cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
Size

208KB
MD5

f855c6aeca4075998a9f52e8e0062142
SHA1

607be2097978a701e92897d69525498b042510e0
SHA256

cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8
SHA512

e07642edaa099df028516f8e5ae6ab0e76fff4cd7ac81b10f5d4a8606e1a627f1bcd3ffa9fa687baca883cd7368b074532907a3a8fae507a32fd12b8b9ff1bd5
SSDEEP

6144:vz7XlhJHu9CBoQvCY5q9IoqIEgeTwQEj9:77xDGC3geMQS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	BEPNX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	MPCXDWC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	UATIFU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	MHWJLD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	VWNSZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	NEOHF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	FVGWCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	JRPRS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	AXSRHOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	OVZDIKU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	VFATAQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CGWQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CLXSVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	PQGTD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CHUW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CGI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	AWFJBG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	OMR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	UMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	BWJLX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	VKOUHTE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	XPN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	FSQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YWRANE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YNPFNPV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	XJVPV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	KTOFYBQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	GDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	KFJSPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	DIPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	SZEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TCNK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	QWNSO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CQUXRK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	VKEXS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	JLX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YYPQH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	BNIR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	JAGDMH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TWUGIGP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	REWQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	IHK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	KVX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	PBCWJWY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TXJGRGI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	HXL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YGLPVJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	INPALBX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	EGYHREJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	STBAO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	IOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	MMIPFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	JOGSNUA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	AEIMX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	BRVJQQZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TLBWW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	JABFEV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YMA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	XARCMKV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	YLJUR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	UZAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	XSWN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	EXZ.exe

Executes dropped EXE 64 IoCs

pid	Process
1544	MEV.exe
2608	REWQ.exe
4600	WHA.exe
3812	TMYM.exe
1368	PSEJ.exe
408	KFJSPC.exe
4264	OVQST.exe
560	FWSFEAS.exe
4200	URBKP.exe
2960	EZDPTK.exe
2168	IHK.exe
4732	OCJXKF.exe
1816	SKP.exe
1872	FVGWCA.exe
2492	QOB.exe
3384	GECGRD.exe
988	ARH.exe
2244	PUYCNQ.exe
2908	KHDLXQG.exe
4584	WPJLJ.exe
4908	NAAJJ.exe
464	YGLPVJ.exe
880	AWFJBG.exe
4944	JEHOFDJ.exe
3708	ERLY.exe
1508	TMVKAQH.exe
1452	KVX.exe
5060	FICZO.exe
3664	UDL.exe
4672	NGPHM.exe
4440	EGR.exe
3996	XJVPV.exe
3012	TPAECDN.exe
5020	CPC.exe
2292	TCNK.exe
872	DLPPHCF.exe
3784	JLX.exe
560	JRPRS.exe
1588	PRWFBM.exe
400	AKZXJTA.exe
4440	WPF.exe
1816	IIAFY.exe
4244	XDS.exe
1664	ZBLMQU.exe
4304	KTOFYBQ.exe
988	ROLRAC.exe
2688	OMR.exe
3508	UMY.exe
1784	MPCXDWC.exe
3464	SPKL.exe
4016	YLJUR.exe
1364	HQT.exe
4264	KLYVR.exe
4900	IZPWOB.exe
4136	OZX.exe
544	IUCTP.exe
1924	DHHDRV.exe
3972	UIJ.exe
4076	YYPQH.exe
3024	CGWQT.exe
2032	OYZI.exe
4416	ROF.exe
2980	XPN.exe
4760	OALU.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\MEV.exe	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
File opened for modification	C:\windows\SysWOW64\ABGTKUA.exe	AWOFIHF.exe
File created	C:\windows\SysWOW64\ABGTKUA.exe.bat	AWOFIHF.exe
File opened for modification	C:\windows\SysWOW64\VKEXS.exe	PKW.exe
File opened for modification	C:\windows\SysWOW64\EGYHREJ.exe	JTTYG.exe
File created	C:\windows\SysWOW64\MEV.exe.bat	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
File created	C:\windows\SysWOW64\AKZXJTA.exe	PRWFBM.exe
File created	C:\windows\SysWOW64\KTOFYBQ.exe.bat	ZBLMQU.exe
File opened for modification	C:\windows\SysWOW64\DIPK.exe	FSQ.exe
File created	C:\windows\SysWOW64\SDGOH.exe.bat	DIPK.exe
File created	C:\windows\SysWOW64\IUKP.exe.bat	PQGTD.exe
File opened for modification	C:\windows\SysWOW64\ONWO.exe	INPALBX.exe
File created	C:\windows\SysWOW64\KGFV.exe	EGYHREJ.exe
File created	C:\windows\SysWOW64\OVZDIKU.exe.bat	FVXQFN.exe
File created	C:\windows\SysWOW64\MHWJLD.exe.bat	CHUW.exe
File created	C:\windows\SysWOW64\SKP.exe.bat	OCJXKF.exe
File opened for modification	C:\windows\SysWOW64\OMR.exe	ROLRAC.exe
File opened for modification	C:\windows\SysWOW64\CGWQT.exe	YYPQH.exe
File created	C:\windows\SysWOW64\BLLO.exe	MQC.exe
File opened for modification	C:\windows\SysWOW64\VRNWHWQ.exe	AEIMX.exe
File created	C:\windows\SysWOW64\SKP.exe	OCJXKF.exe
File created	C:\windows\SysWOW64\EGR.exe.bat	NGPHM.exe
File created	C:\windows\SysWOW64\XMFINK.exe	UZAY.exe
File opened for modification	C:\windows\SysWOW64\SWJNHLS.exe	CGI.exe
File created	C:\windows\SysWOW64\OSU.exe.bat	RMOKNO.exe
File created	C:\windows\SysWOW64\KMQ.exe	MMIPFN.exe
File created	C:\windows\SysWOW64\MHWJLD.exe	CHUW.exe
File opened for modification	C:\windows\SysWOW64\ADYDMN.exe	ZFWBOQV.exe
File created	C:\windows\SysWOW64\REWQ.exe	MEV.exe
File created	C:\windows\SysWOW64\KHDLXQG.exe	PUYCNQ.exe
File created	C:\windows\SysWOW64\JLX.exe	DLPPHCF.exe
File created	C:\windows\SysWOW64\CGWQT.exe.bat	YYPQH.exe
File created	C:\windows\SysWOW64\UFXR.exe.bat	XARCMKV.exe
File created	C:\windows\SysWOW64\TFYQ.exe	BCV.exe
File opened for modification	C:\windows\SysWOW64\BRVJQQZ.exe	VRNWHWQ.exe
File opened for modification	C:\windows\SysWOW64\KFJSPC.exe	PSEJ.exe
File created	C:\windows\SysWOW64\SWJNHLS.exe	CGI.exe
File created	C:\windows\SysWOW64\XSWN.exe	OSU.exe
File created	C:\windows\SysWOW64\REWQ.exe.bat	MEV.exe
File opened for modification	C:\windows\SysWOW64\SKP.exe	OCJXKF.exe
File opened for modification	C:\windows\SysWOW64\KHDLXQG.exe	PUYCNQ.exe
File created	C:\windows\SysWOW64\PBJ.exe.bat	JABFEV.exe
File opened for modification	C:\windows\SysWOW64\MHWJLD.exe	CHUW.exe
File created	C:\windows\SysWOW64\SQGE.exe	HXL.exe
File created	C:\windows\SysWOW64\PDUWJC.exe	XVSRG.exe
File created	C:\windows\SysWOW64\OCJXKF.exe	IHK.exe
File created	C:\windows\SysWOW64\KHDLXQG.exe.bat	PUYCNQ.exe
File created	C:\windows\SysWOW64\KVX.exe	TMVKAQH.exe
File created	C:\windows\SysWOW64\BWJLX.exe	VWBXOZO.exe
File opened for modification	C:\windows\SysWOW64\BWJLX.exe	VWBXOZO.exe
File created	C:\windows\SysWOW64\TOWS.exe	KFU.exe
File opened for modification	C:\windows\SysWOW64\LAL.exe	ZHIRIW.exe
File created	C:\windows\SysWOW64\JABFEV.exe.bat	ONWO.exe
File opened for modification	C:\windows\SysWOW64\KTOFYBQ.exe	ZBLMQU.exe
File created	C:\windows\SysWOW64\DHHDRV.exe.bat	IUCTP.exe
File created	C:\windows\SysWOW64\PDUWJC.exe.bat	XVSRG.exe
File opened for modification	C:\windows\SysWOW64\TFYQ.exe	BCV.exe
File created	C:\windows\SysWOW64\OMR.exe	ROLRAC.exe
File created	C:\windows\SysWOW64\BRVJQQZ.exe	VRNWHWQ.exe
File opened for modification	C:\windows\SysWOW64\PSEJ.exe	TMYM.exe
File created	C:\windows\SysWOW64\FWSFEAS.exe.bat	OVQST.exe
File created	C:\windows\SysWOW64\AKZXJTA.exe.bat	PRWFBM.exe
File created	C:\windows\SysWOW64\IUKP.exe	PQGTD.exe
File opened for modification	C:\windows\SysWOW64\KGFV.exe	EGYHREJ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\UIJ.exe	DHHDRV.exe
File opened for modification	C:\windows\system\MRO.exe	SWJNHLS.exe
File created	C:\windows\LPZFBJ.exe.bat	SSVZO.exe
File created	C:\windows\system\CTOWTFC.exe	KLMRHZ.exe
File opened for modification	C:\windows\NMKPCXD.exe	WZZXVB.exe
File opened for modification	C:\windows\system\AWFJBG.exe	YGLPVJ.exe
File opened for modification	C:\windows\system\HQT.exe	YLJUR.exe
File created	C:\windows\IHESX.exe	JWOCX.exe
File created	C:\windows\YAYF.exe	NHVNY.exe
File opened for modification	C:\windows\TXJGRGI.exe	YKEXG.exe
File created	C:\windows\system\VKOUHTE.exe	BWJLX.exe
File created	C:\windows\TLBWW.exe	PDUWJC.exe
File opened for modification	C:\windows\BNIR.exe	NCMTR.exe
File created	C:\windows\system\MRO.exe	SWJNHLS.exe
File created	C:\windows\system\HZQ.exe.bat	YQOSXE.exe
File created	C:\windows\PRWFBM.exe	JRPRS.exe
File created	C:\windows\UATIFU.exe.bat	OALU.exe
File created	C:\windows\system\FSQ.exe	VKOUHTE.exe
File created	C:\windows\system\WPJLJ.exe.bat	KHDLXQG.exe
File created	C:\windows\DLPPHCF.exe	TCNK.exe
File opened for modification	C:\windows\system\WPF.exe	AKZXJTA.exe
File created	C:\windows\system\AXSRHOG.exe.bat	LCJN.exe
File created	C:\windows\FVXQFN.exe	IPRB.exe
File created	C:\windows\FVXQFN.exe.bat	IPRB.exe
File created	C:\windows\NLKYDP.exe	OVZDIKU.exe
File created	C:\windows\KLMRHZ.exe	GDF.exe
File opened for modification	C:\windows\system\QNR.exe	YNPFNPV.exe
File created	C:\windows\system\CSWR.exe.bat	WSOD.exe
File created	C:\windows\system\MRO.exe.bat	SWJNHLS.exe
File opened for modification	C:\windows\JWOCX.exe	PBJ.exe
File created	C:\windows\IUCTP.exe	OZX.exe
File created	C:\windows\system\KFU.exe	EFNZKV.exe
File created	C:\windows\SZEG.exe.bat	MYWSDLK.exe
File created	C:\windows\OSDHIJ.exe	TFYQ.exe
File created	C:\windows\system\QOB.exe.bat	FVGWCA.exe
File opened for modification	C:\windows\VOL.exe	QDHD.exe
File created	C:\windows\TXJGRGI.exe	YKEXG.exe
File created	C:\windows\PBPTN.exe	VOL.exe
File created	C:\windows\ZFWBOQV.exe.bat	BEPNX.exe
File created	C:\windows\PUYCNQ.exe	ARH.exe
File opened for modification	C:\windows\system\TPAECDN.exe	XJVPV.exe
File opened for modification	C:\windows\UATIFU.exe	OALU.exe
File created	C:\windows\WSOD.exe.bat	LAL.exe
File created	C:\windows\system\TMN.exe.bat	IUKP.exe
File created	C:\windows\system\SMVLNYZ.exe.bat	HUS.exe
File created	C:\windows\system\PKW.exe.bat	LUQJW.exe
File opened for modification	C:\windows\system\ZBLMQU.exe	XDS.exe
File created	C:\windows\system\QNR.exe.bat	YNPFNPV.exe
File created	C:\windows\LUQJW.exe.bat	CTOWTFC.exe
File created	C:\windows\JOGSNUA.exe.bat	JAGDMH.exe
File opened for modification	C:\windows\system\SMVLNYZ.exe	HUS.exe
File created	C:\windows\HXL.exe.bat	MKGCVU.exe
File opened for modification	C:\windows\system\OVQST.exe	KFJSPC.exe
File opened for modification	C:\windows\DLPPHCF.exe	TCNK.exe
File created	C:\windows\LCJN.exe.bat	BUH.exe
File created	C:\windows\system\MYWSDLK.exe.bat	ZVA.exe
File created	C:\windows\system\XDS.exe.bat	IIAFY.exe
File created	C:\windows\system\TMN.exe	IUKP.exe
File opened for modification	C:\windows\NHVNY.exe	KMQ.exe
File opened for modification	C:\windows\TLBWW.exe	PDUWJC.exe
File opened for modification	C:\windows\SZEG.exe	MYWSDLK.exe
File created	C:\windows\system\YQOSXE.exe.bat	SQGE.exe
File created	C:\windows\system\OVQST.exe.bat	KFJSPC.exe
File created	C:\windows\URBKP.exe	FWSFEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
448	3640	WerFault.exe	82
3400	1544	WerFault.exe	90
1796	2608	WerFault.exe	96
4720	4600	WerFault.exe	101
2212	3812	WerFault.exe	106
4412	1368	WerFault.exe	111
2456	408	WerFault.exe	116
812	4264	WerFault.exe	121
4512	560	WerFault.exe	126
2624	4200	WerFault.exe	131
524	2960	WerFault.exe	136
2608	2168	WerFault.exe	141
1780	4732	WerFault.exe	146
4628	1816	WerFault.exe	151
2020	1872	WerFault.exe	156
2120	2492	WerFault.exe	161
872	3384	WerFault.exe	166
3404	988	WerFault.exe	171
5072	2244	WerFault.exe	176
5084	2908	WerFault.exe	181
856	4584	WerFault.exe	186
3972	4908	WerFault.exe	191
3024	464	WerFault.exe	196
772	880	WerFault.exe	201
3692	4944	WerFault.exe	206
1428	3708	WerFault.exe	211
3920	1508	WerFault.exe	216
4360	1452	WerFault.exe	221
444	5060	WerFault.exe	226
2908	3664	WerFault.exe	231
3984	4672	WerFault.exe	236
944	4440	WerFault.exe	241
868	3996	WerFault.exe	246
880	3012	WerFault.exe	251
3136	5020	WerFault.exe	256
2456	2292	WerFault.exe	261
1880	872	WerFault.exe	266
1512	3784	WerFault.exe	271
1948	560	WerFault.exe	276
3984	1588	WerFault.exe	281
2556	400	WerFault.exe	288
3468	4440	WerFault.exe	293
3012	1816	WerFault.exe	298
640	4244	WerFault.exe	303
2508	1664	WerFault.exe	307
1704	4304	WerFault.exe	313
2752	988	WerFault.exe	319
1008	2688	WerFault.exe	324
2976	3508	WerFault.exe	329
852	1784	WerFault.exe	334
4324	3464	WerFault.exe	339
3136	4016	WerFault.exe	344
2888	1364	WerFault.exe	349
1912	4264	WerFault.exe	354
4304	4900	WerFault.exe	359
988	4136	WerFault.exe	364
4584	544	WerFault.exe	369
5040	1924	WerFault.exe	374
4588	3972	WerFault.exe	379
2712	4076	WerFault.exe	384
640	3024	WerFault.exe	389
2672	2032	WerFault.exe	394
3712	4416	WerFault.exe	399
1456	2980	WerFault.exe	404

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
1544	MEV.exe
1544	MEV.exe
2608	REWQ.exe
2608	REWQ.exe
4600	WHA.exe
4600	WHA.exe
3812	TMYM.exe
3812	TMYM.exe
1368	PSEJ.exe
1368	PSEJ.exe
408	KFJSPC.exe
408	KFJSPC.exe
4264	OVQST.exe
4264	OVQST.exe
560	FWSFEAS.exe
560	FWSFEAS.exe
4200	URBKP.exe
4200	URBKP.exe
2960	EZDPTK.exe
2960	EZDPTK.exe
2168	IHK.exe
2168	IHK.exe
4732	OCJXKF.exe
4732	OCJXKF.exe
1816	SKP.exe
1816	SKP.exe
1872	FVGWCA.exe
1872	FVGWCA.exe
2492	QOB.exe
2492	QOB.exe
3384	GECGRD.exe
3384	GECGRD.exe
988	ARH.exe
988	ARH.exe
2244	PUYCNQ.exe
2244	PUYCNQ.exe
2908	KHDLXQG.exe
2908	KHDLXQG.exe
4584	WPJLJ.exe
4584	WPJLJ.exe
4908	NAAJJ.exe
4908	NAAJJ.exe
464	YGLPVJ.exe
464	YGLPVJ.exe
880	AWFJBG.exe
880	AWFJBG.exe
4944	JEHOFDJ.exe
4944	JEHOFDJ.exe
3708	ERLY.exe
3708	ERLY.exe
1508	TMVKAQH.exe
1508	TMVKAQH.exe
1452	KVX.exe
1452	KVX.exe
5060	FICZO.exe
5060	FICZO.exe
3664	UDL.exe
3664	UDL.exe
4672	NGPHM.exe
4672	NGPHM.exe
4440	EGR.exe
4440	EGR.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
1544	MEV.exe
1544	MEV.exe
2608	REWQ.exe
2608	REWQ.exe
4600	WHA.exe
4600	WHA.exe
3812	TMYM.exe
3812	TMYM.exe
1368	PSEJ.exe
1368	PSEJ.exe
408	KFJSPC.exe
408	KFJSPC.exe
4264	OVQST.exe
4264	OVQST.exe
560	FWSFEAS.exe
560	FWSFEAS.exe
4200	URBKP.exe
4200	URBKP.exe
2960	EZDPTK.exe
2960	EZDPTK.exe
2168	IHK.exe
2168	IHK.exe
4732	OCJXKF.exe
4732	OCJXKF.exe
1816	SKP.exe
1816	SKP.exe
1872	FVGWCA.exe
1872	FVGWCA.exe
2492	QOB.exe
2492	QOB.exe
3384	GECGRD.exe
3384	GECGRD.exe
988	ARH.exe
988	ARH.exe
2244	PUYCNQ.exe
2244	PUYCNQ.exe
2908	KHDLXQG.exe
2908	KHDLXQG.exe
4584	WPJLJ.exe
4584	WPJLJ.exe
4908	NAAJJ.exe
4908	NAAJJ.exe
464	YGLPVJ.exe
464	YGLPVJ.exe
880	AWFJBG.exe
880	AWFJBG.exe
4944	JEHOFDJ.exe
4944	JEHOFDJ.exe
3708	ERLY.exe
3708	ERLY.exe
1508	TMVKAQH.exe
1508	TMVKAQH.exe
1452	KVX.exe
1452	KVX.exe
5060	FICZO.exe
5060	FICZO.exe
3664	UDL.exe
3664	UDL.exe
4672	NGPHM.exe
4672	NGPHM.exe
4440	EGR.exe
4440	EGR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 4572	3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	86
PID 3640 wrote to memory of 4572	3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	86
PID 3640 wrote to memory of 4572	3640	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	86
PID 4572 wrote to memory of 1544	4572	cmd.exe	90
PID 4572 wrote to memory of 1544	4572	cmd.exe	90
PID 4572 wrote to memory of 1544	4572	cmd.exe	90
PID 1544 wrote to memory of 1680	1544	MEV.exe	92
PID 1544 wrote to memory of 1680	1544	MEV.exe	92
PID 1544 wrote to memory of 1680	1544	MEV.exe	92
PID 1680 wrote to memory of 2608	1680	cmd.exe	96
PID 1680 wrote to memory of 2608	1680	cmd.exe	96
PID 1680 wrote to memory of 2608	1680	cmd.exe	96
PID 2608 wrote to memory of 3100	2608	REWQ.exe	97
PID 2608 wrote to memory of 3100	2608	REWQ.exe	97
PID 2608 wrote to memory of 3100	2608	REWQ.exe	97
PID 3100 wrote to memory of 4600	3100	cmd.exe	101
PID 3100 wrote to memory of 4600	3100	cmd.exe	101
PID 3100 wrote to memory of 4600	3100	cmd.exe	101
PID 4600 wrote to memory of 5052	4600	WHA.exe	102
PID 4600 wrote to memory of 5052	4600	WHA.exe	102
PID 4600 wrote to memory of 5052	4600	WHA.exe	102
PID 5052 wrote to memory of 3812	5052	cmd.exe	106
PID 5052 wrote to memory of 3812	5052	cmd.exe	106
PID 5052 wrote to memory of 3812	5052	cmd.exe	106
PID 3812 wrote to memory of 2612	3812	TMYM.exe	107
PID 3812 wrote to memory of 2612	3812	TMYM.exe	107
PID 3812 wrote to memory of 2612	3812	TMYM.exe	107
PID 2612 wrote to memory of 1368	2612	cmd.exe	111
PID 2612 wrote to memory of 1368	2612	cmd.exe	111
PID 2612 wrote to memory of 1368	2612	cmd.exe	111
PID 1368 wrote to memory of 396	1368	PSEJ.exe	112
PID 1368 wrote to memory of 396	1368	PSEJ.exe	112
PID 1368 wrote to memory of 396	1368	PSEJ.exe	112
PID 396 wrote to memory of 408	396	cmd.exe	116
PID 396 wrote to memory of 408	396	cmd.exe	116
PID 396 wrote to memory of 408	396	cmd.exe	116
PID 408 wrote to memory of 2120	408	KFJSPC.exe	117
PID 408 wrote to memory of 2120	408	KFJSPC.exe	117
PID 408 wrote to memory of 2120	408	KFJSPC.exe	117
PID 2120 wrote to memory of 4264	2120	cmd.exe	121
PID 2120 wrote to memory of 4264	2120	cmd.exe	121
PID 2120 wrote to memory of 4264	2120	cmd.exe	121
PID 4264 wrote to memory of 2528	4264	OVQST.exe	122
PID 4264 wrote to memory of 2528	4264	OVQST.exe	122
PID 4264 wrote to memory of 2528	4264	OVQST.exe	122
PID 2528 wrote to memory of 560	2528	cmd.exe	126
PID 2528 wrote to memory of 560	2528	cmd.exe	126
PID 2528 wrote to memory of 560	2528	cmd.exe	126
PID 560 wrote to memory of 1412	560	FWSFEAS.exe	127
PID 560 wrote to memory of 1412	560	FWSFEAS.exe	127
PID 560 wrote to memory of 1412	560	FWSFEAS.exe	127
PID 1412 wrote to memory of 4200	1412	cmd.exe	131
PID 1412 wrote to memory of 4200	1412	cmd.exe	131
PID 1412 wrote to memory of 4200	1412	cmd.exe	131
PID 4200 wrote to memory of 1172	4200	URBKP.exe	132
PID 4200 wrote to memory of 1172	4200	URBKP.exe	132
PID 4200 wrote to memory of 1172	4200	URBKP.exe	132
PID 1172 wrote to memory of 2960	1172	cmd.exe	136
PID 1172 wrote to memory of 2960	1172	cmd.exe	136
PID 1172 wrote to memory of 2960	1172	cmd.exe	136
PID 2960 wrote to memory of 208	2960	EZDPTK.exe	137
PID 2960 wrote to memory of 208	2960	EZDPTK.exe	137
PID 2960 wrote to memory of 208	2960	EZDPTK.exe	137
PID 208 wrote to memory of 2168	208	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
"C:\Users\Admin\AppData\Local\Temp\cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MEV.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\windows\SysWOW64\MEV.exe
    C:\windows\system32\MEV.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\REWQ.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\windows\SysWOW64\REWQ.exe
        
        C:\windows\system32\REWQ.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WHA.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\windows\WHA.exe
        
        C:\windows\WHA.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TMYM.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\windows\system\TMYM.exe
        
        C:\windows\system\TMYM.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSEJ.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\windows\SysWOW64\PSEJ.exe
        
        C:\windows\system32\PSEJ.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFJSPC.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\windows\SysWOW64\KFJSPC.exe
        
        C:\windows\system32\KFJSPC.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVQST.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\windows\system\OVQST.exe
        
        C:\windows\system\OVQST.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWSFEAS.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\windows\SysWOW64\FWSFEAS.exe
        
        C:\windows\system32\FWSFEAS.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\URBKP.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\windows\URBKP.exe
        
        C:\windows\URBKP.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EZDPTK.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\windows\EZDPTK.exe
        
        C:\windows\EZDPTK.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IHK.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\windows\IHK.exe
        
        C:\windows\IHK.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCJXKF.exe.bat" "
        24⤵
        
        PID:3392
        
        C:\windows\SysWOW64\OCJXKF.exe
        
        C:\windows\system32\OCJXKF.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKP.exe.bat" "
        26⤵
        
        PID:756
        
        C:\windows\SysWOW64\SKP.exe
        
        C:\windows\system32\SKP.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FVGWCA.exe.bat" "
        28⤵
        
        PID:2196
        
        C:\windows\FVGWCA.exe
        
        C:\windows\FVGWCA.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QOB.exe.bat" "
        30⤵
        
        PID:1968
        
        C:\windows\system\QOB.exe
        
        C:\windows\system\QOB.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GECGRD.exe.bat" "
        32⤵
        
        PID:1648
        
        C:\windows\GECGRD.exe
        
        C:\windows\GECGRD.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARH.exe.bat" "
        34⤵
        
        PID:1672
        
        C:\windows\system\ARH.exe
        
        C:\windows\system\ARH.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PUYCNQ.exe.bat" "
        36⤵
        
        PID:3108
        
        C:\windows\PUYCNQ.exe
        
        C:\windows\PUYCNQ.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KHDLXQG.exe.bat" "
        38⤵
        
        PID:4340
        
        C:\windows\SysWOW64\KHDLXQG.exe
        
        C:\windows\system32\KHDLXQG.exe
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WPJLJ.exe.bat" "
        40⤵
        
        PID:4700
        
        C:\windows\system\WPJLJ.exe
        
        C:\windows\system\WPJLJ.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAAJJ.exe.bat" "
        42⤵
        
        PID:3500
        
        C:\windows\system\NAAJJ.exe
        
        C:\windows\system\NAAJJ.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YGLPVJ.exe.bat" "
        44⤵
        
        PID:5052
        
        C:\windows\YGLPVJ.exe
        
        C:\windows\YGLPVJ.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AWFJBG.exe.bat" "
        46⤵
        
        PID:3652
        
        C:\windows\system\AWFJBG.exe
        
        C:\windows\system\AWFJBG.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JEHOFDJ.exe.bat" "
        48⤵
        
        PID:2612
        
        C:\windows\system\JEHOFDJ.exe
        
        C:\windows\system\JEHOFDJ.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERLY.exe.bat" "
        50⤵
        
        PID:404
        
        C:\windows\system\ERLY.exe
        
        C:\windows\system\ERLY.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TMVKAQH.exe.bat" "
        52⤵
        
        PID:2216
        
        C:\windows\TMVKAQH.exe
        
        C:\windows\TMVKAQH.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVX.exe.bat" "
        54⤵
        
        PID:4692
        
        C:\windows\SysWOW64\KVX.exe
        
        C:\windows\system32\KVX.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FICZO.exe.bat" "
        56⤵
        
        PID:3404
        
        C:\windows\SysWOW64\FICZO.exe
        
        C:\windows\system32\FICZO.exe
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UDL.exe.bat" "
        58⤵
        
        PID:2624
        
        C:\windows\system\UDL.exe
        
        C:\windows\system\UDL.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NGPHM.exe.bat" "
        60⤵
        
        PID:3400
        
        C:\windows\system\NGPHM.exe
        
        C:\windows\system\NGPHM.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGR.exe.bat" "
        62⤵
        
        PID:1168
        
        C:\windows\SysWOW64\EGR.exe
        
        C:\windows\system32\EGR.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJVPV.exe.bat" "
        64⤵
        
        PID:524
        
        C:\windows\system\XJVPV.exe
        
        C:\windows\system\XJVPV.exe
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TPAECDN.exe.bat" "
        66⤵
        
        PID:3028
        
        C:\windows\system\TPAECDN.exe
        
        C:\windows\system\TPAECDN.exe
        67⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPC.exe.bat" "
        68⤵
        
        PID:4380
        
        C:\windows\system\CPC.exe
        
        C:\windows\system\CPC.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TCNK.exe.bat" "
        70⤵
        
        PID:3916
        
        C:\windows\TCNK.exe
        
        C:\windows\TCNK.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DLPPHCF.exe.bat" "
        72⤵
        
        PID:4204
        
        C:\windows\DLPPHCF.exe
        
        C:\windows\DLPPHCF.exe
        73⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLX.exe.bat" "
        74⤵
        
        PID:4348
        
        C:\windows\SysWOW64\JLX.exe
        
        C:\windows\system32\JLX.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JRPRS.exe.bat" "
        76⤵
        
        PID:4360
        
        C:\windows\JRPRS.exe
        
        C:\windows\JRPRS.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PRWFBM.exe.bat" "
        78⤵
        
        PID:448
        
        C:\windows\PRWFBM.exe
        
        C:\windows\PRWFBM.exe
        79⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AKZXJTA.exe.bat" "
        80⤵
        
        PID:3396
        
        C:\windows\SysWOW64\AKZXJTA.exe
        
        C:\windows\system32\AKZXJTA.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WPF.exe.bat" "
        82⤵
        
        PID:4048
        
        C:\windows\system\WPF.exe
        
        C:\windows\system\WPF.exe
        83⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IIAFY.exe.bat" "
        84⤵
        
        PID:3212
        
        C:\windows\IIAFY.exe
        
        C:\windows\IIAFY.exe
        85⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XDS.exe.bat" "
        86⤵
        
        PID:3620
        
        C:\windows\system\XDS.exe
        
        C:\windows\system\XDS.exe
        87⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZBLMQU.exe.bat" "
        88⤵
        
        PID:4880
        
        C:\windows\system\ZBLMQU.exe
        
        C:\windows\system\ZBLMQU.exe
        89⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KTOFYBQ.exe.bat" "
        90⤵
        
        PID:2672
        
        C:\windows\SysWOW64\KTOFYBQ.exe
        
        C:\windows\system32\KTOFYBQ.exe
        91⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ROLRAC.exe.bat" "
        92⤵
        
        PID:3792
        
        C:\windows\ROLRAC.exe
        
        C:\windows\ROLRAC.exe
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMR.exe.bat" "
        94⤵
        
        PID:652
        
        C:\windows\SysWOW64\OMR.exe
        
        C:\windows\system32\OMR.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UMY.exe.bat" "
        96⤵
        
        PID:3364
        
        C:\windows\system\UMY.exe
        
        C:\windows\system\UMY.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MPCXDWC.exe.bat" "
        98⤵
        
        PID:1908
        
        C:\windows\MPCXDWC.exe
        
        C:\windows\MPCXDWC.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SPKL.exe.bat" "
        100⤵
        
        PID:4504
        
        C:\windows\SPKL.exe
        
        C:\windows\SPKL.exe
        101⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YLJUR.exe.bat" "
        102⤵
        
        PID:4820
        
        C:\windows\system\YLJUR.exe
        
        C:\windows\system\YLJUR.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HQT.exe.bat" "
        104⤵
        
        PID:4792
        
        C:\windows\system\HQT.exe
        
        C:\windows\system\HQT.exe
        105⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KLYVR.exe.bat" "
        106⤵
        
        PID:3384
        
        C:\windows\system\KLYVR.exe
        
        C:\windows\system\KLYVR.exe
        107⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IZPWOB.exe.bat" "
        108⤵
        
        PID:408
        
        C:\windows\IZPWOB.exe
        
        C:\windows\IZPWOB.exe
        109⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OZX.exe.bat" "
        110⤵
        
        PID:228
        
        C:\windows\SysWOW64\OZX.exe
        
        C:\windows\system32\OZX.exe
        111⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IUCTP.exe.bat" "
        112⤵
        
        PID:2448
        
        C:\windows\IUCTP.exe
        
        C:\windows\IUCTP.exe
        113⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DHHDRV.exe.bat" "
        114⤵
        
        PID:5112
        
        C:\windows\SysWOW64\DHHDRV.exe
        
        C:\windows\system32\DHHDRV.exe
        115⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UIJ.exe.bat" "
        116⤵
        
        PID:2556
        
        C:\windows\UIJ.exe
        
        C:\windows\UIJ.exe
        117⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YYPQH.exe.bat" "
        118⤵
        
        PID:1692
        
        C:\windows\YYPQH.exe
        
        C:\windows\YYPQH.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGWQT.exe.bat" "
        120⤵
        
        PID:320
        
        C:\windows\SysWOW64\CGWQT.exe
        
        C:\windows\system32\CGWQT.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYZI.exe.bat" "
        122⤵
        
        PID:5028
        
        C:\windows\system\OYZI.exe
        
        C:\windows\system\OYZI.exe
        123⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ROF.exe.bat" "
        124⤵
        
        PID:1040
        
        C:\windows\ROF.exe
        
        C:\windows\ROF.exe
        125⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XPN.exe.bat" "
        126⤵
        
        PID:2784
        
        C:\windows\SysWOW64\XPN.exe
        
        C:\windows\system32\XPN.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OALU.exe.bat" "
        128⤵
        
        PID:3400
        
        C:\windows\SysWOW64\OALU.exe
        
        C:\windows\system32\OALU.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UATIFU.exe.bat" "
        130⤵
        
        PID:3220
        
        C:\windows\UATIFU.exe
        
        C:\windows\UATIFU.exe
        131⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONQ.exe.bat" "
        132⤵
        
        PID:2608
        
        C:\windows\ONQ.exe
        
        C:\windows\ONQ.exe
        133⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UNXFZ.exe.bat" "
        134⤵
        
        PID:2676
        
        C:\windows\UNXFZ.exe
        
        C:\windows\UNXFZ.exe
        135⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PBCWJWY.exe.bat" "
        136⤵
        
        PID:4908
        
        C:\windows\system\PBCWJWY.exe
        
        C:\windows\system\PBCWJWY.exe
        137⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWBXOZO.exe.bat" "
        138⤵
        
        PID:4892
        
        C:\windows\SysWOW64\VWBXOZO.exe
        
        C:\windows\system32\VWBXOZO.exe
        139⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BWJLX.exe.bat" "
        140⤵
        
        PID:1648
        
        C:\windows\SysWOW64\BWJLX.exe
        
        C:\windows\system32\BWJLX.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKOUHTE.exe.bat" "
        142⤵
        
        PID:4152
        
        C:\windows\system\VKOUHTE.exe
        
        C:\windows\system\VKOUHTE.exe
        143⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FSQ.exe.bat" "
        144⤵
        
        PID:4568
        
        C:\windows\system\FSQ.exe
        
        C:\windows\system\FSQ.exe
        145⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIPK.exe.bat" "
        146⤵
        
        PID:2348
        
        C:\windows\SysWOW64\DIPK.exe
        
        C:\windows\system32\DIPK.exe
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SDGOH.exe.bat" "
        148⤵
        
        PID:1584
        
        C:\windows\SysWOW64\SDGOH.exe
        
        C:\windows\system32\SDGOH.exe
        149⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LGYSL.exe.bat" "
        150⤵
        
        PID:1168
        
        C:\windows\LGYSL.exe
        
        C:\windows\LGYSL.exe
        151⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ULI.exe.bat" "
        152⤵
        
        PID:3328
        
        C:\windows\system\ULI.exe
        
        C:\windows\system\ULI.exe
        153⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZAY.exe.bat" "
        154⤵
        
        PID:1404
        
        C:\windows\UZAY.exe
        
        C:\windows\UZAY.exe
        155⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XMFINK.exe.bat" "
        156⤵
        
        PID:4024
        
        C:\windows\SysWOW64\XMFINK.exe
        
        C:\windows\system32\XMFINK.exe
        157⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NCMTR.exe.bat" "
        158⤵
        
        PID:4332
        
        C:\windows\system\NCMTR.exe
        
        C:\windows\system\NCMTR.exe
        159⤵
        Drops file in Windows directory
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BNIR.exe.bat" "
        160⤵
        
        PID:4944
        
        C:\windows\BNIR.exe
        
        C:\windows\BNIR.exe
        161⤵
        Checks computer location settings
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YNPFNPV.exe.bat" "
        162⤵
        
        PID:4236
        
        C:\windows\system\YNPFNPV.exe
        
        C:\windows\system\YNPFNPV.exe
        163⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNR.exe.bat" "
        164⤵
        
        PID:1748
        
        C:\windows\system\QNR.exe
        
        C:\windows\system\QNR.exe
        165⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QGALE.exe.bat" "
        166⤵
        
        PID:652
        
        C:\windows\system\QGALE.exe
        
        C:\windows\system\QGALE.exe
        167⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HGCQIE.exe.bat" "
        168⤵
        
        PID:4584
        
        C:\windows\system\HGCQIE.exe
        
        C:\windows\system\HGCQIE.exe
        169⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUH.exe.bat" "
        170⤵
        
        PID:3764
        
        C:\windows\SysWOW64\BUH.exe
        
        C:\windows\system32\BUH.exe
        171⤵
        Drops file in Windows directory
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LCJN.exe.bat" "
        172⤵
        
        PID:1136
        
        C:\windows\LCJN.exe
        
        C:\windows\LCJN.exe
        173⤵
        Drops file in Windows directory
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXSRHOG.exe.bat" "
        174⤵
        
        PID:1608
        
        C:\windows\system\AXSRHOG.exe
        
        C:\windows\system\AXSRHOG.exe
        175⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EFNZKV.exe.bat" "
        176⤵
        
        PID:3136
        
        C:\windows\system\EFNZKV.exe
        
        C:\windows\system\EFNZKV.exe
        177⤵
        Drops file in Windows directory
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KFU.exe.bat" "
        178⤵
        
        PID:4840
        
        C:\windows\system\KFU.exe
        
        C:\windows\system\KFU.exe
        179⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TOWS.exe.bat" "
        180⤵
        
        PID:4076
        
        C:\windows\SysWOW64\TOWS.exe
        
        C:\windows\system32\TOWS.exe
        181⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XWDA.exe.bat" "
        182⤵
        
        PID:3632
        
        C:\windows\system\XWDA.exe
        
        C:\windows\system\XWDA.exe
        183⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IOG.exe.bat" "
        184⤵
        
        PID:452
        
        C:\windows\IOG.exe
        
        C:\windows\IOG.exe
        185⤵
        Checks computer location settings
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXIYCS.exe.bat" "
        186⤵
        
        PID:4984
        
        C:\windows\system\AXIYCS.exe
        
        C:\windows\system\AXIYCS.exe
        187⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHIRIW.exe.bat" "
        188⤵
        
        PID:1008
        
        C:\windows\system\ZHIRIW.exe
        
        C:\windows\system\ZHIRIW.exe
        189⤵
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAL.exe.bat" "
        190⤵
        
        PID:2284
        
        C:\windows\SysWOW64\LAL.exe
        
        C:\windows\system32\LAL.exe
        191⤵
        Drops file in Windows directory
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WSOD.exe.bat" "
        192⤵
        
        PID:3892
        
        C:\windows\WSOD.exe
        
        C:\windows\WSOD.exe
        193⤵
        Drops file in Windows directory
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CSWR.exe.bat" "
        194⤵
        
        PID:5104
        
        C:\windows\system\CSWR.exe
        
        C:\windows\system\CSWR.exe
        195⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CLXSVZ.exe.bat" "
        196⤵
        
        PID:1800
        
        C:\windows\CLXSVZ.exe
        
        C:\windows\CLXSVZ.exe
        197⤵
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGI.exe.bat" "
        198⤵
        
        PID:2340
        
        C:\windows\SysWOW64\CGI.exe
        
        C:\windows\system32\CGI.exe
        199⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SWJNHLS.exe.bat" "
        200⤵
        
        PID:3792
        
        C:\windows\SysWOW64\SWJNHLS.exe
        
        C:\windows\system32\SWJNHLS.exe
        201⤵
        Drops file in Windows directory
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MRO.exe.bat" "
        202⤵
        
        PID:4620
        
        C:\windows\system\MRO.exe
        
        C:\windows\system\MRO.exe
        203⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HFLGU.exe.bat" "
        204⤵
        
        PID:2960
        
        C:\windows\system\HFLGU.exe
        
        C:\windows\system\HFLGU.exe
        205⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XVSRG.exe.bat" "
        206⤵
        
        PID:912
        
        C:\windows\XVSRG.exe
        
        C:\windows\XVSRG.exe
        207⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDUWJC.exe.bat" "
        208⤵
        
        PID:2868
        
        C:\windows\SysWOW64\PDUWJC.exe
        
        C:\windows\system32\PDUWJC.exe
        209⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TLBWW.exe.bat" "
        210⤵
        
        PID:4564
        
        C:\windows\TLBWW.exe
        
        C:\windows\TLBWW.exe
        211⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PQGTD.exe.bat" "
        212⤵
        
        PID:3156
        
        C:\windows\PQGTD.exe
        
        C:\windows\PQGTD.exe
        213⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IUKP.exe.bat" "
        214⤵
        
        PID:5056
        
        C:\windows\SysWOW64\IUKP.exe
        
        C:\windows\system32\IUKP.exe
        215⤵
        Drops file in Windows directory
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TMN.exe.bat" "
        216⤵
        
        PID:808
        
        C:\windows\system\TMN.exe
        
        C:\windows\system\TMN.exe
        217⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZMNVH.exe.bat" "
        218⤵
        
        PID:2460
        
        C:\windows\system\ZMNVH.exe
        
        C:\windows\system\ZMNVH.exe
        219⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INPALBX.exe.bat" "
        220⤵
        
        PID:1544
        
        C:\windows\SysWOW64\INPALBX.exe
        
        C:\windows\system32\INPALBX.exe
        221⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONWO.exe.bat" "
        222⤵
        
        PID:3076
        
        C:\windows\SysWOW64\ONWO.exe
        
        C:\windows\system32\ONWO.exe
        223⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JABFEV.exe.bat" "
        224⤵
        
        PID:2696
        
        C:\windows\SysWOW64\JABFEV.exe
        
        C:\windows\system32\JABFEV.exe
        225⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PBJ.exe.bat" "
        226⤵
        
        PID:448
        
        C:\windows\SysWOW64\PBJ.exe
        
        C:\windows\system32\PBJ.exe
        227⤵
        Drops file in Windows directory
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JWOCX.exe.bat" "
        228⤵
        
        PID:2868
        
        C:\windows\JWOCX.exe
        
        C:\windows\JWOCX.exe
        229⤵
        Drops file in Windows directory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IHESX.exe.bat" "
        230⤵
        
        PID:1588
        
        C:\windows\IHESX.exe
        
        C:\windows\IHESX.exe
        231⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RMOKNO.exe.bat" "
        232⤵
        
        PID:3576
        
        C:\windows\SysWOW64\RMOKNO.exe
        
        C:\windows\system32\RMOKNO.exe
        233⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSU.exe.bat" "
        234⤵
        
        PID:1076
        
        C:\windows\SysWOW64\OSU.exe
        
        C:\windows\system32\OSU.exe
        235⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSWN.exe.bat" "
        236⤵
        
        PID:1352
        
        C:\windows\SysWOW64\XSWN.exe
        
        C:\windows\system32\XSWN.exe
        237⤵
        Checks computer location settings
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OAYAJSS.exe.bat" "
        238⤵
        
        PID:3068
        
        C:\windows\OAYAJSS.exe
        
        C:\windows\OAYAJSS.exe
        239⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XNJ.exe.bat" "
        240⤵
        
        PID:4796
        
        C:\windows\system\XNJ.exe
        
        C:\windows\system\XNJ.exe
        241⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JGMC.exe.bat" "
        242⤵
        
        PID:3632
        
        C:\windows\system\JGMC.exe
        
        C:\windows\system\JGMC.exe
        243⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RMERA.exe.bat" "
        244⤵
        
        PID:1512
        
        C:\windows\SysWOW64\RMERA.exe
        
        C:\windows\system32\RMERA.exe
        245⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWNSO.exe.bat" "
        246⤵
        
        PID:856
        
        C:\windows\system\QWNSO.exe
        
        C:\windows\system\QWNSO.exe
        247⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EHJRTN.exe.bat" "
        248⤵
        
        PID:3876
        
        C:\windows\system\EHJRTN.exe
        
        C:\windows\system\EHJRTN.exe
        249⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PAMKCUX.exe.bat" "
        250⤵
        
        PID:4060
        
        C:\windows\system\PAMKCUX.exe
        
        C:\windows\system\PAMKCUX.exe
        251⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TISSO.exe.bat" "
        252⤵
        
        PID:3636
        
        C:\windows\TISSO.exe
        
        C:\windows\TISSO.exe
        253⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQUXRK.exe.bat" "
        254⤵
        
        PID:1096
        
        C:\windows\system\CQUXRK.exe
        
        C:\windows\system\CQUXRK.exe
        255⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZVA.exe.bat" "
        256⤵
        
        PID:1872
        
        C:\windows\ZVA.exe
        
        C:\windows\ZVA.exe
        257⤵
        Drops file in Windows directory
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYWSDLK.exe.bat" "
        258⤵
        
        PID:2672
        
        C:\windows\system\MYWSDLK.exe
        
        C:\windows\system\MYWSDLK.exe
        259⤵
        Drops file in Windows directory
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SZEG.exe.bat" "
        260⤵
        
        PID:1876
        
        C:\windows\SZEG.exe
        
        C:\windows\SZEG.exe
        261⤵
        Checks computer location settings
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMIPFN.exe.bat" "
        262⤵
        
        PID:1976
        
        C:\windows\SysWOW64\MMIPFN.exe
        
        C:\windows\system32\MMIPFN.exe
        263⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMQ.exe.bat" "
        264⤵
        
        PID:2784
        
        C:\windows\SysWOW64\KMQ.exe
        
        C:\windows\system32\KMQ.exe
        265⤵
        Drops file in Windows directory
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHVNY.exe.bat" "
        266⤵
        
        PID:3948
        
        C:\windows\NHVNY.exe
        
        C:\windows\NHVNY.exe
        267⤵
        Drops file in Windows directory
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YAYF.exe.bat" "
        268⤵
        
        PID:560
        
        C:\windows\YAYF.exe
        
        C:\windows\YAYF.exe
        269⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JTTYG.exe.bat" "
        270⤵
        
        PID:4760
        
        C:\windows\system\JTTYG.exe
        
        C:\windows\system\JTTYG.exe
        271⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGYHREJ.exe.bat" "
        272⤵
        
        PID:3116
        
        C:\windows\SysWOW64\EGYHREJ.exe
        
        C:\windows\system32\EGYHREJ.exe
        273⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGFV.exe.bat" "
        274⤵
        
        PID:4912
        
        C:\windows\SysWOW64\KGFV.exe
        
        C:\windows\system32\KGFV.exe
        275⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\THHADD.exe.bat" "
        276⤵
        
        PID:2248
        
        C:\windows\THHADD.exe
        
        C:\windows\THHADD.exe
        277⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EZKTLLC.exe.bat" "
        278⤵
        
        PID:3412
        
        C:\windows\EZKTLLC.exe
        
        C:\windows\EZKTLLC.exe
        279⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IPRB.exe.bat" "
        280⤵
        
        PID:4940
        
        C:\windows\IPRB.exe
        
        C:\windows\IPRB.exe
        281⤵
        Drops file in Windows directory
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FVXQFN.exe.bat" "
        282⤵
        
        PID:3076
        
        C:\windows\FVXQFN.exe
        
        C:\windows\FVXQFN.exe
        283⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVZDIKU.exe.bat" "
        284⤵
        
        PID:4348
        
        C:\windows\SysWOW64\OVZDIKU.exe
        
        C:\windows\system32\OVZDIKU.exe
        285⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NLKYDP.exe.bat" "
        286⤵
        
        PID:3108
        
        C:\windows\NLKYDP.exe
        
        C:\windows\NLKYDP.exe
        287⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AWOFIHF.exe.bat" "
        288⤵
        
        PID:2868
        
        C:\windows\AWOFIHF.exe
        
        C:\windows\AWOFIHF.exe
        289⤵
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABGTKUA.exe.bat" "
        290⤵
        
        PID:2748
        
        C:\windows\SysWOW64\ABGTKUA.exe
        
        C:\windows\system32\ABGTKUA.exe
        291⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ROR.exe.bat" "
        292⤵
        
        PID:4400
        
        C:\windows\system\ROR.exe
        
        C:\windows\system\ROR.exe
        293⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHUW.exe.bat" "
        294⤵
        
        PID:4444
        
        C:\windows\system\CHUW.exe
        
        C:\windows\system\CHUW.exe
        295⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MHWJLD.exe.bat" "
        296⤵
        
        PID:2216
        
        C:\windows\SysWOW64\MHWJLD.exe
        
        C:\windows\system32\MHWJLD.exe
        297⤵
        Checks computer location settings
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XARCMKV.exe.bat" "
        298⤵
        
        PID:3772
        
        C:\windows\system\XARCMKV.exe
        
        C:\windows\system\XARCMKV.exe
        299⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFXR.exe.bat" "
        300⤵
        
        PID:1808
        
        C:\windows\SysWOW64\UFXR.exe
        
        C:\windows\system32\UFXR.exe
        301⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JAGDMH.exe.bat" "
        302⤵
        
        PID:4592
        
        C:\windows\JAGDMH.exe
        
        C:\windows\JAGDMH.exe
        303⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JOGSNUA.exe.bat" "
        304⤵
        
        PID:2456
        
        C:\windows\JOGSNUA.exe
        
        C:\windows\JOGSNUA.exe
        305⤵
        Checks computer location settings
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWNSZ.exe.bat" "
        306⤵
        
        PID:1288
        
        C:\windows\SysWOW64\VWNSZ.exe
        
        C:\windows\system32\VWNSZ.exe
        307⤵
        Checks computer location settings
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWUGIGP.exe.bat" "
        308⤵
        
        PID:5048
        
        C:\windows\system\TWUGIGP.exe
        
        C:\windows\system\TWUGIGP.exe
        309⤵
        Checks computer location settings
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCV.exe.bat" "
        310⤵
        
        PID:3684
        
        C:\windows\SysWOW64\BCV.exe
        
        C:\windows\system32\BCV.exe
        311⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFYQ.exe.bat" "
        312⤵
        
        PID:3996
        
        C:\windows\SysWOW64\TFYQ.exe
        
        C:\windows\system32\TFYQ.exe
        313⤵
        Drops file in Windows directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OSDHIJ.exe.bat" "
        314⤵
        
        PID:1776
        
        C:\windows\OSDHIJ.exe
        
        C:\windows\OSDHIJ.exe
        315⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MQC.exe.bat" "
        316⤵
        
        PID:2768
        
        C:\windows\MQC.exe
        
        C:\windows\MQC.exe
        317⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BLLO.exe.bat" "
        318⤵
        
        PID:1164
        
        C:\windows\SysWOW64\BLLO.exe
        
        C:\windows\system32\BLLO.exe
        319⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NEOHF.exe.bat" "
        320⤵
        
        PID:4820
        
        C:\windows\NEOHF.exe
        
        C:\windows\NEOHF.exe
        321⤵
        Checks computer location settings
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YWRANE.exe.bat" "
        322⤵
        
        PID:1984
        
        C:\windows\YWRANE.exe
        
        C:\windows\YWRANE.exe
        323⤵
        Checks computer location settings
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EXZ.exe.bat" "
        324⤵
        
        PID:432
        
        C:\windows\EXZ.exe
        
        C:\windows\EXZ.exe
        325⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YKEXG.exe.bat" "
        326⤵
        
        PID:2456
        
        C:\windows\system\YKEXG.exe
        
        C:\windows\system\YKEXG.exe
        327⤵
        Drops file in Windows directory
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TXJGRGI.exe.bat" "
        328⤵
        
        PID:4784
        
        C:\windows\TXJGRGI.exe
        
        C:\windows\TXJGRGI.exe
        329⤵
        Checks computer location settings
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QDHD.exe.bat" "
        330⤵
        
        PID:2312
        
        C:\windows\QDHD.exe
        
        C:\windows\QDHD.exe
        331⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VOL.exe.bat" "
        332⤵
        
        PID:3100
        
        C:\windows\VOL.exe
        
        C:\windows\VOL.exe
        333⤵
        Drops file in Windows directory
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PBPTN.exe.bat" "
        334⤵
        
        PID:3444
        
        C:\windows\PBPTN.exe
        
        C:\windows\PBPTN.exe
        335⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DELS.exe.bat" "
        336⤵
        
        PID:1776
        
        C:\windows\DELS.exe
        
        C:\windows\DELS.exe
        337⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HUS.exe.bat" "
        338⤵
        
        PID:2712
        
        C:\windows\system\HUS.exe
        
        C:\windows\system\HUS.exe
        339⤵
        Drops file in Windows directory
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMVLNYZ.exe.bat" "
        340⤵
        
        PID:4496
        
        C:\windows\system\SMVLNYZ.exe
        
        C:\windows\system\SMVLNYZ.exe
        341⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SSVZO.exe.bat" "
        342⤵
        
        PID:1800
        
        C:\windows\SysWOW64\SSVZO.exe
        
        C:\windows\system32\SSVZO.exe
        343⤵
        Drops file in Windows directory
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LPZFBJ.exe.bat" "
        344⤵
        
        PID:4780
        
        C:\windows\LPZFBJ.exe
        
        C:\windows\LPZFBJ.exe
        345⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ESKBGZE.exe.bat" "
        346⤵
        
        PID:2268
        
        C:\windows\ESKBGZE.exe
        
        C:\windows\ESKBGZE.exe
        347⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WWCMKEN.exe.bat" "
        348⤵
        
        PID:4232
        
        C:\windows\WWCMKEN.exe
        
        C:\windows\WWCMKEN.exe
        349⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEIMX.exe.bat" "
        350⤵
        
        PID:4712
        
        C:\windows\AEIMX.exe
        
        C:\windows\AEIMX.exe
        351⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VRNWHWQ.exe.bat" "
        352⤵
        
        PID:444
        
        C:\windows\SysWOW64\VRNWHWQ.exe
        
        C:\windows\system32\VRNWHWQ.exe
        353⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BRVJQQZ.exe.bat" "
        354⤵
        
        PID:4448
        
        C:\windows\SysWOW64\BRVJQQZ.exe
        
        C:\windows\system32\BRVJQQZ.exe
        355⤵
        Checks computer location settings
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFATAQ.exe.bat" "
        356⤵
        
        PID:968
        
        C:\windows\SysWOW64\VFATAQ.exe
        
        C:\windows\system32\VFATAQ.exe
        357⤵
        Checks computer location settings
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAE.exe.bat" "
        358⤵
        
        PID:3576
        
        C:\windows\system\QAE.exe
        
        C:\windows\system\QAE.exe
        359⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HAGP.exe.bat" "
        360⤵
        
        PID:3328
        
        C:\windows\system\HAGP.exe
        
        C:\windows\system\HAGP.exe
        361⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\STBAO.exe.bat" "
        362⤵
        
        PID:1964
        
        C:\windows\STBAO.exe
        
        C:\windows\STBAO.exe
        363⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SLKBC.exe.bat" "
        364⤵
        
        PID:4500
        
        C:\windows\system\SLKBC.exe
        
        C:\windows\system\SLKBC.exe
        365⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NZPLMOP.exe.bat" "
        366⤵
        
        PID:1244
        
        C:\windows\system\NZPLMOP.exe
        
        C:\windows\system\NZPLMOP.exe
        367⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TZXY.exe.bat" "
        368⤵
        
        PID:4200
        
        C:\windows\TZXY.exe
        
        C:\windows\TZXY.exe
        369⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BEPNX.exe.bat" "
        370⤵
        
        PID:3620
        
        C:\windows\BEPNX.exe
        
        C:\windows\BEPNX.exe
        371⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZFWBOQV.exe.bat" "
        372⤵
        
        PID:960
        
        C:\windows\ZFWBOQV.exe
        
        C:\windows\ZFWBOQV.exe
        373⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ADYDMN.exe.bat" "
        374⤵
        
        PID:4428
        
        C:\windows\SysWOW64\ADYDMN.exe
        
        C:\windows\system32\ADYDMN.exe
        375⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GDF.exe.bat" "
        376⤵
        
        PID:2452
        
        C:\windows\system\GDF.exe
        
        C:\windows\system\GDF.exe
        377⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KLMRHZ.exe.bat" "
        378⤵
        
        PID:4416
        
        C:\windows\KLMRHZ.exe
        
        C:\windows\KLMRHZ.exe
        379⤵
        Drops file in Windows directory
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTOWTFC.exe.bat" "
        380⤵
        
        PID:2748
        
        C:\windows\system\CTOWTFC.exe
        
        C:\windows\system\CTOWTFC.exe
        381⤵
        Drops file in Windows directory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LUQJW.exe.bat" "
        382⤵
        
        PID:508
        
        C:\windows\LUQJW.exe
        
        C:\windows\LUQJW.exe
        383⤵
        Drops file in Windows directory
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKW.exe.bat" "
        384⤵
        
        PID:3944
        
        C:\windows\system\PKW.exe
        
        C:\windows\system\PKW.exe
        385⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VKEXS.exe.bat" "
        386⤵
        
        PID:2712
        
        C:\windows\SysWOW64\VKEXS.exe
        
        C:\windows\system32\VKEXS.exe
        387⤵
        Checks computer location settings
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKGCVU.exe.bat" "
        388⤵
        
        PID:3708
        
        C:\windows\system\MKGCVU.exe
        
        C:\windows\system\MKGCVU.exe
        389⤵
        Drops file in Windows directory
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HXL.exe.bat" "
        390⤵
        
        PID:2860
        
        C:\windows\HXL.exe
        
        C:\windows\HXL.exe
        391⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SQGE.exe.bat" "
        392⤵
        
        PID:1508
        
        C:\windows\SysWOW64\SQGE.exe
        
        C:\windows\system32\SQGE.exe
        393⤵
        Drops file in Windows directory
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQOSXE.exe.bat" "
        394⤵
        
        PID:812
        
        C:\windows\system\YQOSXE.exe
        
        C:\windows\system\YQOSXE.exe
        395⤵
        Drops file in Windows directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HZQ.exe.bat" "
        396⤵
        
        PID:1920
        
        C:\windows\system\HZQ.exe
        
        C:\windows\system\HZQ.exe
        397⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YMA.exe.bat" "
        398⤵
        
        PID:4464
        
        C:\windows\YMA.exe
        
        C:\windows\YMA.exe
        399⤵
        Checks computer location settings
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WZZXVB.exe.bat" "
        400⤵
        
        PID:1500
        
        C:\windows\WZZXVB.exe
        
        C:\windows\WZZXVB.exe
        401⤵
        Drops file in Windows directory
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NMKPCXD.exe.bat" "
        402⤵
        
        PID:772
        
        C:\windows\NMKPCXD.exe
        
        C:\windows\NMKPCXD.exe
        403⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIJQH.exe.bat" "
        404⤵
        
        PID:1884
        
        C:\windows\SysWOW64\UIJQH.exe
        
        C:\windows\system32\UIJQH.exe
        405⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 988
        404⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1324
        402⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 960
        400⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 964
        398⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 976
        396⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 964
        394⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1328
        392⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1260
        390⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 960
        388⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 988
        386⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1336
        384⤵
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 988
        382⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1004
        380⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 964
        378⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 988
        376⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 960
        374⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1324
        372⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 960
        370⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 984
        368⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 960
        366⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1336
        364⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1004
        362⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1304
        360⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 960
        358⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 960
        356⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 960
        354⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 980
        352⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 988
        350⤵
        
        PID:956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 988
        348⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1296
        346⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 988
        344⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1272
        342⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 960
        340⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 964
        338⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1260
        336⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 988
        334⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1292
        332⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 960
        330⤵
        
        PID:984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1324
        328⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 960
        326⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 960
        324⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1004
        322⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 988
        320⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 980
        318⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 988
        316⤵
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1324
        314⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 960
        312⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1328
        310⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 988
        308⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 960
        306⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 964
        304⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1324
        302⤵
        
        PID:960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 960
        300⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 960
        298⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1264
        296⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1272
        294⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 988
        292⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 960
        290⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 976
        288⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1292
        286⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1328
        284⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1260
        282⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 960
        280⤵
        
        PID:960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1324
        278⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1324
        276⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1328
        274⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1256
        272⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 988
        270⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 960
        268⤵
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1252
        266⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 960
        264⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 968
        262⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 960
        260⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1004
        258⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 988
        256⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1304
        254⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1004
        252⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1336
        250⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1336
        248⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 960
        246⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 960
        244⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1336
        242⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1336
        240⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960
        238⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 988
        236⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 964
        234⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1256
        232⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 960
        230⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1324
        228⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1328
        226⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1328
        224⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 960
        222⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1328
        220⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1336
        218⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1264
        216⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 976
        214⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 960
        212⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 996
        210⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1296
        208⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 980
        206⤵
        
        PID:984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 960
        204⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1336
        202⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1256
        200⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 964
        198⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 976
        196⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1304
        194⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1324
        192⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 960
        190⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 960
        188⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 960
        186⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 960
        184⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 960
        182⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 960
        180⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1336
        178⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1304
        176⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1308
        174⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1292
        172⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 964
        170⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 988
        168⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 964
        166⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1304
        164⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 976
        162⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1292
        160⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 960
        158⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 988
        156⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1324
        154⤵
        
        PID:508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1336
        152⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1252
        150⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 960
        148⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960
        146⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
        144⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 960
        142⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960
        140⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 976
        138⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1336
        136⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1252
        134⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1324
        132⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1252
        130⤵
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1328
        128⤵
        Program crash
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1328
        126⤵
        Program crash
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1324
        124⤵
        Program crash
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1004
        122⤵
        Program crash
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1296
        120⤵
        Program crash
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 988
        118⤵
        Program crash
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1004
        116⤵
        Program crash
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1004
        114⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1292
        112⤵
        Program crash
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 960
        110⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 960
        108⤵
        Program crash
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1324
        106⤵
        Program crash
        
        PID:2888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 988
        104⤵
        Program crash
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 988
        102⤵
        Program crash
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1324
        100⤵
        Program crash
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 960
        98⤵
        Program crash
        
        PID:2976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1272
        96⤵
        Program crash
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1328
        94⤵
        Program crash
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1008
        92⤵
        Program crash
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960
        90⤵
        Program crash
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1336
        88⤵
        Program crash
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 960
        86⤵
        Program crash
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 960
        84⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1264
        82⤵
        Program crash
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 988
        80⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1324
        78⤵
        Program crash
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 960
        76⤵
        Program crash
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 960
        74⤵
        Program crash
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 964
        72⤵
        Program crash
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 964
        70⤵
        Program crash
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 960
        68⤵
        Program crash
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1248
        66⤵
        Program crash
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 960
        64⤵
        Program crash
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 964
        62⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 976
        60⤵
        Program crash
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 964
        58⤵
        Program crash
        
        PID:444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 960
        56⤵
        Program crash
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 960
        54⤵
        Program crash
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 960
        52⤵
        Program crash
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
        50⤵
        Program crash
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1336
        48⤵
        Program crash
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1248
        46⤵
        Program crash
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 964
        44⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 960
        42⤵
        Program crash
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 988
        40⤵
        Program crash
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1328
        38⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1324
        36⤵
        Program crash
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 960
        34⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 960
        32⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1004
        30⤵
        Program crash
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 988
        28⤵
        Program crash
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 988
        26⤵
        Program crash
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1292
        24⤵
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1312
        22⤵
        Program crash
        
        PID:524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1292
        20⤵
        Program crash
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1324
        18⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 960
        16⤵
        Program crash
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1004
        14⤵
        Program crash
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1008
        12⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 960
        10⤵
        Program crash
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1316
        8⤵
        Program crash
        
        PID:4720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1200
        6⤵
        Program crash
        
        PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1328
      4⤵
      Program crash
      PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 980
  2⤵
  - Program crash
  PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3640 -ip 3640
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1544 -ip 1544
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2608 -ip 2608
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4600 -ip 4600
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3812 -ip 3812
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1368 -ip 1368
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 408 -ip 408
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4264 -ip 4264
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 560 -ip 560
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4200 -ip 4200
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2960 -ip 2960
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2168 -ip 2168
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4732 -ip 4732
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1816 -ip 1816
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1872 -ip 1872
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2492 -ip 2492
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3384 -ip 3384
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 988 -ip 988
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2244 -ip 2244
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2908 -ip 2908
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4584 -ip 4584
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4908 -ip 4908
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 464 -ip 464
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 880 -ip 880
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4944 -ip 4944
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3708 -ip 3708
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1452 -ip 1452
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5060 -ip 5060
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3664 -ip 3664
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4672 -ip 4672
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4440 -ip 4440
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3996 -ip 3996
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3012 -ip 3012
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5020 -ip 5020
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2292 -ip 2292
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 872 -ip 872
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3784 -ip 3784
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 560 -ip 560
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1588 -ip 1588
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 400 -ip 400
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4440 -ip 4440
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1816 -ip 1816
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4244 -ip 4244
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1664 -ip 1664
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4304 -ip 4304
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 988 -ip 988
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2688 -ip 2688
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3508 -ip 3508
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1784 -ip 1784
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3464 -ip 3464
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4016 -ip 4016
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1364 -ip 1364
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4264 -ip 4264
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4900 -ip 4900
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4136 -ip 4136
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 544 -ip 544
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1924 -ip 1924
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3972 -ip 3972
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4076 -ip 4076
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3024 -ip 3024
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2032 -ip 2032
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4416 -ip 4416
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2980 -ip 2980
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4760 -ip 4760
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4972 -ip 4972
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3396 -ip 3396
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5040 -ip 5040
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5052 -ip 5052
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3692 -ip 3692
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3376 -ip 3376
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4336 -ip 4336
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5068 -ip 5068
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3424 -ip 3424
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4608 -ip 4608
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2256 -ip 2256
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3156 -ip 3156
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2480 -ip 2480
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2692 -ip 2692
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1648 -ip 1648
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4572 -ip 4572
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1512 -ip 1512
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 856 -ip 856
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3272 -ip 3272
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2272 -ip 2272
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4624 -ip 4624
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4780 -ip 4780
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2100 -ip 2100
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1364 -ip 1364
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3712 -ip 3712
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3624 -ip 3624
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 444 -ip 444
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4584 -ip 4584
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 464 -ip 464
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1176 -ip 1176
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1228 -ip 1228
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4624 -ip 4624
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3268 -ip 3268
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4796 -ip 4796
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5048 -ip 5048
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4016 -ip 4016
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2348 -ip 2348
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4260 -ip 4260
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1980 -ip 1980
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4368 -ip 4368
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 868 -ip 868
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3412 -ip 3412
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1040 -ip 1040
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2352 -ip 2352
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4536 -ip 4536
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4712 -ip 4712
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4304 -ip 4304
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 560 -ip 560
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1660 -ip 1660
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1612 -ip 1612
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5040 -ip 5040
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3244 -ip 3244
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4408 -ip 4408
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4480 -ip 4480
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4252 -ip 4252
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5048 -ip 5048
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4956 -ip 4956
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1168 -ip 1168
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2964 -ip 2964
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1964 -ip 1964
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4780 -ip 4780
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 320 -ip 320
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3268 -ip 3268
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1920 -ip 1920
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1488 -ip 1488
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 436 -ip 436
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4708 -ip 4708
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1136 -ip 1136
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3156 -ip 3156
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1164 -ip 1164
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 396 -ip 396
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3160 -ip 3160
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4616 -ip 4616
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1912 -ip 1912
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 408 -ip 408
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3852 -ip 3852
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4136 -ip 4136
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3740 -ip 3740
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2196 -ip 2196
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4800 -ip 4800
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4908 -ip 4908
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1556 -ip 1556
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2612 -ip 2612
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4928 -ip 4928
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3244 -ip 3244
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3176 -ip 3176
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3364 -ip 3364
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5112 -ip 5112
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4848 -ip 4848
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5088 -ip 5088
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4748 -ip 4748
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4020 -ip 4020
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 808 -ip 808
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3620 -ip 3620
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3808 -ip 3808
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4756 -ip 4756
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4604 -ip 4604
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3712 -ip 3712
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2448 -ip 2448
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4216 -ip 4216
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4760 -ip 4760
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1660 -ip 1660
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4892 -ip 4892
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4968 -ip 4968
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1556 -ip 1556
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3464 -ip 3464
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2508 -ip 2508
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2560 -ip 2560
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 212 -ip 212
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3424 -ip 3424
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3100 -ip 3100
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 508 -ip 508
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4476 -ip 4476
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2712 -ip 2712
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3708 -ip 3708
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4916 -ip 4916
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4468 -ip 4468
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3268 -ip 3268
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1912 -ip 1912
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5084 -ip 5084
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4372 -ip 4372
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1484 -ip 1484
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4284 -ip 4284
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1680 -ip 1680
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4240 -ip 4240
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4368 -ip 4368
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3240 -ip 3240
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1244 -ip 1244
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 116 -ip 116
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3792 -ip 3792
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4480 -ip 4480
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4428 -ip 4428
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4260 -ip 4260
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4276 -ip 4276
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 316 -ip 316
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EZDPTK.exe

Filesize
208KB

MD5
8e056ed98cd352a2a0c16051a2d12059

SHA1
9e9bada4b54db59d57f80cb1feab40ce1010f279

SHA256
20dbf35d53ca4f542e123d10d8b9a32d23a9745909b476afca0494fb7b0f024f

SHA512
89dd3e7e870180c0da0230fd644e7af62ddf8cf9d6760d2cc469d5ee8f4892bd13359a35837e9cec4dbad2869a6fc9ef635dc8d16be6964f9ba28490cf175c5f

Download Submit
C:\Windows\GECGRD.exe

Filesize
208KB

MD5
f6166e3743e08106b66ae0cc0379b362

SHA1
4901b8d90aa6af904c86e2fd2882f70775305cea

SHA256
8e57d7a818b4092a651431282d7556f046f65337c021a6b8aa58150d4c0e045e

SHA512
ffc50c4cc2d9f3e8398443da5eea0765ff7e666e816750a90806cd739cb253b72487cb725d711cdbff0bb04ea7df3b1bc554cd7dd98263c54beadd9165d715b2

Download Submit
C:\Windows\SysWOW64\FWSFEAS.exe

Filesize
208KB

MD5
d57dbd394e2be5dd4f501f6c3d47337a

SHA1
7d71f71dd0c68cbcfa759b58057ad34c1fdea84b

SHA256
c7e150baa86d20d5ee5b31198f742113e5a6571ac0c42da0cf12ba7fb177c2d2

SHA512
443c03d6b6bf1de303651405c48ca7a1c73623c85518be83c01e75e3b0e4c019faa567e4e045854572a19ac41ba5e6df9c4928b23081ee4d96b31b8d5c938bc2

Download Submit
C:\Windows\SysWOW64\KFJSPC.exe

Filesize
208KB

MD5
6d2a20f944be48bcbab06faa3c0f4ce0

SHA1
85e7cb8abd1fc3ae4d9cdb61290f3c8fd82b1ce3

SHA256
9e0264ba72fbc9958d6f81b521577e9def534f67c85f853e2e0ac8eec948786c

SHA512
8f9abb943df53a754d4ebc5f843430e316e09785c9e7c85815a675b253faa6724100af0382a782e438d792792e768619d5e94102571be455bf2411fec0aa13d2

Download Submit
C:\Windows\SysWOW64\KHDLXQG.exe

Filesize
208KB

MD5
ca289ef4014b0fffd490410da3ec2302

SHA1
d7caf5cff146d851bf3aa5ac531c72d053632fc9

SHA256
89a899f7d3b16eac0cca012b934b7b5ab6c78e044883c3fd0ea2db470dc220bc

SHA512
b3a07d276e7a283ec79a108a38acb31604c060bbc1ce39192f53a682b1aac55a0751b1c88f7d74933c4c0156dd5b8297480f3582cc8480c696e48cc74a9b6750

Download Submit
C:\Windows\SysWOW64\MEV.exe

Filesize
208KB

MD5
bc0faf7c8c476b04bf9e1fc3d7604b67

SHA1
9a6f3a6c395ecb3ecdc32997246120ae21e50bde

SHA256
3ed9067fbf10a50b215744a8c81a6cfab7dc65a329d1e066e09d143667790481

SHA512
cefd127f17998f217e30247e3856b0342ef212939cefff1d9ba47ea4a62fc46222118953390c7e1295e700df013d8c46af4522fbb8c3f09262bb427539c13014

Download Submit
C:\Windows\SysWOW64\OCJXKF.exe

Filesize
208KB

MD5
a8d3c4610ea0a099ac1b1c1c7070ddd4

SHA1
702ea32d06a67cf05096559c11757d431a235921

SHA256
4a37f1a1abd1b40d58db6d378efb05f4b55318e3bda99c687e022a316fe1d565

SHA512
d5b10460f58eb57373d241fa8e4c0bda5122af12843f6a9d5bff486a413b00ecf8c275a9da2aad2b947341545860fb2151c8e62059f53b397f7cc6d2136b6e32

Download Submit
C:\Windows\SysWOW64\REWQ.exe

Filesize
208KB

MD5
16902fa45e809f51bc37c58a701a0851

SHA1
a9cd6312928cc770abfb79a76c9314b7b75b2659

SHA256
518e74d8aa15c7258a2658a587017bad2b3330d712f84d36ccb45632b74df13a

SHA512
1fa3da567d54bab23790a1f63a826c9da1e34d424b0461ff9f19105078f2e53c18e1a47fcb65d57eecb6bcd0ee16e29f129777100c36a3bcec0112052f6356cb

Download Submit
C:\Windows\SysWOW64\SKP.exe

Filesize
208KB

MD5
cb0bb0acf735e660e421836ec8b5c160

SHA1
85f3efe78d3621d775592321a0305355047f448a

SHA256
88b8ebbc0a8d075681c8cccc95c6065443d85298d3f54f2e13f0d78e087b046b

SHA512
133ac751fb5fd81c60ea156dae195c6628d60ee969b30a1c2ec19ce98336bbe439ae8c58069ccc1f6898463dda93696f48c52424fc93502d8d28473de193a004

Download Submit
C:\Windows\System\NAAJJ.exe

Filesize
208KB

MD5
64bfac32cc3daf8482ce77489ca54567

SHA1
cf1a9e26ec1abbc70e4b86c633c41ff08b68df9f

SHA256
807e2cf528786ae84963a5c0b816aa6bae8bc1045590a9501c7e35370e5c40f9

SHA512
16dd46de8d273fec7792fa8cd63d06c54af9b29d5cda56acef610d37b4e853fd152613e07ae8c055f7205238c065ff88a253de597868e8f37670f25e74cc3baa

Download Submit
C:\Windows\System\OVQST.exe

Filesize
208KB

MD5
39cdedd7751e80243505635ecd9d2edc

SHA1
6482b684ec12a791dced03b14209f9cb989f5e7d

SHA256
aaf8235d26dfad14f7b097d6142ce0d9057f79b256bd85c0757661e95373a054

SHA512
d4f2d0a18e40448df48afe8483bd6c7eee2f28af739c553feaea6450ae720a3f567788b821f9d51c4e25769ad91c38972c435dabaeb10c477eb71269538ce191

Download Submit
C:\Windows\System\QOB.exe

Filesize
208KB

MD5
e6c63d63b9f8677add208fe9be0e0a2b

SHA1
29dde56bc730654ed6996f020429666a181ae720

SHA256
03dc11f38a993b738f76de7d89bbe798ac5196e07ab12d404e823cdfa968e616

SHA512
7d245410e423f4f3f2805435b1b3355955907ffca759458a6976ec789c3d849655e8ca7bdf615c12126f934ff3afc2b78939e40412239e704cfb8cc0c78835cf

Download Submit
C:\Windows\System\TMYM.exe

Filesize
208KB

MD5
af6d7bf1682f713fa80ba637b357e6a4

SHA1
287230008d17cc0fdaf90a27394ce3d7191a01ed

SHA256
d78f913ec671070ee3a8ee2a6e85d311b1765274671d6b9b42a13aa437e5eea9

SHA512
1095613add057189b0836e06cb90035b33ceeab3b3e2d2a44778892f71f4037835c52528614e4fc5f4e167cfdb768fcc4f164140846682bf6e3801e680062597

Download Submit
C:\Windows\System\WPJLJ.exe

Filesize
208KB

MD5
797fd26337fdbf1ab37fe3e6541fe329

SHA1
384d81b59124c2bea62d2b0a1a81893cad4f4609

SHA256
cdb22dcdcdea48ff1d366a8404288d90a2093678094694bc5b588d2b7b6e146b

SHA512
924055c489d379515eb49b0535a50ffd2f82e2a4f1b2a9e818e603e5b2d1bbe01ee74b98b1f40d8aca9300762e20cc1cfe5a645ac39da2ea72500cc75c2b2c11

Download Submit
C:\Windows\WHA.exe

Filesize
208KB

MD5
d3c0f77ffef2cdb0f254f69f1d249b29

SHA1
49939cce58eda4e15079c5823f4c023bc55ea947

SHA256
b73d57d1cc9b7e28c90c06bb93f7158e4b818d49ea07b1d6c81ddaa12af753f8

SHA512
07527edd594e7bf45d45aa14c2ac1ffa1a30ef17241b39d7a0e947be169798bd9253a06314d268767ba3113a90268b45b1bb37383778901306ed990fedbd3cb8

Download Submit
C:\windows\EZDPTK.exe.bat

Filesize
58B

MD5
131f11c2348881016d6c6a22e8e6b7e5

SHA1
748a0edc9ec41158f6a92440edbd2f2c364175f9

SHA256
3e2a3f5f9e2d897236465783b7baab6b5fa74ac36b9b5d12687223f4c6e8cdac

SHA512
a7badd6a56e607d241a08b579094122b81c5e143f90a91e0a89a0cbb29428fb90f0b9e369a670249f5bcf3700765ac211198d267aa4c6647fe8fadded8b7404f

Download Submit
C:\windows\FVGWCA.exe.bat

Filesize
58B

MD5
0daae299743ca8dcbb30a92d818f2607

SHA1
4835986dc22b8d99714f1f024e61b707da439536

SHA256
b21b3e094693de664969af4401d4000e8f6c804058d3958901987435cd407c0d

SHA512
fce4946b92a2faeed0f691a993cb4f6d6e2d034676d9cbb8cc257024c92bb377719bf4c12f94bd3ca6a0fb7879f2e895214955a2b1349b8b4d7a9336ed2263fa

Download Submit
C:\windows\GECGRD.exe.bat

Filesize
58B

MD5
1b099c5420863ab37e5fc2f92be797d0

SHA1
c769b04eb01766eeda5b49093a835aac49de806d

SHA256
b4556420963037fbf14503ddeb8369e9b07c3528b8b6e43401ed4a5d61c0f346

SHA512
2da254fadb4f864916b2742bf319117d4ca3c6c312a2082b9ffb57f65a1ba841af3712efcd17a900c21db0e188cfc5bd23abe571be0d84a1c1807a814498227c

Download Submit
C:\windows\IHK.exe

Filesize
208KB

MD5
0b18eb74d95bef686236c1a95035ffaf

SHA1
5f38fd0ffa79e89a62ef17f1dd5c45f8929bacb4

SHA256
b2d9c7f54e49981d91a883189e310f452e4be05e626ce90368f8b2f07cb7c751

SHA512
929a5fb4717dc15ad3faca5785f7027a80ebba47cfaf3db67f881f390dd6fc2eb617352bb2af7219ef10fe3135c6c29d1181c04904fbf8e88dbec05f1be651f8

Download Submit
C:\windows\IHK.exe.bat

Filesize
52B

MD5
6651c3bbde3096cf5e66d257d1bbf169

SHA1
3a3f2ef16a50c31d4a818cd383c6c90ec13f014b

SHA256
9c39e74e5bced07706de1491fdc665a7b13288d887faa1ae9528b6f2e2dde4d1

SHA512
c91d6f4ed9c9249e76648b75177b0753450cc2434398539d842b904707772c3e9ccbd1ad7d26e69424a1bb836b8f753ac41cb8541c0277641112566cde0590b7

Download Submit
C:\windows\PUYCNQ.exe.bat

Filesize
58B

MD5
7076bb4b493ad902eed9aa286eb9ad42

SHA1
4df52253c96e6e7da29a51435cad31883b4cb618

SHA256
3192541aefccd3ea7bc38f7b0fe704ba574519291b13bfecce0379c342f70ab0

SHA512
ab4a8a972d0a32dffe32ae1dfce25aae42f8fc34ed0a4f44e8b50b5752a54510e62de4e170feeb54769ec22cb8a780e40867088d8aef33a95955dc26af274ebe

Download Submit
C:\windows\SysWOW64\FWSFEAS.exe.bat

Filesize
78B

MD5
b0762ab436b70ecd7083f273c4907971

SHA1
ced44fd50312b2a23d55c9f0e97a0ff132f0a456

SHA256
fdfdea7449b5e0a96183d2944baed57dbab3404ad755e444965e15fd6589a162

SHA512
0f548c3697e4a063820ce57789fd026f82d87735292f7f58e6b280f0b79803e5536ba4dec42431b7441ff25615e2d53a3a822bfc7b1ae3292f7a1ba505881799

Download Submit
C:\windows\SysWOW64\KFJSPC.exe.bat

Filesize
76B

MD5
d49cef2d303ba8e8b06aceb21737734c

SHA1
8c07a53e1c13586341e000ab2e452b4c04393f96

SHA256
7e7816f1e8df1aba5bbde7d0f4394feee991e3b91ab01c023032977e0526e6b2

SHA512
a89ea9711265f01f124a8844a4efe97ef3da2a37fbf20f2da33431982e8ba3190fcf72b7a43c145d45bd9ffa3954d4e1a81c925f11d40ad41ee344771c4b3bd8

Download Submit
C:\windows\SysWOW64\KHDLXQG.exe.bat

Filesize
78B

MD5
bc49f9db86ebe6911e852ee7ac658cc5

SHA1
948b192aa13d0ff6cddf7b3ffd5bd6e01568e520

SHA256
a514c73ad60b0a19f877a60c90fd16eca87cf5e81bbc9ae339428c5a586c9bd1

SHA512
210d99ef9cda64a7454e36da62ddedb11ab23c3f32b02d29f48b24839505da62ab6ff057b179a4f3dfcff2f3e44d4e89eec4692e29ade36890c6bc81d7ce4b9e

Download Submit
C:\windows\SysWOW64\MEV.exe.bat

Filesize
70B

MD5
64a9c8c5ea2b739976664d9c910d1e0c

SHA1
cca476635f7bf7a023a05644492a8d7e0bc5dff5

SHA256
56bd9b0ca64c271fa43668ea2290c80ee272fe594ecb548228cec65b96d23b65

SHA512
56cc72965fe04449a98e7e07c58eafa92eb6ddf200f004ee1a2f9fbd6c8dec9cccbf481d96abf2fc371d5eebb0b189e0fe8fa9026a8e83d43aebfcd66a0097d9

Download Submit
C:\windows\SysWOW64\OCJXKF.exe.bat

Filesize
76B

MD5
70ff39a5f84b3a320536aea0f1557e90

SHA1
9b10cbf7d71193f696d31589d8279b8b317842fe

SHA256
6affd18db45416623da1de221166950a5e8c403174327fd8d405b11c519b9bb3

SHA512
20b99315383f8414263764e97f8d4519134983b6b13bd1cfcb8cae8070fde65d33633532b7ac3dcb82cfd829cb7d1f015a2e3a1ed9dbbaedba6d4c7f97ce564e

Download Submit
C:\windows\SysWOW64\PSEJ.exe.bat

Filesize
72B

MD5
e842ab2fdb6a244e3dd89ba140311530

SHA1
7c088a3e6725db40f43449b879be91d53e21f759

SHA256
bfa00d8bcd03a61a04c7e48ca13fa55d15e3eb5a64376f0f3610dc0ee2ca5bbd

SHA512
90107df43c859dd03084e0ea5e5e3acb57e65c1a0c2caaad3a6c3a14e8c9dff5858391fe51c0ef6cf432305731f468a22d0420ed1f96b39aa7d28e2f4694acc9

Download Submit
C:\windows\SysWOW64\REWQ.exe

Filesize
208KB

MD5
bbf3fe0bae50ef5ecf3e34e1fe9b8efd

SHA1
b4982a453bc5798d1d81ba762fa6fa9fce6e1b1c

SHA256
9a0bfac2085c471dfdb1f21f16f8b758ca77f11ea93fbd36039800d94af2e12f

SHA512
3eb33572abcc12b2695965bc5d85b686ef846fc7dd96e1c5e30b12340e2a520294a52340e67f8863b09710c1aa1d6a296c1e89ccf83d6297b893cb02dcab0ce3

Download Submit
C:\windows\SysWOW64\REWQ.exe.bat

Filesize
72B

MD5
a9f9a48cbb29e861656670237921ae85

SHA1
131780e825934c18f21daebd655c56cd66decc91

SHA256
a48556beb3c6a58cb11b9afd5a2c6c8bc71c81bfb7f08152a5eb46198f6b46c3

SHA512
24a27c947e9c0d2e1293b86dde953073bc76eb4d917c052abd08674ac50b7a89cc1ab6a6bedb6942bca33b0a2d062fae2093de5274d89b5af2c56e7b94db0ea2

Download Submit
C:\windows\SysWOW64\SKP.exe.bat

Filesize
70B

MD5
5862b03860b1308d911792997d46f5d1

SHA1
428fe26748511d4a0fa94fa229c97de763573678

SHA256
e4b23ec010f3d3f4ecb2dbe326bd891e14fa5520eb2770248ab941ef8814e081

SHA512
f0d03ac0baeb8f045d344dbd139bc7290ae8cd294ac4ccfa198c7caaffa905ade7907b96059c5d8be44c28b1554e3ab3b45ce83b75f88a6ef33a189417401da5

Download Submit
C:\windows\URBKP.exe.bat

Filesize
56B

MD5
eb810d91670acfd65ae2b66e297c1faf

SHA1
c7f843c363dfd74aec3cc36c381eceea4ebc3620

SHA256
e452de7bbdbd44251ee8e0ffbfc31ef621c132ba053eaf187df4f054864320e7

SHA512
69d6f8f92e87d95f2c7dc64485c5886aea945b166fba5d79e6be72910bc59ee69dbe203b5a522054220cac5fcb8fb63d92ded04ac0ba9dd2ce3f7f08d8d832d9

Download Submit
C:\windows\WHA.exe.bat

Filesize
52B

MD5
8a864ea433f7fea1374ef74823614d50

SHA1
6bb29c98db3342cbb31d6bc4a13485f8b3cc552b

SHA256
3d16e5cc6da3a516991060c497b74cc6b16c9be7129e5de7533918bc681fba80

SHA512
87970a8041c9b818528e5c2b648bcf3d437e5272fc1fd6c9335024584722a7d8d6767fff0e8a9409be7148ce31a65522cbace5eef77f903f09efc0c9bf440e3e

Download Submit
C:\windows\YGLPVJ.exe.bat

Filesize
58B

MD5
230ec5fc1ea7491c5bed2142167ff45f

SHA1
8bb932bc8ba5510dd76d2feaf5ad234a9cf8ba3c

SHA256
c76c697a90872b8f50b0ffbbba5813d2d22d86849a58c72139e59c142052011e

SHA512
26c17ee431be4af500fe87abab28933119dc715851614958ba92331cc1b182bbbc150cb8d43f636d1dde73e2c42a89aeec6710e43474f84a5e10bfb47204801c

Download Submit
C:\windows\system\ARH.exe

Filesize
208KB

MD5
9e677ccb4a7be987426e04dedae4fcf1

SHA1
d388ff8caf6af4fbcc10436af73b5ef3d46e74d6

SHA256
721509caa2284b3781b27ed74bc48d34f949be443fb0650d8fd6e9c3d977fb06

SHA512
25387790dd3c42790d01ce3616b0aff3943ddf3311f1d6165fa3090e6ef59e44cf04fa8ceadc6ae8bd24663ad84bf2139a9ece58694c0bbf7b057320f4b972a4

Download Submit
C:\windows\system\ARH.exe.bat

Filesize
66B

MD5
ad524aaf56d29732df570937fbacaa0b

SHA1
fc8e8ca97f6994aa2937003987a283bff2c9f964

SHA256
0f38f7410ac8465dd169ba70ddfad6f83f09c7c9fd86e0f9723bb4e3e84bca6e

SHA512
a1b8da22b3fac7b8572391a78b209f41c3556fbb9fdc9658361e5ceb5a8d60e18f2b5d534be22dc0f6df14cdc6ec21250fb42ba749ffdf1a583cc853f13168cc

Download Submit
C:\windows\system\NAAJJ.exe.bat

Filesize
70B

MD5
ab3c49eb25790ea3a088343e0e7d022d

SHA1
98da8bd3c8fb6b212c74fcd73d1baa08c046f086

SHA256
3179278ad9d5e44e6c19e31c92662bdea70f030c8d22c1212cf1d7ef88757e66

SHA512
ea2c342249c8ba67e4d41143e32bcdae1d04a304d1a2fd62ee8b9136332559c2e1db35af82c3d47315853803fb9486e977c920a26de3ff4f2ef63e06b7850cd3

Download Submit
C:\windows\system\OVQST.exe.bat

Filesize
70B

MD5
912a5355c0e7d738fa8eb98bd7989981

SHA1
544b29bde8e059c22cc1ea89290e3a688b1817e0

SHA256
b4f0c5fd878547e7ac58235cb1197d2baa8d0ad2c70cbe1be6a4ab00efdd5d8d

SHA512
bafbc20335b8070243a6d9c1faf72652d015f8ce4b9151991a3c4d45f2df254d65f5154c3f51a8f095714114dc25919accf377e9ba8f05bd642d6e27180340c4

Download Submit
C:\windows\system\QOB.exe.bat

Filesize
66B

MD5
bb2347317d1d3ea2e53accb178b37f4d

SHA1
ee5854674692caa380015c47df37339d9c8ff35a

SHA256
287cfcfe684f18d11f60a89154dc9ce78705b7c1884c775843c3da8e0841fd6e

SHA512
35127fe2fea583359a908d32cd931a792f2b01b74625c46db753a4f1cd73ca653666673b1edb2b40916d5851355453ff287c14269d38c4d6f92ae45beb031852

Download Submit
C:\windows\system\TMYM.exe.bat

Filesize
68B

MD5
7e3da8f9b4501319049ef837d4fb4ce6

SHA1
0d3ad0b69ee001b93053f8d4aa7a4a82c9619984

SHA256
c8e2ce5e78d34ed0397960a85ba6ea806b69f20cb73a3306841b649bd949401c

SHA512
6033e6ee4389334efdfe98f99e7a64e9aac11d52d5050b650d595b822a8c26e9de71bf3803b1026711b4bdb26060c2450eb0898a9325e9980de52b0df926b21b

Download Submit
C:\windows\system\WPJLJ.exe.bat

Filesize
70B

MD5
8f67d44ede91e05fc10a2bcbbf14e3a1

SHA1
4579512b2996ebaf81a100cd5cfa7d77a63c56ad

SHA256
f249aec46a50dc70a9778488593c56949a2a4afb829d692ba1d892b90b25aa85

SHA512
2b0182d3dee6bf7716900ff713093cde26b2eebd3d0d1b00b1317ebf495d090fffdd6de069512fe1e9b4022198b1e171472319d7bee94785ad9be2e5a8eee117

Download Submit
memory/400-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/400-433-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/408-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/408-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/464-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/464-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/560-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/560-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/560-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/560-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/872-397-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/872-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/880-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/880-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/988-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/988-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/988-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/988-487-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1368-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1368-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1452-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1452-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1508-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1508-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1588-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1588-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1664-469-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1664-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-451-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2168-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2244-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2292-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2292-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2492-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2492-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2608-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2608-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2688-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2960-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2960-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3012-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3012-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3384-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3664-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3664-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3708-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3784-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3784-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3812-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3812-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3996-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3996-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4200-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4200-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4264-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4264-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4304-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4304-478-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4440-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4440-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4440-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4440-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4584-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4584-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4600-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4600-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4908-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4908-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4944-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4944-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download