows\system\ADGVMN.exe
        299⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RTFYY.exe.bat" "
        300⤵
        
        PID:1788
        
        C:\windows\RTFYY.exe
        
        C:\windows\RTFYY.exe
        301⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZGSNJ.exe.bat" "
        302⤵
        
        PID:2380
        
        C:\windows\SysWOW64\ZGSNJ.exe
        
        C:\windows\system32\ZGSNJ.exe
        303⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHZBSAH.exe.bat" "
        304⤵
        
        PID:4628
        
        C:\windows\SysWOW64\FHZBSAH.exe
        
        C:\windows\system32\FHZBSAH.exe
        305⤵
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPASYV.exe.bat" "
        306⤵
        
        PID:2740
        
        C:\windows\SysWOW64\UPASYV.exe
        
        C:\windows\system32\UPASYV.exe
        307⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JUGPFXY.exe.bat" "
        308⤵
        
        PID:3780
        
        C:\windows\system\JUGPFXY.exe
        
        C:\windows\system\JUGPFXY.exe
        309⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PUO.exe.bat" "
        310⤵
        
        PID:2816
        
        C:\windows\system\PUO.exe
        
        C:\windows\system\PUO.exe
        311⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ELPCVV.exe.bat" "
        312⤵
        
        PID:3360
        
        C:\windows\ELPCVV.exe
        
        C:\windows\ELPCVV.exe
        313⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQZSL.exe.bat" "
        314⤵
        
        PID:4852
        
        C:\windows\system\AQZSL.exe
        
        C:\windows\system\AQZSL.exe
        315⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZBXHL.exe.bat" "
        316⤵
        
        PID:2908
        
        C:\windows\system\ZBXHL.exe
        
        C:\windows\system\ZBXHL.exe
        317⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WGIXB.exe.bat" "
        318⤵
        
        PID:3956
        
        C:\windows\system\WGIXB.exe
        
        C:\windows\system\WGIXB.exe
        319⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUMGLFV.exe.bat" "
        320⤵
        
        PID:1204
        
        C:\windows\system\QUMGLFV.exe
        
        C:\windows\system\QUMGLFV.exe
        321⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ICO.exe.bat" "
        322⤵
        
        PID:940
        
        C:\windows\ICO.exe
        
        C:\windows\ICO.exe
        323⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAC.exe.bat" "
        324⤵
        
        PID:4340
        
        C:\windows\system\KAC.exe
        
        C:\windows\system\KAC.exe
        325⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BAWT.exe.bat" "
        326⤵
        
        PID:3192
        
        C:\windows\BAWT.exe
        
        C:\windows\BAWT.exe
        327⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNGDXNW.exe.bat" "
        328⤵
        
        PID:4672
        
        C:\windows\SysWOW64\KNGDXNW.exe
        
        C:\windows\system32\KNGDXNW.exe
        329⤵
        Drops file in Windows directory
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HOQNBR.exe.bat" "
        330⤵
        
        PID:1640
        
        C:\windows\HOQNBR.exe
        
        C:\windows\HOQNBR.exe
        331⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEPQND.exe.bat" "
        332⤵
        
        PID:3332
        
        C:\windows\SysWOW64\FEPQND.exe
        
        C:\windows\system32\FEPQND.exe
        333⤵
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEZSR.exe.bat" "
        334⤵
        
        PID:3952
        
        C:\windows\SysWOW64\CEZSR.exe
        
        C:\windows\system32\CEZSR.exe
        335⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CPITFLK.exe.bat" "
        336⤵
        
        PID:4168
        
        C:\windows\CPITFLK.exe
        
        C:\windows\CPITFLK.exe
        337⤵
        Checks computer location settings
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IKH.exe.bat" "
        338⤵
        
        PID:1304
        
        C:\windows\system\IKH.exe
        
        C:\windows\system\IKH.exe
        339⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIMPRXI.exe.bat" "
        340⤵
        
        PID:2708
        
        C:\windows\SysWOW64\SIMPRXI.exe
        
        C:\windows\system32\SIMPRXI.exe
        341⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XLIVWO.exe.bat" "
        342⤵
        
        PID:1360
        
        C:\windows\XLIVWO.exe
        
        C:\windows\XLIVWO.exe
        343⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLYGNP.exe.bat" "
        344⤵
        
        PID:2428
        
        C:\windows\system\QLYGNP.exe
        
        C:\windows\system\QLYGNP.exe
        345⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AMA.exe.bat" "
        346⤵
        
        PID:3068
        
        C:\windows\AMA.exe
        
        C:\windows\AMA.exe
        347⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IRESCLQ.exe.bat" "
        348⤵
        
        PID:3192
        
        C:\windows\IRESCLQ.exe
        
        C:\windows\IRESCLQ.exe
        349⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MXX.exe.bat" "
        350⤵
        
        PID:4992
        
        C:\windows\MXX.exe
        
        C:\windows\MXX.exe
        351⤵
        Checks computer location settings
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HSBQU.exe.bat" "
        352⤵
        
        PID:1392
        
        C:\windows\HSBQU.exe
        
        C:\windows\HSBQU.exe
        353⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UQB.exe.bat" "
        354⤵
        
        PID:3920
        
        C:\windows\SysWOW64\UQB.exe
        
        C:\windows\system32\UQB.exe
        355⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AQJQN.exe.bat" "
        356⤵
        
        PID:2240
        
        C:\windows\AQJQN.exe
        
        C:\windows\AQJQN.exe
        357⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTNUSKM.exe.bat" "
        358⤵
        
        PID:4600
        
        C:\windows\system\BTNUSKM.exe
        
        C:\windows\system\BTNUSKM.exe
        359⤵
        Checks computer location settings
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEYCBY.exe.bat" "
        360⤵
        
        PID:4784
        
        C:\windows\system\SEYCBY.exe
        
        C:\windows\system\SEYCBY.exe
        361⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MRC.exe.bat" "
        362⤵
        
        PID:3400
        
        C:\windows\system\MRC.exe
        
        C:\windows\system\MRC.exe
        363⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LCFBUET.exe.bat" "
        364⤵
        
        PID:1772
        
        C:\windows\system\LCFBUET.exe
        
        C:\windows\system\LCFBUET.exe
        365⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GXKK.exe.bat" "
        366⤵
        
        PID:4952
        
        C:\windows\SysWOW64\GXKK.exe
        
        C:\windows\system32\GXKK.exe
        367⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSUXPQJ.exe.bat" "
        368⤵
        
        PID:2704
        
        C:\windows\system\VSUXPQJ.exe
        
        C:\windows\system\VSUXPQJ.exe
        369⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DYGDAX.exe.bat" "
        370⤵
        
        PID:456
        
        C:\windows\DYGDAX.exe
        
        C:\windows\DYGDAX.exe
        371⤵
        Drops file in Windows directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FWZFY.exe.bat" "
        372⤵
        
        PID:3720
        
        C:\windows\system\FWZFY.exe
        
        C:\windows\system\FWZFY.exe
        373⤵
        Drops file in Windows directory
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZDB.exe.bat" "
        374⤵
        
        PID:2976
        
        C:\windows\FZDB.exe
        
        C:\windows\FZDB.exe
        375⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1324
        374⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1336
        372⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 960
        370⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 960
        368⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1304
        366⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1004
        364⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1316
        362⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1308
        360⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1316
        358⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1324
        356⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1328
        354⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1324
        352⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1324
        350⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1324
        348⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1008
        346⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1308
        344⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1324
        342⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1328
        340⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1336
        338⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1260
        336⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1328
        334⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1296
        332⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1324
        330⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 964
        328⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 988
        326⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1336
        324⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1324
        322⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1336
        320⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1312
        318⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1336
        316⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1336
        314⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1324
        312⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1308
        310⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1336
        308⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1296
        306⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1328
        304⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1328
        302⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1324
        300⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1308
        298⤵
        
        PID:784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1336
        296⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 960
        294⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1324
        292⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1316
        290⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960
        288⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1308
        286⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 960
        284⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1328
        282⤵
        
        PID:412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1304
        280⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1328
        278⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1328
        276⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 960
        274⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 960
        272⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 960
        270⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1308
        268⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1328
        266⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1296
        264⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1308
        262⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1336
        260⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1328
        258⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1308
        256⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 960
        254⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1316
        252⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
        250⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1240
        248⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1316
        246⤵
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 960
        244⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1316
        242⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 960
        240⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1324
        238⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1316
        236⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 960
        234⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1324
        232⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 988
        230⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1336
        228⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1308
        226⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1336
        224⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1324
        222⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1336
        220⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 960
        218⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1304
        216⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 988
        214⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 988
        212⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 960
        210⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1328
        208⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1336
        206⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1336
        204⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1232
        202⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 988
        200⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1240
        198⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 968
        196⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 960
        194⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 988
        192⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1264
        190⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1256
        188⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 872
        186⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1324
        184⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 988
        182⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1328
        180⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 988
        178⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1336
        176⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1256
        174⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 988
        172⤵
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1300
        170⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 960
        168⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1256
        166⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1316
        164⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1308
        162⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1324
        160⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1336
        158⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1252
        156⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1292
        154⤵
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1336
        152⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1308
        150⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 960
        148⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 960
        146⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1304
        144⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 960
        142⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 960
        140⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1328
        138⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 960
        136⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1316
        134⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1256
        132⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1324
        130⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1236
        128⤵
        Program crash
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 988
        126⤵
        Program crash
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 988
        124⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1328
        122⤵
        Program crash
        
        PID:820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1324
        120⤵
        Program crash
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1220
        118⤵
        Program crash
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1324
        116⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1316
        114⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 960
        112⤵
        Program crash
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 960
        110⤵
        Program crash
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1324
        108⤵
        Program crash
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1300
        106⤵
        Program crash
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1324
        104⤵
        Program crash
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1004
        102⤵
        Program crash
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1324
        100⤵
        Program crash
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1324
        98⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 872
        96⤵
        Program crash
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1308
        94⤵
        Program crash
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 960
        92⤵
        Program crash
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 960
        90⤵
        Program crash
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 988
        88⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1308
        86⤵
        Program crash
        
        PID:668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1228
        84⤵
        Program crash
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1336
        82⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1324
        80⤵
        Program crash
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 960
        78⤵
        Program crash
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1324
        76⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1304
        74⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1328
        72⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1312
        70⤵
        Program crash
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 960
        68⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 988
        66⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1300
        64⤵
        Program crash
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 960
        62⤵
        Program crash
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 960
        60⤵
        Program crash
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1304
        58⤵
        Program crash
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 960
        56⤵
        Program crash
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 960
        54⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 960
        52⤵
        Program crash
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 988
        50⤵
        Program crash
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1240
        48⤵
        Program crash
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1328
        46⤵
        Program crash
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1316
        44⤵
        Program crash
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 988
        42⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 960
        40⤵
        Program crash
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1328
        38⤵
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1328
        36⤵
        Program crash
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1316
        34⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 960
        32⤵
        Program crash
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1256
        30⤵
        Program crash
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1208
        28⤵
        Program crash
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1004
        26⤵
        Program crash
        
        PID:488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1316
        24⤵
        Program crash
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960
        22⤵
        Program crash
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 960
        20⤵
        Program crash
        
        PID:1676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1292
        18⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1328
        16⤵
        Program crash
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1316
        14⤵
        Program crash
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1248
        12⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1316
        10⤵
        Program crash
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1272
        8⤵
        Program crash
        
        PID:2604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 976
        6⤵
        Program crash
        
        PID:788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 996
      4⤵
      Program crash
      PID:2812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1312
  2⤵
  - Program crash
  PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1736 -ip 1736
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3136 -ip 3136
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1844 -ip 1844
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 456 -ip 456
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3868 -ip 3868
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 492 -ip 492
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4284 -ip 4284
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1048 -ip 1048
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4976 -ip 4976
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1700 -ip 1700
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3972 -ip 3972
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2968 -ip 2968
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4004 -ip 4004
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4572 -ip 4572
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2564 -ip 2564
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2304 -ip 2304
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4832 -ip 4832
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2972 -ip 2972
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3168 -ip 3168
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4184 -ip 4184
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4900 -ip 4900
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1184 -ip 1184
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5116 -ip 5116
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5092 -ip 5092
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4828 -ip 4828
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2824 -ip 2824
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4880 -ip 4880
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2980 -ip 2980
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3600 -ip 3600
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3988 -ip 3988
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5064 -ip 5064
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1656 -ip 1656
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4536 -ip 4536
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4704 -ip 4704
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3100 -ip 3100
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4956 -ip 4956
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4768 -ip 4768
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3804 -ip 3804
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3304 -ip 3304
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4836 -ip 4836
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2392 -ip 2392
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4168 -ip 4168
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4660 -ip 4660
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 316 -ip 316
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2736 -ip 2736
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2468 -ip 2468
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2316 -ip 2316
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 776 -ip 776
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3716 -ip 3716
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4084 -ip 4084
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3992 -ip 3992
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2976 -ip 2976
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5060 -ip 5060
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3344 -ip 3344
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 952 -ip 952
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1568 -ip 1568
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1428 -ip 1428
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2280 -ip 2280
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5108 -ip 5108
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4132 -ip 4132
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4456 -ip 4456
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3348 -ip 3348
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4228 -ip 4228
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3780 -ip 3780
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3876 -ip 3876
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2428 -ip 2428
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2280 -ip 2280
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2484 -ip 2484
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1640 -ip 1640
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4616 -ip 4616
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5100 -ip 5100
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 952 -ip 952
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1420 -ip 1420
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1844 -ip 1844
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3992 -ip 3992
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3804 -ip 3804
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3560 -ip 3560
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4424 -ip 4424
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 760 -ip 760
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 492 -ip 492
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1632 -ip 1632
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5080 -ip 5080
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2588 -ip 2588
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2812 -ip 2812
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4940 -ip 4940
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4572 -ip 4572
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4900 -ip 4900
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3180 -ip 3180
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4828 -ip 4828
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5032 -ip 5032
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2740 -ip 2740
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1080 -ip 1080
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2972 -ip 2972
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3360 -ip 3360
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1252 -ip 1252
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4336 -ip 4336
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4832 -ip 4832
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3640 -ip 3640
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4956 -ip 4956
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4444 -ip 4444
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4000 -ip 4000
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4972 -ip 4972
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4324 -ip 4324
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3120 -ip 3120
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4276 -ip 4276
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4540 -ip 4540
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1876 -ip 1876
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4032 -ip 4032
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3156 -ip 3156
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4284 -ip 4284
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3884 -ip 3884
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 384 -ip 384
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4892 -ip 4892
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1252 -ip 1252
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3404 -ip 3404
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2968 -ip 2968
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4832 -ip 4832
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4672 -ip 4672
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 752 -ip 752
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4712 -ip 4712
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 184 -ip 184
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 1184 -ip 1184
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3352 -ip 3352
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5108 -ip 5108
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1432 -ip 1432
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 4504 -ip 4504
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4252 -ip 4252
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 2020 -ip 2020
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 4416 -ip 4416
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1396 -ip 1396
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4704 -ip 4704
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3196 -ip 3196
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3884 -ip 3884
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3624 -ip 3624
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 776 -ip 776
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 488 -ip 488
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3060 -ip 3060
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3180 -ip 3180
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 1884 -ip 1884
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2280 -ip 2280
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4232 -ip 4232
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 3904 -ip 3904
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 212 -ip 212
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3196 -ip 3196
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 184 -ip 184
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 544 -ip 544
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 760 -ip 760
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 1964 -ip 1964
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4700 -ip 4700
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 412 -ip 412
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4024 -ip 4024
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4600 -ip 4600
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3556 -ip 3556
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3820 -ip 3820
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2484 -ip 2484
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4768 -ip 4768
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3516 -ip 3516
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 776 -ip 776
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4964 -ip 4964
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4828 -ip 4828
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 4700 -ip 4700
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4484 -ip 4484
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2896 -ip 2896
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1676 -ip 1676
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3400 -ip 3400
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1772 -ip 1772
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 184 -ip 184
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3136 -ip 3136
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4536 -ip 4536
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3344 -ip 3344
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4372 -ip 4372
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3700 -ip 3700
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1620 -ip 1620
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 2364 -ip 2364
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3648 -ip 3648
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2812 -ip 2812
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3352 -ip 3352
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2668 -ip 2668
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 876 -ip 876
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2480 -ip 2480
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1952 -ip 1952
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4396 -ip 4396
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\KQWNKCA.exe

Filesize
448KB

MD5
0f3ec0d6daa7b16eab783fd7a8651bc5

SHA1
01830dfdf4fdb71577a5bc85fdaaa97ce74e3b6f

SHA256
1b95ef467cb168096231023606e219a32fd74de22a3154518a33b67e3a495239

SHA512
11e3c8c043b87dbed5a32436d847f93dc952b7f40201773ad5c6c07fcde107d9727c3ad91b4d5581cf872ba5d3ac3b47d7db0b9199fce81088087ff6941ed1b3

Download Submit
C:\Windows\LHZWPSV.exe

Filesize
448KB

MD5
b813f862382ef5c2967e0106c1d74fa3

SHA1
e623f4304611a82f7eabaa23b4531b88053bbc33

SHA256
035b530e499d39cb65535ab8ba92df0b0e6eeac4b4982abab7c00ccd70cf0193

SHA512
9377b0904d9625605cbd4b51dbdeecc4b9e6c0bb6153222c79ca05bb9061814dc7c18d95d4cdf53ee34719744914fe7634391d1ca81f86d86d7c6268adfdb113

Download Submit
C:\Windows\PPZYUI.exe

Filesize
448KB

MD5
74e919eb9280bd31f9d62e33c2008853

SHA1
bdcf1343712ae923ae3619430386e596ddb71b4e

SHA256
d4cd35fc05e99524933396f009cd87cdc9f8dc8fdca9a667ab8c839d702275b5

SHA512
8ac76fb8fdc42f5b88040b4237dbe9d316065458675711c715888f9015f39ab757adb15bb36a253c951483de1221c523dc3d5340a001bc8ea42cf7a444917576

Download Submit
C:\Windows\SysWOW64\AMALU.exe

Filesize
448KB

MD5
ec5d6a1eb264165172e70fbf58d83276

SHA1
a368da62eb981b726f45e4f21c1f6f23eef82906

SHA256
fa50ccfad0c7f6a923f687fa134fc5a77545af65945553c827779f61a692a4be

SHA512
39b4e114c742154882bd57fd2b9e42b91c0a1eeab6c0299898cce02a25fb54be53feedb7ceb099c54050fc885e6d352669213ee3c1e1f796c7d4b9f786378eeb

Download Submit
C:\Windows\SysWOW64\AWVDSFR.exe

Filesize
448KB

MD5
957fe0a577b2bf5e95a5123e0483895b

SHA1
27d85afd2dcb36bc8f9b7f53baca4a000dbe2002

SHA256
346e4a1d9eb1a9475f38010aee571c8da26c78497951c59feda0625747643738

SHA512
aa4b5d415d3751c32f4ef8e87b481f22bce5a36eef99861370786f992e3fd67fa362ac83e568f94ce7efce1a3953850a0656cba442d897d16850b4f8c6761f3c

Download Submit
C:\Windows\System\DMQAQO.exe

Filesize
448KB

MD5
d55f09fdcb60f631593e5b80b773937f

SHA1
9d24a633d9c24ee462ce2cd4dd503995ce15e583

SHA256
fe08ccee4978acc3f1377a1e7ed24acdfac363bbac5234fa33f37db476aaa162

SHA512
dc48f6651f5f7dcaecaa6efd1e3840cb6c30a7f608d1e7015359f90b4a0de514b9eefa18ab16e072aca36729b57da574edbc171ae73134a0ece501e84f4aecae

Download Submit
C:\Windows\System\DVT.exe

Filesize
448KB

MD5
0a4ecb323a8c25a9fa4483ad64a3b74f

SHA1
27420b5ba9006d20fbdbd719a425b1aec6cc37ef

SHA256
723a0cddc224c75bb13aa70df464e0a85d44ca19675c062a43afd3b2ba62878d

SHA512
7f0871669f61945e0fcf5ef7414f61952c6f4c6f894fe6bd7330426f2834d300a552c3229d40faea4a4a96c1aaa7bf94600fa2dec9b1c4027a207bbc99a67900

Download Submit
C:\Windows\System\MWQF.exe

Filesize
448KB

MD5
194efc3f628838d6ccce1259df9221de

SHA1
30dad5f1265650660c59a36c7929a4d4a682edd7

SHA256
358bc043a7d9018b681b090b488fb3e816d89271e2fafe56a6855a32075aed5b

SHA512
22229d12995046c9a5d25adab40abc97c135b157373fcf33dc504f8ee031327b9c7d0c22f06287a76e8bffe1e6f88bf9f4b38dd00ca07a187b5397cc886121de

Download Submit
C:\Windows\System\QHGKH.exe

Filesize
448KB

MD5
7e7f60cbf8eab2734b533c12da078ea3

SHA1
be8ecce09cdfde243d343e34c669dc4024581559

SHA256
927b78c8fda7871b5ec1a8dcebdefe6191082c581441319c46f23911c9443ae9

SHA512
9baa85e99b62d21e43cb961b806f4a7e64fcab27ab3b318a4d2ce500c2a761b5a65c2ded54bceb97b97261436b50edd32425d172c38bddea77c35b6c906f2ca2

Download Submit
C:\Windows\System\VGBD.exe

Filesize
448KB

MD5
6d88738495228812f4e77d789314545d

SHA1
79db6902e489b8a1090299e780cc71f54d047cf7

SHA256
7de5fe3b4d2ef4753fb5ce27bc071ecc8a3afcc76d45cc00ceb83947898914e3

SHA512
24999cb0bd68b6ab80141812a12bb0d5ee7f2a3ebbc218d11665c4c2e3d16b89747633b73ed8a49bcdd46118ddf01a4a82e426df735d5ed5d67bedb985c9a69c

Download Submit
C:\Windows\System\XOTYMI.exe

Filesize
448KB

MD5
f6ea8501f299e1de5203b2bbc1d87584

SHA1
09b9c9a169925284c2d6c8828ee30506b81ba9f7

SHA256
148b1e43f6933d607562ff419b3302a6965da716aeee074ac57eed1a1ac4983f

SHA512
a6b183d56911c707c7747cf15cbded49e79219772d08e060decd28813728e2d039b8d77f1c1ad7019b4c9e0d6239138f50a1ce64028fcd0332eb8106e7a675ee

Download Submit
C:\windows\KQWNKCA.exe.bat

Filesize
60B

MD5
137e28e46ca0364fe539ae240c9a49a7

SHA1
6602519679d013c8e4d556c655e4974f47eb1c9d

SHA256
8d0f2335330c0011fbe6722376066b4a4f9347b834ac20641af587889f27ca14

SHA512
a8d7fd238a935b49e82bd8cef96052601b3089a29baa67f0691904d326b5c0bc631d0fa0197800890c2d3bd75ec4d6ffb274be55e52f4df241c20083f97d7089

Download Submit
C:\windows\LHZWPSV.exe.bat

Filesize
60B

MD5
1465c79e7d3ee6270e69ec9ce28c6b53

SHA1
fd34a67f08cccef2d549728e9e5a766f88ae9b2b

SHA256
9b90e743e21fb7d5cf9ca14e927502d5002c3b72e869cd81e03f40987486ca8f

SHA512
21ae2234489bc7f4fbda43ce4b2dce28b7b18c6c1837538d3d323a8fb635855a54da8a5830dd5fa7095570cbc01764b24bbd12076881fa50ae6d1967775b6e22

Download Submit
C:\windows\PPZYUI.exe.bat

Filesize
58B

MD5
0e1d7c87836ea4b4e536a6fe35203614

SHA1
beb09f123d1511a3987038a74cf7d83135a1f9b4

SHA256
19e8ccd89712c50a4e006232f1088b8850fdfa18e2ecd5bbf746b838a41df848

SHA512
64787061e6e1fa83b2ce7d63a0e9cb62a5f43a081a68ef258de1f1b36a1c88abbfa375dad3862690de1b9ecbe99f539e33cc3c41afe23f18243eaca50392e8e6

Download Submit
C:\windows\SysWOW64\AMALU.exe.bat

Filesize
74B

MD5
331e3952c9ddf898e5adb87456c566b4

SHA1
de099f6a133da56be183ec65027001c33560c062

SHA256
36a2b11aca9f59e7a4c66e6e47c15227f0f78eb8417a4d467c80955c8d7e01b7

SHA512
fdbe7d36d80cf21a657e53428e042e69a7f6f7818c6190e0bd8c1db72070b5eeca9e0a0fd78663684c869236cf16c5608e7655539191f08024ea35ad3d80e2e7

Download Submit
C:\windows\SysWOW64\ARMHE.exe

Filesize
448KB

MD5
45000921059ea86f876bb7b48cf6a500

SHA1
a2d2b7bc46c1bd0619a5a5d83b91c186ad619270

SHA256
13cb7d05d545eefb7300c22c64b403f702a77eb10612665dfce6ae09d450b345

SHA512
41b5dca685f77a585f0977313060a51a8fb2de2c448ab15a08aa680b91fa28da3f8c4be2fb437f53207405c17d5160f7bac8f5ec8596913a96aabfeaad206a69

Download Submit
C:\windows\SysWOW64\ARMHE.exe.bat

Filesize
74B

MD5
23cae0a7ecdc6442aa05a4284239b203

SHA1
9af71a7badefc95a11572bc226a4579471c7dd48

SHA256
9e9113b39f50768b3b02b0ddf9fb624e1f801a763d2686252c07e32524420df6

SHA512
c9910812672122efb113150f21158b3507ac9547b6a95cebcd7f3e93653fd8c39f2dfe1ff838d9f3af480b43ed7f4e6034716f1ca7159af9332f50ff39881393

Download Submit
C:\windows\SysWOW64\AWVDSFR.exe.bat

Filesize
78B

MD5
e95b5367285142cbf0d159b3daa5b463

SHA1
6dc68613451ce4a79144f3ac232d7a8524838859

SHA256
b6aa73844e295c254ad65bcb125ecb57c4a7c65da789a2a0a551b4528567ff2a

SHA512
579250b382ec9219eba31293b3396d39f0305ac0637a6e260a33a8dc013e68490ec9a547be0178023fee7ff1ac2a2753bbf037ffc5dd1cc52b31f303d50bff6c

Download Submit
C:\windows\SysWOW64\BRZZF.exe.bat

Filesize
74B

MD5
cc8a53ce03c899d945f8b7c2fbc89e4c

SHA1
f55bdf6de4caddc7ce225db774747969b91f972c

SHA256
227062bd5c418860400abb93c85ad378873a4f1bd1fc4fa9b21093e826e78b74

SHA512
da7a57b60b1ec92dfec2d40a3b31528f0c04b582c0f88f822ccbac55ef095a00d61c70c219bccdca764344ea51ee4fd1a6e29095a486d1630659a12b26261d5c

Download Submit
C:\windows\SysWOW64\JCE.exe

Filesize
448KB

MD5
55be0bf99b6c23e2b60b0beef35f6131

SHA1
31ac8ebfc8edf085264931233e0d4a8890b3e3a1

SHA256
82369ad14d3c9930d2f96e9a5fcf29136637c158f24ffa6fcf2c08f17c49baf8

SHA512
2781c82a1f1543854300cc78401cfd580ec3606859585affde47c00ad8815d1f1a931a8303c203cfdeed18edf3c144b400fccb1a60e50701a6f5bc93a74851ab

Download Submit
C:\windows\SysWOW64\JCE.exe.bat

Filesize
70B

MD5
9ac0916a4fa22de6b2c8f6acc8b481b7

SHA1
46d1536c04db8822b2f6dce6040a832aa04bda3e

SHA256
78f8dd0d0bc210eea68cc225bf6c2678bdd5a9ad91f5b4e4079caa21088e5446

SHA512
958c55daca3baabf41d956f2db0d1548c37039f1c09a7dffff1746d523c50769bb1d5781f0504306e45efc87bb04a13336269cb26f12486e55ac5d2ed873fdfb

Download Submit
C:\windows\SysWOW64\RTVPZN.exe

Filesize
448KB

MD5
830e907a6cc8057351684901b12bdf08

SHA1
9c87f5ace45ac053cb1ce2fe42d1bb71e6825410

SHA256
6eb61db3a35cd84d7264d00343adbb4b02960c79b251ee9e24bb83aa65cdb944

SHA512
1f041bb5e4a282aa18dc6f3d10263965c60b62a011b37c6c5c688a88eec37c6244bb0a16c869d540f73fc227a854375cfb0362987195f91a27349f78e8f90aca

Download Submit
C:\windows\SysWOW64\RTVPZN.exe.bat

Filesize
76B

MD5
2e63900f1cea71b70df04f386808ec5e

SHA1
31eae6a24fe5df655e66471fe916b08cd7616c5b

SHA256
488930989209be08b23d89c3124ba8afcc205250242f29fe1e5dec9d81b0d8b5

SHA512
0ee7ea28c86b7d2e689e7f21dac8c3c5993ac2ce691a6968c57ea927fd3275bedb7bce7015e3ab54301ebd831577c7327d6b273d0fd87487a6078f118270ea72

Download Submit
C:\windows\SysWOW64\XVZVE.exe

Filesize
448KB

MD5
4dac720201480e565c168db00841c384

SHA1
f30ebceafb55fe5a5ad7916c08b1ab0129e386ab

SHA256
909635305761bfc4d5457c79ffcb27ece69d228db051869de038987f35cfceb2

SHA512
13eb3500ca84592908c43d85a136c63e2186ba1b38fc4db9fc587638400f337b7b53b7508c4061eec82b22c5a5835e9d6585537b2c8c9d48eb200f968c66d99a

Download Submit
C:\windows\SysWOW64\XVZVE.exe.bat

Filesize
74B

MD5
73468d36865f3be31f2fbb3f1299a06d

SHA1
6f66a7faa711eba3194035826eb8d23ccb383e67

SHA256
ed8768e030a6533de21426a65d11c0ed39edd1a688a19292d75b9e6f3d432cc3

SHA512
8ef6cb5c40f7b74877ac6dfdc222866f803557a7948bbf5548a5e90a4b0ad2f9aeccabadd6fcb1b996f47ac1abd76f2a335d790b228b303fe425ca3f5e325878

Download Submit
C:\windows\UVHX.exe

Filesize
448KB

MD5
c75e09e8005528b1943d83f962f3e3ee

SHA1
ad7a1999d8b9adcc057bb7df7c5a11e4fb2afd60

SHA256
35e87908f85fe0a0e001a4fbdb37245ceacbf2bd77cdb2fe5152bf0fffbd97e9

SHA512
b4ded49800514ba2dcccfa0dacc21387c0bb07533f9eec23403ab3585770e033004293691f13be9561f4ceff2274567ffb1322af71e2fea35d7b18c2b2525bc5

Download Submit
C:\windows\UVHX.exe.bat

Filesize
54B

MD5
ab58b4d02a1aed4775d850ef9750d1ab

SHA1
35fd7fc4d27d7a902aa98b1005816adce036b0bf

SHA256
3ae85383ff92dfb226ff5fd33eb26b262f93db192401ab90189633c33cb3be1d

SHA512
8b5dee442448430369d98a7152b3b76dad747bd9ffcdb2f26c1a223bd73a50b60486d90f7630eabcb6a12f57dfbf15274a32d9c5670c6c541c1a4f3c64da1f40

Download Submit
C:\windows\system\AMUSD.exe.bat

Filesize
70B

MD5
1682b3ca86b954245f6951cf66980b47

SHA1
9954b40c23a1044f15551a4eb002c30d47318e6a

SHA256
538cb1166e798524b83c6b66240f2bbe6e0f479f7e5372ca4db668f04280283d

SHA512
4d5f3d3e426b3299f46ae1a2f3a5b612fa76d5108238cfadb16d91b329f735bb11bdf544c740cc687f91b1c7590167d9467fabf901df95755bdaa875b0c27c92

Download Submit
C:\windows\system\DMQAQO.exe.bat

Filesize
72B

MD5
a22d164fd671c30b59af4fb37811c666

SHA1
1cb7910bc27750bb9e0a2221f3f168ed252c53b3

SHA256
13de6babb0054ed67be23aedc2840245a5151d43e8992707f3d913baae54eb49

SHA512
c7e780427f026067b026b6d4356baffded016600f29747e1c682970f84ccfc4dce061ebcd29c1152a7d11097aa0e3ba93bbe86771503b44bd1b2c733983792dc

Download Submit
C:\windows\system\DVT.exe.bat

Filesize
66B

MD5
5d9411cf9a20a17bd56c09ae331f71ea

SHA1
64b6172691b6ddc43f13b6ffb52afbdda4de72a2

SHA256
ab3589a3bf186b07c9922352f9024c4a387a8ac45e9fa9185f88729b4238ceda

SHA512
cec8b4662832bef8d8a4c4456dd1190229b858bd1240e6fab16ed7dde71b07fef773391f492924ddf0440a37f0ea492c885d12c7980f8923a899eaadc049674d

Download Submit
C:\windows\system\KDEIEIA.exe

Filesize
448KB

MD5
95182e345abb8095d11c173e92ddd928

SHA1
54730d1fe550ffeeea9275774fb828f7ad730c22

SHA256
5a57eab504f1191f234cb5ea4df6e2f61d94e5c7d3e017c16f5a0f704d5c1afe

SHA512
41ad0797cbb8bd609318c16a30bf718571766b8506acb35b5d9a48eae026611071575875a28226da7d066b1fa43577de4bb4ac60434a883374f4c39962686a62

Download Submit
C:\windows\system\KDEIEIA.exe.bat

Filesize
74B

MD5
0354dfafc7b35b6b70a48a0ef0ad9de1

SHA1
b6c6c17e9db3c5b6ed84f4c055f5bbce5acd160e

SHA256
25def2a778340f2471d94325f2940947224179aa6d0d2e7b49fde568f60c10ad

SHA512
50f63f9e4d5b1789e3f7ef40642ae1148eaf2efc7b9260daa6c84930ede4199ade47d65095033825562cebb2a3220970b11949a98fbd12bd824a4b1b8c47bc72

Download Submit
C:\windows\system\MWQF.exe.bat

Filesize
68B

MD5
165afb421712c5d860296d09c2281da0

SHA1
d59c24dbf317b2375f91bdf0128e9c6edf540dc2

SHA256
4fef5e1b502c7bac196f0a4f5523824d56edb67f3bd65e1f9f8564686992ddda

SHA512
6f2b5d2b2dbb78391cfdac361fa0d0fe386eff0e76f611530e07a13cc65b351e289a1a992b874c0dc35aafd3036b0213e15f3555f1e1a9b44168b7da9aa48d7f

Download Submit
C:\windows\system\OYCN.exe

Filesize
448KB

MD5
78241dca22fbc031a89183d02245f997

SHA1
d75c7030491cff4930bc257de126d6bb3e8821f6

SHA256
87f2e0aeec3e4096415e57a1437039976ca1f9b56b69a146246e87ebdbb04f7a

SHA512
7e39acc5201cb13fb459f0ee05ca258aa6fd74648254dc080f801f849b74405f0a65eb02be4fc184f8f1ca7d107f622645ef3fd599e3fbbac399701ab1782cbe

Download Submit
C:\windows\system\OYCN.exe.bat

Filesize
68B

MD5
dea820c4c91930a7c65aa4fa069f6164

SHA1
9f9505b8c5761967e80bb29d28c00cfec79c79b4

SHA256
78febec05a727b3189cc707caf169248d4810da93fcfa071b97e51555a0a5bdc

SHA512
b2451fa8f1a7a90ec9186dfde3a89ecf3fab7fc2994e668d2023217cee5e26108998de5b7583d2b25509a8ade364c4db41cb6357c84a76df18de767d56f4c332

Download Submit
C:\windows\system\PKXT.exe.bat

Filesize
68B

MD5
b979e2e446742cec3b168cd137c1983c

SHA1
ef8418dc1365a2f59a65cff3ad2e8559d6c0f20d

SHA256
0b8ec49c5fd2c36f6cf774fbe97e3777bf6c62212e672fe7594964761510d331

SHA512
b462f1fb6933df2bc4a27e7b99f8d812a4c6e3ee4e61504c7f80de086a2fd2721d5d86a0b634e8d0e24dc32b068b9bbc8a071fa265997d72c46849bf9df1766e

Download Submit
C:\windows\system\QHGKH.exe.bat

Filesize
70B

MD5
1fb506c10fe65245c275d86e9b5ad724

SHA1
79799d6a576b660f70c0f5f5fd0db74237f22ccf

SHA256
ea5b21dcd895cf0415bc774c09084daaed733d13bf6230cc90c4271163e247ce

SHA512
8d304984d391b3253228b259d1f326bb8bf262560eae256f12cc073aa0ca75a770bb85e5e182366a959e4eaf7ad9f11ae39b8520af71576b992d0d8bb6ea0117

Download Submit
C:\windows\system\VGBD.exe.bat

Filesize
68B

MD5
8c59f35fb11828e23446156bf57e1d18

SHA1
fb3ad31a2c6c54ca3e8822579fe41f80169a70c6

SHA256
cbd97d1f7d25e380ec0650074cf2949e2e28b8a06df663ceee905faa79048ab3

SHA512
a89b2ba9ce92c4964c8585bb8cd5941eb65b924c30534ea7c575f11e663b6be8ead63f8fcca633779c78300547d03842fa801af338599dcd109e78d969af8f84

Download Submit
C:\windows\system\XOTYMI.exe.bat

Filesize
72B

MD5
3f861f3b06b4ec8dd538c88bdee8962f

SHA1
ccfe4619359f9e538a01f0c101c0221bfde1980a

SHA256
718f456865c77fb3f03e256317dd73006c7204cbe0addee90b1fe0ec487544bf

SHA512
c926678397c3d86ce8d331a5d019c2999556443931a92a450a203edefe898c7b18532e3be845dd67ed9dfd140d0b0bab2e1c1b275e75ebdc7918b6fee4b1439f

Download Submit
C:\windows\system\ZXDB.exe.bat

Filesize
68B

MD5
aeb5964c05fac3d30938ae1dd7dae1e6

SHA1
88dca3715f180afaff8d2b96d422dfcfef9240c0

SHA256
157749894204cfa5eeea03764f7c2e9676eda256c10412bfe40c789f4ce58f7c

SHA512
c8ecd64c21fd5e5b31960263077092bdfb44a0b326d2b608029eb84fab2a4927d4910ddf22877490966f0e62a996b2b0859c5ffe964fd0affbc8a5db2e9541d6

Download Submit
memory/316-475-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/316-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/456-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/456-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/492-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/492-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-492-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1184-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1184-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1656-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1656-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1700-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1700-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-484-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-502-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-493-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-482-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2968-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2968-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2980-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2980-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3100-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3100-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3136-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3136-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3304-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3304-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-339-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3804-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3868-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3868-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3908-501-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3972-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4004-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4004-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4168-457-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4168-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4184-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4284-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4284-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-375-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4572-153-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4572-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-465-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-367-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4768-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4828-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4828-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-311-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4900-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4900-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4956-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4956-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4976-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4976-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5064-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5064-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download