a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
Size

289KB
MD5

6b174efad313abd4df83a766dcc23985
SHA1

e8149b99798ed214d522ad2225ce47e1ea3e81b4
SHA256

a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed
SHA512

88629ff0558658c9b5b6675ac45eab33180f16b09567fecc7073dd9f86eb4e428cf17418bf9740ee68f447ef8344c283948ed8999f9830911a3b151cdc705198
SSDEEP

3072:5A0EIRXX1P2UgAFxY3m5OZjSg9Z4hNeND55N4pLthECQT68VMJLaQljVvzUpz:5AzIdFuUgAFxm7SizNkECzJLaQVbU5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	IAH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	UGGKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MAGGVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	FBQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HPVZHZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PIO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	FCIEWGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	UIGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	QISHTQU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XEWCDR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SEQDK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ONCFFTD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NKGJWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MMKOBFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	IONIVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MTYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	CTJGQR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NCKFXT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	GSKLODP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	UJVNUNO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	EFKQM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HKKAL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	OMMZYYK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PIUDL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HRWIPXB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VZDH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ZFQN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PLBE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	LHFXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	JBJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XIPPVA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	JPF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	TWPU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DNA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	YBKXS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ESPQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MBIJNU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VKTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	INUR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	FUHADP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	BTY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	GAN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	RWWK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PMT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	KPMSRU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MLLHWO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VWPAJEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DTGEK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	LFIBKMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	OYR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XUMJG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MFBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	BVPOWR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ICDR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	LRMKZCI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	TYUIT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	IGEWCQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MOT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	HRZS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	QKIS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	LXFBJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	EMQF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NVM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VGJVYV.exe

Executes dropped EXE 64 IoCs

pid	Process
212	LHM.exe
4636	AMSDXVU.exe
1976	FFGGKTD.exe
2992	SPKEPK.exe
1304	LDJKUMU.exe
4948	ZOSBJ.exe
5084	XYCR.exe
2016	SMHAUC.exe
1568	WCO.exe
4404	JFKHLER.exe
4332	ESPQ.exe
1308	MFBX.exe
4460	BVPOWR.exe
2204	CYS.exe
1940	CTJGQR.exe
376	OMMZYYK.exe
2120	WAQFAX.exe
2432	ODU.exe
4228	ETVAVIW.exe
3628	OQJV.exe
4488	PTKK.exe
1812	OEV.exe
3088	YEXFZ.exe
3484	ICDR.exe
2652	NCKFXT.exe
3884	KDMPB.exe
3468	VWPAJEF.exe
3788	ULIDW.exe
2276	JBJ.exe
4292	CENYJ.exe
2808	KKSFT.exe
3848	UIGZ.exe
624	PDKJLB.exe
3924	XIPPVA.exe
1864	PMT.exe
3008	BUZTN.exe
3596	WPECXIM.exe
2372	HHUNPJU.exe
4868	GSKLODP.exe
1068	OYXSZCL.exe
2852	DTGEK.exe
3716	MBIJNU.exe
3768	AMQACX.exe
372	GZQJGAZ.exe
3980	ONCPRY.exe
4512	IAH.exe
2544	VLQXHJ.exe
4784	NLSC.exe
3036	AWABZRC.exe
736	EEPBL.exe
4920	JEQD.exe
3296	QURDWBV.exe
1496	LFIBKMR.exe
2068	QISHTQU.exe
4048	OYR.exe
1564	FGGP.exe
1584	HEZRQQM.exe
5072	XUMJG.exe
1604	VKTL.exe
4520	XIZG.exe
3552	WSK.exe
4964	PTRHRG.exe
2828	TWPU.exe
2204	XEWCDR.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\GZQJGAZ.exe.bat	AMQACX.exe
File opened for modification	C:\windows\SysWOW64\DDDEL.exe	ONCFFTD.exe
File created	C:\windows\SysWOW64\EMQF.exe	LRMKZCI.exe
File created	C:\windows\SysWOW64\WCO.exe	SMHAUC.exe
File opened for modification	C:\windows\SysWOW64\GSKLODP.exe	HHUNPJU.exe
File created	C:\windows\SysWOW64\SVMPGO.exe	MDEBXL.exe
File opened for modification	C:\windows\SysWOW64\EMQF.exe	LRMKZCI.exe
File opened for modification	C:\windows\SysWOW64\SMTUC.exe	IONIVZ.exe
File created	C:\windows\SysWOW64\YBKXS.exe.bat	JGFDQH.exe
File opened for modification	C:\windows\SysWOW64\IMTEAGG.exe	JMMHOP.exe
File created	C:\windows\SysWOW64\NCKFXT.exe.bat	ICDR.exe
File opened for modification	C:\windows\SysWOW64\XEWCDR.exe	TWPU.exe
File created	C:\windows\SysWOW64\DDDEL.exe.bat	ONCFFTD.exe
File opened for modification	C:\windows\SysWOW64\CRY.exe	POCJSBS.exe
File created	C:\windows\SysWOW64\HPVZHZO.exe.bat	ZCQTXBS.exe
File created	C:\windows\SysWOW64\PIO.exe.bat	ASFI.exe
File created	C:\windows\SysWOW64\JXGJWKU.exe	BSUDLMZ.exe
File created	C:\windows\SysWOW64\JMMHOP.exe.bat	UGGKH.exe
File created	C:\windows\SysWOW64\ICDR.exe	YEXFZ.exe
File created	C:\windows\SysWOW64\GSKLODP.exe.bat	HHUNPJU.exe
File created	C:\windows\SysWOW64\OYXSZCL.exe.bat	GSKLODP.exe
File created	C:\windows\SysWOW64\IKAXFN.exe.bat	BUZ.exe
File opened for modification	C:\windows\SysWOW64\JGFDQH.exe	YTGFLGD.exe
File created	C:\windows\SysWOW64\JBJ.exe	ULIDW.exe
File opened for modification	C:\windows\SysWOW64\GZQJGAZ.exe	AMQACX.exe
File opened for modification	C:\windows\SysWOW64\IPM.exe	EZFMVX.exe
File created	C:\windows\SysWOW64\XEWCDR.exe	TWPU.exe
File created	C:\windows\SysWOW64\EGLTV.exe.bat	CIFGO.exe
File opened for modification	C:\windows\SysWOW64\IKAXFN.exe	BUZ.exe
File created	C:\windows\SysWOW64\UFNB.exe.bat	NVM.exe
File created	C:\windows\SysWOW64\BBIFG.exe	CRY.exe
File created	C:\windows\SysWOW64\IONIVZ.exe.bat	PLBE.exe
File opened for modification	C:\windows\SysWOW64\MTYM.exe	TYUIT.exe
File opened for modification	C:\windows\SysWOW64\LDJKUMU.exe	SPKEPK.exe
File created	C:\windows\SysWOW64\ZOSBJ.exe	LDJKUMU.exe
File created	C:\windows\SysWOW64\BVPOWR.exe.bat	MFBX.exe
File created	C:\windows\SysWOW64\IPM.exe	EZFMVX.exe
File created	C:\windows\SysWOW64\IPM.exe.bat	EZFMVX.exe
File created	C:\windows\SysWOW64\XDTE.exe.bat	EKLT.exe
File created	C:\windows\SysWOW64\PTKK.exe	OQJV.exe
File created	C:\windows\SysWOW64\ICDR.exe.bat	YEXFZ.exe
File created	C:\windows\SysWOW64\JEQD.exe.bat	EEPBL.exe
File opened for modification	C:\windows\SysWOW64\AFNS.exe	KPMSRU.exe
File created	C:\windows\SysWOW64\INUR.exe	YPOFGIT.exe
File opened for modification	C:\windows\SysWOW64\MDEBXL.exe	MPMMW.exe
File opened for modification	C:\windows\SysWOW64\UTZJVW.exe	SVMPGO.exe
File created	C:\windows\SysWOW64\UFNB.exe	NVM.exe
File opened for modification	C:\windows\SysWOW64\BVPOWR.exe	MFBX.exe
File created	C:\windows\SysWOW64\OQJV.exe	ETVAVIW.exe
File opened for modification	C:\windows\SysWOW64\JBJ.exe	ULIDW.exe
File created	C:\windows\SysWOW64\AFNS.exe	KPMSRU.exe
File created	C:\windows\SysWOW64\MDEBXL.exe	MPMMW.exe
File created	C:\windows\SysWOW64\AKGCB.exe.bat	RWWK.exe
File created	C:\windows\SysWOW64\ASFI.exe	VNVTKR.exe
File created	C:\windows\SysWOW64\IMTEAGG.exe.bat	JMMHOP.exe
File created	C:\windows\SysWOW64\SDLTUR.exe	SYLFSM.exe
File created	C:\windows\SysWOW64\XEWCDR.exe.bat	TWPU.exe
File created	C:\windows\SysWOW64\UTZJVW.exe.bat	SVMPGO.exe
File created	C:\windows\SysWOW64\SMTUC.exe	IONIVZ.exe
File created	C:\windows\SysWOW64\SMTUC.exe.bat	IONIVZ.exe
File created	C:\windows\SysWOW64\HIGOF.exe.bat	PNAV.exe
File created	C:\windows\SysWOW64\CKUGGUO.exe.bat	IMTEAGG.exe
File created	C:\windows\SysWOW64\MZE.exe	KLZZGII.exe
File created	C:\windows\SysWOW64\GZQJGAZ.exe	AMQACX.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\HDWTC.exe	BDO.exe
File opened for modification	C:\windows\ODU.exe	WAQFAX.exe
File created	C:\windows\system\QURDWBV.exe	JEQD.exe
File opened for modification	C:\windows\system\SJKELD.exe	MOT.exe
File created	C:\windows\SKRMYK.exe	OCLE.exe
File opened for modification	C:\windows\system\ZFQN.exe	ZCARQF.exe
File created	C:\windows\RFJ.exe.bat	PHVYWY.exe
File created	C:\windows\ULIDW.exe.bat	VWPAJEF.exe
File opened for modification	C:\windows\system\DTGEK.exe	OYXSZCL.exe
File created	C:\windows\EEPBL.exe.bat	AWABZRC.exe
File created	C:\windows\system\CIFGO.exe.bat	SKRMYK.exe
File opened for modification	C:\windows\system\OLK.exe	LXFBJU.exe
File created	C:\windows\system\EJV.exe	POMPU.exe
File opened for modification	C:\windows\XYCR.exe	ZOSBJ.exe
File created	C:\windows\ABDSVX.exe.bat	FYVCHN.exe
File opened for modification	C:\windows\system\CYS.exe	BVPOWR.exe
File opened for modification	C:\windows\HHUNPJU.exe	WPECXIM.exe
File created	C:\windows\system\ZCQTXBS.exe.bat	BBIFG.exe
File opened for modification	C:\windows\GAN.exe	ZFQN.exe
File created	C:\windows\system\VGJVYV.exe.bat	NAFPVWQ.exe
File created	C:\windows\system\PHVYWY.exe.bat	UJVNUNO.exe
File created	C:\windows\system\LRMKZCI.exe	BTY.exe
File created	C:\windows\PLBE.exe	NXFVFJL.exe
File created	C:\windows\system\RWWK.exe.bat	SMTUC.exe
File opened for modification	C:\windows\system\FCIEWGY.exe	MZE.exe
File opened for modification	C:\windows\system\CTJGQR.exe	CYS.exe
File created	C:\windows\system\AIRNDF.exe.bat	AFNS.exe
File created	C:\windows\FMUCWDU.exe	UTZJVW.exe
File created	C:\windows\VZDH.exe	JRXZFHW.exe
File created	C:\windows\JYXB.exe.bat	ZAJHL.exe
File created	C:\windows\AMQACX.exe.bat	MBIJNU.exe
File opened for modification	C:\windows\VKTL.exe	XUMJG.exe
File created	C:\windows\system\QKIS.exe	ZCTU.exe
File created	C:\windows\system\FKSOUKQ.exe	HKKAL.exe
File opened for modification	C:\windows\VAVMVJI.exe	SEQDK.exe
File created	C:\windows\system\CTJGQR.exe.bat	CYS.exe
File opened for modification	C:\windows\system\VNVTKR.exe	QKRVFAK.exe
File created	C:\windows\ABDSVX.exe	FYVCHN.exe
File opened for modification	C:\windows\system\BSUDLMZ.exe	CZR.exe
File created	C:\windows\system\TWPU.exe.bat	PTRHRG.exe
File opened for modification	C:\windows\system\LXFBJU.exe	QKIS.exe
File created	C:\windows\system\RZGFZ.exe	PBSLK.exe
File created	C:\windows\system\BDO.exe.bat	RFJ.exe
File created	C:\windows\system\LHFXM.exe.bat	WREGGYU.exe
File created	C:\windows\FYVCHN.exe.bat	HDWTC.exe
File created	C:\windows\system\DTGEK.exe.bat	OYXSZCL.exe
File created	C:\windows\PTRHRG.exe.bat	WSK.exe
File created	C:\windows\system\QKIS.exe.bat	ZCTU.exe
File created	C:\windows\system\USHF.exe	IKAXFN.exe
File opened for modification	C:\windows\system\RWWK.exe	SMTUC.exe
File created	C:\windows\system\GXF.exe.bat	AKGCB.exe
File created	C:\windows\VAVMVJI.exe.bat	SEQDK.exe
File created	C:\windows\KDMPB.exe.bat	NCKFXT.exe
File created	C:\windows\VLQXHJ.exe	IAH.exe
File created	C:\windows\system\AHFMJO.exe.bat	PPCUB.exe
File created	C:\windows\ZWTG.exe.bat	MLLHWO.exe
File created	C:\windows\LHM.exe	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
File created	C:\windows\GAN.exe	ZFQN.exe
File opened for modification	C:\windows\system\FKSOUKQ.exe	HKKAL.exe
File created	C:\windows\SYLFSM.exe	CKUGGUO.exe
File created	C:\windows\VAVMVJI.exe	SEQDK.exe
File opened for modification	C:\windows\VWPAJEF.exe	KDMPB.exe
File opened for modification	C:\windows\ZWTG.exe	MLLHWO.exe
File opened for modification	C:\windows\VZDH.exe	JRXZFHW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2792	4576	WerFault.exe	80
4216	212	WerFault.exe	84
2040	4636	WerFault.exe	91
3804	1976	WerFault.exe	96
1940	2992	WerFault.exe	101
3656	1304	WerFault.exe	106
4940	4948	WerFault.exe	111
2432	5084	WerFault.exe	116
2276	2016	WerFault.exe	121
4472	1568	WerFault.exe	126
3772	4404	WerFault.exe	131
1244	4332	WerFault.exe	136
3716	1308	WerFault.exe	141
1928	4460	WerFault.exe	146
4140	2204	WerFault.exe	151
4768	1940	WerFault.exe	156
2564	376	WerFault.exe	161
2220	2120	WerFault.exe	166
4516	2432	WerFault.exe	171
1300	4228	WerFault.exe	176
4376	3628	WerFault.exe	181
4400	4488	WerFault.exe	186
3828	1812	WerFault.exe	191
1416	3088	WerFault.exe	196
3324	3484	WerFault.exe	201
3684	2652	WerFault.exe	206
2796	3884	WerFault.exe	211
3576	3468	WerFault.exe	216
4992	3788	WerFault.exe	221
1312	2276	WerFault.exe	226
3772	4292	WerFault.exe	231
1568	2808	WerFault.exe	236
2444	3848	WerFault.exe	241
3108	624	WerFault.exe	246
2296	3924	WerFault.exe	251
3964	1864	WerFault.exe	256
3396	3008	WerFault.exe	261
2392	3596	WerFault.exe	267
3316	2372	WerFault.exe	273
748	4868	WerFault.exe	278
2892	1068	WerFault.exe	283
4792	2852	WerFault.exe	288
3952	3716	WerFault.exe	293
4440	3768	WerFault.exe	298
1760	372	WerFault.exe	303
1308	3980	WerFault.exe	308
3964	4512	WerFault.exe	313
1692	2544	WerFault.exe	318
4516	4784	WerFault.exe	323
2372	3036	WerFault.exe	328
1476	736	WerFault.exe	333
2116	4920	WerFault.exe	338
4176	3296	WerFault.exe	343
1856	1496	WerFault.exe	348
1880	2068	WerFault.exe	353
3104	4048	WerFault.exe	358
2220	1564	WerFault.exe	365
3128	1584	WerFault.exe	371
656	5072	WerFault.exe	376
1872	1604	WerFault.exe	381
4692	4520	WerFault.exe	386
2264	3552	WerFault.exe	392
2236	4964	WerFault.exe	397
3324	2828	WerFault.exe	402

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
212	LHM.exe
212	LHM.exe
4636	AMSDXVU.exe
4636	AMSDXVU.exe
1976	FFGGKTD.exe
1976	FFGGKTD.exe
2992	SPKEPK.exe
2992	SPKEPK.exe
1304	LDJKUMU.exe
1304	LDJKUMU.exe
4948	ZOSBJ.exe
4948	ZOSBJ.exe
5084	XYCR.exe
5084	XYCR.exe
2016	SMHAUC.exe
2016	SMHAUC.exe
1568	WCO.exe
1568	WCO.exe
4404	JFKHLER.exe
4404	JFKHLER.exe
4332	ESPQ.exe
4332	ESPQ.exe
1308	MFBX.exe
1308	MFBX.exe
4460	BVPOWR.exe
4460	BVPOWR.exe
2204	CYS.exe
2204	CYS.exe
1940	CTJGQR.exe
1940	CTJGQR.exe
376	OMMZYYK.exe
376	OMMZYYK.exe
2120	WAQFAX.exe
2120	WAQFAX.exe
2432	ODU.exe
2432	ODU.exe
4228	ETVAVIW.exe
4228	ETVAVIW.exe
3628	OQJV.exe
3628	OQJV.exe
4488	PTKK.exe
4488	PTKK.exe
1812	OEV.exe
1812	OEV.exe
3088	YEXFZ.exe
3088	YEXFZ.exe
3484	ICDR.exe
3484	ICDR.exe
2652	NCKFXT.exe
2652	NCKFXT.exe
3884	KDMPB.exe
3884	KDMPB.exe
3468	VWPAJEF.exe
3468	VWPAJEF.exe
3788	ULIDW.exe
3788	ULIDW.exe
2276	JBJ.exe
2276	JBJ.exe
4292	CENYJ.exe
4292	CENYJ.exe
2808	KKSFT.exe
2808	KKSFT.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
212	LHM.exe
212	LHM.exe
4636	AMSDXVU.exe
4636	AMSDXVU.exe
1976	FFGGKTD.exe
1976	FFGGKTD.exe
2992	SPKEPK.exe
2992	SPKEPK.exe
1304	LDJKUMU.exe
1304	LDJKUMU.exe
4948	ZOSBJ.exe
4948	ZOSBJ.exe
5084	XYCR.exe
5084	XYCR.exe
2016	SMHAUC.exe
2016	SMHAUC.exe
1568	WCO.exe
1568	WCO.exe
4404	JFKHLER.exe
4404	JFKHLER.exe
4332	ESPQ.exe
4332	ESPQ.exe
1308	MFBX.exe
1308	MFBX.exe
4460	BVPOWR.exe
4460	BVPOWR.exe
2204	CYS.exe
2204	CYS.exe
1940	CTJGQR.exe
1940	CTJGQR.exe
376	OMMZYYK.exe
376	OMMZYYK.exe
2120	WAQFAX.exe
2120	WAQFAX.exe
2432	ODU.exe
2432	ODU.exe
4228	ETVAVIW.exe
4228	ETVAVIW.exe
3628	OQJV.exe
3628	OQJV.exe
4488	PTKK.exe
4488	PTKK.exe
1812	OEV.exe
1812	OEV.exe
3088	YEXFZ.exe
3088	YEXFZ.exe
3484	ICDR.exe
3484	ICDR.exe
2652	NCKFXT.exe
2652	NCKFXT.exe
3884	KDMPB.exe
3884	KDMPB.exe
3468	VWPAJEF.exe
3468	VWPAJEF.exe
3788	ULIDW.exe
3788	ULIDW.exe
2276	JBJ.exe
2276	JBJ.exe
4292	CENYJ.exe
4292	CENYJ.exe
2808	KKSFT.exe
2808	KKSFT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4760	4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe	81
PID 4576 wrote to memory of 4760	4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe	81
PID 4576 wrote to memory of 4760	4576	a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe	81
PID 4760 wrote to memory of 212	4760	cmd.exe	84
PID 4760 wrote to memory of 212	4760	cmd.exe	84
PID 4760 wrote to memory of 212	4760	cmd.exe	84
PID 212 wrote to memory of 1328	212	LHM.exe	87
PID 212 wrote to memory of 1328	212	LHM.exe	87
PID 212 wrote to memory of 1328	212	LHM.exe	87
PID 1328 wrote to memory of 4636	1328	cmd.exe	91
PID 1328 wrote to memory of 4636	1328	cmd.exe	91
PID 1328 wrote to memory of 4636	1328	cmd.exe	91
PID 4636 wrote to memory of 1864	4636	AMSDXVU.exe	92
PID 4636 wrote to memory of 1864	4636	AMSDXVU.exe	92
PID 4636 wrote to memory of 1864	4636	AMSDXVU.exe	92
PID 1864 wrote to memory of 1976	1864	cmd.exe	96
PID 1864 wrote to memory of 1976	1864	cmd.exe	96
PID 1864 wrote to memory of 1976	1864	cmd.exe	96
PID 1976 wrote to memory of 2244	1976	FFGGKTD.exe	97
PID 1976 wrote to memory of 2244	1976	FFGGKTD.exe	97
PID 1976 wrote to memory of 2244	1976	FFGGKTD.exe	97
PID 2244 wrote to memory of 2992	2244	cmd.exe	101
PID 2244 wrote to memory of 2992	2244	cmd.exe	101
PID 2244 wrote to memory of 2992	2244	cmd.exe	101
PID 2992 wrote to memory of 3088	2992	SPKEPK.exe	102
PID 2992 wrote to memory of 3088	2992	SPKEPK.exe	102
PID 2992 wrote to memory of 3088	2992	SPKEPK.exe	102
PID 3088 wrote to memory of 1304	3088	cmd.exe	106
PID 3088 wrote to memory of 1304	3088	cmd.exe	106
PID 3088 wrote to memory of 1304	3088	cmd.exe	106
PID 1304 wrote to memory of 920	1304	LDJKUMU.exe	107
PID 1304 wrote to memory of 920	1304	LDJKUMU.exe	107
PID 1304 wrote to memory of 920	1304	LDJKUMU.exe	107
PID 920 wrote to memory of 4948	920	cmd.exe	111
PID 920 wrote to memory of 4948	920	cmd.exe	111
PID 920 wrote to memory of 4948	920	cmd.exe	111
PID 4948 wrote to memory of 992	4948	ZOSBJ.exe	112
PID 4948 wrote to memory of 992	4948	ZOSBJ.exe	112
PID 4948 wrote to memory of 992	4948	ZOSBJ.exe	112
PID 992 wrote to memory of 5084	992	cmd.exe	116
PID 992 wrote to memory of 5084	992	cmd.exe	116
PID 992 wrote to memory of 5084	992	cmd.exe	116
PID 5084 wrote to memory of 1688	5084	XYCR.exe	117
PID 5084 wrote to memory of 1688	5084	XYCR.exe	117
PID 5084 wrote to memory of 1688	5084	XYCR.exe	117
PID 1688 wrote to memory of 2016	1688	cmd.exe	121
PID 1688 wrote to memory of 2016	1688	cmd.exe	121
PID 1688 wrote to memory of 2016	1688	cmd.exe	121
PID 2016 wrote to memory of 4544	2016	SMHAUC.exe	122
PID 2016 wrote to memory of 4544	2016	SMHAUC.exe	122
PID 2016 wrote to memory of 4544	2016	SMHAUC.exe	122
PID 4544 wrote to memory of 1568	4544	cmd.exe	126
PID 4544 wrote to memory of 1568	4544	cmd.exe	126
PID 4544 wrote to memory of 1568	4544	cmd.exe	126
PID 1568 wrote to memory of 2752	1568	WCO.exe	127
PID 1568 wrote to memory of 2752	1568	WCO.exe	127
PID 1568 wrote to memory of 2752	1568	WCO.exe	127
PID 2752 wrote to memory of 4404	2752	cmd.exe	131
PID 2752 wrote to memory of 4404	2752	cmd.exe	131
PID 2752 wrote to memory of 4404	2752	cmd.exe	131
PID 4404 wrote to memory of 4760	4404	JFKHLER.exe	132
PID 4404 wrote to memory of 4760	4404	JFKHLER.exe	132
PID 4404 wrote to memory of 4760	4404	JFKHLER.exe	132
PID 4760 wrote to memory of 4332	4760	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe
"C:\Users\Admin\AppData\Local\Temp\a3451057977e34cb4163bc3a5ff2a24bfaeb21e06113e9952ebfe76e3ec3a6ed.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\LHM.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\windows\LHM.exe
    C:\windows\LHM.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\AMSDXVU.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\windows\AMSDXVU.exe
        
        C:\windows\AMSDXVU.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FFGGKTD.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\windows\FFGGKTD.exe
        
        C:\windows\FFGGKTD.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SPKEPK.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\windows\SPKEPK.exe
        
        C:\windows\SPKEPK.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDJKUMU.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\windows\SysWOW64\LDJKUMU.exe
        
        C:\windows\system32\LDJKUMU.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZOSBJ.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\windows\SysWOW64\ZOSBJ.exe
        
        C:\windows\system32\ZOSBJ.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XYCR.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\windows\XYCR.exe
        
        C:\windows\XYCR.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMHAUC.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\windows\system\SMHAUC.exe
        
        C:\windows\system\SMHAUC.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WCO.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\windows\SysWOW64\WCO.exe
        
        C:\windows\system32\WCO.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFKHLER.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\windows\SysWOW64\JFKHLER.exe
        
        C:\windows\system32\JFKHLER.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ESPQ.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\windows\ESPQ.exe
        
        C:\windows\ESPQ.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MFBX.exe.bat" "
        24⤵
        
        PID:3372
        
        C:\windows\MFBX.exe
        
        C:\windows\MFBX.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVPOWR.exe.bat" "
        26⤵
        
        PID:2068
        
        C:\windows\SysWOW64\BVPOWR.exe
        
        C:\windows\system32\BVPOWR.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYS.exe.bat" "
        28⤵
        
        PID:856
        
        C:\windows\system\CYS.exe
        
        C:\windows\system\CYS.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTJGQR.exe.bat" "
        30⤵
        
        PID:5080
        
        C:\windows\system\CTJGQR.exe
        
        C:\windows\system\CTJGQR.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OMMZYYK.exe.bat" "
        32⤵
        
        PID:4728
        
        C:\windows\OMMZYYK.exe
        
        C:\windows\OMMZYYK.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAQFAX.exe.bat" "
        34⤵
        
        PID:4384
        
        C:\windows\system\WAQFAX.exe
        
        C:\windows\system\WAQFAX.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ODU.exe.bat" "
        36⤵
        
        PID:4948
        
        C:\windows\ODU.exe
        
        C:\windows\ODU.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ETVAVIW.exe.bat" "
        38⤵
        
        PID:1604
        
        C:\windows\SysWOW64\ETVAVIW.exe
        
        C:\windows\system32\ETVAVIW.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQJV.exe.bat" "
        40⤵
        
        PID:2016
        
        C:\windows\SysWOW64\OQJV.exe
        
        C:\windows\system32\OQJV.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PTKK.exe.bat" "
        42⤵
        
        PID:1740
        
        C:\windows\SysWOW64\PTKK.exe
        
        C:\windows\system32\PTKK.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEV.exe.bat" "
        44⤵
        
        PID:3620
        
        C:\windows\system\OEV.exe
        
        C:\windows\system\OEV.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YEXFZ.exe.bat" "
        46⤵
        
        PID:2664
        
        C:\windows\YEXFZ.exe
        
        C:\windows\YEXFZ.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICDR.exe.bat" "
        48⤵
        
        PID:4480
        
        C:\windows\SysWOW64\ICDR.exe
        
        C:\windows\system32\ICDR.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKFXT.exe.bat" "
        50⤵
        
        PID:5080
        
        C:\windows\SysWOW64\NCKFXT.exe
        
        C:\windows\system32\NCKFXT.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KDMPB.exe.bat" "
        52⤵
        
        PID:1816
        
        C:\windows\KDMPB.exe
        
        C:\windows\KDMPB.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VWPAJEF.exe.bat" "
        54⤵
        
        PID:1688
        
        C:\windows\VWPAJEF.exe
        
        C:\windows\VWPAJEF.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ULIDW.exe.bat" "
        56⤵
        
        PID:3104
        
        C:\windows\ULIDW.exe
        
        C:\windows\ULIDW.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBJ.exe.bat" "
        58⤵
        
        PID:2120
        
        C:\windows\SysWOW64\JBJ.exe
        
        C:\windows\system32\JBJ.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CENYJ.exe.bat" "
        60⤵
        
        PID:656
        
        C:\windows\SysWOW64\CENYJ.exe
        
        C:\windows\system32\CENYJ.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KKSFT.exe.bat" "
        62⤵
        
        PID:5072
        
        C:\windows\system\KKSFT.exe
        
        C:\windows\system\KKSFT.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UIGZ.exe.bat" "
        64⤵
        
        PID:4672
        
        C:\windows\UIGZ.exe
        
        C:\windows\UIGZ.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PDKJLB.exe.bat" "
        66⤵
        
        PID:3888
        
        C:\windows\PDKJLB.exe
        
        C:\windows\PDKJLB.exe
        67⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIPPVA.exe.bat" "
        68⤵
        
        PID:4440
        
        C:\windows\system\XIPPVA.exe
        
        C:\windows\system\XIPPVA.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PMT.exe.bat" "
        70⤵
        
        PID:2784
        
        C:\windows\PMT.exe
        
        C:\windows\PMT.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BUZTN.exe.bat" "
        72⤵
        
        PID:3012
        
        C:\windows\BUZTN.exe
        
        C:\windows\BUZTN.exe
        73⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WPECXIM.exe.bat" "
        74⤵
        
        PID:1948
        
        C:\windows\SysWOW64\WPECXIM.exe
        
        C:\windows\system32\WPECXIM.exe
        75⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHUNPJU.exe.bat" "
        76⤵
        
        PID:4940
        
        C:\windows\HHUNPJU.exe
        
        C:\windows\HHUNPJU.exe
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GSKLODP.exe.bat" "
        78⤵
        
        PID:2748
        
        C:\windows\SysWOW64\GSKLODP.exe
        
        C:\windows\system32\GSKLODP.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYXSZCL.exe.bat" "
        80⤵
        
        PID:4160
        
        C:\windows\SysWOW64\OYXSZCL.exe
        
        C:\windows\system32\OYXSZCL.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DTGEK.exe.bat" "
        82⤵
        
        PID:316
        
        C:\windows\system\DTGEK.exe
        
        C:\windows\system\DTGEK.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBIJNU.exe.bat" "
        84⤵
        
        PID:5040
        
        C:\windows\SysWOW64\MBIJNU.exe
        
        C:\windows\system32\MBIJNU.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AMQACX.exe.bat" "
        86⤵
        
        PID:4772
        
        C:\windows\AMQACX.exe
        
        C:\windows\AMQACX.exe
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZQJGAZ.exe.bat" "
        88⤵
        
        PID:2320
        
        C:\windows\SysWOW64\GZQJGAZ.exe
        
        C:\windows\system32\GZQJGAZ.exe
        89⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONCPRY.exe.bat" "
        90⤵
        
        PID:4204
        
        C:\windows\system\ONCPRY.exe
        
        C:\windows\system\ONCPRY.exe
        91⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAH.exe.bat" "
        92⤵
        
        PID:952
        
        C:\windows\SysWOW64\IAH.exe
        
        C:\windows\system32\IAH.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VLQXHJ.exe.bat" "
        94⤵
        
        PID:1688
        
        C:\windows\VLQXHJ.exe
        
        C:\windows\VLQXHJ.exe
        95⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NLSC.exe.bat" "
        96⤵
        
        PID:5056
        
        C:\windows\system\NLSC.exe
        
        C:\windows\system\NLSC.exe
        97⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWABZRC.exe.bat" "
        98⤵
        
        PID:5052
        
        C:\windows\SysWOW64\AWABZRC.exe
        
        C:\windows\system32\AWABZRC.exe
        99⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EEPBL.exe.bat" "
        100⤵
        
        PID:4896
        
        C:\windows\EEPBL.exe
        
        C:\windows\EEPBL.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEQD.exe.bat" "
        102⤵
        
        PID:1312
        
        C:\windows\SysWOW64\JEQD.exe
        
        C:\windows\system32\JEQD.exe
        103⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QURDWBV.exe.bat" "
        104⤵
        
        PID:1740
        
        C:\windows\system\QURDWBV.exe
        
        C:\windows\system\QURDWBV.exe
        105⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LFIBKMR.exe.bat" "
        106⤵
        
        PID:2788
        
        C:\windows\LFIBKMR.exe
        
        C:\windows\LFIBKMR.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QISHTQU.exe.bat" "
        108⤵
        
        PID:2760
        
        C:\windows\SysWOW64\QISHTQU.exe
        
        C:\windows\system32\QISHTQU.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OYR.exe.bat" "
        110⤵
        
        PID:5076
        
        C:\windows\OYR.exe
        
        C:\windows\OYR.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGGP.exe.bat" "
        112⤵
        
        PID:1876
        
        C:\windows\SysWOW64\FGGP.exe
        
        C:\windows\system32\FGGP.exe
        113⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HEZRQQM.exe.bat" "
        114⤵
        
        PID:1304
        
        C:\windows\HEZRQQM.exe
        
        C:\windows\HEZRQQM.exe
        115⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XUMJG.exe.bat" "
        116⤵
        
        PID:1988
        
        C:\windows\system\XUMJG.exe
        
        C:\windows\system\XUMJG.exe
        117⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VKTL.exe.bat" "
        118⤵
        
        PID:4924
        
        C:\windows\VKTL.exe
        
        C:\windows\VKTL.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIZG.exe.bat" "
        120⤵
        
        PID:2836
        
        C:\windows\system\XIZG.exe
        
        C:\windows\system\XIZG.exe
        121⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSK.exe.bat" "
        122⤵
        
        PID:3764
        
        C:\windows\system\WSK.exe
        
        C:\windows\system\WSK.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTRHRG.exe.bat" "
        124⤵
        
        PID:4612
        
        C:\windows\PTRHRG.exe
        
        C:\windows\PTRHRG.exe
        125⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWPU.exe.bat" "
        126⤵
        
        PID:1928
        
        C:\windows\system\TWPU.exe
        
        C:\windows\system\TWPU.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XEWCDR.exe.bat" "
        128⤵
        
        PID:1364
        
        C:\windows\SysWOW64\XEWCDR.exe
        
        C:\windows\system32\XEWCDR.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KPMSRU.exe.bat" "
        130⤵
        
        PID:1948
        
        C:\windows\KPMSRU.exe
        
        C:\windows\KPMSRU.exe
        131⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFNS.exe.bat" "
        132⤵
        
        PID:2640
        
        C:\windows\SysWOW64\AFNS.exe
        
        C:\windows\system32\AFNS.exe
        133⤵
        Drops file in Windows directory
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AIRNDF.exe.bat" "
        134⤵
        
        PID:4524
        
        C:\windows\system\AIRNDF.exe
        
        C:\windows\system\AIRNDF.exe
        135⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MAGGVG.exe.bat" "
        136⤵
        
        PID:2912
        
        C:\windows\system\MAGGVG.exe
        
        C:\windows\system\MAGGVG.exe
        137⤵
        Checks computer location settings
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IGEWCQ.exe.bat" "
        138⤵
        
        PID:3772
        
        C:\windows\system\IGEWCQ.exe
        
        C:\windows\system\IGEWCQ.exe
        139⤵
        Checks computer location settings
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOT.exe.bat" "
        140⤵
        
        PID:1332
        
        C:\windows\SysWOW64\MOT.exe
        
        C:\windows\system32\MOT.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SJKELD.exe.bat" "
        142⤵
        
        PID:2324
        
        C:\windows\system\SJKELD.exe
        
        C:\windows\system\SJKELD.exe
        143⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PPCUB.exe.bat" "
        144⤵
        
        PID:4532
        
        C:\windows\SysWOW64\PPCUB.exe
        
        C:\windows\system32\PPCUB.exe
        145⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHFMJO.exe.bat" "
        146⤵
        
        PID:2068
        
        C:\windows\system\AHFMJO.exe
        
        C:\windows\system\AHFMJO.exe
        147⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MPMMW.exe.bat" "
        148⤵
        
        PID:4876
        
        C:\windows\MPMMW.exe
        
        C:\windows\MPMMW.exe
        149⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDEBXL.exe.bat" "
        150⤵
        
        PID:2488
        
        C:\windows\SysWOW64\MDEBXL.exe
        
        C:\windows\system32\MDEBXL.exe
        151⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVMPGO.exe.bat" "
        152⤵
        
        PID:2208
        
        C:\windows\SysWOW64\SVMPGO.exe
        
        C:\windows\system32\SVMPGO.exe
        153⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTZJVW.exe.bat" "
        154⤵
        
        PID:4084
        
        C:\windows\SysWOW64\UTZJVW.exe
        
        C:\windows\system32\UTZJVW.exe
        155⤵
        Drops file in Windows directory
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMUCWDU.exe.bat" "
        156⤵
        
        PID:1104
        
        C:\windows\FMUCWDU.exe
        
        C:\windows\FMUCWDU.exe
        157⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NZHIGCP.exe.bat" "
        158⤵
        
        PID:2216
        
        C:\windows\system\NZHIGCP.exe
        
        C:\windows\system\NZHIGCP.exe
        159⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OCLE.exe.bat" "
        160⤵
        
        PID:3764
        
        C:\windows\system\OCLE.exe
        
        C:\windows\system\OCLE.exe
        161⤵
        Drops file in Windows directory
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SKRMYK.exe.bat" "
        162⤵
        
        PID:744
        
        C:\windows\SKRMYK.exe
        
        C:\windows\SKRMYK.exe
        163⤵
        Drops file in Windows directory
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CIFGO.exe.bat" "
        164⤵
        
        PID:2656
        
        C:\windows\system\CIFGO.exe
        
        C:\windows\system\CIFGO.exe
        165⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGLTV.exe.bat" "
        166⤵
        
        PID:4876
        
        C:\windows\SysWOW64\EGLTV.exe
        
        C:\windows\system32\EGLTV.exe
        167⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MLLHWO.exe.bat" "
        168⤵
        
        PID:3828
        
        C:\windows\MLLHWO.exe
        
        C:\windows\MLLHWO.exe
        169⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZWTG.exe.bat" "
        170⤵
        
        PID:4004
        
        C:\windows\ZWTG.exe
        
        C:\windows\ZWTG.exe
        171⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCTU.exe.bat" "
        172⤵
        
        PID:3856
        
        C:\windows\system\ZCTU.exe
        
        C:\windows\system\ZCTU.exe
        173⤵
        Drops file in Windows directory
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QKIS.exe.bat" "
        174⤵
        
        PID:4796
        
        C:\windows\system\QKIS.exe
        
        C:\windows\system\QKIS.exe
        175⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "
        176⤵
        
        PID:2116
        
        C:\windows\system\LXFBJU.exe
        
        C:\windows\system\LXFBJU.exe
        177⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLK.exe.bat" "
        178⤵
        
        PID:1496
        
        C:\windows\system\OLK.exe
        
        C:\windows\system\OLK.exe
        179⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IGOCD.exe.bat" "
        180⤵
        
        PID:1040
        
        C:\windows\system\IGOCD.exe
        
        C:\windows\system\IGOCD.exe
        181⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HRZS.exe.bat" "
        182⤵
        
        PID:920
        
        C:\windows\HRZS.exe
        
        C:\windows\HRZS.exe
        183⤵
        Checks computer location settings
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPF.exe.bat" "
        184⤵
        
        PID:4384
        
        C:\windows\system\JPF.exe
        
        C:\windows\system\JPF.exe
        185⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKORFD.exe.bat" "
        186⤵
        
        PID:4444
        
        C:\windows\SysWOW64\YKORFD.exe
        
        C:\windows\system32\YKORFD.exe
        187⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YPOFGIT.exe.bat" "
        188⤵
        
        PID:1564
        
        C:\windows\system\YPOFGIT.exe
        
        C:\windows\system\YPOFGIT.exe
        189⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUR.exe.bat" "
        190⤵
        
        PID:4508
        
        C:\windows\SysWOW64\INUR.exe
        
        C:\windows\system32\INUR.exe
        191⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONCFFTD.exe.bat" "
        192⤵
        
        PID:1208
        
        C:\windows\ONCFFTD.exe
        
        C:\windows\ONCFFTD.exe
        193⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDDEL.exe.bat" "
        194⤵
        
        PID:4792
        
        C:\windows\SysWOW64\DDDEL.exe
        
        C:\windows\system32\DDDEL.exe
        195⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FBQ.exe.bat" "
        196⤵
        
        PID:5072
        
        C:\windows\FBQ.exe
        
        C:\windows\FBQ.exe
        197⤵
        Checks computer location settings
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRXZFHW.exe.bat" "
        198⤵
        
        PID:3044
        
        C:\windows\system\JRXZFHW.exe
        
        C:\windows\system\JRXZFHW.exe
        199⤵
        Drops file in Windows directory
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VZDH.exe.bat" "
        200⤵
        
        PID:4228
        
        C:\windows\VZDH.exe
        
        C:\windows\VZDH.exe
        201⤵
        Checks computer location settings
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EZFMVX.exe.bat" "
        202⤵
        
        PID:4432
        
        C:\windows\system\EZFMVX.exe
        
        C:\windows\system\EZFMVX.exe
        203⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPM.exe.bat" "
        204⤵
        
        PID:1644
        
        C:\windows\SysWOW64\IPM.exe
        
        C:\windows\system32\IPM.exe
        205⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UIPF.exe.bat" "
        206⤵
        
        PID:2088
        
        C:\windows\UIPF.exe
        
        C:\windows\UIPF.exe
        207⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\POCJSBS.exe.bat" "
        208⤵
        
        PID:4472
        
        C:\windows\POCJSBS.exe
        
        C:\windows\POCJSBS.exe
        209⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRY.exe.bat" "
        210⤵
        
        PID:4524
        
        C:\windows\SysWOW64\CRY.exe
        
        C:\windows\system32\CRY.exe
        211⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BBIFG.exe.bat" "
        212⤵
        
        PID:4556
        
        C:\windows\SysWOW64\BBIFG.exe
        
        C:\windows\system32\BBIFG.exe
        213⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCQTXBS.exe.bat" "
        214⤵
        
        PID:3372
        
        C:\windows\system\ZCQTXBS.exe
        
        C:\windows\system\ZCQTXBS.exe
        215⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPVZHZO.exe.bat" "
        216⤵
        
        PID:3044
        
        C:\windows\SysWOW64\HPVZHZO.exe
        
        C:\windows\system32\HPVZHZO.exe
        217⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNA.exe.bat" "
        218⤵
        
        PID:3296
        
        C:\windows\SysWOW64\DNA.exe
        
        C:\windows\system32\DNA.exe
        219⤵
        Checks computer location settings
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NKGJWS.exe.bat" "
        220⤵
        
        PID:2828
        
        C:\windows\system\NKGJWS.exe
        
        C:\windows\system\NKGJWS.exe
        221⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PIUDL.exe.bat" "
        222⤵
        
        PID:5112
        
        C:\windows\PIUDL.exe
        
        C:\windows\PIUDL.exe
        223⤵
        Checks computer location settings
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HRWIPXB.exe.bat" "
        224⤵
        
        PID:860
        
        C:\windows\HRWIPXB.exe
        
        C:\windows\HRWIPXB.exe
        225⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUZMU.exe.bat" "
        226⤵
        
        PID:1864
        
        C:\windows\SysWOW64\ZUZMU.exe
        
        C:\windows\system32\ZUZMU.exe
        227⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FUHADP.exe.bat" "
        228⤵
        
        PID:3116
        
        C:\windows\system\FUHADP.exe
        
        C:\windows\system\FUHADP.exe
        229⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EFKQM.exe.bat" "
        230⤵
        
        PID:4428
        
        C:\windows\system\EFKQM.exe
        
        C:\windows\system\EFKQM.exe
        231⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KFRDVYC.exe.bat" "
        232⤵
        
        PID:1104
        
        C:\windows\system\KFRDVYC.exe
        
        C:\windows\system\KFRDVYC.exe
        233⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VTQ.exe.bat" "
        234⤵
        
        PID:2696
        
        C:\windows\system\VTQ.exe
        
        C:\windows\system\VTQ.exe
        235⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BTY.exe.bat" "
        236⤵
        
        PID:1660
        
        C:\windows\BTY.exe
        
        C:\windows\BTY.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRMKZCI.exe.bat" "
        238⤵
        
        PID:3552
        
        C:\windows\system\LRMKZCI.exe
        
        C:\windows\system\LRMKZCI.exe
        239⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EMQF.exe.bat" "
        240⤵
        
        PID:2360
        
        C:\windows\SysWOW64\EMQF.exe
        
        C:\windows\system32\EMQF.exe
        241⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YHUPOA.exe.bat" "
        242⤵
        
        PID:4956
        
        C:\windows\YHUPOA.exe
        
        C:\windows\YHUPOA.exe
        243⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "
        244⤵
        
        PID:1948
        
        C:\windows\SysWOW64\BUZ.exe
        
        C:\windows\system32\BUZ.exe
        245⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKAXFN.exe.bat" "
        246⤵
        
        PID:2600
        
        C:\windows\SysWOW64\IKAXFN.exe
        
        C:\windows\system32\IKAXFN.exe
        247⤵
        Drops file in Windows directory
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\USHF.exe.bat" "
        248⤵
        
        PID:3628
        
        C:\windows\system\USHF.exe
        
        C:\windows\system\USHF.exe
        249⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\POMPU.exe.bat" "
        250⤵
        
        PID:1312
        
        C:\windows\POMPU.exe
        
        C:\windows\POMPU.exe
        251⤵
        Drops file in Windows directory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EJV.exe.bat" "
        252⤵
        
        PID:1584
        
        C:\windows\system\EJV.exe
        
        C:\windows\system\EJV.exe
        253⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XEZXSIF.exe.bat" "
        254⤵
        
        PID:1040
        
        C:\windows\XEZXSIF.exe
        
        C:\windows\XEZXSIF.exe
        255⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZCARQF.exe.bat" "
        256⤵
        
        PID:3020
        
        C:\windows\ZCARQF.exe
        
        C:\windows\ZCARQF.exe
        257⤵
        Drops file in Windows directory
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFQN.exe.bat" "
        258⤵
        
        PID:1496
        
        C:\windows\system\ZFQN.exe
        
        C:\windows\system\ZFQN.exe
        259⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GAN.exe.bat" "
        260⤵
        
        PID:1476
        
        C:\windows\GAN.exe
        
        C:\windows\GAN.exe
        261⤵
        Checks computer location settings
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NVM.exe.bat" "
        262⤵
        
        PID:4964
        
        C:\windows\NVM.exe
        
        C:\windows\NVM.exe
        263⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFNB.exe.bat" "
        264⤵
        
        PID:3880
        
        C:\windows\SysWOW64\UFNB.exe
        
        C:\windows\system32\UFNB.exe
        265⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PBSLK.exe.bat" "
        266⤵
        
        PID:4508
        
        C:\windows\PBSLK.exe
        
        C:\windows\PBSLK.exe
        267⤵
        Drops file in Windows directory
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZGFZ.exe.bat" "
        268⤵
        
        PID:1276
        
        C:\windows\system\RZGFZ.exe
        
        C:\windows\system\RZGFZ.exe
        269⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MMKOBFN.exe.bat" "
        270⤵
        
        PID:2440
        
        C:\windows\system\MMKOBFN.exe
        
        C:\windows\system\MMKOBFN.exe
        271⤵
        Checks computer location settings
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HKKAL.exe.bat" "
        272⤵
        
        PID:3140
        
        C:\windows\HKKAL.exe
        
        C:\windows\HKKAL.exe
        273⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKSOUKQ.exe.bat" "
        274⤵
        
        PID:1264
        
        C:\windows\system\FKSOUKQ.exe
        
        C:\windows\system\FKSOUKQ.exe
        275⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NXFVFJL.exe.bat" "
        276⤵
        
        PID:1364
        
        C:\windows\SysWOW64\NXFVFJL.exe
        
        C:\windows\system32\NXFVFJL.exe
        277⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PLBE.exe.bat" "
        278⤵
        
        PID:1372
        
        C:\windows\PLBE.exe
        
        C:\windows\PLBE.exe
        279⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IONIVZ.exe.bat" "
        280⤵
        
        PID:1792
        
        C:\windows\SysWOW64\IONIVZ.exe
        
        C:\windows\system32\IONIVZ.exe
        281⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMTUC.exe.bat" "
        282⤵
        
        PID:4584
        
        C:\windows\SysWOW64\SMTUC.exe
        
        C:\windows\system32\SMTUC.exe
        283⤵
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWWK.exe.bat" "
        284⤵
        
        PID:4924
        
        C:\windows\system\RWWK.exe
        
        C:\windows\system\RWWK.exe
        285⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AKGCB.exe.bat" "
        286⤵
        
        PID:4616
        
        C:\windows\SysWOW64\AKGCB.exe
        
        C:\windows\system32\AKGCB.exe
        287⤵
        Drops file in Windows directory
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GXF.exe.bat" "
        288⤵
        
        PID:4180
        
        C:\windows\system\GXF.exe
        
        C:\windows\system\GXF.exe
        289⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZAJHL.exe.bat" "
        290⤵
        
        PID:4796
        
        C:\windows\ZAJHL.exe
        
        C:\windows\ZAJHL.exe
        291⤵
        Drops file in Windows directory
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JYXB.exe.bat" "
        292⤵
        
        PID:4208
        
        C:\windows\JYXB.exe
        
        C:\windows\JYXB.exe
        293⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTGFLGD.exe.bat" "
        294⤵
        
        PID:872
        
        C:\windows\system\YTGFLGD.exe
        
        C:\windows\system\YTGFLGD.exe
        295⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JGFDQH.exe.bat" "
        296⤵
        
        PID:3668
        
        C:\windows\SysWOW64\JGFDQH.exe
        
        C:\windows\system32\JGFDQH.exe
        297⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBKXS.exe.bat" "
        298⤵
        
        PID:3424
        
        C:\windows\SysWOW64\YBKXS.exe
        
        C:\windows\system32\YBKXS.exe
        299⤵
        Checks computer location settings
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QKRVFAK.exe.bat" "
        300⤵
        
        PID:4804
        
        C:\windows\SysWOW64\QKRVFAK.exe
        
        C:\windows\system32\QKRVFAK.exe
        301⤵
        Drops file in Windows directory
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VNVTKR.exe.bat" "
        302⤵
        
        PID:4408
        
        C:\windows\system\VNVTKR.exe
        
        C:\windows\system\VNVTKR.exe
        303⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASFI.exe.bat" "
        304⤵
        
        PID:4520
        
        C:\windows\SysWOW64\ASFI.exe
        
        C:\windows\system32\ASFI.exe
        305⤵
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PIO.exe.bat" "
        306⤵
        
        PID:4440
        
        C:\windows\SysWOW64\PIO.exe
        
        C:\windows\system32\PIO.exe
        307⤵
        Checks computer location settings
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TYUIT.exe.bat" "
        308⤵
        
        PID:1416
        
        C:\windows\TYUIT.exe
        
        C:\windows\TYUIT.exe
        309⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MTYM.exe.bat" "
        310⤵
        
        PID:3712
        
        C:\windows\SysWOW64\MTYM.exe
        
        C:\windows\system32\MTYM.exe
        311⤵
        Checks computer location settings
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WREGGYU.exe.bat" "
        312⤵
        
        PID:2024
        
        C:\windows\system\WREGGYU.exe
        
        C:\windows\system\WREGGYU.exe
        313⤵
        Drops file in Windows directory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LHFXM.exe.bat" "
        314⤵
        
        PID:1656
        
        C:\windows\system\LHFXM.exe
        
        C:\windows\system\LHFXM.exe
        315⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YSV.exe.bat" "
        316⤵
        
        PID:1532
        
        C:\windows\SysWOW64\YSV.exe
        
        C:\windows\system32\YSV.exe
        317⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IAXBEC.exe.bat" "
        318⤵
        
        PID:4072
        
        C:\windows\IAXBEC.exe
        
        C:\windows\IAXBEC.exe
        319⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NAFPVWQ.exe.bat" "
        320⤵
        
        PID:4448
        
        C:\windows\NAFPVWQ.exe
        
        C:\windows\NAFPVWQ.exe
        321⤵
        Drops file in Windows directory
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGJVYV.exe.bat" "
        322⤵
        
        PID:1688
        
        C:\windows\system\VGJVYV.exe
        
        C:\windows\system\VGJVYV.exe
        323⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NGLI.exe.bat" "
        324⤵
        
        PID:2736
        
        C:\windows\NGLI.exe
        
        C:\windows\NGLI.exe
        325⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UJVNUNO.exe.bat" "
        326⤵
        
        PID:1376
        
        C:\windows\UJVNUNO.exe
        
        C:\windows\UJVNUNO.exe
        327⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVYWY.exe.bat" "
        328⤵
        
        PID:4920
        
        C:\windows\system\PHVYWY.exe
        
        C:\windows\system\PHVYWY.exe
        329⤵
        Drops file in Windows directory
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RFJ.exe.bat" "
        330⤵
        
        PID:3096
        
        C:\windows\RFJ.exe
        
        C:\windows\RFJ.exe
        331⤵
        Drops file in Windows directory
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDO.exe.bat" "
        332⤵
        
        PID:3980
        
        C:\windows\system\BDO.exe
        
        C:\windows\system\BDO.exe
        333⤵
        Drops file in Windows directory
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HDWTC.exe.bat" "
        334⤵
        
        PID:5084
        
        C:\windows\system\HDWTC.exe
        
        C:\windows\system\HDWTC.exe
        335⤵
        Drops file in Windows directory
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FYVCHN.exe.bat" "
        336⤵
        
        PID:4976
        
        C:\windows\FYVCHN.exe
        
        C:\windows\FYVCHN.exe
        337⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ABDSVX.exe.bat" "
        338⤵
        
        PID:3588
        
        C:\windows\ABDSVX.exe
        
        C:\windows\ABDSVX.exe
        339⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CZR.exe.bat" "
        340⤵
        
        PID:1564
        
        C:\windows\system\CZR.exe
        
        C:\windows\system\CZR.exe
        341⤵
        Drops file in Windows directory
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSUDLMZ.exe.bat" "
        342⤵
        
        PID:952
        
        C:\windows\system\BSUDLMZ.exe
        
        C:\windows\system\BSUDLMZ.exe
        343⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JXGJWKU.exe.bat" "
        344⤵
        
        PID:3540
        
        C:\windows\SysWOW64\JXGJWKU.exe
        
        C:\windows\system32\JXGJWKU.exe
        345⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EKLT.exe.bat" "
        346⤵
        
        PID:4924
        
        C:\windows\system\EKLT.exe
        
        C:\windows\system\EKLT.exe
        347⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XDTE.exe.bat" "
        348⤵
        
        PID:4084
        
        C:\windows\SysWOW64\XDTE.exe
        
        C:\windows\system32\XDTE.exe
        349⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYSMU.exe.bat" "
        350⤵
        
        PID:4312
        
        C:\windows\system\DYSMU.exe
        
        C:\windows\system\DYSMU.exe
        351⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGGKH.exe.bat" "
        352⤵
        
        PID:220
        
        C:\windows\system\UGGKH.exe
        
        C:\windows\system\UGGKH.exe
        353⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JMMHOP.exe.bat" "
        354⤵
        
        PID:3092
        
        C:\windows\SysWOW64\JMMHOP.exe
        
        C:\windows\system32\JMMHOP.exe
        355⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IMTEAGG.exe.bat" "
        356⤵
        
        PID:5064
        
        C:\windows\SysWOW64\IMTEAGG.exe
        
        C:\windows\system32\IMTEAGG.exe
        357⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CKUGGUO.exe.bat" "
        358⤵
        
        PID:4764
        
        C:\windows\SysWOW64\CKUGGUO.exe
        
        C:\windows\system32\CKUGGUO.exe
        359⤵
        Drops file in Windows directory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SYLFSM.exe.bat" "
        360⤵
        
        PID:4868
        
        C:\windows\SYLFSM.exe
        
        C:\windows\SYLFSM.exe
        361⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SDLTUR.exe.bat" "
        362⤵
        
        PID:764
        
        C:\windows\SysWOW64\SDLTUR.exe
        
        C:\windows\system32\SDLTUR.exe
        363⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLZZGII.exe.bat" "
        364⤵
        
        PID:4888
        
        C:\windows\SysWOW64\KLZZGII.exe
        
        C:\windows\system32\KLZZGII.exe
        365⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZE.exe.bat" "
        366⤵
        
        PID:4496
        
        C:\windows\SysWOW64\MZE.exe
        
        C:\windows\system32\MZE.exe
        367⤵
        Drops file in Windows directory
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCIEWGY.exe.bat" "
        368⤵
        
        PID:1516
        
        C:\windows\system\FCIEWGY.exe
        
        C:\windows\system\FCIEWGY.exe
        369⤵
        Checks computer location settings
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEQDK.exe.bat" "
        370⤵
        
        PID:1240
        
        C:\windows\SysWOW64\SEQDK.exe
        
        C:\windows\system32\SEQDK.exe
        371⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VAVMVJI.exe.bat" "
        372⤵
        
        PID:1872
        
        C:\windows\VAVMVJI.exe
        
        C:\windows\VAVMVJI.exe
        373⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNAV.exe.bat" "
        374⤵
        
        PID:4632
        
        C:\windows\SysWOW64\PNAV.exe
        
        C:\windows\system32\PNAV.exe
        375⤵
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1328
        374⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1324
        372⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1240
        370⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1308
        368⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1260
        366⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 960
        364⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1328
        362⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1324
        360⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1328
        358⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1300
        356⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1328
        354⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 960
        352⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1316
        350⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1320
        348⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1260
        346⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1328
        344⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1224
        342⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1012
        340⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1324
        338⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1292
        336⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1336
        334⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1336
        332⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1296
        330⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1336
        328⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1268
        326⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1304
        324⤵
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1316
        322⤵
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 960
        320⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1324
        318⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1308
        316⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1260
        314⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1308
        312⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 960
        310⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 988
        308⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1328
        306⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1240
        304⤵
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1316
        302⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1328
        300⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 960
        298⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1308
        296⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1336
        294⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 988
        292⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 960
        290⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 988
        288⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1240
        286⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1336
        284⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1328
        282⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1272
        280⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 876
        278⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1328
        276⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1336
        274⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 988
        272⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 960
        270⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 960
        268⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1252
        266⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1208
        264⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1252
        262⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1324
        260⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1280
        258⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 988
        256⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1304
        254⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 960
        252⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1204
        250⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 960
        248⤵
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1252
        246⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
        244⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1248
        242⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1328
        240⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1336
        238⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1296
        236⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1336
        234⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 960
        232⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1308
        230⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1268
        228⤵
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 876
        226⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 960
        224⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1324
        222⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 988
        220⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 960
        218⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1328
        216⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1300
        214⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1328
        212⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1296
        210⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1324
        208⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 960
        206⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1300
        204⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1300
        202⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 960
        200⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1260
        198⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1296
        196⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 960
        194⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1324
        192⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1300
        190⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 960
        188⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1308
        186⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 872
        184⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1236
        182⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 960
        180⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1336
        178⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 988
        176⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 988
        174⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 872
        172⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 960
        170⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 960
        168⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1328
        166⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 960
        164⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1216
        162⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 960
        160⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1336
        158⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1292
        156⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1328
        154⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 960
        152⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1292
        150⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1304
        148⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 988
        146⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1308
        144⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1308
        142⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 960
        140⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 960
        138⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 960
        136⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1336
        134⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 976
        132⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1324
        130⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 988
        128⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1316
        126⤵
        Program crash
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1236
        124⤵
        Program crash
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 960
        122⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1336
        120⤵
        Program crash
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1236
        118⤵
        Program crash
        
        PID:656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1336
        116⤵
        Program crash
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 968
        114⤵
        Program crash
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1328
        112⤵
        Program crash
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 960
        110⤵
        Program crash
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 964
        108⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 960
        106⤵
        Program crash
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 876
        104⤵
        Program crash
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 960
        102⤵
        Program crash
        
        PID:1476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1304
        100⤵
        Program crash
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1328
        98⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1336
        96⤵
        Program crash
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1292
        94⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 964
        92⤵
        Program crash
        
        PID:1308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 960
        90⤵
        Program crash
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1240
        88⤵
        Program crash
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1256
        86⤵
        Program crash
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1324
        84⤵
        Program crash
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 960
        82⤵
        Program crash
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1240
        80⤵
        Program crash
        
        PID:748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1220
        78⤵
        Program crash
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 960
        76⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 988
        74⤵
        Program crash
        
        PID:3396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 960
        72⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 960
        70⤵
        Program crash
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1308
        68⤵
        Program crash
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 960
        66⤵
        Program crash
        
        PID:2444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1324
        64⤵
        Program crash
        
        PID:1568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1336
        62⤵
        Program crash
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1308
        60⤵
        Program crash
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1328
        58⤵
        Program crash
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1304
        56⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 960
        54⤵
        Program crash
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 988
        52⤵
        Program crash
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1300
        50⤵
        Program crash
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 960
        48⤵
        Program crash
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1324
        46⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1308
        44⤵
        Program crash
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1328
        42⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1316
        40⤵
        Program crash
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1328
        38⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1204
        36⤵
        Program crash
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 960
        34⤵
        Program crash
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1304
        32⤵
        Program crash
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 960
        30⤵
        Program crash
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1316
        28⤵
        Program crash
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1328
        26⤵
        Program crash
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1324
        24⤵
        Program crash
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1324
        22⤵
        Program crash
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1300
        20⤵
        Program crash
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 960
        18⤵
        Program crash
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1248
        16⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1324
        14⤵
        Program crash
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1328
        12⤵
        Program crash
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1328
        10⤵
        Program crash
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 960
        8⤵
        Program crash
        
        PID:3804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 960
        6⤵
        Program crash
        
        PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 988
      4⤵
      Program crash
      PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 940
  2⤵
  - Program crash
  PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4576 -ip 4576
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 212 -ip 212
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4636 -ip 4636
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1976 -ip 1976
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2992 -ip 2992
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1304 -ip 1304
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4948 -ip 4948
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2016 -ip 2016
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1568 -ip 1568
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4404 -ip 4404
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4332 -ip 4332
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1308 -ip 1308
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4460 -ip 4460
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2204 -ip 2204
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1940 -ip 1940
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 376 -ip 376
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2120 -ip 2120
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2432 -ip 2432
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4228 -ip 4228
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3628 -ip 3628
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4488 -ip 4488
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1812 -ip 1812
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3088 -ip 3088
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3484 -ip 3484
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2652 -ip 2652
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3884 -ip 3884
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3468 -ip 3468
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3788 -ip 3788
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2276 -ip 2276
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4292 -ip 4292
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2808 -ip 2808
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3848 -ip 3848
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 624 -ip 624
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3924 -ip 3924
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1864 -ip 1864
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3008 -ip 3008
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3596 -ip 3596
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2372 -ip 2372
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4868 -ip 4868
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1068 -ip 1068
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2852 -ip 2852
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3716 -ip 3716
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3768 -ip 3768
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 372 -ip 372
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3980 -ip 3980
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4512 -ip 4512
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2544 -ip 2544
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4784 -ip 4784
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3036 -ip 3036
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 736 -ip 736
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4920 -ip 4920
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3296 -ip 3296
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1496 -ip 1496
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2068 -ip 2068
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4048 -ip 4048
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1564 -ip 1564
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1584 -ip 1584
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5072 -ip 5072
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1604 -ip 1604
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3552 -ip 3552
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4964 -ip 4964
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2828 -ip 2828
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2204 -ip 2204
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4488 -ip 4488
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4076 -ip 4076
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4428 -ip 4428
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1312 -ip 1312
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3288 -ip 3288
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2788 -ip 2788
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 684 -ip 684
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2236 -ip 2236
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4048 -ip 4048
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2564 -ip 2564
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3564 -ip 3564
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4556 -ip 4556
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3532 -ip 3532
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2232 -ip 2232
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4608 -ip 4608
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 408 -ip 408
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2320 -ip 2320
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1948 -ip 1948
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2136 -ip 2136
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4940 -ip 4940
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3960 -ip 3960
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1968 -ip 1968
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1104 -ip 1104
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4216 -ip 4216
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3056 -ip 3056
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1164 -ip 1164
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4544 -ip 4544
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2432 -ip 2432
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3828 -ip 3828
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2136 -ip 2136
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 912 -ip 912
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3952 -ip 3952
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 872 -ip 872
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 380 -ip 380
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 920 -ip 920
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4964 -ip 4964
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5056 -ip 5056
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5044 -ip 5044
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 372 -ip 372
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5036 -ip 5036
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2664 -ip 2664
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3036 -ip 3036
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1928 -ip 1928
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2236 -ip 2236
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4432 -ip 4432
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4384 -ip 4384
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4180 -ip 4180
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3884 -ip 3884
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4452 -ip 4452
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4104 -ip 4104
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5036 -ip 5036
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1496 -ip 1496
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1740 -ip 1740
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4492 -ip 4492
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3104 -ip 3104
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1524 -ip 1524
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2640 -ip 2640
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1656 -ip 1656
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4436 -ip 4436
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2444 -ip 2444
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1052 -ip 1052
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3648 -ip 3648
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4804 -ip 4804
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4392 -ip 4392
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2068 -ip 2068
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3000 -ip 3000
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4444 -ip 4444
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4632 -ip 4632
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1764 -ip 1764
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3896 -ip 3896
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2992 -ip 2992
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2324 -ip 2324
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3056 -ip 3056
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4576 -ip 4576
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1344 -ip 1344
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4548 -ip 4548
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3212 -ip 3212
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3712 -ip 3712
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4304 -ip 4304
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2232 -ip 2232
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5076 -ip 5076
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3552 -ip 3552
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2832 -ip 2832
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4460 -ip 4460
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 888 -ip 888
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3880 -ip 3880
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4544 -ip 4544
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3564 -ip 3564
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 864 -ip 864
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2760 -ip 2760
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3200 -ip 3200
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4104 -ip 4104
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2324 -ip 2324
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1880 -ip 1880
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1516 -ip 1516
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4408 -ip 4408
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2136 -ip 2136
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1740 -ip 1740
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2116 -ip 2116
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4900 -ip 4900
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4524 -ip 4524
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 5020 -ip 5020
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1508 -ip 1508
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1792 -ip 1792
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1132 -ip 1132
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4536 -ip 4536
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1516 -ip 1516
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3972 -ip 3972
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1820 -ip 1820
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2336 -ip 2336
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4672 -ip 4672
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2400 -ip 2400
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4444 -ip 4444
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3968 -ip 3968
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3424 -ip 3424
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2828 -ip 2828
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3540 -ip 3540
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3276 -ip 3276
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 384 -ip 384
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4792 -ip 4792
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4436 -ip 4436
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AMSDXVU.exe

Filesize
289KB

MD5
9bd7bd323c5b68587d02eaa48a0bd860

SHA1
d7e302546310e1464a2899605d1ce67b7c40182d

SHA256
970c0db88fc0a53b065af42c54632eff6e15da04cacc9b6e0c3a0a06c29ab9f7

SHA512
433b6d744f1d7f3945b7ece6d5d76ae9bc92794aac7595164d2790a1c7b5d5a3c62723c1281f5cf792169d8157a27771de0b0476d21beb0eb98ba89f96af5c69

Download Submit
C:\Windows\MFBX.exe

Filesize
289KB

MD5
d74ccef5b4737eb95c2ab555d7a977f5

SHA1
9c7aaa4aa1176c5574ae8f5e68a30c828edff4fd

SHA256
3939ce6bda6227f044942942b048b1e1912fffa2bb60821239a36953f92f6840

SHA512
f29ecc6e9c3c7d78c05d12d5d48959f94f31663eaff1bfdb78f2a21089a644781f898e610fb0275d9e9867c6a7b9a6f6856274e0406072c24eec9a0cad6158a8

Download Submit
C:\Windows\ODU.exe

Filesize
289KB

MD5
14b0b983af1525bdcb85493156ff932a

SHA1
48c364e23a7aef32790447cbc1cd7ec5ccdd3599

SHA256
010c083c49aafe1abb19344e04c0785940bf469e601ef8882030cc563ec19bc1

SHA512
33d5215abe12a9e43ec75b7f7377126bf935e7c5e17a33209da773a19b360f189d1592879da16dd75eb3dd55b178c4eee9bcfcc28279976562d72ad567b95dfb

Download Submit
C:\Windows\SPKEPK.exe

Filesize
289KB

MD5
e5f8bf15ab6a21d6598e086f4d996e48

SHA1
7c2f9a003d7449122f40d13708a4c9ff9b5af096

SHA256
f4346d62047fbc7a16247d96383d0f795352175db0c07d8a5ccd5bfdf90fe192

SHA512
de1d4062cc112aa33e47902e4deae4f31a509f55da0efd3b807094c54bbb60bd7659954b7c5746a404e74719a0e81e56b7d9d400a2e7045c2b60a65c3339039b

Download Submit
C:\Windows\SysWOW64\BVPOWR.exe

Filesize
289KB

MD5
c7932b4aaea69c978690dc068f866bbd

SHA1
3d6dfeba6e630b9b1942177090f9f53546809184

SHA256
070cdc38803e900794f2c78f6f0fac0cbdf0915d1cfa290e64c6683de844e879

SHA512
65c9fcee210e2a8bd1506f0de4a5d067ca8c95668dffd5bbccc16196cb5ca053eb543ba5f1d8ec1cd9d13f8427073f6cc26b3db47771c58d2683be95dd467c24

Download Submit
C:\Windows\SysWOW64\ETVAVIW.exe

Filesize
289KB

MD5
f75affeaef1af00d7b0e8a1069113b83

SHA1
33b823b4ca051d8275362c8d2268dd6f3a4a29d4

SHA256
93a036545771f500eef0680ab61835a7a3df23be663febfb9d038d49b1900739

SHA512
7f4514ff0aa660b005e97051ea6502d83c969359912a921550f156312f65816a267d792883f8fe94c4c28c2ade90199879f89ae59e50b6be06e82e9b4c2599cd

Download Submit
C:\Windows\SysWOW64\WCO.exe

Filesize
289KB

MD5
27d67eda5bbde862b46e76eebf822482

SHA1
aa6a43324eb5f8c911d7208831a7d71911e93845

SHA256
46a0a3d5190ef341d213ff0ba4f25a18363e01f89603e96c066370fe1cdcff55

SHA512
623a420284296d1768151838198b50c31904676261fd7abd5b82e268b00b59c7111fb0a8e8cc625be93c46c0e4f4dcc165d1929209c2327fb0d398f4cae4c8ad

Download Submit
C:\Windows\System\CTJGQR.exe

Filesize
289KB

MD5
eb001f20e866607b7a03a4abbb7a28b4

SHA1
3a09954679807e164e2a37d547792097e4219a51

SHA256
f85f29dd8cb9e9b4ade012e12a1e30cff7e1749c97988bf4c941d752f9c845ec

SHA512
4a5a0bf3dcc70028382ea4f108f7d52180a98546d6a3f64a5d7838eda697263145e447796b05bbb56fe3b89553c4a53107ec80104bedbac4718274ffa94c2d45

Download Submit
C:\Windows\System\SMHAUC.exe

Filesize
289KB

MD5
178fcff9ad1fbff63e3fce2025c3c75a

SHA1
e654c34408776cd45be70c427cdcc5c5b1f5aa8b

SHA256
a759ffe61eb042eb8a916f254c13bc7e2c9c3fed6b30be704d16790cf2ae4107

SHA512
63b9ca0ddd6878f12547aa94d2d2d0e38eb98fd139f8661c088adef7486f6b1e747a0063d7c233e734630f35be3b8944360a38ac3c54a7d02b690dbd66ffb6e5

Download Submit
C:\Windows\System\WAQFAX.exe

Filesize
289KB

MD5
38c3128a623569b3a00b74ac5a7d968a

SHA1
9478f1ec99a9ddb2214e6e205f92c8ba7f121beb

SHA256
dfd1a9516e43d4313b0ba36ce08a4fac84fd0d60338edba0df4b4d7ce18069f8

SHA512
4e6b6fe5bda937ff825526668df77bca32f64d554e9d4891d6b97039fecf52a1076a8abe1531784b91c2e356dd1a7a1cd9afa7a0c77f9db273adcb34ba482c68

Download Submit
C:\Windows\XYCR.exe

Filesize
289KB

MD5
106351d6ffc823a7c91963d00ca73f8c

SHA1
1707f6b5c3dd06c72c6244ad9aa0a3de9eed61e5

SHA256
596c17befac8a629e2a74f1ed5ab58b68f893319e3eda94bf11de3f4d6a4f697

SHA512
5d87311828e504ce4a9a37e3739353617a42027130d01dc2ad8fe6cca3294d0a6bca5670f21b2170e35573f0d2b13185a9a03c47f6e79c7fc6cee6af5aaff91b

Download Submit
C:\windows\AMSDXVU.exe.bat

Filesize
60B

MD5
0abfb62c46707239b8f4b15b2cd6b850

SHA1
94001969cc4450148392dc70a36311f8e9b09b18

SHA256
c1c23dd41b1e02b53d850ebc8d8380d2a03a5c56f30f7fd98da97ff4de59b289

SHA512
c500db4f4cb05bb4336ec5f6b8afd577bb96c22077af668a0be8a6f2c5711b02c4db9d4a48e9160d945534df88d1bd10d6db17a08ae3849144cd95db8e5ae55b

Download Submit
C:\windows\ESPQ.exe

Filesize
289KB

MD5
d2ab788d16a019496590dec86f71c240

SHA1
cb882653909ab14c2ef77049bd3add8bdc0cb40b

SHA256
f87cbad11a9a3fa36a7228e072036668316acbce9c30ffc5cb3ed96d364293eb

SHA512
10c360ea587145c2c35bb43fdd809992f9e1039bb84a2ebae57e279dc43f019e7ea84222aeea6c1e64a28e1f0f0e14552e65bc5fff33c5acc21a37914a6a5311

Download Submit
C:\windows\ESPQ.exe.bat

Filesize
54B

MD5
f187f259f79f84b99be041d870910b11

SHA1
53d348f4da98870535877968f59b06d6c4ae2ffe

SHA256
304bc53314e6335c0578100e947a133285bcd9d7e037316e8e0ba0c0b0771ca3

SHA512
a22412b37437c5c2ae9b855487c9b55642823953bc4009e872cf41f6bdf4de345d443126116520317e7fdcd8a1122240ffff437476dcbc492855a0872e1f7d3a

Download Submit
C:\windows\FFGGKTD.exe

Filesize
289KB

MD5
61e8e7402f2a373e90885dc65b043632

SHA1
2cfc7bb0f1c0e9aade8fd52573a80857efe11ad6

SHA256
a0598549f0dc462c4c968eb8aa1b9557dc550a8b3bb35d8cd82f7fe88f885154

SHA512
f8a1617b1be58630e48fe6f6a4dcbb9df2d1102397109bac906c11137cdbfdee0d732b9ebc776136f07305b7a2250e9ef942e6c73584062b71972da4fd6bcbbd

Download Submit
C:\windows\FFGGKTD.exe.bat

Filesize
60B

MD5
5bb5dd76230bdbac595d3c452a876a31

SHA1
2806ea30f1d6d7a580dff0624c6bd2e55f0d9c0d

SHA256
ed5793cd98969bf4f1f3ddc1447fa4995962c2111a637cf6a32cb2001965cf99

SHA512
1363193aebba8f077a5b54083466ca330a31fddd7699bfcb49ea3e922038f1ea753b4c6ba9aa591b0f4de6cf861c5522f253015ec0656c09b015383cd38c4e9c

Download Submit
C:\windows\LHM.exe

Filesize
289KB

MD5
f05a1aaf6b8ac5652786709bd217d44a

SHA1
4c0b7249ffd8dfd1f0898716d720d6998fbc0248

SHA256
38f01cc0a899952b123444d7975e0196a18bd48f92a321ae9d56c1eb243767c5

SHA512
cb71060ae0142fc27d5052598db6532fe16fd73b0fdaa08f461396e872d0b94ff5ee8652db62b54cc82176f1d89a03f26695b80f9745e98269dc4295373ded55

Download Submit
C:\windows\LHM.exe.bat

Filesize
52B

MD5
bc12491a4ccbc4f3f29b69941e4b158a

SHA1
d8efda0309b09a3d7ac9cafeee480acbcf4b7b96

SHA256
9e8a54c945f334a6a6b1e1f6ce2f44f6d6cd06a68be8e6f8a33ec9ae6607d06c

SHA512
c22f3babdfa2ff58ee68cfa4cf47762fc55bf5fb858813be238f2f6bbbb885f9991b203cbb0dd5c7fb23ae423b88956aff751ac6ed9806be0f42184a14db5a91

Download Submit
C:\windows\MFBX.exe.bat

Filesize
54B

MD5
dd16c42202efc40963fa0f6fad695431

SHA1
33a0d814aca325ff8c3ac13976ac4ccf0a8fd00f

SHA256
05c8b671e36a06495dce8191369fa43276804ec1250ee4c9e49fc78c2bf462c8

SHA512
542a19e59847cea18a039fb79560ecd2cf3e552808e79568d97c858db44c18240a8e85fd3d4a67de5e7e573350034d7e3ee03d2e65776b433fb69d7a4b179852

Download Submit
C:\windows\ODU.exe.bat

Filesize
52B

MD5
26592dfc4d956828af6e07928ab593d0

SHA1
8bca5cf7772ab46bcf190cb0f12c4443f59dace7

SHA256
bfc7279032998138a7b0971b5a976fdc9ea0f776422cc3ba196c6934237af181

SHA512
cd76741c842ca0357fc646de07f15a2e1c5b0703876b9445ea51f067c7f3c1b78d36b1b709b1f0e9c24e0c33808368fd03a756f11eef2ec5932d9067f6cfb18e

Download Submit
C:\windows\OMMZYYK.exe.bat

Filesize
60B

MD5
182f21c0b9716491e388fd4d0587036e

SHA1
6df52130b2e71ed15f891e9253bc771b7f663545

SHA256
a29b297296c16233086b2127473cdbee6a19872fc2c3be56e088012094ec817e

SHA512
54c9a498db098843be93ec20244ba87a2f3c149673f5b75efdf36f64f57708540169cf3b46ba1226737d36c3aa901e935110ba054b701bc0fe7db98d75f87741

Download Submit
C:\windows\SPKEPK.exe.bat

Filesize
58B

MD5
fc410642331e1f9fb4aa7d7b84dd09a8

SHA1
4d5011620bdcc943a8a3bb1c04a4aa62cfc03283

SHA256
dbbcce172e51ec4e00ee9555daee908074dd51d82f04b4db545bcbd086584cb9

SHA512
7c2301dc92b03a2d5f737968d2cb61fec7cc59b3d901d6edbf54bb9822daf8126ccc181cba35c1fc4b959dce87867cae9d3656e5242c31537faaefa5c4f8bacc

Download Submit
C:\windows\SysWOW64\BVPOWR.exe.bat

Filesize
76B

MD5
de23e8455303f647fad4443b29771b78

SHA1
14f542078f04c2471425c947338096a6c811ae5f

SHA256
ea66a68bc4044f043213dd74dfa7ab5c582c61995070d757353dd7765fc10d7c

SHA512
e191276ccb8c5e8a1bf65cd1ef22f9e45b752db34ac00b5a7b918d93c263c261b45e33cafae035e0bcbb0af4402796219452d894f5feeccb198fd33dd115a072

Download Submit
C:\windows\SysWOW64\ETVAVIW.exe.bat

Filesize
78B

MD5
345a7fca04d4576124cbefe17970916d

SHA1
bd26f182de3ee3bf0a87d0b702f3e8d3fa453b6c

SHA256
48cdb888abdd540a761e5d16d2e54dd836ff4246eb3d258a723e068c34b951d1

SHA512
667e06fa843931729746df12c4e29ff2df1fe5b5e5086e2e78a849fcff5c06edbbfd2567857d20b67f5940638ae4ef08dded20d243f3954b36a1d8dca0abef7a

Download Submit
C:\windows\SysWOW64\JFKHLER.exe.bat

Filesize
78B

MD5
18e5c3bd122aab7908d1ad325916eaf4

SHA1
d2b300b5abf921be14ca60172a274749cdc8c36d

SHA256
7d39ba90d58ed1ed4f13f016861d3c937d7d988d4e9caf2e537a2d1c2add3a5f

SHA512
51e49158fb555f9ed693af7fe56cc6debb94aaaae1003b7e17a70df1401136532562509adb86160f83e780838188737593c816f4c5f8f2a32de1e78e86f1707d

Download Submit
C:\windows\SysWOW64\LDJKUMU.exe

Filesize
289KB

MD5
2ec8eaa45a43ee7a39cdd9c33a7f5a8d

SHA1
98ce68b4226e283ca0334af4aea2972ed3bf9720

SHA256
174a9418326faf22cda5220361c2a4c61bbc4b8311b0e9e786c4d9e83eec9843

SHA512
b670d3b762e130467bf16a0dd57d68f912080271c3b54242e104b47b5c0cede4012501dc99486acff62d9c62ea6d70ab820f7eff8ef1c7b69d1e20767786464b

Download Submit
C:\windows\SysWOW64\LDJKUMU.exe.bat

Filesize
78B

MD5
413cc89e72807f162aa9d4dc1cc9fb79

SHA1
1fe768757240dc99c43fa0a5d778ee7d4ae72a30

SHA256
9f8261fb438172f83f32b9eadbfc6c12615a26362e3ea626355600e666834b5d

SHA512
ecf3d9169a2c6fc07aab96f320e8d4b89cdeaf92c3cc5db48a0f14ae512e74093f1082d14961dabd2fc1bba40561dda8279939621222032fa2def2683a63dd3b

Download Submit
C:\windows\SysWOW64\OQJV.exe

Filesize
289KB

MD5
aa84f0cb4e29dc8c77755957f47661e9

SHA1
b5ebfc4b59c668227ea4ab65105ccf46d92cfaac

SHA256
83e37f4a71137807fd9500f59e06bbb59b725092edd765127d2e5c1ef26d779c

SHA512
9daf810d7d5d474f64c73c9e573f84cadff321f99dfac2a8a566d303e669d671c4dad3c1609659042d0159d113242d852161160b865329beb0f41ff02721c52f

Download Submit
C:\windows\SysWOW64\OQJV.exe.bat

Filesize
72B

MD5
3a56b50ae8fb6a4eaebd1bef05e67044

SHA1
92d0c4f388ddd1b076ffe88ddc16c75d5544e98d

SHA256
7b529524c2650ef8a127497099bf4d1e8e688fbfe8dab972ac77414aa6a87faa

SHA512
d65316c7267ad497781e5e8fccaf2a28da51940d5bd72df2f07c603f226d99c3a7ad99724989143e5202816d00bfef97212ecb390dc58acab00e064777dbe92b

Download Submit
C:\windows\SysWOW64\PTKK.exe.bat

Filesize
72B

MD5
b67221df7e39bbf6849f3d3f5939eeec

SHA1
b0a1e8cce903e2851c211f75e1a265f87681f14c

SHA256
3606afefc041d138e6416e8f632e937641356e0c0b25525677bfe356a45f3cdd

SHA512
ee8fb796e215cac8c498b5f3165aa9ee9730bbdd4bef5848c84d95d6f2701aee1a0a870fb36abde9cb969c183ef011e24539234a929d65e1a7f3fff38a1ba092

Download Submit
C:\windows\SysWOW64\WCO.exe.bat

Filesize
70B

MD5
84ee2d59c2bc669ef45e7e5c324e4e49

SHA1
bb973c850cea8b8d8e468bbc7a138aa31d39ba63

SHA256
a838771fa1ec0e3807525a84792da24f3aa10025dc61dc73021467f6bd847248

SHA512
16f3544ea5418af1f1901b8d5f47743e4f2db35aa2d1c9a9e3ca2b26744e42cdebaf82c49d0dd655ef2d1ff9ab358b01d9b8e528780613c24cc27e01fbb59ad6

Download Submit
C:\windows\SysWOW64\ZOSBJ.exe.bat

Filesize
74B

MD5
f41551712781f313599d48359017a0cc

SHA1
d798f55b5fad5c79e1cfbeba12f98abf81cf9155

SHA256
8b39d68ccd579ffaea92078bed61af05d74cb469b9eaacfa688cb4f88743fcd5

SHA512
b4bdf5d8626647ba14823ba64558f28ae9a7b27d1fdc640198ae917db398b680229572f7bc61075ade2e1e51037465baccce6b42f5fa622166e742dac97170e3

Download Submit
C:\windows\XYCR.exe.bat

Filesize
54B

MD5
b75253c0e80a3095a0e10c9c74af377d

SHA1
3fb192d981f3e5510b74192573129a82cef85473

SHA256
83bb971c74e369b0368938bfbfb62fabbb06bdd13020db097fee045645466661

SHA512
3e1e541c42c6fef21ddded15ee7cf7934cb5953105605f43ee63f872af20a591c954464bdf1b57459b1948fc09e4419f120fd7ed55b93f840de627ca88455f60

Download Submit
C:\windows\system\CTJGQR.exe.bat

Filesize
72B

MD5
52e865dc184144f3a791c06932a36e01

SHA1
bb5bc8052845ff2c8fca4dd2a1331b31f1eedfdb

SHA256
dfb3885791327be46a94aa198dd6893c519d1fd75b967ef90bc21c95abd1aa9e

SHA512
32c8574e2f002bf111ad9d55c738159d02bf31793a44d0e17e46d01a418c3968f5e41ddda1e3a9a759e39753abb07bf5f3744440d72b9b05bbc62075d04ee350

Download Submit
C:\windows\system\CYS.exe

Filesize
289KB

MD5
44f73dd2260ab16a6183b2cee0daee24

SHA1
03dc115cd4810cd57dae132f0f55b2e2f1739bf4

SHA256
2284a157a9bdc353e8be81d4928c4b104cfb75b5a6a09956e84983596bc3942a

SHA512
b451f5bd85c84c4e4a5380003edae875bf9cea5cbd9b3dbfd52db49174abcb91ce52d4c3f500df7c889df4ba75114304ce4382333abc65e32efc45ab758482b0

Download Submit
C:\windows\system\CYS.exe.bat

Filesize
66B

MD5
ad45d35654d2c7830b510fe8b82ae8b1

SHA1
719cb87c9d1214fed8745b68ac386b0d28b356f6

SHA256
edbc87998f72eabf4ad386e93f31ba7fcf7826f53fa870e290700e250d5c1523

SHA512
8f843852e979f10510197bc5f5cdddbc19dd86015b450a9458c9c32fd61481eaf8ebddaf21e633afc517a3b80d2399320b022ef599d459e1b01d05b46230ec64

Download Submit
C:\windows\system\OEV.exe.bat

Filesize
66B

MD5
c530d3bfb069d30bd79d7d59f131ed01

SHA1
aea5f0a894c47619ce9f3db8d1ebae1bda935de0

SHA256
ddb0866c7613e60787b6287042ce35488124dbf16ce80750fd4eed6be21c50ec

SHA512
f3fb75880b6d4cb03afe33e51fb76bbbd44a2b6a8d07cd145aec3009f3cd8e151b668aedc5e184312281084d1c5fa2709a6a646f8dd2225a08441a237e58aac1

Download Submit
C:\windows\system\SMHAUC.exe.bat

Filesize
72B

MD5
9259c0c0be24a9270a8afdef76a11e12

SHA1
94204528801c8b0b74e7ceaa5224ff3e2c80cfec

SHA256
8f216b6812903ec6725aed4291133005a44887455935e5be18de30317f3bd936

SHA512
b2dad8e247244490cad9bfb3c7ccf7591574cd0a1fb601e532e11c3848cd39b373a410600c2c5c18deeae7541025550d75e0d1e01666dc470b4ae6f1c7081f49

Download Submit
C:\windows\system\WAQFAX.exe.bat

Filesize
72B

MD5
cf23a7f1c36de536b6a203cde37b0523

SHA1
d730df312c039f874d2a45f448ef3da0408f970a

SHA256
6b26ca43d73a16975c4d28b02a42ed34d2b0e20775c875d72511f87301c7c303

SHA512
c3aacfdc692ddae0204c12d9039b13354757f268b4ca29eeae73e1fe35cd9b0d3d3ef411a9b446b3372ed582d9bbc5d523ee8980476bccfdcb054cd946e9ab8b

Download Submit
memory/212-30-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/212-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/372-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/372-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/376-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/376-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1568-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1568-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2852-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2852-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3768-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3768-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download