163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
Size

448KB
MD5

411d99f96aeb1b8a9045ecfd09934500
SHA1

c3498c5574510934a229ef799caa4424a39a364d
SHA256

163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea
SHA512

639dbd6ff08c993f87b4263cd14c591e3de896be2df20dfc7b0664e15b998457191ead30eb424e0a91e465fee3cfd5db9ec2c8043a7c6560879c5e3044cdad86
SSDEEP

6144:ltO9U78I7Zqa+f+57Yl8nSC27+kEjWbjcSbcY+CaQdaFOY4iGFYtR:ltB893qFnSC27+kFbz+xt4vF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QVMA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	JFTCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SUJB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BKUCW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ULIDW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QGM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QMRCNP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RKD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MAGGVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OMHXAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CWWTGKQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ELJUJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YTWGG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CZXN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ICJLD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HSHHG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YXDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QXCVOSU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	XJAODW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WJTAOWI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UYMAKDU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	TRJF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KKE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BPLO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YKVURI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PPCUB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ELPCVV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UUFWQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YBANZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HFFCTN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CTLNMG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BMNVV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FXYYNUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MOBDLP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ZYXYUQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KCN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OBAWNJQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DRRS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GNME.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ISOXLLV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MLYZXH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GDWDXP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AAZQRNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PBYI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MPVHTWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AOXW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BVIEW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FPGPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CONPNBW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	UFIDA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	CUA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	YFXKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PKYQKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RPAWJN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EIXSJH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	QGA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	VWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SJC.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	AJNAFZ.exe
5096	VWS.exe
4676	CZXN.exe
3724	RFVKPF.exe
2620	BVIEW.exe
2168	UYMAKDU.exe
1680	SJPQKR.exe
2940	EBSISZG.exe
1928	QRYQF.exe
2540	YXDX.exe
1284	HFFCTN.exe
2260	WAWH.exe
404	SGJKPF.exe
1220	YBU.exe
1748	AROGBQ.exe
2104	PUXS.exe
1236	HPB.exe
372	ZXDB.exe
2496	BKUCW.exe
3208	YLEF.exe
1952	CTLNMG.exe
4188	BMNVV.exe
3180	LKTPC.exe
4556	FXYYNUL.exe
3424	NCKFXT.exe
2392	RSRN.exe
1512	QDU.exe
1840	ULIDW.exe
864	AHAEBM.exe
644	JUKW.exe
4280	NXIRRCT.exe
932	XVWL.exe
2104	ZSCG.exe
4524	UDSWCE.exe
2356	TRJF.exe
1888	OBAWNJQ.exe
4508	SRGEZ.exe
4336	FPGPB.exe
1144	JXN.exe
3956	CYC.exe
8	ILB.exe
3808	YOLOUO.exe
3724	LMLZW.exe
1652	KKE.exe
1388	ONCPRY.exe
4404	BPLO.exe
2532	QGM.exe
4540	YTYMODI.exe
4872	IREGELR.exe
3100	KPSB.exe
1960	YKVURI.exe
4820	NHBRGS.exe
2680	GIQCQT.exe
2444	BVVLATG.exe
1468	FDCTE.exe
4404	SJC.exe
3728	NUS.exe
4328	PKYQKI.exe
3368	HSAV.exe
4248	YAOA.exe
4916	YGHPB.exe
1952	CONPNBW.exe
3524	DRRS.exe
4088	NPFF.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\EBSISZG.exe	SJPQKR.exe
File created	C:\windows\SysWOW64\SJC.exe	FDCTE.exe
File created	C:\windows\SysWOW64\QSGP.exe	PPCUB.exe
File created	C:\windows\SysWOW64\JTG.exe.bat	AFVRD.exe
File created	C:\windows\SysWOW64\RLLRKKF.exe	LPZ.exe
File created	C:\windows\SysWOW64\BVIEW.exe.bat	RFVKPF.exe
File created	C:\windows\SysWOW64\QGM.exe.bat	BPLO.exe
File created	C:\windows\SysWOW64\QSGP.exe.bat	PPCUB.exe
File opened for modification	C:\windows\SysWOW64\NWEETU.exe	JTG.exe
File created	C:\windows\SysWOW64\ZHGIK.exe.bat	XJAODW.exe
File created	C:\windows\SysWOW64\VZNUYBZ.exe.bat	IWCHPW.exe
File opened for modification	C:\windows\SysWOW64\RSRN.exe	NCKFXT.exe
File opened for modification	C:\windows\SysWOW64\OBAWNJQ.exe	TRJF.exe
File created	C:\windows\SysWOW64\YKVURI.exe	KPSB.exe
File opened for modification	C:\windows\SysWOW64\NHBRGS.exe	YKVURI.exe
File created	C:\windows\SysWOW64\GIQCQT.exe	NHBRGS.exe
File created	C:\windows\SysWOW64\MOBDLP.exe	IGUD.exe
File created	C:\windows\SysWOW64\OMHXAY.exe.bat	MOBDLP.exe
File created	C:\windows\SysWOW64\QXCVOSU.exe	SMZ.exe
File opened for modification	C:\windows\SysWOW64\XSCDFS.exe	TCV.exe
File created	C:\windows\SysWOW64\YVG.exe	XSCDFS.exe
File created	C:\windows\SysWOW64\UYMAKDU.exe.bat	BVIEW.exe
File created	C:\windows\SysWOW64\BMNVV.exe	CTLNMG.exe
File created	C:\windows\SysWOW64\RSRN.exe.bat	NCKFXT.exe
File created	C:\windows\SysWOW64\BPLO.exe.bat	ONCPRY.exe
File created	C:\windows\SysWOW64\KPSB.exe	IREGELR.exe
File created	C:\windows\SysWOW64\CUA.exe	IHWKRBD.exe
File opened for modification	C:\windows\SysWOW64\BVIEW.exe	RFVKPF.exe
File opened for modification	C:\windows\SysWOW64\YKVURI.exe	KPSB.exe
File opened for modification	C:\windows\SysWOW64\GIQCQT.exe	NHBRGS.exe
File created	C:\windows\SysWOW64\ISOXLLV.exe.bat	ECIPZTZ.exe
File created	C:\windows\SysWOW64\IHWKRBD.exe.bat	OOOZZA.exe
File opened for modification	C:\windows\SysWOW64\GFNVP.exe	RKD.exe
File created	C:\windows\SysWOW64\SJDTYYJ.exe	LOG.exe
File created	C:\windows\SysWOW64\ZHGIK.exe	XJAODW.exe
File created	C:\windows\SysWOW64\AAZQRNG.exe	JPO.exe
File created	C:\windows\SysWOW64\CZXN.exe	VWS.exe
File opened for modification	C:\windows\SysWOW64\CZXN.exe	VWS.exe
File created	C:\windows\SysWOW64\BPLO.exe	ONCPRY.exe
File created	C:\windows\SysWOW64\SOEOVWM.exe	OYYOJ.exe
File created	C:\windows\SysWOW64\BBFNFH.exe.bat	DRWIAO.exe
File created	C:\windows\SysWOW64\AAZQRNG.exe.bat	JPO.exe
File created	C:\windows\SysWOW64\EBSISZG.exe.bat	SJPQKR.exe
File created	C:\windows\SysWOW64\QYGE.exe.bat	QSGP.exe
File opened for modification	C:\windows\SysWOW64\UYMAKDU.exe	BVIEW.exe
File created	C:\windows\SysWOW64\PPCUB.exe.bat	RPVGS.exe
File created	C:\windows\SysWOW64\QYGE.exe	QSGP.exe
File created	C:\windows\SysWOW64\GFNVP.exe.bat	RKD.exe
File opened for modification	C:\windows\SysWOW64\SJDTYYJ.exe	LOG.exe
File opened for modification	C:\windows\SysWOW64\GLWQ.exe	YFXKH.exe
File opened for modification	C:\windows\SysWOW64\PBYI.exe	VARX.exe
File created	C:\windows\SysWOW64\NWEETU.exe	JTG.exe
File created	C:\windows\SysWOW64\ECIPZTZ.exe.bat	OMHXAY.exe
File opened for modification	C:\windows\SysWOW64\MLYZXH.exe	ISOXLLV.exe
File created	C:\windows\SysWOW64\SOEOVWM.exe.bat	OYYOJ.exe
File created	C:\windows\SysWOW64\FLFL.exe	OKD.exe
File opened for modification	C:\windows\SysWOW64\ZSCG.exe	XVWL.exe
File opened for modification	C:\windows\SysWOW64\DBI.exe	MAGGVG.exe
File created	C:\windows\SysWOW64\XCT.exe.bat	JFTCA.exe
File created	C:\windows\SysWOW64\CTLNMG.exe.bat	YLEF.exe
File created	C:\windows\SysWOW64\NXIRRCT.exe	JUKW.exe
File created	C:\windows\SysWOW64\KKE.exe	LMLZW.exe
File opened for modification	C:\windows\SysWOW64\QXCVOSU.exe	SMZ.exe
File created	C:\windows\SysWOW64\LOG.exe.bat	BQOV.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\YBANZ.exe.bat	PBYI.exe
File created	C:\windows\YTWGG.exe.bat	GQTC.exe
File created	C:\windows\system\DUXDAOR.exe	FHXCVL.exe
File created	C:\windows\QGA.exe	AQZSL.exe
File created	C:\windows\system\TCV.exe	WJTAOWI.exe
File created	C:\windows\system\OYYOJ.exe.bat	UFIDA.exe
File opened for modification	C:\windows\NCJB.exe	HBCOKKP.exe
File created	C:\windows\system\YUVXHZ.exe	JEUYBDB.exe
File opened for modification	C:\windows\system\JXN.exe	FPGPB.exe
File opened for modification	C:\windows\BVVLATG.exe	GIQCQT.exe
File opened for modification	C:\windows\system\UFIDA.exe	QXCVOSU.exe
File created	C:\windows\system\GQTC.exe.bat	HSHHG.exe
File created	C:\windows\system\ZXDB.exe	HPB.exe
File created	C:\windows\system\JXN.exe	FPGPB.exe
File created	C:\windows\JEUYBDB.exe.bat	IBQCV.exe
File opened for modification	C:\windows\WAWH.exe	HFFCTN.exe
File created	C:\windows\ULT.exe.bat	QVMA.exe
File created	C:\windows\system\OKD.exe.bat	RFTRFLB.exe
File created	C:\windows\UDSWCE.exe.bat	ZSCG.exe
File created	C:\windows\system\MAIV.exe.bat	RPAWJN.exe
File created	C:\windows\system\FAEMUHZ.exe.bat	MHXBDGJ.exe
File opened for modification	C:\windows\FSIIOQ.exe	NPFF.exe
File created	C:\windows\NHYH.exe.bat	EGW.exe
File opened for modification	C:\windows\system\IPTT.exe	SZK.exe
File created	C:\windows\system\BQOV.exe	GDWDXP.exe
File opened for modification	C:\windows\NNI.exe	PXXHW.exe
File created	C:\windows\system\AJNAFZ.exe.bat	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
File created	C:\windows\system\SJPQKR.exe.bat	UYMAKDU.exe
File opened for modification	C:\windows\AROGBQ.exe	YBU.exe
File created	C:\windows\system\ZMVTV.exe.bat	MPVHTWE.exe
File created	C:\windows\XEZW.exe.bat	YTWGG.exe
File created	C:\windows\BBAXGJ.exe	VGPESU.exe
File created	C:\windows\system\FAEMUHZ.exe	MHXBDGJ.exe
File opened for modification	C:\windows\system\HOCO.exe	QGA.exe
File opened for modification	C:\windows\SKBKAOH.exe	CUA.exe
File created	C:\windows\KCN.exe.bat	SJDTYYJ.exe
File created	C:\windows\system\YAOA.exe.bat	HSAV.exe
File created	C:\windows\system\RXFP.exe.bat	NHYH.exe
File created	C:\windows\system\UFIDA.exe.bat	QXCVOSU.exe
File created	C:\windows\system\LPZ.exe.bat	EAOV.exe
File created	C:\windows\system\XJAODW.exe	ZYXYUQB.exe
File created	C:\windows\system\CNHD.exe.bat	GFNVP.exe
File created	C:\windows\ZYXYUQB.exe	RLLRKKF.exe
File opened for modification	C:\windows\ZYXYUQB.exe	RLLRKKF.exe
File opened for modification	C:\windows\system\LKTPC.exe	BMNVV.exe
File created	C:\windows\YTYMODI.exe	QGM.exe
File created	C:\windows\system\RPVGS.exe	QMRCNP.exe
File created	C:\windows\system\LKTPC.exe	BMNVV.exe
File opened for modification	C:\windows\system\CYC.exe	JXN.exe
File created	C:\windows\system\SZK.exe	FOC.exe
File created	C:\windows\PKYQKI.exe	NUS.exe
File opened for modification	C:\windows\system\GNME.exe	FSIIOQ.exe
File opened for modification	C:\windows\FOC.exe	MLYZXH.exe
File created	C:\windows\system\UFIDA.exe	QXCVOSU.exe
File opened for modification	C:\windows\system\OOOZZA.exe	SOEOVWM.exe
File created	C:\windows\PUXS.exe.bat	AROGBQ.exe
File created	C:\windows\HPB.exe.bat	PUXS.exe
File opened for modification	C:\windows\TRJF.exe	UDSWCE.exe
File created	C:\windows\RPAWJN.exe.bat	NMPJ.exe
File created	C:\windows\system\PKDDM.exe	DUXDAOR.exe
File opened for modification	C:\windows\ICJLD.exe	CCB.exe
File created	C:\windows\system\NUS.exe.bat	SJC.exe
File opened for modification	C:\windows\JFTCA.exe	ZHGIK.exe
File opened for modification	C:\windows\YFXKH.exe	XCT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4420	3788	WerFault.exe	80
4788	2088	WerFault.exe	85
1232	5096	WerFault.exe	91
2592	4676	WerFault.exe	96
2860	3724	WerFault.exe	103
1396	2620	WerFault.exe	108
4992	2168	WerFault.exe	115
212	1680	WerFault.exe	120
884	2940	WerFault.exe	125
1488	1928	WerFault.exe	131
1640	2540	WerFault.exe	136
3108	1284	WerFault.exe	141
5004	2260	WerFault.exe	146
4756	404	WerFault.exe	153
2524	1220	WerFault.exe	158
3576	1748	WerFault.exe	163
884	2104	WerFault.exe	168
3624	1236	WerFault.exe	173
4004	372	WerFault.exe	178
2292	2496	WerFault.exe	183
5088	3208	WerFault.exe	188
540	1952	WerFault.exe	193
4000	4188	WerFault.exe	198
1728	3180	WerFault.exe	203
4116	4556	WerFault.exe	208
2356	3424	WerFault.exe	213
1888	2392	WerFault.exe	218
4908	1512	WerFault.exe	223
4540	1840	WerFault.exe	228
2252	864	WerFault.exe	232
2484	644	WerFault.exe	238
1464	4280	WerFault.exe	243
4032	932	WerFault.exe	248
2968	2104	WerFault.exe	253
4412	4524	WerFault.exe	258
3380	2356	WerFault.exe	263
4484	1888	WerFault.exe	268
4560	4508	WerFault.exe	274
4376	4336	WerFault.exe	279
456	1144	WerFault.exe	285
4296	3956	WerFault.exe	290
4248	8	WerFault.exe	295
4988	3808	WerFault.exe	300
4524	3724	WerFault.exe	305
3380	1652	WerFault.exe	310
2536	1388	WerFault.exe	315
2576	4404	WerFault.exe	320
4040	2532	WerFault.exe	325
4176	4540	WerFault.exe	330
3632	4872	WerFault.exe	335
2540	3100	WerFault.exe	340
1592	1960	WerFault.exe	345
3172	4820	WerFault.exe	350
3384	2680	WerFault.exe	355
2168	2444	WerFault.exe	360
2576	1468	WerFault.exe	365
1744	4404	WerFault.exe	370
4368	3728	WerFault.exe	375
1236	4328	WerFault.exe	380
2408	3368	WerFault.exe	385
4756	4248	WerFault.exe	390
1172	4916	WerFault.exe	395
208	1952	WerFault.exe	400
2804	3524	WerFault.exe	405

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
2088	AJNAFZ.exe
2088	AJNAFZ.exe
5096	VWS.exe
5096	VWS.exe
4676	CZXN.exe
4676	CZXN.exe
3724	RFVKPF.exe
3724	RFVKPF.exe
2620	BVIEW.exe
2620	BVIEW.exe
2168	UYMAKDU.exe
2168	UYMAKDU.exe
1680	SJPQKR.exe
1680	SJPQKR.exe
2940	EBSISZG.exe
2940	EBSISZG.exe
1928	QRYQF.exe
1928	QRYQF.exe
2540	YXDX.exe
2540	YXDX.exe
1284	HFFCTN.exe
1284	HFFCTN.exe
2260	WAWH.exe
2260	WAWH.exe
404	SGJKPF.exe
404	SGJKPF.exe
1220	YBU.exe
1220	YBU.exe
1748	AROGBQ.exe
1748	AROGBQ.exe
2104	PUXS.exe
2104	PUXS.exe
1236	HPB.exe
1236	HPB.exe
372	ZXDB.exe
372	ZXDB.exe
2496	BKUCW.exe
2496	BKUCW.exe
3208	YLEF.exe
3208	YLEF.exe
1952	CTLNMG.exe
1952	CTLNMG.exe
4188	BMNVV.exe
4188	BMNVV.exe
3180	LKTPC.exe
3180	LKTPC.exe
4556	FXYYNUL.exe
4556	FXYYNUL.exe
3424	NCKFXT.exe
3424	NCKFXT.exe
2392	RSRN.exe
2392	RSRN.exe
1512	QDU.exe
1512	QDU.exe
1840	ULIDW.exe
1840	ULIDW.exe
864	AHAEBM.exe
864	AHAEBM.exe
644	JUKW.exe
644	JUKW.exe
4280	NXIRRCT.exe
4280	NXIRRCT.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
2088	AJNAFZ.exe
2088	AJNAFZ.exe
5096	VWS.exe
5096	VWS.exe
4676	CZXN.exe
4676	CZXN.exe
3724	RFVKPF.exe
3724	RFVKPF.exe
2620	BVIEW.exe
2620	BVIEW.exe
2168	UYMAKDU.exe
2168	UYMAKDU.exe
1680	SJPQKR.exe
1680	SJPQKR.exe
2940	EBSISZG.exe
2940	EBSISZG.exe
1928	QRYQF.exe
1928	QRYQF.exe
2540	YXDX.exe
2540	YXDX.exe
1284	HFFCTN.exe
1284	HFFCTN.exe
2260	WAWH.exe
2260	WAWH.exe
404	SGJKPF.exe
404	SGJKPF.exe
1220	YBU.exe
1220	YBU.exe
1748	AROGBQ.exe
1748	AROGBQ.exe
2104	PUXS.exe
2104	PUXS.exe
1236	HPB.exe
1236	HPB.exe
372	ZXDB.exe
372	ZXDB.exe
2496	BKUCW.exe
2496	BKUCW.exe
3208	YLEF.exe
3208	YLEF.exe
1952	CTLNMG.exe
1952	CTLNMG.exe
4188	BMNVV.exe
4188	BMNVV.exe
3180	LKTPC.exe
3180	LKTPC.exe
4556	FXYYNUL.exe
4556	FXYYNUL.exe
3424	NCKFXT.exe
3424	NCKFXT.exe
2392	RSRN.exe
2392	RSRN.exe
1512	QDU.exe
1512	QDU.exe
1840	ULIDW.exe
1840	ULIDW.exe
864	AHAEBM.exe
864	AHAEBM.exe
644	JUKW.exe
644	JUKW.exe
4280	NXIRRCT.exe
4280	NXIRRCT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4800	3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe	81
PID 3788 wrote to memory of 4800	3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe	81
PID 3788 wrote to memory of 4800	3788	163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe	81
PID 4800 wrote to memory of 2088	4800	cmd.exe	85
PID 4800 wrote to memory of 2088	4800	cmd.exe	85
PID 4800 wrote to memory of 2088	4800	cmd.exe	85
PID 2088 wrote to memory of 3952	2088	AJNAFZ.exe	87
PID 2088 wrote to memory of 3952	2088	AJNAFZ.exe	87
PID 2088 wrote to memory of 3952	2088	AJNAFZ.exe	87
PID 3952 wrote to memory of 5096	3952	cmd.exe	91
PID 3952 wrote to memory of 5096	3952	cmd.exe	91
PID 3952 wrote to memory of 5096	3952	cmd.exe	91
PID 5096 wrote to memory of 2232	5096	VWS.exe	92
PID 5096 wrote to memory of 2232	5096	VWS.exe	92
PID 5096 wrote to memory of 2232	5096	VWS.exe	92
PID 2232 wrote to memory of 4676	2232	cmd.exe	96
PID 2232 wrote to memory of 4676	2232	cmd.exe	96
PID 2232 wrote to memory of 4676	2232	cmd.exe	96
PID 4676 wrote to memory of 1836	4676	CZXN.exe	99
PID 4676 wrote to memory of 1836	4676	CZXN.exe	99
PID 4676 wrote to memory of 1836	4676	CZXN.exe	99
PID 1836 wrote to memory of 3724	1836	cmd.exe	103
PID 1836 wrote to memory of 3724	1836	cmd.exe	103
PID 1836 wrote to memory of 3724	1836	cmd.exe	103
PID 3724 wrote to memory of 436	3724	RFVKPF.exe	104
PID 3724 wrote to memory of 436	3724	RFVKPF.exe	104
PID 3724 wrote to memory of 436	3724	RFVKPF.exe	104
PID 436 wrote to memory of 2620	436	cmd.exe	108
PID 436 wrote to memory of 2620	436	cmd.exe	108
PID 436 wrote to memory of 2620	436	cmd.exe	108
PID 2620 wrote to memory of 2292	2620	BVIEW.exe	111
PID 2620 wrote to memory of 2292	2620	BVIEW.exe	111
PID 2620 wrote to memory of 2292	2620	BVIEW.exe	111
PID 2292 wrote to memory of 2168	2292	cmd.exe	115
PID 2292 wrote to memory of 2168	2292	cmd.exe	115
PID 2292 wrote to memory of 2168	2292	cmd.exe	115
PID 2168 wrote to memory of 1272	2168	UYMAKDU.exe	116
PID 2168 wrote to memory of 1272	2168	UYMAKDU.exe	116
PID 2168 wrote to memory of 1272	2168	UYMAKDU.exe	116
PID 1272 wrote to memory of 1680	1272	cmd.exe	120
PID 1272 wrote to memory of 1680	1272	cmd.exe	120
PID 1272 wrote to memory of 1680	1272	cmd.exe	120
PID 1680 wrote to memory of 4052	1680	SJPQKR.exe	121
PID 1680 wrote to memory of 4052	1680	SJPQKR.exe	121
PID 1680 wrote to memory of 4052	1680	SJPQKR.exe	121
PID 4052 wrote to memory of 2940	4052	cmd.exe	125
PID 4052 wrote to memory of 2940	4052	cmd.exe	125
PID 4052 wrote to memory of 2940	4052	cmd.exe	125
PID 2940 wrote to memory of 1524	2940	EBSISZG.exe	126
PID 2940 wrote to memory of 1524	2940	EBSISZG.exe	126
PID 2940 wrote to memory of 1524	2940	EBSISZG.exe	126
PID 1524 wrote to memory of 1928	1524	cmd.exe	131
PID 1524 wrote to memory of 1928	1524	cmd.exe	131
PID 1524 wrote to memory of 1928	1524	cmd.exe	131
PID 1928 wrote to memory of 3700	1928	QRYQF.exe	132
PID 1928 wrote to memory of 3700	1928	QRYQF.exe	132
PID 1928 wrote to memory of 3700	1928	QRYQF.exe	132
PID 3700 wrote to memory of 2540	3700	cmd.exe	136
PID 3700 wrote to memory of 2540	3700	cmd.exe	136
PID 3700 wrote to memory of 2540	3700	cmd.exe	136
PID 2540 wrote to memory of 1656	2540	YXDX.exe	137
PID 2540 wrote to memory of 1656	2540	YXDX.exe	137
PID 2540 wrote to memory of 1656	2540	YXDX.exe	137
PID 1656 wrote to memory of 1284	1656	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\163efdf04e0a8cdb8993116f150bdcdd5762934d7437d759189ea1329fb7c9ea_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\AJNAFZ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\windows\system\AJNAFZ.exe
    C:\windows\system\AJNAFZ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWS.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\windows\SysWOW64\VWS.exe
        
        C:\windows\system32\VWS.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CZXN.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\windows\SysWOW64\CZXN.exe
        
        C:\windows\system32\CZXN.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RFVKPF.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\windows\RFVKPF.exe
        
        C:\windows\RFVKPF.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\windows\SysWOW64\BVIEW.exe
        
        C:\windows\system32\BVIEW.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UYMAKDU.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\windows\SysWOW64\UYMAKDU.exe
        
        C:\windows\system32\UYMAKDU.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SJPQKR.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\windows\system\SJPQKR.exe
        
        C:\windows\system\SJPQKR.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBSISZG.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\windows\SysWOW64\EBSISZG.exe
        
        C:\windows\system32\EBSISZG.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QRYQF.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\windows\QRYQF.exe
        
        C:\windows\QRYQF.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YXDX.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\windows\system\YXDX.exe
        
        C:\windows\system\YXDX.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFFCTN.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\windows\SysWOW64\HFFCTN.exe
        
        C:\windows\system32\HFFCTN.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WAWH.exe.bat" "
        24⤵
        
        PID:2348
        
        C:\windows\WAWH.exe
        
        C:\windows\WAWH.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGJKPF.exe.bat" "
        26⤵
        
        PID:2880
        
        C:\windows\system\SGJKPF.exe
        
        C:\windows\system\SGJKPF.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBU.exe.bat" "
        28⤵
        
        PID:4392
        
        C:\windows\SysWOW64\YBU.exe
        
        C:\windows\system32\YBU.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AROGBQ.exe.bat" "
        30⤵
        
        PID:3964
        
        C:\windows\AROGBQ.exe
        
        C:\windows\AROGBQ.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PUXS.exe.bat" "
        32⤵
        
        PID:1468
        
        C:\windows\PUXS.exe
        
        C:\windows\PUXS.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HPB.exe.bat" "
        34⤵
        
        PID:4712
        
        C:\windows\HPB.exe
        
        C:\windows\HPB.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXDB.exe.bat" "
        36⤵
        
        PID:4872
        
        C:\windows\system\ZXDB.exe
        
        C:\windows\system\ZXDB.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BKUCW.exe.bat" "
        38⤵
        
        PID:1640
        
        C:\windows\BKUCW.exe
        
        C:\windows\BKUCW.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLEF.exe.bat" "
        40⤵
        
        PID:4488
        
        C:\windows\SysWOW64\YLEF.exe
        
        C:\windows\system32\YLEF.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CTLNMG.exe.bat" "
        42⤵
        
        PID:5004
        
        C:\windows\SysWOW64\CTLNMG.exe
        
        C:\windows\system32\CTLNMG.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMNVV.exe.bat" "
        44⤵
        
        PID:2468
        
        C:\windows\SysWOW64\BMNVV.exe
        
        C:\windows\system32\BMNVV.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LKTPC.exe.bat" "
        46⤵
        
        PID:1564
        
        C:\windows\system\LKTPC.exe
        
        C:\windows\system\LKTPC.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FXYYNUL.exe.bat" "
        48⤵
        
        PID:220
        
        C:\windows\system\FXYYNUL.exe
        
        C:\windows\system\FXYYNUL.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKFXT.exe.bat" "
        50⤵
        
        PID:2440
        
        C:\windows\SysWOW64\NCKFXT.exe
        
        C:\windows\system32\NCKFXT.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSRN.exe.bat" "
        52⤵
        
        PID:3700
        
        C:\windows\SysWOW64\RSRN.exe
        
        C:\windows\system32\RSRN.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDU.exe.bat" "
        54⤵
        
        PID:2680
        
        C:\windows\SysWOW64\QDU.exe
        
        C:\windows\system32\QDU.exe
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ULIDW.exe.bat" "
        56⤵
        
        PID:3252
        
        C:\windows\ULIDW.exe
        
        C:\windows\ULIDW.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AHAEBM.exe.bat" "
        58⤵
        
        PID:4424
        
        C:\windows\AHAEBM.exe
        
        C:\windows\AHAEBM.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JUKW.exe.bat" "
        60⤵
        
        PID:2900
        
        C:\windows\system\JUKW.exe
        
        C:\windows\system\JUKW.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NXIRRCT.exe.bat" "
        62⤵
        
        PID:380
        
        C:\windows\SysWOW64\NXIRRCT.exe
        
        C:\windows\system32\NXIRRCT.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVWL.exe.bat" "
        64⤵
        
        PID:4040
        
        C:\windows\system\XVWL.exe
        
        C:\windows\system\XVWL.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSCG.exe.bat" "
        66⤵
        
        PID:4296
        
        C:\windows\SysWOW64\ZSCG.exe
        
        C:\windows\system32\ZSCG.exe
        67⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UDSWCE.exe.bat" "
        68⤵
        
        PID:2408
        
        C:\windows\UDSWCE.exe
        
        C:\windows\UDSWCE.exe
        69⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TRJF.exe.bat" "
        70⤵
        
        PID:4532
        
        C:\windows\TRJF.exe
        
        C:\windows\TRJF.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBAWNJQ.exe.bat" "
        72⤵
        
        PID:3188
        
        C:\windows\SysWOW64\OBAWNJQ.exe
        
        C:\windows\system32\OBAWNJQ.exe
        73⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SRGEZ.exe.bat" "
        74⤵
        
        PID:3524
        
        C:\windows\SRGEZ.exe
        
        C:\windows\SRGEZ.exe
        75⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FPGPB.exe.bat" "
        76⤵
        
        PID:760
        
        C:\windows\FPGPB.exe
        
        C:\windows\FPGPB.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXN.exe.bat" "
        78⤵
        
        PID:864
        
        C:\windows\system\JXN.exe
        
        C:\windows\system\JXN.exe
        79⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYC.exe.bat" "
        80⤵
        
        PID:540
        
        C:\windows\system\CYC.exe
        
        C:\windows\system\CYC.exe
        81⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILB.exe.bat" "
        82⤵
        
        PID:4860
        
        C:\windows\system\ILB.exe
        
        C:\windows\system\ILB.exe
        83⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOLOUO.exe.bat" "
        84⤵
        
        PID:1892
        
        C:\windows\system\YOLOUO.exe
        
        C:\windows\system\YOLOUO.exe
        85⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LMLZW.exe.bat" "
        86⤵
        
        PID:624
        
        C:\windows\LMLZW.exe
        
        C:\windows\LMLZW.exe
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKE.exe.bat" "
        88⤵
        
        PID:3224
        
        C:\windows\SysWOW64\KKE.exe
        
        C:\windows\system32\KKE.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONCPRY.exe.bat" "
        90⤵
        
        PID:1556
        
        C:\windows\system\ONCPRY.exe
        
        C:\windows\system\ONCPRY.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BPLO.exe.bat" "
        92⤵
        
        PID:3996
        
        C:\windows\SysWOW64\BPLO.exe
        
        C:\windows\system32\BPLO.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGM.exe.bat" "
        94⤵
        
        PID:3112
        
        C:\windows\SysWOW64\QGM.exe
        
        C:\windows\system32\QGM.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTYMODI.exe.bat" "
        96⤵
        
        PID:2692
        
        C:\windows\YTYMODI.exe
        
        C:\windows\YTYMODI.exe
        97⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IREGELR.exe.bat" "
        98⤵
        
        PID:3464
        
        C:\windows\system\IREGELR.exe
        
        C:\windows\system\IREGELR.exe
        99⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPSB.exe.bat" "
        100⤵
        
        PID:4420
        
        C:\windows\SysWOW64\KPSB.exe
        
        C:\windows\system32\KPSB.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKVURI.exe.bat" "
        102⤵
        
        PID:1108
        
        C:\windows\SysWOW64\YKVURI.exe
        
        C:\windows\system32\YKVURI.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NHBRGS.exe.bat" "
        104⤵
        
        PID:1912
        
        C:\windows\SysWOW64\NHBRGS.exe
        
        C:\windows\system32\NHBRGS.exe
        105⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GIQCQT.exe.bat" "
        106⤵
        
        PID:3448
        
        C:\windows\SysWOW64\GIQCQT.exe
        
        C:\windows\system32\GIQCQT.exe
        107⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BVVLATG.exe.bat" "
        108⤵
        
        PID:4276
        
        C:\windows\BVVLATG.exe
        
        C:\windows\BVVLATG.exe
        109⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FDCTE.exe.bat" "
        110⤵
        
        PID:628
        
        C:\windows\FDCTE.exe
        
        C:\windows\FDCTE.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJC.exe.bat" "
        112⤵
        
        PID:3912
        
        C:\windows\SysWOW64\SJC.exe
        
        C:\windows\system32\SJC.exe
        113⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NUS.exe.bat" "
        114⤵
        
        PID:4336
        
        C:\windows\system\NUS.exe
        
        C:\windows\system\NUS.exe
        115⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PKYQKI.exe.bat" "
        116⤵
        
        PID:1656
        
        C:\windows\PKYQKI.exe
        
        C:\windows\PKYQKI.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HSAV.exe.bat" "
        118⤵
        
        PID:4020
        
        C:\windows\system\HSAV.exe
        
        C:\windows\system\HSAV.exe
        119⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YAOA.exe.bat" "
        120⤵
        
        PID:4608
        
        C:\windows\system\YAOA.exe
        
        C:\windows\system\YAOA.exe
        121⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YGHPB.exe.bat" "
        122⤵
        
        PID:5096
        
        C:\windows\system\YGHPB.exe
        
        C:\windows\system\YGHPB.exe
        123⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CONPNBW.exe.bat" "
        124⤵
        
        PID:1304
        
        C:\windows\CONPNBW.exe
        
        C:\windows\CONPNBW.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRRS.exe.bat" "
        126⤵
        
        PID:4820
        
        C:\windows\SysWOW64\DRRS.exe
        
        C:\windows\system32\DRRS.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NPFF.exe.bat" "
        128⤵
        
        PID:4800
        
        C:\windows\NPFF.exe
        
        C:\windows\NPFF.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FSIIOQ.exe.bat" "
        130⤵
        
        PID:2704
        
        C:\windows\FSIIOQ.exe
        
        C:\windows\FSIIOQ.exe
        131⤵
        Drops file in Windows directory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GNME.exe.bat" "
        132⤵
        
        PID:4336
        
        C:\windows\system\GNME.exe
        
        C:\windows\system\GNME.exe
        133⤵
        Checks computer location settings
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "
        134⤵
        
        PID:3748
        
        C:\windows\CSE.exe
        
        C:\windows\CSE.exe
        135⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MAGGVG.exe.bat" "
        136⤵
        
        PID:4020
        
        C:\windows\system\MAGGVG.exe
        
        C:\windows\system\MAGGVG.exe
        137⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBI.exe.bat" "
        138⤵
        
        PID:2032
        
        C:\windows\SysWOW64\DBI.exe
        
        C:\windows\system32\DBI.exe
        139⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QMRCNP.exe.bat" "
        140⤵
        
        PID:1800
        
        C:\windows\QMRCNP.exe
        
        C:\windows\QMRCNP.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPVGS.exe.bat" "
        142⤵
        
        PID:964
        
        C:\windows\system\RPVGS.exe
        
        C:\windows\system\RPVGS.exe
        143⤵
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PPCUB.exe.bat" "
        144⤵
        
        PID:4916
        
        C:\windows\SysWOW64\PPCUB.exe
        
        C:\windows\system32\PPCUB.exe
        145⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSGP.exe.bat" "
        146⤵
        
        PID:1388
        
        C:\windows\SysWOW64\QSGP.exe
        
        C:\windows\system32\QSGP.exe
        147⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QYGE.exe.bat" "
        148⤵
        
        PID:2704
        
        C:\windows\SysWOW64\QYGE.exe
        
        C:\windows\system32\QYGE.exe
        149⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LAPCEMW.exe.bat" "
        150⤵
        
        PID:4404
        
        C:\windows\LAPCEMW.exe
        
        C:\windows\LAPCEMW.exe
        151⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJRIIK.exe.bat" "
        152⤵
        
        PID:4972
        
        C:\windows\system\UJRIIK.exe
        
        C:\windows\system\UJRIIK.exe
        153⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGW.exe.bat" "
        154⤵
        
        PID:1548
        
        C:\windows\system\EGW.exe
        
        C:\windows\system\EGW.exe
        155⤵
        Drops file in Windows directory
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHYH.exe.bat" "
        156⤵
        
        PID:4724
        
        C:\windows\NHYH.exe
        
        C:\windows\NHYH.exe
        157⤵
        Drops file in Windows directory
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "
        158⤵
        
        PID:4428
        
        C:\windows\system\RXFP.exe
        
        C:\windows\system\RXFP.exe
        159⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FHVGTTS.exe.bat" "
        160⤵
        
        PID:1724
        
        C:\windows\system\FHVGTTS.exe
        
        C:\windows\system\FHVGTTS.exe
        161⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AFVRD.exe.bat" "
        162⤵
        
        PID:2996
        
        C:\windows\AFVRD.exe
        
        C:\windows\AFVRD.exe
        163⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTG.exe.bat" "
        164⤵
        
        PID:1200
        
        C:\windows\SysWOW64\JTG.exe
        
        C:\windows\system32\JTG.exe
        165⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NWEETU.exe.bat" "
        166⤵
        
        PID:1336
        
        C:\windows\SysWOW64\NWEETU.exe
        
        C:\windows\system32\NWEETU.exe
        167⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IGUD.exe.bat" "
        168⤵
        
        PID:2252
        
        C:\windows\IGUD.exe
        
        C:\windows\IGUD.exe
        169⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOBDLP.exe.bat" "
        170⤵
        
        PID:4088
        
        C:\windows\SysWOW64\MOBDLP.exe
        
        C:\windows\system32\MOBDLP.exe
        171⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMHXAY.exe.bat" "
        172⤵
        
        PID:4444
        
        C:\windows\SysWOW64\OMHXAY.exe
        
        C:\windows\system32\OMHXAY.exe
        173⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ECIPZTZ.exe.bat" "
        174⤵
        
        PID:3244
        
        C:\windows\SysWOW64\ECIPZTZ.exe
        
        C:\windows\system32\ECIPZTZ.exe
        175⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ISOXLLV.exe.bat" "
        176⤵
        
        PID:2520
        
        C:\windows\SysWOW64\ISOXLLV.exe
        
        C:\windows\system32\ISOXLLV.exe
        177⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLYZXH.exe.bat" "
        178⤵
        
        PID:764
        
        C:\windows\SysWOW64\MLYZXH.exe
        
        C:\windows\system32\MLYZXH.exe
        179⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "
        180⤵
        
        PID:4032
        
        C:\windows\FOC.exe
        
        C:\windows\FOC.exe
        181⤵
        Drops file in Windows directory
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZK.exe.bat" "
        182⤵
        
        PID:648
        
        C:\windows\system\SZK.exe
        
        C:\windows\system\SZK.exe
        183⤵
        Drops file in Windows directory
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPTT.exe.bat" "
        184⤵
        
        PID:4824
        
        C:\windows\system\IPTT.exe
        
        C:\windows\system\IPTT.exe
        185⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SMZ.exe.bat" "
        186⤵
        
        PID:1504
        
        C:\windows\SMZ.exe
        
        C:\windows\SMZ.exe
        187⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXCVOSU.exe.bat" "
        188⤵
        
        PID:1236
        
        C:\windows\SysWOW64\QXCVOSU.exe
        
        C:\windows\system32\QXCVOSU.exe
        189⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UFIDA.exe.bat" "
        190⤵
        
        PID:1508
        
        C:\windows\system\UFIDA.exe
        
        C:\windows\system\UFIDA.exe
        191⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYYOJ.exe.bat" "
        192⤵
        
        PID:4952
        
        C:\windows\system\OYYOJ.exe
        
        C:\windows\system\OYYOJ.exe
        193⤵
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOEOVWM.exe.bat" "
        194⤵
        
        PID:4860
        
        C:\windows\SysWOW64\SOEOVWM.exe
        
        C:\windows\system32\SOEOVWM.exe
        195⤵
        Drops file in Windows directory
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOOZZA.exe.bat" "
        196⤵
        
        PID:3624
        
        C:\windows\system\OOOZZA.exe
        
        C:\windows\system\OOOZZA.exe
        197⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IHWKRBD.exe.bat" "
        198⤵
        
        PID:2688
        
        C:\windows\SysWOW64\IHWKRBD.exe
        
        C:\windows\system32\IHWKRBD.exe
        199⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CUA.exe.bat" "
        200⤵
        
        PID:2804
        
        C:\windows\SysWOW64\CUA.exe
        
        C:\windows\system32\CUA.exe
        201⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SKBKAOH.exe.bat" "
        202⤵
        
        PID:1456
        
        C:\windows\SKBKAOH.exe
        
        C:\windows\SKBKAOH.exe
        203⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QVMA.exe.bat" "
        204⤵
        
        PID:1488
        
        C:\windows\QVMA.exe
        
        C:\windows\QVMA.exe
        205⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ULT.exe.bat" "
        206⤵
        
        PID:4684
        
        C:\windows\ULT.exe
        
        C:\windows\ULT.exe
        207⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GEATEN.exe.bat" "
        208⤵
        
        PID:3076
        
        C:\windows\system\GEATEN.exe
        
        C:\windows\system\GEATEN.exe
        209⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBCOKKP.exe.bat" "
        210⤵
        
        PID:2968
        
        C:\windows\system\HBCOKKP.exe
        
        C:\windows\system\HBCOKKP.exe
        211⤵
        Drops file in Windows directory
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NCJB.exe.bat" "
        212⤵
        
        PID:396
        
        C:\windows\NCJB.exe
        
        C:\windows\NCJB.exe
        213⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKD.exe.bat" "
        214⤵
        
        PID:4268
        
        C:\windows\RKD.exe
        
        C:\windows\RKD.exe
        215⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFNVP.exe.bat" "
        216⤵
        
        PID:3448
        
        C:\windows\SysWOW64\GFNVP.exe
        
        C:\windows\system32\GFNVP.exe
        217⤵
        Drops file in Windows directory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CNHD.exe.bat" "
        218⤵
        
        PID:2688
        
        C:\windows\system\CNHD.exe
        
        C:\windows\system\CNHD.exe
        219⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDWDXP.exe.bat" "
        220⤵
        
        PID:1784
        
        C:\windows\SysWOW64\GDWDXP.exe
        
        C:\windows\system32\GDWDXP.exe
        221⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BQOV.exe.bat" "
        222⤵
        
        PID:4592
        
        C:\windows\system\BQOV.exe
        
        C:\windows\system\BQOV.exe
        223⤵
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LOG.exe.bat" "
        224⤵
        
        PID:4108
        
        C:\windows\SysWOW64\LOG.exe
        
        C:\windows\system32\LOG.exe
        225⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJDTYYJ.exe.bat" "
        226⤵
        
        PID:2952
        
        C:\windows\SysWOW64\SJDTYYJ.exe
        
        C:\windows\system32\SJDTYYJ.exe
        227⤵
        Drops file in Windows directory
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KCN.exe.bat" "
        228⤵
        
        PID:2268
        
        C:\windows\KCN.exe
        
        C:\windows\KCN.exe
        229⤵
        Checks computer location settings
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "
        230⤵
        
        PID:4940
        
        C:\windows\EAOV.exe
        
        C:\windows\EAOV.exe
        231⤵
        Drops file in Windows directory
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPZ.exe.bat" "
        232⤵
        
        PID:780
        
        C:\windows\system\LPZ.exe
        
        C:\windows\system\LPZ.exe
        233⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RLLRKKF.exe.bat" "
        234⤵
        
        PID:1108
        
        C:\windows\SysWOW64\RLLRKKF.exe
        
        C:\windows\system32\RLLRKKF.exe
        235⤵
        Drops file in Windows directory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZYXYUQB.exe.bat" "
        236⤵
        
        PID:4936
        
        C:\windows\ZYXYUQB.exe
        
        C:\windows\ZYXYUQB.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJAODW.exe.bat" "
        238⤵
        
        PID:3452
        
        C:\windows\system\XJAODW.exe
        
        C:\windows\system\XJAODW.exe
        239⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZHGIK.exe.bat" "
        240⤵
        
        PID:2996
        
        C:\windows\SysWOW64\ZHGIK.exe
        
        C:\windows\system32\ZHGIK.exe
        241⤵
        Drops file in Windows directory
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JFTCA.exe.bat" "
        242⤵
        
        PID:3236
        
        C:\windows\JFTCA.exe
        
        C:\windows\JFTCA.exe
        243⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XCT.exe.bat" "
        244⤵
        
        PID:4772
        
        C:\windows\SysWOW64\XCT.exe
        
        C:\windows\system32\XCT.exe
        245⤵
        Drops file in Windows directory
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YFXKH.exe.bat" "
        246⤵
        
        PID:4684
        
        C:\windows\YFXKH.exe
        
        C:\windows\YFXKH.exe
        247⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GLWQ.exe.bat" "
        248⤵
        
        PID:4824
        
        C:\windows\SysWOW64\GLWQ.exe
        
        C:\windows\system32\GLWQ.exe
        249⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XTQWE.exe.bat" "
        250⤵
        
        PID:1836
        
        C:\windows\system\XTQWE.exe
        
        C:\windows\system\XTQWE.exe
        251⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUM.exe.bat" "
        252⤵
        
        PID:3940
        
        C:\windows\system\CUM.exe
        
        C:\windows\system\CUM.exe
        253⤵
        Checks computer location settings
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NMPJ.exe.bat" "
        254⤵
        
        PID:1440
        
        C:\windows\NMPJ.exe
        
        C:\windows\NMPJ.exe
        255⤵
        Drops file in Windows directory
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RPAWJN.exe.bat" "
        256⤵
        
        PID:3996
        
        C:\windows\RPAWJN.exe
        
        C:\windows\RPAWJN.exe
        257⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MAIV.exe.bat" "
        258⤵
        
        PID:464
        
        C:\windows\system\MAIV.exe
        
        C:\windows\system\MAIV.exe
        259⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EIXSJH.exe.bat" "
        260⤵
        
        PID:1676
        
        C:\windows\EIXSJH.exe
        
        C:\windows\EIXSJH.exe
        261⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CWWTGKQ.exe.bat" "
        262⤵
        
        PID:4800
        
        C:\windows\system\CWWTGKQ.exe
        
        C:\windows\system\CWWTGKQ.exe
        263⤵
        Checks computer location settings
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZGFZ.exe.bat" "
        264⤵
        
        PID:4108
        
        C:\windows\system\RZGFZ.exe
        
        C:\windows\system\RZGFZ.exe
        265⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SUJB.exe.bat" "
        266⤵
        
        PID:5072
        
        C:\windows\system\SUJB.exe
        
        C:\windows\system\SUJB.exe
        267⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OUL.exe.bat" "
        268⤵
        
        PID:4460
        
        C:\windows\OUL.exe
        
        C:\windows\OUL.exe
        269⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXHW.exe.bat" "
        270⤵
        
        PID:4420
        
        C:\windows\SysWOW64\PXXHW.exe
        
        C:\windows\system32\PXXHW.exe
        271⤵
        Drops file in Windows directory
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NNI.exe.bat" "
        272⤵
        
        PID:2800
        
        C:\windows\NNI.exe
        
        C:\windows\NNI.exe
        273⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIUDP.exe.bat" "
        274⤵
        
        PID:3800
        
        C:\windows\SysWOW64\UIUDP.exe
        
        C:\windows\system32\UIUDP.exe
        275⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRWIAO.exe.bat" "
        276⤵
        
        PID:2928
        
        C:\windows\SysWOW64\DRWIAO.exe
        
        C:\windows\system32\DRWIAO.exe
        277⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BBFNFH.exe.bat" "
        278⤵
        
        PID:4084
        
        C:\windows\SysWOW64\BBFNFH.exe
        
        C:\windows\system32\BBFNFH.exe
        279⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "
        280⤵
        
        PID:1988
        
        C:\windows\FHXCVL.exe
        
        C:\windows\FHXCVL.exe
        281⤵
        Drops file in Windows directory
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUXDAOR.exe.bat" "
        282⤵
        
        PID:4532
        
        C:\windows\system\DUXDAOR.exe
        
        C:\windows\system\DUXDAOR.exe
        283⤵
        Drops file in Windows directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKDDM.exe.bat" "
        284⤵
        
        PID:220
        
        C:\windows\system\PKDDM.exe
        
        C:\windows\system\PKDDM.exe
        285⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGPESU.exe.bat" "
        286⤵
        
        PID:4028
        
        C:\windows\system\VGPESU.exe
        
        C:\windows\system\VGPESU.exe
        287⤵
        Drops file in Windows directory
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BBAXGJ.exe.bat" "
        288⤵
        
        PID:212
        
        C:\windows\BBAXGJ.exe
        
        C:\windows\BBAXGJ.exe
        289⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VTIIPK.exe.bat" "
        290⤵
        
        PID:620
        
        C:\windows\VTIIPK.exe
        
        C:\windows\VTIIPK.exe
        291⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FRWCWS.exe.bat" "
        292⤵
        
        PID:1508
        
        C:\windows\FRWCWS.exe
        
        C:\windows\FRWCWS.exe
        293⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MHXBDGJ.exe.bat" "
        294⤵
        
        PID:2468
        
        C:\windows\SysWOW64\MHXBDGJ.exe
        
        C:\windows\system32\MHXBDGJ.exe
        295⤵
        Drops file in Windows directory
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FAEMUHZ.exe.bat" "
        296⤵
        
        PID:4524
        
        C:\windows\system\FAEMUHZ.exe
        
        C:\windows\system\FAEMUHZ.exe
        297⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ELPCVV.exe.bat" "
        298⤵
        
        PID:4744
        
        C:\windows\ELPCVV.exe
        
        C:\windows\ELPCVV.exe
        299⤵
        Checks computer location settings
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQZSL.exe.bat" "
        300⤵
        
        PID:2688
        
        C:\windows\system\AQZSL.exe
        
        C:\windows\system\AQZSL.exe
        301⤵
        Drops file in Windows directory
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QGA.exe.bat" "
        302⤵
        
        PID:4408
        
        C:\windows\QGA.exe
        
        C:\windows\QGA.exe
        303⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOCO.exe.bat" "
        304⤵
        
        PID:1784
        
        C:\windows\system\HOCO.exe
        
        C:\windows\system\HOCO.exe
        305⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WJTAOWI.exe.bat" "
        306⤵
        
        PID:704
        
        C:\windows\WJTAOWI.exe
        
        C:\windows\WJTAOWI.exe
        307⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TCV.exe.bat" "
        308⤵
        
        PID:2064
        
        C:\windows\system\TCV.exe
        
        C:\windows\system\TCV.exe
        309⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSCDFS.exe.bat" "
        310⤵
        
        PID:2104
        
        C:\windows\SysWOW64\XSCDFS.exe
        
        C:\windows\system32\XSCDFS.exe
        311⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YVG.exe.bat" "
        312⤵
        
        PID:1100
        
        C:\windows\SysWOW64\YVG.exe
        
        C:\windows\system32\YVG.exe
        313⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EQRZ.exe.bat" "
        314⤵
        
        PID:380
        
        C:\windows\SysWOW64\EQRZ.exe
        
        C:\windows\system32\EQRZ.exe
        315⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOXW.exe.bat" "
        316⤵
        
        PID:3700
        
        C:\windows\system\AOXW.exe
        
        C:\windows\system\AOXW.exe
        317⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GJJXLV.exe.bat" "
        318⤵
        
        PID:4444
        
        C:\windows\SysWOW64\GJJXLV.exe
        
        C:\windows\system32\GJJXLV.exe
        319⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UUFWQ.exe.bat" "
        320⤵
        
        PID:404
        
        C:\windows\UUFWQ.exe
        
        C:\windows\UUFWQ.exe
        321⤵
        Checks computer location settings
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JPO.exe.bat" "
        322⤵
        
        PID:2596
        
        C:\windows\JPO.exe
        
        C:\windows\JPO.exe
        323⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAZQRNG.exe.bat" "
        324⤵
        
        PID:2476
        
        C:\windows\SysWOW64\AAZQRNG.exe
        
        C:\windows\system32\AAZQRNG.exe
        325⤵
        Checks computer location settings
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KXFL.exe.bat" "
        326⤵
        
        PID:3132
        
        C:\windows\KXFL.exe
        
        C:\windows\KXFL.exe
        327⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJUJV.exe.bat" "
        328⤵
        
        PID:3156
        
        C:\windows\system\ELJUJV.exe
        
        C:\windows\system\ELJUJV.exe
        329⤵
        Checks computer location settings
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBQCV.exe.bat" "
        330⤵
        
        PID:2144
        
        C:\windows\system\IBQCV.exe
        
        C:\windows\system\IBQCV.exe
        331⤵
        Drops file in Windows directory
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JEUYBDB.exe.bat" "
        332⤵
        
        PID:536
        
        C:\windows\JEUYBDB.exe
        
        C:\windows\JEUYBDB.exe
        333⤵
        Drops file in Windows directory
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YUVXHZ.exe.bat" "
        334⤵
        
        PID:644
        
        C:\windows\system\YUVXHZ.exe
        
        C:\windows\system\YUVXHZ.exe
        335⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCB.exe.bat" "
        336⤵
        
        PID:4160
        
        C:\windows\system\CCB.exe
        
        C:\windows\system\CCB.exe
        337⤵
        Drops file in Windows directory
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ICJLD.exe.bat" "
        338⤵
        
        PID:2408
        
        C:\windows\ICJLD.exe
        
        C:\windows\ICJLD.exe
        339⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VARX.exe.bat" "
        340⤵
        
        PID:5096
        
        C:\windows\system\VARX.exe
        
        C:\windows\system\VARX.exe
        341⤵
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBYI.exe.bat" "
        342⤵
        
        PID:1492
        
        C:\windows\SysWOW64\PBYI.exe
        
        C:\windows\system32\PBYI.exe
        343⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBANZ.exe.bat" "
        344⤵
        
        PID:1784
        
        C:\windows\system\YBANZ.exe
        
        C:\windows\system\YBANZ.exe
        345⤵
        Checks computer location settings
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XMDD.exe.bat" "
        346⤵
        
        PID:1128
        
        C:\windows\XMDD.exe
        
        C:\windows\XMDD.exe
        347⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPVHTWE.exe.bat" "
        348⤵
        
        PID:3528
        
        C:\windows\system\MPVHTWE.exe
        
        C:\windows\system\MPVHTWE.exe
        349⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZMVTV.exe.bat" "
        350⤵
        
        PID:4688
        
        C:\windows\system\ZMVTV.exe
        
        C:\windows\system\ZMVTV.exe
        351⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "
        352⤵
        
        PID:2968
        
        C:\windows\SysWOW64\HSHHG.exe
        
        C:\windows\system32\HSHHG.exe
        353⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GQTC.exe.bat" "
        354⤵
        
        PID:4316
        
        C:\windows\system\GQTC.exe
        
        C:\windows\system\GQTC.exe
        355⤵
        Drops file in Windows directory
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTWGG.exe.bat" "
        356⤵
        
        PID:736
        
        C:\windows\YTWGG.exe
        
        C:\windows\YTWGG.exe
        357⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XEZW.exe.bat" "
        358⤵
        
        PID:2208
        
        C:\windows\XEZW.exe
        
        C:\windows\XEZW.exe
        359⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IWCHPW.exe.bat" "
        360⤵
        
        PID:1800
        
        C:\windows\IWCHPW.exe
        
        C:\windows\IWCHPW.exe
        361⤵
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VZNUYBZ.exe.bat" "
        362⤵
        
        PID:4084
        
        C:\windows\SysWOW64\VZNUYBZ.exe
        
        C:\windows\system32\VZNUYBZ.exe
        363⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFTRFLB.exe.bat" "
        364⤵
        
        PID:3956
        
        C:\windows\SysWOW64\RFTRFLB.exe
        
        C:\windows\system32\RFTRFLB.exe
        365⤵
        Drops file in Windows directory
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKD.exe.bat" "
        366⤵
        
        PID:1920
        
        C:\windows\system\OKD.exe
        
        C:\windows\system\OKD.exe
        367⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FLFL.exe.bat" "
        368⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1336
        366⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 960
        364⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1328
        362⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1292
        360⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1324
        358⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1324
        356⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 988
        354⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
        352⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1248
        350⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 960
        348⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1256
        346⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 960
        344⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 988
        342⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1300
        340⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 960
        338⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 960
        336⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1336
        334⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1304
        332⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1304
        330⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1336
        328⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1304
        326⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 988
        324⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 988
        322⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1296
        320⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 960
        318⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1264
        316⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1328
        314⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1292
        312⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1256
        310⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1304
        308⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 888
        306⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1268
        304⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 960
        302⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
        300⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 988
        298⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 1336
        296⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1328
        294⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 960
        292⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 960
        290⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1324
        288⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 960
        286⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 976
        284⤵
        
        PID:704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1336
        282⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1324
        280⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 960
        278⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1308
        276⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1004
        274⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 960
        272⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1308
        270⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 960
        268⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1280
        266⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 960
        264⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 960
        262⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 960
        260⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1328
        258⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 988
        256⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1296
        254⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1336
        252⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1228
        250⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 960
        248⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 872
        246⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 988
        244⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 988
        242⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1300
        240⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1336
        238⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1324
        236⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 988
        234⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1336
        232⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1288
        230⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1324
        228⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
        226⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1296
        224⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1248
        222⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 988
        220⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 988
        218⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1328
        216⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296
        214⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1324
        212⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1336
        210⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1336
        208⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 960
        206⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1252
        204⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1260
        202⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1240
        200⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 960
        198⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1316
        196⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1004
        194⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 960
        192⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 876
        190⤵
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 988
        188⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1260
        186⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 988
        184⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1336
        182⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 988
        180⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1240
        178⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 960
        176⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960
        174⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 996
        172⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1004
        170⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1304
        168⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1308
        166⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1328
        164⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1004
        162⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 960
        160⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1008
        158⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1324
        156⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1304
        154⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1336
        152⤵
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 960
        150⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1300
        148⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1308
        146⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1300
        144⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 960
        142⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1296
        140⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1308
        138⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1336
        136⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1292
        134⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1336
        132⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 960
        130⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1228
        128⤵
        Program crash
        
        PID:2804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1308
        126⤵
        Program crash
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 960
        124⤵
        Program crash
        
        PID:1172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1304
        122⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1336
        120⤵
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1272
        118⤵
        Program crash
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 960
        116⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 960
        114⤵
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 988
        112⤵
        Program crash
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1304
        110⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 960
        108⤵
        Program crash
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1292
        106⤵
        Program crash
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 988
        104⤵
        Program crash
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1264
        102⤵
        Program crash
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1004
        100⤵
        Program crash
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 960
        98⤵
        Program crash
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 960
        96⤵
        Program crash
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 976
        94⤵
        Program crash
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1328
        92⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 960
        90⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 976
        88⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1324
        86⤵
        Program crash
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 960
        84⤵
        Program crash
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1336
        82⤵
        Program crash
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1316
        80⤵
        Program crash
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1248
        78⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1324
        76⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 988
        74⤵
        Program crash
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1308
        72⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1324
        70⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 960
        68⤵
        Program crash
        
        PID:2968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1292
        66⤵
        Program crash
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1272
        64⤵
        Program crash
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1328
        62⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1316
        60⤵
        Program crash
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1304
        58⤵
        Program crash
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1008
        56⤵
        Program crash
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1328
        54⤵
        Program crash
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1328
        52⤵
        Program crash
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1264
        50⤵
        Program crash
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 960
        48⤵
        Program crash
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 988
        46⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 988
        44⤵
        Program crash
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1328
        42⤵
        Program crash
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1208
        40⤵
        Program crash
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1304
        38⤵
        Program crash
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1264
        36⤵
        Program crash
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1252
        34⤵
        Program crash
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1304
        32⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1324
        30⤵
        Program crash
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 960
        28⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1248
        26⤵
        Program crash
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1324
        24⤵
        Program crash
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1328
        22⤵
        Program crash
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1316
        20⤵
        Program crash
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 1324
        18⤵
        Program crash
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1260
        16⤵
        Program crash
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1316
        14⤵
        Program crash
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 960
        12⤵
        Program crash
        
        PID:1396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1328
        10⤵
        Program crash
        
        PID:2860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1296
        8⤵
        Program crash
        
        PID:2592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 976
        6⤵
        Program crash
        
        PID:1232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1304
      4⤵
      Program crash
      PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 996
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3788 -ip 3788
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2088 -ip 2088
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5096 -ip 5096
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 4676
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3724 -ip 3724
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2620 -ip 2620
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2168 -ip 2168
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1680 -ip 1680
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2940 -ip 2940
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1928 -ip 1928
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2540 -ip 2540
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1284 -ip 1284
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2260 -ip 2260
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 404 -ip 404
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1220 -ip 1220
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1748 -ip 1748
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2104 -ip 2104
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1236 -ip 1236
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 372 -ip 372
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2496 -ip 2496
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3208 -ip 3208
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1952 -ip 1952
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4188 -ip 4188
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3180 -ip 3180
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4556 -ip 4556
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3424 -ip 3424
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2392 -ip 2392
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1512 -ip 1512
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1840 -ip 1840
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 864 -ip 864
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 644 -ip 644
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4280 -ip 4280
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 932 -ip 932
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2104 -ip 2104
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4524 -ip 4524
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2356 -ip 2356
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1888 -ip 1888
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4508 -ip 4508
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4336 -ip 4336
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1144 -ip 1144
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3956 -ip 3956
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8 -ip 8
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3808 -ip 3808
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3724 -ip 3724
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1652 -ip 1652
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1388 -ip 1388
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4404 -ip 4404
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2532 -ip 2532
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4540 -ip 4540
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4872 -ip 4872
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3100 -ip 3100
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1960 -ip 1960
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4820 -ip 4820
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2680 -ip 2680
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2444 -ip 2444
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1468 -ip 1468
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4404 -ip 4404
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3728 -ip 3728
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4328 -ip 4328
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3368 -ip 3368
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4248 -ip 4248
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4916 -ip 4916
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1952 -ip 1952
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3524 -ip 3524
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4088 -ip 4088
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2476 -ip 2476
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3940 -ip 3940
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 644 -ip 644
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1464 -ip 1464
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2408 -ip 2408
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3448 -ip 3448
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4516 -ip 4516
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3212 -ip 3212
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1832 -ip 1832
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4180 -ip 4180
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4620 -ip 4620
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3896 -ip 3896
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4696 -ip 4696
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2680 -ip 2680
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4004 -ip 4004
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4868 -ip 4868
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1524 -ip 1524
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3200 -ip 3200
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1048 -ip 1048
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4936 -ip 4936
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2292 -ip 2292
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2356 -ip 2356
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2420 -ip 2420
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3360 -ip 3360
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4000 -ip 4000
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3748 -ip 3748
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4992 -ip 4992
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2028 -ip 2028
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4432 -ip 4432
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3788 -ip 3788
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1692 -ip 1692
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2988 -ip 2988
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4296 -ip 4296
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3404 -ip 3404
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1556 -ip 1556
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4540 -ip 4540
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4332 -ip 4332
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4992 -ip 4992
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3180 -ip 3180
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3996 -ip 3996
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 228 -ip 228
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4944 -ip 4944
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1724 -ip 1724
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1828 -ip 1828
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4844 -ip 4844
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1524 -ip 1524
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3868 -ip 3868
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 372 -ip 372
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1864 -ip 1864
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1284 -ip 1284
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3368 -ip 3368
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2280 -ip 2280
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4392 -ip 4392
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4600 -ip 4600
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2880 -ip 2880
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3176 -ip 3176
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1840 -ip 1840
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4388 -ip 4388
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4848 -ip 4848
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3084 -ip 3084
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2068 -ip 2068
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2960 -ip 2960
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2280 -ip 2280
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2704 -ip 2704
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3132 -ip 3132
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5040 -ip 5040
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1660 -ip 1660
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1912 -ip 1912
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1276 -ip 1276
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 916 -ip 916
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4848 -ip 4848
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3980 -ip 3980
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1672 -ip 1672
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3404 -ip 3404
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2384 -ip 2384
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5072 -ip 5072
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2952 -ip 2952
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1836 -ip 1836
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4500 -ip 4500
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1888 -ip 1888
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4944 -ip 4944
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3240 -ip 3240
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4868 -ip 4868
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3332 -ip 3332
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2972 -ip 2972
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2452 -ip 2452
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3384 -ip 3384
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2548 -ip 2548
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1440 -ip 1440
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4524 -ip 4524
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2404 -ip 2404
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2996 -ip 2996
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1224 -ip 1224
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 452 -ip 452
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3520 -ip 3520
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4468 -ip 4468
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3252 -ip 3252
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3860 -ip 3860
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 380 -ip 380
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3108 -ip 3108
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5068 -ip 5068
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 916 -ip 916
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3512 -ip 3512
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4532 -ip 4532
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1692 -ip 1692
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1524 -ip 1524
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 828 -ip 828
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1836 -ip 1836
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2548 -ip 2548
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4428 -ip 4428
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1332 -ip 1332
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3632 -ip 3632
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2552 -ip 2552
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2620 -ip 2620
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AROGBQ.exe

Filesize
448KB

MD5
824e5f7484a1c5f722a7c3bd97288156

SHA1
002f05d2c6c13887763d0777051ec0860e4cccc9

SHA256
573ee173551e1f1fc18cefd4e9f9ad25a3bf8177860790700350d56a13ee0a3c

SHA512
6a0ede34c2be9fe2b89a8c3ede0c775290557343c84836fbf79ce58975095a69438e95c39ea7e1c59892bf151b30286cd2e4c7515da7c5e752f4d079bbd2ee59

Download Submit
C:\Windows\BKUCW.exe

Filesize
448KB

MD5
e2a90fa5c11742cb366492e108437097

SHA1
7c38fa5c7d75f77a93718e9287aac4348dfa613a

SHA256
3cc449ae6e6d1076bae5292982ba70edc65a9b21ebff473fc02aa450ab3c84f8

SHA512
b9d5db7660d72581c1686fd5fa9938577be9da5d6676a9907969f5bebdc50ad766808007c3df5a7377bdb4b4f5f9c52743a03617c2201a5d600a4dd62e09a003

Download Submit
C:\Windows\PUXS.exe

Filesize
448KB

MD5
216de2e0881095161713c402430c7588

SHA1
0181b1edeead949731f8d46838be84863564eb82

SHA256
bf9cdcd2cead167c0b6f44a3e467b4b592479d73aebf5f541a366f141f75128c

SHA512
5c88ec87c4a70b9462a361ff5718970f70adad189e2dbcceeff1056f449b09de03f8bafc9fa423ddd1b9d56c395ac2e307367361f5f5750c8687405670da2684

Download Submit
C:\Windows\SysWOW64\BVIEW.exe

Filesize
448KB

MD5
d6411647c158977d6e6b1ee2429b22be

SHA1
4de90db20d0242a947a466aefbced3f43678a1fa

SHA256
7d9b221d057e4ad27d92f74f7bbdbaff52dab5330f5a08ecf56d4ca9e50265e0

SHA512
a31464c642cbd0f0e30c1b712e0ffdc2e46b6d2942fe4ce25fc705579c8d2226e000d2e6df0a8efd92242889acf326e48254d3c7575844c5c85e296c7a13d931

Download Submit
C:\Windows\SysWOW64\HFFCTN.exe

Filesize
448KB

MD5
6864697b49dce65e16705badf4271c32

SHA1
8cba685a132e8c2a3d1440632e987beb5f0a3584

SHA256
2854cb78bac66de798717a00c17fee18b060107e3c21cd50d4c49331f3cbb170

SHA512
fa3b915d5bbbe3a4bc9fc70bf2720117029576bc954bd6214d907d73dfc20bdd031e105c82fc0f0de9fddf5508dfa95cb09dd0dceddeda5b006520281662a028

Download Submit
C:\Windows\SysWOW64\UYMAKDU.exe

Filesize
448KB

MD5
7399ddfde9adc7490df4f2330bfe5d0b

SHA1
b713ebe3b7b87fdfb2bf1d7dc054c2c3fe26dab0

SHA256
c3f5e8e4a35517eb2edce0c63312010926a4f8e147fbfb3eba7ab42a2097903b

SHA512
56fb8038f7847cbf521d447843befbf2de844675667ab12897903b1571f1d580e67f07b2c8cf0af6446067f8950e52dfe7118349111c725e8d2be0e9834e2b04

Download Submit
C:\Windows\SysWOW64\VWS.exe

Filesize
448KB

MD5
259512fbdd9fedc851dd2556bc669919

SHA1
d8316215e0025ccaea16686a355e50f2187c494c

SHA256
b352d839e1d13f9819ac914ef4f2c319664150da32cf75a638757ec618a6dfde

SHA512
9d7d6b890987971c6966522f80640c2c84b0f1ad8dee697dcef6a2d105c7b47e953f1297d3448208fb75c19089463e2b901aad325cb69ef0cd8a8025b2b5c088

Download Submit
C:\Windows\System\AJNAFZ.exe

Filesize
448KB

MD5
024ce77bc927119fefad6598bc2e909d

SHA1
bdc9d26bc2a7f1495b97ec823797689c39f37b04

SHA256
b539a1d573c9536337d019856b91826fe77d928edb6efbdaf9cfe66d7b159ab9

SHA512
beac314b82d533b624472425dc6ec2162c536560551902f276219b5bbb474b5e1a3442aede281a444355d0aa5f50b2290e459b786f94df4d124bdbbd85dd1472

Download Submit
C:\Windows\System\YXDX.exe

Filesize
448KB

MD5
6f78b3159b3565415f3b41412031e939

SHA1
3501a62d58310ebd71a8684e59c2caca279fe280

SHA256
d2346a8d217b37ebb4b8b5e54f7557d4fcb35c804e759a2e792d8c326c472365

SHA512
1609ea4717602e19362be41a9c07737643de373e819a9ffcf36430dbb8636e706f86643028ef86efef24cfa099742c080ca97800bd6e4b75259d1cd495ddefe6

Download Submit
C:\windows\AROGBQ.exe.bat

Filesize
58B

MD5
05b1851d9bf7cf9184cea24464286d6d

SHA1
831ab34a4d9af4e21a8e1e0dd3290b113aa7fc4f

SHA256
5a82a9008bc0eaa8c1a18c0612d2b59bb55d6040452900c21632688b56d0b2ad

SHA512
a6fdd1b489eb070d9f5edf1b26f67346f867e111910ed6e3c569d598ed08761118d6242cb3faa2357b88a2b7304ba50919931d0ebf75acc643fb9e69772149f2

Download Submit
C:\windows\BKUCW.exe.bat

Filesize
56B

MD5
57178f4505f0e983f75219847b4ae84e

SHA1
dafb97d0087e3e6b2172f35fd34202ec2ee8b061

SHA256
24f12ba845a1dfecebee40f160309e86cd73b97667ac00498584da24c8e1a363

SHA512
72effccd42110d4277c8ebf7c97740f51f2a04d4f38a66fd51a3c590c596de13b3c8aa341795bf3a8ce86f54f5d5f2ebc5aaf320d0c15f0e9e0abc123f1e373b

Download Submit
C:\windows\HPB.exe

Filesize
448KB

MD5
d96f63ad24962b532f342e12398dd799

SHA1
e1d364f94703fb7875ab939b9a0579dd911ec65f

SHA256
0be77c69ee2e2923b3e8101315e8c1fcb8e8158040208391948f8af4ae7c8a5b

SHA512
02dcca48658521557a8caf2a42076f236ebadf972bc2aa30fb4211e3e79fc6a032f3471f4b82922586b745abe9913bc5d7ee58e9eecc275e89a6e3d3b6800353

Download Submit
C:\windows\HPB.exe.bat

Filesize
52B

MD5
67952481d55d7ff327e10b37f5420378

SHA1
5965cd93a7f12dfb0d8a137074fc2499a94a0374

SHA256
01d0725109a14f4292bdb580805b4cd4c8a326d65de42469477748c91d833181

SHA512
587cbaa764d02c1689a140bc1dc92b218cfad6c16abe04ff84ad066c6a962235ce9d2c11d690650372538f7247fcb248b6d8517ddb5d3569f61b3112468ff41f

Download Submit
C:\windows\PUXS.exe.bat

Filesize
54B

MD5
97bedd62a879a924f0740ccc6b411bbf

SHA1
c07b54e4edc59e922778b63366e3c100fb0800b2

SHA256
55f953a9f5b268c0d2f4b88fd24db744482b9eb1123e76306536f99d742a1d7d

SHA512
0c6509ccfb4efe0c289cab5a7b51f553f6aa37cee079ccda17cdcc55bfd50e251ea7a78d9f5578824dc95ff620859c8fdb6fbe8094e6beacc8912cb5824fc964

Download Submit
C:\windows\QRYQF.exe

Filesize
448KB

MD5
0a9936927aff8c0e3cb697f88ed28ad4

SHA1
0e96430a9d8e0dcb253dfedde830917185ac583e

SHA256
05e4c281173d09ec7a7b6d1a95b94433314d7d31691e0248ce9b175bb8c6427c

SHA512
f2572876d693fe37e12ebbe89ab53ffe5a8036e44feed8df07ef314b42f4b462bc909d0e2ea6cb20fb6991420f388a97d4c504c60472b8d76b05493cfce3c5b6

Download Submit
C:\windows\QRYQF.exe.bat

Filesize
56B

MD5
f07d50e57c5962b2f197d8303cdd9f15

SHA1
42c9d00f969b3711d91b891071962ee9563aad7f

SHA256
e32c7460d59b1bac4983962d49b9b768606a26b583c96e8fa23505159520e690

SHA512
65c21aaeed3f3b1987402b6ad0ca7b1d0a62525cb8ea82eabd0ad4fda8c52ff03cb1003d4f3d2647b771ea1b9c020eafb946e28ecc3ea225e84ebc0d5d73a9e1

Download Submit
C:\windows\RFVKPF.exe

Filesize
448KB

MD5
e6035ac2d2cc30667e8e387e33f98355

SHA1
9e46cc7eaed12230b623c9c41fe4c8a9b335a437

SHA256
105dde883cba31a6ff89e284a629a96e4f67a50d16af6578c86c649835edba57

SHA512
065746fced22fb31cad866f1d3e74717fc01e6168dfec49d074c25f2e605981c6428aaf3291f42a65730625f6a023a99b093a775d7a174810c793803e2c1494f

Download Submit
C:\windows\RFVKPF.exe.bat

Filesize
58B

MD5
e04525bf02b1e009398ca5687297f407

SHA1
2a90840aad405baceaf43ac33f8b8ec71b2da882

SHA256
1d90b164110f26d9ef1329e8dec1e5210c7281583bf3a43b09cfcebc19f03d88

SHA512
c45df3fe5ff15d96d04088dc88dbf0c6d5fbb0b9a2502be749e7c5c7d71c6ac29d4047f8a9da2b2a8c69f2dc016a384edefdb37a92ae85454120753a63653146

Download Submit
C:\windows\SysWOW64\BMNVV.exe.bat

Filesize
74B

MD5
c83435f0d018b770b7d5b5bb1743eb0f

SHA1
6f0eeb66bad205bb875b5d86c65f84089bddfb32

SHA256
508ebd8e245a2738301f8eefc4f07701d69bc6cbe57b130584dc7065514c0e56

SHA512
8956f8b327e12542f0a0508c2faf7520f856a620ae7af78cc0a8806ba480752e50df9cb2e65d30e761f9f9e01b0cc0ef2ba59a2d0dcdde9d95851c59c3199859

Download Submit
C:\windows\SysWOW64\BVIEW.exe.bat

Filesize
74B

MD5
72a8fa12fe2b74194c3d146c9fe2153d

SHA1
042acd4ff9f0e0eab3e6717efc3ceb2842a6587c

SHA256
9314e2ff5dc8ff00e100ed0de7f5c4b6a7765c46d32ea98b01a5a88c38af2a35

SHA512
118db61e07ea548d6d13cb52f691b2c4f3b121f25c64c6da9f8576904f316380c405d086a875e9261336086254fb4963e9c82a12cdb8b65a956689494b09dcae

Download Submit
C:\windows\SysWOW64\CTLNMG.exe

Filesize
448KB

MD5
15cd8fd2ccca923c2ea01f9b249578f6

SHA1
53467e81640676050dbb3deac9bedd4ceb2908ae

SHA256
f6d7a595c55e21fd362d31321119ac0c75d19383a171f92c14eddaa3792f4265

SHA512
f75dc523e324d261f2ea6563a0fbbfb4b9cc85b614c751a27ea84b868cdd2130ee62e4692aa0d1444bc12b16bada4257d92279e860f51f10ef618e23ae29026c

Download Submit
C:\windows\SysWOW64\CTLNMG.exe.bat

Filesize
76B

MD5
16bd55f087d901ffccc3e576aa42bb95

SHA1
7af3840d875e40f5e303bc9ce395c307b6808cc0

SHA256
d3a3829d3f0d9f08a8dcba5d09445b2142279ec1fc77bfaaf44f096e90e24d8b

SHA512
fcc5815df2330c6fca7a7e87a5e702664cd13bbcc6a94f00eae196b12c1a7c99ab314ecbc94c8356feaf260275d99cd951c3549c9a7f75684f81db2e300f67b1

Download Submit
C:\windows\SysWOW64\CZXN.exe

Filesize
448KB

MD5
d69968fba63564eabdf6481f474c2e78

SHA1
ffd79a2ee44cb16a83caf45892e2ea98605ee726

SHA256
308c31e1380e46274aa11f5bbebd9f6d011e1854464aea31b54cebd072b756e3

SHA512
f67da845b27f8a94d11b260a0cf18cd5a96966d7131ae2186fe60589eb15353ebe95641b7a77a0ac0f989281388583c10f8d618b63eb4cda5b538ec084d2d655

Download Submit
C:\windows\SysWOW64\CZXN.exe.bat

Filesize
72B

MD5
b622e0b476f5d6f56e340ef7409fe75b

SHA1
da9b66ecca4f0cca3aef6f00dafb7da7a7f0daee

SHA256
2f2447135579704c970910a4e31a08d72763c0dcbc8be59c909b778d858891db

SHA512
805c3784e207386064af2fe6127096f1cc10c4452caaefe4b898cfed0ec4e53b698e5622ba1d79d00942090b10448b64021e7522dfbe48a66c37f1e8d9c8e3bd

Download Submit
C:\windows\SysWOW64\EBSISZG.exe

Filesize
448KB

MD5
ebc47580c9405c8aec159acb7d3eca2b

SHA1
c353c8f917803f971f16c88c1587ee4acb9cf410

SHA256
d129281c85099f1428a14860857a0d42aab452ef1a6996dc4acb7cf3156099ac

SHA512
3af88399fd9f303e3ff3d57e945454e5652d41236be9c2c74b9bdbb0818fd2f776e69a30d94abcbe07f2e776635ac094678a9a11d40c885d4c2fadf685a116a9

Download Submit
C:\windows\SysWOW64\EBSISZG.exe.bat

Filesize
78B

MD5
5ebb91de874c46e635e21b5cfb646820

SHA1
a92b83de2dd96778c228b9082f087c9dafcc24e0

SHA256
5d97a98e47d3b1a1061d15c2f1d9af3411fc43da15e92b8f7a44246fa18117c9

SHA512
8f41753cf07901ac51dbc6f8c381bd479cdd2d70fd6f04c141d5cf1029375dc6b885ba6be3bdaf85ad93d0206d0372925fad76dba35487a7564597984ca2e84b

Download Submit
C:\windows\SysWOW64\HFFCTN.exe.bat

Filesize
76B

MD5
33e10da097b929d2372c19b7e33be3a8

SHA1
210ccf60f5798408864ab69ad7ca6b7a5ffca235

SHA256
85e5b6cf35a83fdf3fd6578ca075c3c8e4f7cd4115f5477a536a8d1ccf8a6d02

SHA512
13a14f82b386cb50b8e4c00834a1be3b262eccf3de6a6072b5c9a44b3962419f0c1f390937b080196c01c5d39120d18baba7f9eb33738fed12e20df7b26f4295

Download Submit
C:\windows\SysWOW64\UYMAKDU.exe.bat

Filesize
78B

MD5
dce06fe9f29f66a5e4f17737f2577b50

SHA1
ea15efe48a800b9dc92eedef468a987033fac957

SHA256
614e776f821e5ee3373671f4d616b508c622a09ca52c9a32ddd31c0cc891356e

SHA512
78f4986424b94ed9af38a029000493c54e16fa0af4f44d66edb34141423af662ac9d22f528c9b7ca28e18dee95b75dd0f6d5f9919691484736bcec0f3e95b0f4

Download Submit
C:\windows\SysWOW64\VWS.exe.bat

Filesize
70B

MD5
001101e4d8574f61298347eaf7378b76

SHA1
39b567279ad41fdf0ef43ac59c3dcdcab16d69ee

SHA256
d68ae9f61be107950abbca8935031aaf3c63534d19cf44e4c4d88e654bac3a3f

SHA512
a5fd5a3f2537d1d699348b08614bb73f1c86275fb2af163a0e1c462c9fb1e49eb54d90a1080f65191a2dbaeade648ab580c6dfb786e9d56b2bf95fd39f435073

Download Submit
C:\windows\SysWOW64\YBU.exe

Filesize
448KB

MD5
d9736f0e597f405f22149b2ed4b3fcf8

SHA1
bd57938a0d714d9b0a42b472f81d6716b2eb0b20

SHA256
fc8512bf2d1db5886af12302020fd306c3e316bcfe1eedc1756f756025bd7762

SHA512
931375ac8f69d8d7120f769f0462558562def0f6a45ce6c63c91055c44293862f1729d4d7f0a9a8dbc45ccc1bb4dd583278b9fdcd287aa20a895e22d5f797917

Download Submit
C:\windows\SysWOW64\YBU.exe.bat

Filesize
70B

MD5
536ae8dea4b9b05ef5a8ecb444973c47

SHA1
72a4192edde99c5c02ab8112dfe06ee9b8f3c497

SHA256
31686b5c013a5c10c2dc8d9736e37177058c962f1e9658fb3e1d2cbac002cb16

SHA512
0267f599efbc396053f89c8c1cf962b877843a80784807aadef43368b3bfa1dc71b85b9705e088b8050b2fa2d0fc23283a54ab7ddb4d10f5c9740b1a6d6571c0

Download Submit
C:\windows\SysWOW64\YLEF.exe

Filesize
448KB

MD5
8812acf4c90680625798b429036ee902

SHA1
9d8801b6637302720e41723af80f7caa7ae0d004

SHA256
d59021a4b0aa6c3642a190a5b784a51226c0c63765a1c5146e21504c859ad0ce

SHA512
5ee4fd65488fb586773324336a3a743a72aa2e1ea5708786760ed47ea5b584b76c6e4523b365bba4b63cfc0d76b18671364c7f05d34aa081e6cf2e19f3cb1eb0

Download Submit
C:\windows\SysWOW64\YLEF.exe.bat

Filesize
72B

MD5
c0bd583cb1f0ba64cf1c8c581a559b2e

SHA1
46994f3c854527208ac92c2118e10d472e7b96b8

SHA256
57ef7c2b786164431c8f480beaf6440fca20040b37c0d5b86ec9a10d835e0ff3

SHA512
87d86de10760b62c666207b9fde839598a4b30670929e5d8ead6e7379382e671dd296397afa85a1d4d970db4ca2e8537f957a97a5dca9dafd055b71dcfc5f5ae

Download Submit
C:\windows\WAWH.exe.bat

Filesize
54B

MD5
7d8a0dafe6f2794a5bf6239cedd91d0b

SHA1
f72749af5229e26c9265a39bd42af0efe9c5e8ae

SHA256
52bec8dbae7265cad16096ffb24ff9a1e00311a7cd118fcd4db98e3977fb1332

SHA512
95972efb045ecd8bab9189c19b6cb0fd276588502a03678e68a9c12a7543e7075c7238adb8dd330556a381f2b3d97ee27a1178cc5666ca519b48e7dc6c804b7e

Download Submit
C:\windows\system\AJNAFZ.exe.bat

Filesize
72B

MD5
002baa612e5949109860d02e0a24759a

SHA1
ffe2cae3bb05f966b398dd0e748387b63d6e2eac

SHA256
b388e89c1e6261ace1bcc01b233d4295041b67805bcf5c184637a9e7206192c2

SHA512
0e284cea9a37d6176e9ea75a6723cdddacf58446aaddaebfed2bfd887d5806b0a605bb0bf22f6f19c4b4be63be7dccfa8fbc2f3d6bd8cc4cbb1a0e2a5098c4f0

Download Submit
C:\windows\system\SGJKPF.exe

Filesize
448KB

MD5
21326de1d0b964f9e860a12e79b21826

SHA1
2a7ed0201b8238ccf89b86efaaa9c72b919749ee

SHA256
950d92e716ce1236d8b0cba9baf6da87a7c7fd216b26bf193f8ca12f2e4d3bc0

SHA512
724d4e40ee535a99efb8d9b2699e4465d6556df713dd31b775c984eb1dcf266d6214b5b5cc045e5984ef6c6a33c39dd94e40e48802c7cb6d9ee4cc3ebf4f18e9

Download Submit
C:\windows\system\SGJKPF.exe.bat

Filesize
72B

MD5
551d52291e92010a199fd12ceaaaca7d

SHA1
719a25c8ffaed0504cb8d416f46a340bd90c3498

SHA256
7cc22a0c398410ee8101e189d7de389d72164c45c9a2933724525fa12563eaf2

SHA512
44f6e3d6342835147dd0d91f0f7f61cc7e28bbcbd1e41e9b7b93e0a1b3028bc2a331671665ea53256b31fba095b6e179cc1a8a8d1c115221f7cd4564f9a2e2d4

Download Submit
C:\windows\system\SJPQKR.exe.bat

Filesize
72B

MD5
a76763cd6d366342e5a2ae0461ed743b

SHA1
bac2ae6f82b9d036ab7c9cab679c222116ce9d30

SHA256
eb609eaa83eeea21450f9eb28d6837592551432cf78a5fa14389de20411757c1

SHA512
20bcdd45928cc4de771b2ddb16b5d889fef8f7611fab90e9af2725b10062d57bdda46cb122cacbbf99e78e42d2b74b109822128f44bb78af4ca31b16e320245f

Download Submit
C:\windows\system\YXDX.exe.bat

Filesize
68B

MD5
af9ce2f9e15a371c724a6d06636c9e4e

SHA1
62550e5c4e679b16f2bc31329b951ddc608c75a8

SHA256
17c3810561e7e74b44efa635b631bb33ba1c3efab5863b6307c71ecce703d886

SHA512
7c21fcf67edf2279bdbc7cab14f584bd8745807fe1334358c8b6f209612f8cc69f14cd6c7641a51ca02bf8ef82cc5115f412ae47ae0e41899fd276967ca57ed1

Download Submit
C:\windows\system\ZXDB.exe.bat

Filesize
68B

MD5
aeb5964c05fac3d30938ae1dd7dae1e6

SHA1
88dca3715f180afaff8d2b96d422dfcfef9240c0

SHA256
157749894204cfa5eeea03764f7c2e9676eda256c10412bfe40c789f4ce58f7c

SHA512
c8ecd64c21fd5e5b31960263077092bdfb44a0b326d2b608029eb84fab2a4927d4910ddf22877490966f0e62a996b2b0859c5ffe964fd0affbc8a5db2e9541d6

Download Submit
memory/8-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/372-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/372-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/644-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/644-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-339-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/932-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/932-366-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1144-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1144-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1220-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1220-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1236-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1236-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1388-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1388-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1512-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1512-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-457-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1652-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1840-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1928-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1928-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1952-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2088-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2088-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-189-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2356-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2356-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2392-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2496-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2496-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2532-484-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2532-502-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2620-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2620-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2940-93-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2940-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3180-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3180-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3208-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3208-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-303-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-465-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3808-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3808-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3956-438-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4188-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4188-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4280-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4280-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4336-421-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4336-403-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4404-475-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4404-492-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4508-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4508-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4524-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4524-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4540-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4556-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4556-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4676-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4676-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5096-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5096-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download