81b02e400c3f13cf7a0d225fb7606239cef329fbf78adb9050b25ce36f6356f1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0506f2c306f1eb3760e3931573bda550N.exe
Size

208KB
MD5

0506f2c306f1eb3760e3931573bda550
SHA1

f16af8370c4ee038d839b5dbe7baaa61edc3d8bb
SHA256

81b02e400c3f13cf7a0d225fb7606239cef329fbf78adb9050b25ce36f6356f1
SHA512

dcc95e89c9df99376a3a5186642fb7072a0173c8995151ab31a30a4f7c5cd374effd969b73ce09be209f17eeaa0370b468d128eaac8b40e9e905bda7d9588ba3
SSDEEP

6144:7AS6gyCdizgZu8u/yVfkbf+efjnnuI66RNQEj:7A9CdizgZu8u/b7+efjnnu16RNQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	MBQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	KMJMHQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	CLLMNF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	OTAVJIA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	YHEVQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ZNSCHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	QSCIZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	CZDGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	IIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	OVDZYPM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	PLGMSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EBNJCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	NRBMP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	XRAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	AEJFSIV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	URYNELN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	UJTRN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SSA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DYKEMY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SLJH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	XIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WBSHKB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DCBN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SEI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	TMAAZNV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ZHSQS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	HQOYPDR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DCTVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	LOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ZXIZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WGNN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	LZB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RVTWXUL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	FHNL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	CKEFAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	PFTLVG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	XVEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	TFQHJT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	BNAIW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	CFXT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	JHKBYU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	NYCXMVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	UHMWND.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ARW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ERFDD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SWVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	AUUEA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	PXALNZF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	UVVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RZO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	MEK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	UYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SXQOQFC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DDBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WUYGEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	ARUZXDJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	LVGI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	SHYERL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	HHMUCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	LOQNQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	OSCFPCH.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	PQREJS.exe
3404	BTB.exe
4632	BMK.exe
2564	ZWNJGPF.exe
1464	IPLXONV.exe
3780	QAURCRJ.exe
4884	NAVTGW.exe
5012	ALMSUY.exe
636	QBNRBUD.exe
3528	UJTRN.exe
2100	OXYBYMN.exe
3848	YUEVFM.exe
1352	ZXIZK.exe
3800	DFOZXVM.exe
3780	MOQE.exe
3628	LZB.exe
3424	HELJZJ.exe
1076	DCTVB.exe
1092	SFD.exe
604	QSCIZ.exe
3784	WSK.exe
3816	FBEB.exe
336	SEI.exe
1660	IHRMJO.exe
1436	EEX.exe
4172	JPTHVPQ.exe
3352	RVTWXUL.exe
3948	MIYF.exe
1108	SIFTQW.exe
3000	MEK.exe
336	AGTBPH.exe
4596	UCX.exe
3004	TMAAZNV.exe
4712	UHMWND.exe
3248	RIM.exe
4876	QAXAF.exe
4448	NYCXMVW.exe
336	NBGS.exe
3936	ERFDD.exe
2944	PJIWL.exe
4660	PXALNZF.exe
4452	KKFU.exe
492	DDUFGRC.exe
3116	NBAROAL.exe
2212	EQHCAT.exe
3228	WUYGEY.exe
448	FHJYUUP.exe
1552	CEOV.exe
3660	NXJNB.exe
1476	KDPDQ.exe
4144	XIP.exe
2792	BQEWE.exe
3708	OTAVJIA.exe
1768	LZGSQS.exe
3352	UHIXU.exe
4232	JCRJNKF.exe
2628	ZSSB.exe
3076	TFXKWY.exe
2496	IAG.exe
4592	PWGXLV.exe
3624	JJK.exe
2928	SWVZ.exe
3000	KFXEPPM.exe
4896	XHFCD.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\VRO.exe.bat	VDOZXUZ.exe
File created	C:\windows\SysWOW64\WBSHKB.exe.bat	MBQ.exe
File created	C:\windows\SysWOW64\ERFDD.exe	NBGS.exe
File opened for modification	C:\windows\SysWOW64\CZDGZ.exe	RHANRN.exe
File created	C:\windows\SysWOW64\WJJB.exe	HTI.exe
File created	C:\windows\SysWOW64\VDOZXUZ.exe.bat	IASBSC.exe
File opened for modification	C:\windows\SysWOW64\IPLXONV.exe	ZWNJGPF.exe
File opened for modification	C:\windows\SysWOW64\ERFDD.exe	NBGS.exe
File created	C:\windows\SysWOW64\NGF.exe.bat	AEJFSIV.exe
File created	C:\windows\SysWOW64\AAH.exe.bat	JKA.exe
File created	C:\windows\SysWOW64\KUSIJ.exe.bat	RZO.exe
File created	C:\windows\SysWOW64\BMAFVZF.exe	MWZG.exe
File created	C:\windows\SysWOW64\BMAFVZF.exe.bat	MWZG.exe
File created	C:\windows\SysWOW64\WGNN.exe	AAH.exe
File created	C:\windows\SysWOW64\XJEAYG.exe.bat	OJCV.exe
File created	C:\windows\SysWOW64\ALMSUY.exe.bat	NAVTGW.exe
File opened for modification	C:\windows\SysWOW64\UJTRN.exe	QBNRBUD.exe
File created	C:\windows\SysWOW64\WJJB.exe.bat	HTI.exe
File opened for modification	C:\windows\SysWOW64\RCIR.exe	YHEVQ.exe
File created	C:\windows\SysWOW64\BTB.exe	PQREJS.exe
File created	C:\windows\SysWOW64\TPNIG.exe	RCIR.exe
File created	C:\windows\SysWOW64\NVW.exe.bat	KIRNZJ.exe
File created	C:\windows\SysWOW64\COPQB.exe.bat	CLLMNF.exe
File created	C:\windows\SysWOW64\VRO.exe	VDOZXUZ.exe
File opened for modification	C:\windows\SysWOW64\SHYERL.exe	WBSHKB.exe
File opened for modification	C:\windows\SysWOW64\VFFJZN.exe	DCBN.exe
File created	C:\windows\SysWOW64\TMAAZNV.exe	UCX.exe
File created	C:\windows\SysWOW64\FHJYUUP.exe	WUYGEY.exe
File opened for modification	C:\windows\SysWOW64\FHJYUUP.exe	WUYGEY.exe
File created	C:\windows\SysWOW64\VDOZXUZ.exe	IASBSC.exe
File opened for modification	C:\windows\SysWOW64\PQREJS.exe	0506f2c306f1eb3760e3931573bda550N.exe
File opened for modification	C:\windows\SysWOW64\RZO.exe	GGLMWEY.exe
File created	C:\windows\SysWOW64\KHAJ.exe	SHYERL.exe
File created	C:\windows\SysWOW64\COXA.exe.bat	ARW.exe
File created	C:\windows\SysWOW64\KHAJ.exe.bat	SHYERL.exe
File created	C:\windows\SysWOW64\NBAROAL.exe	DDUFGRC.exe
File created	C:\windows\SysWOW64\IAMSKB.exe.bat	AUUEA.exe
File created	C:\windows\SysWOW64\KLMKL.exe.bat	GDGKY.exe
File created	C:\windows\SysWOW64\COXA.exe	ARW.exe
File opened for modification	C:\windows\SysWOW64\EBNJCP.exe	SIKQ.exe
File opened for modification	C:\windows\SysWOW64\WGNN.exe	AAH.exe
File created	C:\windows\SysWOW64\CWLXPA.exe.bat	AGKVJL.exe
File opened for modification	C:\windows\SysWOW64\BTB.exe	PQREJS.exe
File created	C:\windows\SysWOW64\PWGXLV.exe.bat	IAG.exe
File created	C:\windows\SysWOW64\SXQOQFC.exe.bat	RUM.exe
File created	C:\windows\SysWOW64\RZO.exe.bat	GGLMWEY.exe
File opened for modification	C:\windows\SysWOW64\EEX.exe	IHRMJO.exe
File created	C:\windows\SysWOW64\EEX.exe.bat	IHRMJO.exe
File created	C:\windows\SysWOW64\TMAAZNV.exe.bat	UCX.exe
File created	C:\windows\SysWOW64\PWGXLV.exe	IAG.exe
File opened for modification	C:\windows\SysWOW64\LOG.exe	UYZ.exe
File created	C:\windows\SysWOW64\VHWLFB.exe	HWG.exe
File created	C:\windows\SysWOW64\NVW.exe	KIRNZJ.exe
File opened for modification	C:\windows\SysWOW64\LZB.exe	MOQE.exe
File created	C:\windows\SysWOW64\FBEB.exe.bat	WSK.exe
File created	C:\windows\SysWOW64\ZSSB.exe	JCRJNKF.exe
File opened for modification	C:\windows\SysWOW64\SXQOQFC.exe	RUM.exe
File opened for modification	C:\windows\SysWOW64\IAMSKB.exe	AUUEA.exe
File created	C:\windows\SysWOW64\QIIKZG.exe	ASHLSSU.exe
File opened for modification	C:\windows\SysWOW64\WBSHKB.exe	MBQ.exe
File created	C:\windows\SysWOW64\IPLXONV.exe	ZWNJGPF.exe
File created	C:\windows\SysWOW64\UJTRN.exe.bat	QBNRBUD.exe
File created	C:\windows\SysWOW64\LZB.exe	MOQE.exe
File created	C:\windows\SysWOW64\IAG.exe	TFXKWY.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\XRAA.exe	JHKBYU.exe
File created	C:\windows\IIW.exe	PFTLVG.exe
File created	C:\windows\ZWNJGPF.exe.bat	BMK.exe
File opened for modification	C:\windows\SSA.exe	SNACP.exe
File created	C:\windows\JMUG.exe	YUR.exe
File opened for modification	C:\windows\CNDH.exe	DYKEMY.exe
File opened for modification	C:\windows\PXALNZF.exe	PJIWL.exe
File created	C:\windows\RHJJG.exe.bat	BMAFVZF.exe
File opened for modification	C:\windows\system\SWVZ.exe	JJK.exe
File created	C:\windows\system\IASBSC.exe.bat	TVMEDT.exe
File opened for modification	C:\windows\MWZG.exe	VRO.exe
File created	C:\windows\YUR.exe.bat	QBJUWK.exe
File opened for modification	C:\windows\PTBQQRQ.exe	NVW.exe
File created	C:\windows\system\NRBMP.exe	JJU.exe
File created	C:\windows\system\WSK.exe.bat	QSCIZ.exe
File opened for modification	C:\windows\system\TFXKWY.exe	ZSSB.exe
File created	C:\windows\system\QBJUWK.exe.bat	CWLXPA.exe
File created	C:\windows\system\DFOZXVM.exe.bat	ZXIZK.exe
File created	C:\windows\UKFQVAW.exe.bat	FHNL.exe
File opened for modification	C:\windows\system\DDEDID.exe	XHFCD.exe
File created	C:\windows\AEJFSIV.exe	PLGMSA.exe
File created	C:\windows\system\JJU.exe	COXA.exe
File opened for modification	C:\windows\IJUIDHZ.exe	CNDH.exe
File created	C:\windows\system\TFXKWY.exe.bat	ZSSB.exe
File opened for modification	C:\windows\DDBC.exe	ZVUUYI.exe
File opened for modification	C:\windows\RVTWXUL.exe	JPTHVPQ.exe
File created	C:\windows\HWG.exe.bat	HQOYPDR.exe
File created	C:\windows\system\WSK.exe	QSCIZ.exe
File created	C:\windows\system\OVDZYPM.exe.bat	CNWZT.exe
File opened for modification	C:\windows\HHMUCE.exe	OEIYXOG.exe
File created	C:\windows\system\BTIVLGC.exe.bat	TFQHJT.exe
File created	C:\windows\FZDB.exe	NVMY.exe
File opened for modification	C:\windows\system\NAVTGW.exe	QAURCRJ.exe
File created	C:\windows\system\NAVTGW.exe.bat	QAURCRJ.exe
File created	C:\windows\KKFU.exe.bat	PXALNZF.exe
File created	C:\windows\system\BQEWE.exe.bat	XIP.exe
File opened for modification	C:\windows\system\BMK.exe	BTB.exe
File opened for modification	C:\windows\DCBN.exe	XBUZDV.exe
File opened for modification	C:\windows\system\WUYGEY.exe	EQHCAT.exe
File created	C:\windows\system\SIKQ.exe	SFHMPSC.exe
File created	C:\windows\system\YSLQ.exe	UKFQVAW.exe
File opened for modification	C:\windows\system\BTIVLGC.exe	TFQHJT.exe
File opened for modification	C:\windows\ZNSCHC.exe	QIIKZG.exe
File created	C:\windows\system\FBV.exe	LOQNQB.exe
File opened for modification	C:\windows\system\UVVB.exe	SXQOQFC.exe
File created	C:\windows\system\RHANRN.exe	HGYINQJ.exe
File created	C:\windows\system\TVMEDT.exe	EADZ.exe
File opened for modification	C:\windows\ZWHZHFC.exe	EJCQX.exe
File created	C:\windows\DCBN.exe.bat	XBUZDV.exe
File opened for modification	C:\windows\system\DCTVB.exe	HELJZJ.exe
File created	C:\windows\system\QAXAF.exe	RIM.exe
File created	C:\windows\XBUZDV.exe	COPQB.exe
File created	C:\windows\system\OEIYXOG.exe.bat	CWBQK.exe
File created	C:\windows\system\YUEVFM.exe	OXYBYMN.exe
File created	C:\windows\EQHCAT.exe	NBAROAL.exe
File created	C:\windows\system\SWVZ.exe	JJK.exe
File created	C:\windows\ZNSCHC.exe.bat	QIIKZG.exe
File created	C:\windows\system\ZVUUYI.exe.bat	XXT.exe
File created	C:\windows\UHMWND.exe	TMAAZNV.exe
File created	C:\windows\UYZ.exe.bat	UVVB.exe
File opened for modification	C:\windows\system\CLLMNF.exe	SLJH.exe
File opened for modification	C:\windows\system\DFOZXVM.exe	ZXIZK.exe
File created	C:\windows\SSA.exe	SNACP.exe
File created	C:\windows\system\YNE.exe.bat	EAZQVD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5096	2824	WerFault.exe	85
4560	2628	WerFault.exe	94
3316	3404	WerFault.exe	100
1980	4632	WerFault.exe	105
4064	2564	WerFault.exe	110
4812	1464	WerFault.exe	115
4504	3780	WerFault.exe	120
3812	4884	WerFault.exe	125
1096	5012	WerFault.exe	130
1912	636	WerFault.exe	135
5008	3528	WerFault.exe	140
1980	2100	WerFault.exe	145
4020	3848	WerFault.exe	150
4752	1352	WerFault.exe	155
5036	3800	WerFault.exe	159
1320	3780	WerFault.exe	165
1964	3628	WerFault.exe	170
4852	3424	WerFault.exe	175
4696	1076	WerFault.exe	180
1696	1092	WerFault.exe	185
2308	604	WerFault.exe	190
1680	3784	WerFault.exe	195
2732	3816	WerFault.exe	200
4868	336	WerFault.exe	207
4736	1660	WerFault.exe	213
1224	1436	WerFault.exe	219
2728	4172	WerFault.exe	224
2308	3352	WerFault.exe	229
1680	3948	WerFault.exe	234
2600	1108	WerFault.exe	240
3412	3000	WerFault.exe	245
3864	336	WerFault.exe	250
4144	4596	WerFault.exe	255
4020	3004	WerFault.exe	261
2624	4712	WerFault.exe	266
4984	3248	WerFault.exe	271
4232	4876	WerFault.exe	276
1912	4448	WerFault.exe	282
4424	336	WerFault.exe	288
4120	3936	WerFault.exe	293
2400	2944	WerFault.exe	298
3248	4660	WerFault.exe	303
4876	4452	WerFault.exe	308
2092	492	WerFault.exe	313
4596	3116	WerFault.exe	318
820	2212	WerFault.exe	323
2344	3228	WerFault.exe	328
4488	448	WerFault.exe	333
3776	1552	WerFault.exe	338
1884	3660	WerFault.exe	343
1720	1476	WerFault.exe	348
4576	4144	WerFault.exe	354
3936	2792	WerFault.exe	359
2524	3708	WerFault.exe	364
1484	1768	WerFault.exe	369
4552	3352	WerFault.exe	374
2044	4232	WerFault.exe	379
2192	2628	WerFault.exe	384
2536	3076	WerFault.exe	389
4880	2496	WerFault.exe	394
4920	4592	WerFault.exe	399
2604	3624	WerFault.exe	404
1108	2928	WerFault.exe	409
4364	3000	WerFault.exe	414

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	0506f2c306f1eb3760e3931573bda550N.exe
2824	0506f2c306f1eb3760e3931573bda550N.exe
2628	PQREJS.exe
2628	PQREJS.exe
3404	BTB.exe
3404	BTB.exe
4632	BMK.exe
4632	BMK.exe
2564	ZWNJGPF.exe
2564	ZWNJGPF.exe
1464	IPLXONV.exe
1464	IPLXONV.exe
3780	QAURCRJ.exe
3780	QAURCRJ.exe
4884	NAVTGW.exe
4884	NAVTGW.exe
5012	ALMSUY.exe
5012	ALMSUY.exe
636	QBNRBUD.exe
636	QBNRBUD.exe
3528	UJTRN.exe
3528	UJTRN.exe
2100	OXYBYMN.exe
2100	OXYBYMN.exe
3848	YUEVFM.exe
3848	YUEVFM.exe
1352	ZXIZK.exe
1352	ZXIZK.exe
3800	DFOZXVM.exe
3800	DFOZXVM.exe
3780	MOQE.exe
3780	MOQE.exe
3628	LZB.exe
3628	LZB.exe
3424	HELJZJ.exe
3424	HELJZJ.exe
1076	DCTVB.exe
1076	DCTVB.exe
1092	SFD.exe
1092	SFD.exe
604	QSCIZ.exe
604	QSCIZ.exe
3784	WSK.exe
3784	WSK.exe
3816	FBEB.exe
3816	FBEB.exe
336	SEI.exe
336	SEI.exe
1660	IHRMJO.exe
1660	IHRMJO.exe
1436	EEX.exe
1436	EEX.exe
4172	JPTHVPQ.exe
4172	JPTHVPQ.exe
3352	RVTWXUL.exe
3352	RVTWXUL.exe
3948	MIYF.exe
3948	MIYF.exe
1108	SIFTQW.exe
1108	SIFTQW.exe
3000	MEK.exe
3000	MEK.exe
336	AGTBPH.exe
336	AGTBPH.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2824	0506f2c306f1eb3760e3931573bda550N.exe
2824	0506f2c306f1eb3760e3931573bda550N.exe
2628	PQREJS.exe
2628	PQREJS.exe
3404	BTB.exe
3404	BTB.exe
4632	BMK.exe
4632	BMK.exe
2564	ZWNJGPF.exe
2564	ZWNJGPF.exe
1464	IPLXONV.exe
1464	IPLXONV.exe
3780	QAURCRJ.exe
3780	QAURCRJ.exe
4884	NAVTGW.exe
4884	NAVTGW.exe
5012	ALMSUY.exe
5012	ALMSUY.exe
636	QBNRBUD.exe
636	QBNRBUD.exe
3528	UJTRN.exe
3528	UJTRN.exe
2100	OXYBYMN.exe
2100	OXYBYMN.exe
3848	YUEVFM.exe
3848	YUEVFM.exe
1352	ZXIZK.exe
1352	ZXIZK.exe
3800	DFOZXVM.exe
3800	DFOZXVM.exe
3780	MOQE.exe
3780	MOQE.exe
3628	LZB.exe
3628	LZB.exe
3424	HELJZJ.exe
3424	HELJZJ.exe
1076	DCTVB.exe
1076	DCTVB.exe
1092	SFD.exe
1092	SFD.exe
604	QSCIZ.exe
604	QSCIZ.exe
3784	WSK.exe
3784	WSK.exe
3816	FBEB.exe
3816	FBEB.exe
336	SEI.exe
336	SEI.exe
1660	IHRMJO.exe
1660	IHRMJO.exe
1436	EEX.exe
1436	EEX.exe
4172	JPTHVPQ.exe
4172	JPTHVPQ.exe
3352	RVTWXUL.exe
3352	RVTWXUL.exe
3948	MIYF.exe
3948	MIYF.exe
1108	SIFTQW.exe
1108	SIFTQW.exe
3000	MEK.exe
3000	MEK.exe
336	AGTBPH.exe
336	AGTBPH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3628	2824	0506f2c306f1eb3760e3931573bda550N.exe	90
PID 2824 wrote to memory of 3628	2824	0506f2c306f1eb3760e3931573bda550N.exe	90
PID 2824 wrote to memory of 3628	2824	0506f2c306f1eb3760e3931573bda550N.exe	90
PID 3628 wrote to memory of 2628	3628	cmd.exe	94
PID 3628 wrote to memory of 2628	3628	cmd.exe	94
PID 3628 wrote to memory of 2628	3628	cmd.exe	94
PID 2628 wrote to memory of 3164	2628	PQREJS.exe	96
PID 2628 wrote to memory of 3164	2628	PQREJS.exe	96
PID 2628 wrote to memory of 3164	2628	PQREJS.exe	96
PID 3164 wrote to memory of 3404	3164	cmd.exe	100
PID 3164 wrote to memory of 3404	3164	cmd.exe	100
PID 3164 wrote to memory of 3404	3164	cmd.exe	100
PID 3404 wrote to memory of 4664	3404	BTB.exe	101
PID 3404 wrote to memory of 4664	3404	BTB.exe	101
PID 3404 wrote to memory of 4664	3404	BTB.exe	101
PID 4664 wrote to memory of 4632	4664	cmd.exe	105
PID 4664 wrote to memory of 4632	4664	cmd.exe	105
PID 4664 wrote to memory of 4632	4664	cmd.exe	105
PID 4632 wrote to memory of 4100	4632	BMK.exe	106
PID 4632 wrote to memory of 4100	4632	BMK.exe	106
PID 4632 wrote to memory of 4100	4632	BMK.exe	106
PID 4100 wrote to memory of 2564	4100	cmd.exe	110
PID 4100 wrote to memory of 2564	4100	cmd.exe	110
PID 4100 wrote to memory of 2564	4100	cmd.exe	110
PID 2564 wrote to memory of 2292	2564	ZWNJGPF.exe	111
PID 2564 wrote to memory of 2292	2564	ZWNJGPF.exe	111
PID 2564 wrote to memory of 2292	2564	ZWNJGPF.exe	111
PID 2292 wrote to memory of 1464	2292	cmd.exe	115
PID 2292 wrote to memory of 1464	2292	cmd.exe	115
PID 2292 wrote to memory of 1464	2292	cmd.exe	115
PID 1464 wrote to memory of 4580	1464	IPLXONV.exe	116
PID 1464 wrote to memory of 4580	1464	IPLXONV.exe	116
PID 1464 wrote to memory of 4580	1464	IPLXONV.exe	116
PID 4580 wrote to memory of 3780	4580	cmd.exe	120
PID 4580 wrote to memory of 3780	4580	cmd.exe	120
PID 4580 wrote to memory of 3780	4580	cmd.exe	120
PID 3780 wrote to memory of 2040	3780	QAURCRJ.exe	121
PID 3780 wrote to memory of 2040	3780	QAURCRJ.exe	121
PID 3780 wrote to memory of 2040	3780	QAURCRJ.exe	121
PID 2040 wrote to memory of 4884	2040	cmd.exe	125
PID 2040 wrote to memory of 4884	2040	cmd.exe	125
PID 2040 wrote to memory of 4884	2040	cmd.exe	125
PID 4884 wrote to memory of 116	4884	NAVTGW.exe	126
PID 4884 wrote to memory of 116	4884	NAVTGW.exe	126
PID 4884 wrote to memory of 116	4884	NAVTGW.exe	126
PID 116 wrote to memory of 5012	116	cmd.exe	130
PID 116 wrote to memory of 5012	116	cmd.exe	130
PID 116 wrote to memory of 5012	116	cmd.exe	130
PID 5012 wrote to memory of 2904	5012	ALMSUY.exe	131
PID 5012 wrote to memory of 2904	5012	ALMSUY.exe	131
PID 5012 wrote to memory of 2904	5012	ALMSUY.exe	131
PID 2904 wrote to memory of 636	2904	cmd.exe	135
PID 2904 wrote to memory of 636	2904	cmd.exe	135
PID 2904 wrote to memory of 636	2904	cmd.exe	135
PID 636 wrote to memory of 1472	636	QBNRBUD.exe	136
PID 636 wrote to memory of 1472	636	QBNRBUD.exe	136
PID 636 wrote to memory of 1472	636	QBNRBUD.exe	136
PID 1472 wrote to memory of 3528	1472	cmd.exe	140
PID 1472 wrote to memory of 3528	1472	cmd.exe	140
PID 1472 wrote to memory of 3528	1472	cmd.exe	140
PID 3528 wrote to memory of 2704	3528	UJTRN.exe	141
PID 3528 wrote to memory of 2704	3528	UJTRN.exe	141
PID 3528 wrote to memory of 2704	3528	UJTRN.exe	141
PID 2704 wrote to memory of 2100	2704	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\0506f2c306f1eb3760e3931573bda550N.exe
"C:\Users\Admin\AppData\Local\Temp\0506f2c306f1eb3760e3931573bda550N.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PQREJS.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\windows\SysWOW64\PQREJS.exe
    C:\windows\system32\PQREJS.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BTB.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\windows\SysWOW64\BTB.exe
        
        C:\windows\system32\BTB.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMK.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\windows\system\BMK.exe
        
        C:\windows\system\BMK.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZWNJGPF.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\windows\ZWNJGPF.exe
        
        C:\windows\ZWNJGPF.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPLXONV.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\windows\SysWOW64\IPLXONV.exe
        
        C:\windows\system32\IPLXONV.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAURCRJ.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\windows\system\QAURCRJ.exe
        
        C:\windows\system\QAURCRJ.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAVTGW.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\windows\system\NAVTGW.exe
        
        C:\windows\system\NAVTGW.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALMSUY.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\windows\SysWOW64\ALMSUY.exe
        
        C:\windows\system32\ALMSUY.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QBNRBUD.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\windows\QBNRBUD.exe
        
        C:\windows\QBNRBUD.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJTRN.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\windows\SysWOW64\UJTRN.exe
        
        C:\windows\system32\UJTRN.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXYBYMN.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\windows\SysWOW64\OXYBYMN.exe
        
        C:\windows\system32\OXYBYMN.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YUEVFM.exe.bat" "
        24⤵
        
        PID:2728
        
        C:\windows\system\YUEVFM.exe
        
        C:\windows\system\YUEVFM.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXIZK.exe.bat" "
        26⤵
        
        PID:3148
        
        C:\windows\system\ZXIZK.exe
        
        C:\windows\system\ZXIZK.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DFOZXVM.exe.bat" "
        28⤵
        
        PID:2160
        
        C:\windows\system\DFOZXVM.exe
        
        C:\windows\system\DFOZXVM.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOQE.exe.bat" "
        30⤵
        
        PID:1476
        
        C:\windows\system\MOQE.exe
        
        C:\windows\system\MOQE.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "
        32⤵
        
        PID:3184
        
        C:\windows\SysWOW64\LZB.exe
        
        C:\windows\system32\LZB.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HELJZJ.exe.bat" "
        34⤵
        
        PID:4596
        
        C:\windows\system\HELJZJ.exe
        
        C:\windows\system\HELJZJ.exe
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCTVB.exe.bat" "
        36⤵
        
        PID:2044
        
        C:\windows\system\DCTVB.exe
        
        C:\windows\system\DCTVB.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SFD.exe.bat" "
        38⤵
        
        PID:2940
        
        C:\windows\system\SFD.exe
        
        C:\windows\system\SFD.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSCIZ.exe.bat" "
        40⤵
        
        PID:4728
        
        C:\windows\SysWOW64\QSCIZ.exe
        
        C:\windows\system32\QSCIZ.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSK.exe.bat" "
        42⤵
        
        PID:3240
        
        C:\windows\system\WSK.exe
        
        C:\windows\system\WSK.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBEB.exe.bat" "
        44⤵
        
        PID:2420
        
        C:\windows\SysWOW64\FBEB.exe
        
        C:\windows\system32\FBEB.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEI.exe.bat" "
        46⤵
        
        PID:4640
        
        C:\windows\system\SEI.exe
        
        C:\windows\system\SEI.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IHRMJO.exe.bat" "
        48⤵
        
        PID:2748
        
        C:\windows\IHRMJO.exe
        
        C:\windows\IHRMJO.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEX.exe.bat" "
        50⤵
        
        PID:1012
        
        C:\windows\SysWOW64\EEX.exe
        
        C:\windows\system32\EEX.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "
        52⤵
        
        PID:452
        
        C:\windows\system\JPTHVPQ.exe
        
        C:\windows\system\JPTHVPQ.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "
        54⤵
        
        PID:2212
        
        C:\windows\RVTWXUL.exe
        
        C:\windows\RVTWXUL.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MIYF.exe.bat" "
        56⤵
        
        PID:2920
        
        C:\windows\system\MIYF.exe
        
        C:\windows\system\MIYF.exe
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SIFTQW.exe.bat" "
        58⤵
        
        PID:1060
        
        C:\windows\SIFTQW.exe
        
        C:\windows\SIFTQW.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEK.exe.bat" "
        60⤵
        
        PID:1644
        
        C:\windows\system\MEK.exe
        
        C:\windows\system\MEK.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AGTBPH.exe.bat" "
        62⤵
        
        PID:2448
        
        C:\windows\AGTBPH.exe
        
        C:\windows\AGTBPH.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCX.exe.bat" "
        64⤵
        
        PID:2628
        
        C:\windows\SysWOW64\UCX.exe
        
        C:\windows\system32\UCX.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMAAZNV.exe.bat" "
        66⤵
        
        PID:708
        
        C:\windows\SysWOW64\TMAAZNV.exe
        
        C:\windows\system32\TMAAZNV.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UHMWND.exe.bat" "
        68⤵
        
        PID:4728
        
        C:\windows\UHMWND.exe
        
        C:\windows\UHMWND.exe
        69⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIM.exe.bat" "
        70⤵
        
        PID:3848
        
        C:\windows\system\RIM.exe
        
        C:\windows\system\RIM.exe
        71⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAXAF.exe.bat" "
        72⤵
        
        PID:4620
        
        C:\windows\system\QAXAF.exe
        
        C:\windows\system\QAXAF.exe
        73⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NYCXMVW.exe.bat" "
        74⤵
        
        PID:2328
        
        C:\windows\system\NYCXMVW.exe
        
        C:\windows\system\NYCXMVW.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBGS.exe.bat" "
        76⤵
        
        PID:1884
        
        C:\windows\SysWOW64\NBGS.exe
        
        C:\windows\system32\NBGS.exe
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERFDD.exe.bat" "
        78⤵
        
        PID:4476
        
        C:\windows\SysWOW64\ERFDD.exe
        
        C:\windows\system32\ERFDD.exe
        79⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PJIWL.exe.bat" "
        80⤵
        
        PID:1428
        
        C:\windows\PJIWL.exe
        
        C:\windows\PJIWL.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PXALNZF.exe.bat" "
        82⤵
        
        PID:4948
        
        C:\windows\PXALNZF.exe
        
        C:\windows\PXALNZF.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KKFU.exe.bat" "
        84⤵
        
        PID:4492
        
        C:\windows\KKFU.exe
        
        C:\windows\KKFU.exe
        85⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDUFGRC.exe.bat" "
        86⤵
        
        PID:5036
        
        C:\windows\system\DDUFGRC.exe
        
        C:\windows\system\DDUFGRC.exe
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBAROAL.exe.bat" "
        88⤵
        
        PID:3864
        
        C:\windows\SysWOW64\NBAROAL.exe
        
        C:\windows\system32\NBAROAL.exe
        89⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EQHCAT.exe.bat" "
        90⤵
        
        PID:216
        
        C:\windows\EQHCAT.exe
        
        C:\windows\EQHCAT.exe
        91⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUYGEY.exe.bat" "
        92⤵
        
        PID:1424
        
        C:\windows\system\WUYGEY.exe
        
        C:\windows\system\WUYGEY.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHJYUUP.exe.bat" "
        94⤵
        
        PID:2292
        
        C:\windows\SysWOW64\FHJYUUP.exe
        
        C:\windows\system32\FHJYUUP.exe
        95⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEOV.exe.bat" "
        96⤵
        
        PID:4964
        
        C:\windows\SysWOW64\CEOV.exe
        
        C:\windows\system32\CEOV.exe
        97⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NXJNB.exe.bat" "
        98⤵
        
        PID:3648
        
        C:\windows\NXJNB.exe
        
        C:\windows\NXJNB.exe
        99⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDPDQ.exe.bat" "
        100⤵
        
        PID:1664
        
        C:\windows\system\KDPDQ.exe
        
        C:\windows\system\KDPDQ.exe
        101⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XIP.exe.bat" "
        102⤵
        
        PID:4980
        
        C:\windows\XIP.exe
        
        C:\windows\XIP.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BQEWE.exe.bat" "
        104⤵
        
        PID:708
        
        C:\windows\system\BQEWE.exe
        
        C:\windows\system\BQEWE.exe
        105⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OTAVJIA.exe.bat" "
        106⤵
        
        PID:4156
        
        C:\windows\OTAVJIA.exe
        
        C:\windows\OTAVJIA.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZGSQS.exe.bat" "
        108⤵
        
        PID:2172
        
        C:\windows\SysWOW64\LZGSQS.exe
        
        C:\windows\system32\LZGSQS.exe
        109⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UHIXU.exe.bat" "
        110⤵
        
        PID:4620
        
        C:\windows\system\UHIXU.exe
        
        C:\windows\system\UHIXU.exe
        111⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCRJNKF.exe.bat" "
        112⤵
        
        PID:2448
        
        C:\windows\SysWOW64\JCRJNKF.exe
        
        C:\windows\system32\JCRJNKF.exe
        113⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSSB.exe.bat" "
        114⤵
        
        PID:1852
        
        C:\windows\SysWOW64\ZSSB.exe
        
        C:\windows\system32\ZSSB.exe
        115⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFXKWY.exe.bat" "
        116⤵
        
        PID:4632
        
        C:\windows\system\TFXKWY.exe
        
        C:\windows\system\TFXKWY.exe
        117⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAG.exe.bat" "
        118⤵
        
        PID:1980
        
        C:\windows\SysWOW64\IAG.exe
        
        C:\windows\system32\IAG.exe
        119⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PWGXLV.exe.bat" "
        120⤵
        
        PID:4992
        
        C:\windows\SysWOW64\PWGXLV.exe
        
        C:\windows\system32\PWGXLV.exe
        121⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JJK.exe.bat" "
        122⤵
        
        PID:548
        
        C:\windows\JJK.exe
        
        C:\windows\JJK.exe
        123⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SWVZ.exe.bat" "
        124⤵
        
        PID:5028
        
        C:\windows\system\SWVZ.exe
        
        C:\windows\system\SWVZ.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFXEPPM.exe.bat" "
        126⤵
        
        PID:320
        
        C:\windows\SysWOW64\KFXEPPM.exe
        
        C:\windows\system32\KFXEPPM.exe
        127⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XHFCD.exe.bat" "
        128⤵
        
        PID:4972
        
        C:\windows\XHFCD.exe
        
        C:\windows\XHFCD.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDEDID.exe.bat" "
        130⤵
        
        PID:4308
        
        C:\windows\system\DDEDID.exe
        
        C:\windows\system\DDEDID.exe
        131⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QONCWG.exe.bat" "
        132⤵
        
        PID:4976
        
        C:\windows\QONCWG.exe
        
        C:\windows\QONCWG.exe
        133⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HDUFA.exe.bat" "
        134⤵
        
        PID:3076
        
        C:\windows\HDUFA.exe
        
        C:\windows\HDUFA.exe
        135⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HGYINQJ.exe.bat" "
        136⤵
        
        PID:3444
        
        C:\windows\SysWOW64\HGYINQJ.exe
        
        C:\windows\system32\HGYINQJ.exe
        137⤵
        Drops file in Windows directory
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RHANRN.exe.bat" "
        138⤵
        
        PID:4696
        
        C:\windows\system\RHANRN.exe
        
        C:\windows\system\RHANRN.exe
        139⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CZDGZ.exe.bat" "
        140⤵
        
        PID:4504
        
        C:\windows\SysWOW64\CZDGZ.exe
        
        C:\windows\system32\CZDGZ.exe
        141⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUM.exe.bat" "
        142⤵
        
        PID:2928
        
        C:\windows\system\RUM.exe
        
        C:\windows\system\RUM.exe
        143⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SXQOQFC.exe.bat" "
        144⤵
        
        PID:4516
        
        C:\windows\SysWOW64\SXQOQFC.exe
        
        C:\windows\system32\SXQOQFC.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UVVB.exe.bat" "
        146⤵
        
        PID:4896
        
        C:\windows\system\UVVB.exe
        
        C:\windows\system\UVVB.exe
        147⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UYZ.exe.bat" "
        148⤵
        
        PID:2476
        
        C:\windows\UYZ.exe
        
        C:\windows\UYZ.exe
        149⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LOG.exe.bat" "
        150⤵
        
        PID:4112
        
        C:\windows\SysWOW64\LOG.exe
        
        C:\windows\system32\LOG.exe
        151⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJF.exe.bat" "
        152⤵
        
        PID:684
        
        C:\windows\RJF.exe
        
        C:\windows\RJF.exe
        153⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMJMHQT.exe.bat" "
        154⤵
        
        PID:1228
        
        C:\windows\SysWOW64\KMJMHQT.exe
        
        C:\windows\system32\KMJMHQT.exe
        155⤵
        Checks computer location settings
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZHSQS.exe.bat" "
        156⤵
        
        PID:1504
        
        C:\windows\ZHSQS.exe
        
        C:\windows\ZHSQS.exe
        157⤵
        Checks computer location settings
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFYNZ.exe.bat" "
        158⤵
        
        PID:1748
        
        C:\windows\system\VFYNZ.exe
        
        C:\windows\system\VFYNZ.exe
        159⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WICR.exe.bat" "
        160⤵
        
        PID:4024
        
        C:\windows\system\WICR.exe
        
        C:\windows\system\WICR.exe
        161⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PLGMSA.exe.bat" "
        162⤵
        
        PID:1476
        
        C:\windows\system\PLGMSA.exe
        
        C:\windows\system\PLGMSA.exe
        163⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AEJFSIV.exe.bat" "
        164⤵
        
        PID:2100
        
        C:\windows\AEJFSIV.exe
        
        C:\windows\AEJFSIV.exe
        165⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGF.exe.bat" "
        166⤵
        
        PID:1764
        
        C:\windows\SysWOW64\NGF.exe
        
        C:\windows\system32\NGF.exe
        167⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CML.exe.bat" "
        168⤵
        
        PID:2448
        
        C:\windows\CML.exe
        
        C:\windows\CML.exe
        169⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XXT.exe.bat" "
        170⤵
        
        PID:4512
        
        C:\windows\XXT.exe
        
        C:\windows\XXT.exe
        171⤵
        Drops file in Windows directory
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZVUUYI.exe.bat" "
        172⤵
        
        PID:3004
        
        C:\windows\system\ZVUUYI.exe
        
        C:\windows\system\ZVUUYI.exe
        173⤵
        Drops file in Windows directory
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DDBC.exe.bat" "
        174⤵
        
        PID:4964
        
        C:\windows\DDBC.exe
        
        C:\windows\DDBC.exe
        175⤵
        Checks computer location settings
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HTI.exe.bat" "
        176⤵
        
        PID:2044
        
        C:\windows\system\HTI.exe
        
        C:\windows\system\HTI.exe
        177⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WJJB.exe.bat" "
        178⤵
        
        PID:3084
        
        C:\windows\SysWOW64\WJJB.exe
        
        C:\windows\system32\WJJB.exe
        179⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TGOYLQ.exe.bat" "
        180⤵
        
        PID:4536
        
        C:\windows\TGOYLQ.exe
        
        C:\windows\TGOYLQ.exe
        181⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JENBWC.exe.bat" "
        182⤵
        
        PID:320
        
        C:\windows\system\JENBWC.exe
        
        C:\windows\system\JENBWC.exe
        183⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUUEA.exe.bat" "
        184⤵
        
        PID:3644
        
        C:\windows\system\AUUEA.exe
        
        C:\windows\system\AUUEA.exe
        185⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAMSKB.exe.bat" "
        186⤵
        
        PID:3632
        
        C:\windows\SysWOW64\IAMSKB.exe
        
        C:\windows\system32\IAMSKB.exe
        187⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVEF.exe.bat" "
        188⤵
        
        PID:3348
        
        C:\windows\system\XVEF.exe
        
        C:\windows\system\XVEF.exe
        189⤵
        Checks computer location settings
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GDGKY.exe.bat" "
        190⤵
        
        PID:1500
        
        C:\windows\GDGKY.exe
        
        C:\windows\GDGKY.exe
        191⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLMKL.exe.bat" "
        192⤵
        
        PID:3116
        
        C:\windows\SysWOW64\KLMKL.exe
        
        C:\windows\system32\KLMKL.exe
        193⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LOQNQB.exe.bat" "
        194⤵
        
        PID:2656
        
        C:\windows\LOQNQB.exe
        
        C:\windows\LOQNQB.exe
        195⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBV.exe.bat" "
        196⤵
        
        PID:2160
        
        C:\windows\system\FBV.exe
        
        C:\windows\system\FBV.exe
        197⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FHNL.exe.bat" "
        198⤵
        
        PID:1636
        
        C:\windows\FHNL.exe
        
        C:\windows\FHNL.exe
        199⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UKFQVAW.exe.bat" "
        200⤵
        
        PID:3596
        
        C:\windows\UKFQVAW.exe
        
        C:\windows\UKFQVAW.exe
        201⤵
        Drops file in Windows directory
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSLQ.exe.bat" "
        202⤵
        
        PID:1436
        
        C:\windows\system\YSLQ.exe
        
        C:\windows\system\YSLQ.exe
        203⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFQHJT.exe.bat" "
        204⤵
        
        PID:3084
        
        C:\windows\system\TFQHJT.exe
        
        C:\windows\system\TFQHJT.exe
        205⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTIVLGC.exe.bat" "
        206⤵
        
        PID:3784
        
        C:\windows\system\BTIVLGC.exe
        
        C:\windows\system\BTIVLGC.exe
        207⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGN.exe.bat" "
        208⤵
        
        PID:640
        
        C:\windows\SysWOW64\WGN.exe
        
        C:\windows\system32\WGN.exe
        209⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\URYNELN.exe.bat" "
        210⤵
        
        PID:5028
        
        C:\windows\SysWOW64\URYNELN.exe
        
        C:\windows\system32\URYNELN.exe
        211⤵
        Checks computer location settings
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YHEVQ.exe.bat" "
        212⤵
        
        PID:1852
        
        C:\windows\system\YHEVQ.exe
        
        C:\windows\system\YHEVQ.exe
        213⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCIR.exe.bat" "
        214⤵
        
        PID:4552
        
        C:\windows\SysWOW64\RCIR.exe
        
        C:\windows\system32\RCIR.exe
        215⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPNIG.exe.bat" "
        216⤵
        
        PID:3420
        
        C:\windows\SysWOW64\TPNIG.exe
        
        C:\windows\system32\TPNIG.exe
        217⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MSRELJA.exe.bat" "
        218⤵
        
        PID:4708
        
        C:\windows\MSRELJA.exe
        
        C:\windows\MSRELJA.exe
        219⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BNAIW.exe.bat" "
        220⤵
        
        PID:3016
        
        C:\windows\system\BNAIW.exe
        
        C:\windows\system\BNAIW.exe
        221⤵
        Checks computer location settings
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FDH.exe.bat" "
        222⤵
        
        PID:2784
        
        C:\windows\FDH.exe
        
        C:\windows\FDH.exe
        223⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "
        224⤵
        
        PID:4736
        
        C:\windows\system\GGLMWEY.exe
        
        C:\windows\system\GGLMWEY.exe
        225⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZO.exe.bat" "
        226⤵
        
        PID:2684
        
        C:\windows\SysWOW64\RZO.exe
        
        C:\windows\system32\RZO.exe
        227⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUSIJ.exe.bat" "
        228⤵
        
        PID:4292
        
        C:\windows\SysWOW64\KUSIJ.exe
        
        C:\windows\system32\KUSIJ.exe
        229⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SNACP.exe.bat" "
        230⤵
        
        PID:1768
        
        C:\windows\SNACP.exe
        
        C:\windows\SNACP.exe
        231⤵
        Drops file in Windows directory
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SSA.exe.bat" "
        232⤵
        
        PID:3812
        
        C:\windows\SSA.exe
        
        C:\windows\SSA.exe
        233⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MFXA.exe.bat" "
        234⤵
        
        PID:2536
        
        C:\windows\system\MFXA.exe
        
        C:\windows\system\MFXA.exe
        235⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQOYPDR.exe.bat" "
        236⤵
        
        PID:3848
        
        C:\windows\SysWOW64\HQOYPDR.exe
        
        C:\windows\system32\HQOYPDR.exe
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HWG.exe.bat" "
        238⤵
        
        PID:4988
        
        C:\windows\HWG.exe
        
        C:\windows\HWG.exe
        239⤵
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHWLFB.exe.bat" "
        240⤵
        
        PID:2192
        
        C:\windows\SysWOW64\VHWLFB.exe
        
        C:\windows\system32\VHWLFB.exe
        241⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PUB.exe.bat" "
        242⤵
        
        PID:560
        
        C:\windows\system\PUB.exe
        
        C:\windows\system\PUB.exe
        243⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CFXT.exe.bat" "
        244⤵
        
        PID:3444
        
        C:\windows\CFXT.exe
        
        C:\windows\CFXT.exe
        245⤵
        Checks computer location settings
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OXAMD.exe.bat" "
        246⤵
        
        PID:4132
        
        C:\windows\OXAMD.exe
        
        C:\windows\OXAMD.exe
        247⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SFHMPSC.exe.bat" "
        248⤵
        
        PID:2460
        
        C:\windows\system\SFHMPSC.exe
        
        C:\windows\system\SFHMPSC.exe
        249⤵
        Drops file in Windows directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SIKQ.exe.bat" "
        250⤵
        
        PID:4120
        
        C:\windows\system\SIKQ.exe
        
        C:\windows\system\SIKQ.exe
        251⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBNJCP.exe.bat" "
        252⤵
        
        PID:1800
        
        C:\windows\SysWOW64\EBNJCP.exe
        
        C:\windows\system32\EBNJCP.exe
        253⤵
        Checks computer location settings
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGTGKZU.exe.bat" "
        254⤵
        
        PID:3308
        
        C:\windows\system\SGTGKZU.exe
        
        C:\windows\system\SGTGKZU.exe
        255⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARUZXDJ.exe.bat" "
        256⤵
        
        PID:4384
        
        C:\windows\SysWOW64\ARUZXDJ.exe
        
        C:\windows\system32\ARUZXDJ.exe
        257⤵
        Checks computer location settings
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXAW.exe.bat" "
        258⤵
        
        PID:4200
        
        C:\windows\system\WXAW.exe
        
        C:\windows\system\WXAW.exe
        259⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ENBWL.exe.bat" "
        260⤵
        
        PID:1428
        
        C:\windows\system\ENBWL.exe
        
        C:\windows\system\ENBWL.exe
        261⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASHLSSU.exe.bat" "
        262⤵
        
        PID:5076
        
        C:\windows\system\ASHLSSU.exe
        
        C:\windows\system\ASHLSSU.exe
        263⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QIIKZG.exe.bat" "
        264⤵
        
        PID:1592
        
        C:\windows\SysWOW64\QIIKZG.exe
        
        C:\windows\system32\QIIKZG.exe
        265⤵
        Drops file in Windows directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZNSCHC.exe.bat" "
        266⤵
        
        PID:3896
        
        C:\windows\ZNSCHC.exe
        
        C:\windows\ZNSCHC.exe
        267⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARW.exe.bat" "
        268⤵
        
        PID:4496
        
        C:\windows\system\ARW.exe
        
        C:\windows\system\ARW.exe
        269⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\COXA.exe.bat" "
        270⤵
        
        PID:4384
        
        C:\windows\SysWOW64\COXA.exe
        
        C:\windows\system32\COXA.exe
        271⤵
        Drops file in Windows directory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JJU.exe.bat" "
        272⤵
        
        PID:1612
        
        C:\windows\system\JJU.exe
        
        C:\windows\system\JJU.exe
        273⤵
        Drops file in Windows directory
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRBMP.exe.bat" "
        274⤵
        
        PID:3404
        
        C:\windows\system\NRBMP.exe
        
        C:\windows\system\NRBMP.exe
        275⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EADZ.exe.bat" "
        276⤵
        
        PID:2700
        
        C:\windows\system\EADZ.exe
        
        C:\windows\system\EADZ.exe
        277⤵
        Drops file in Windows directory
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVMEDT.exe.bat" "
        278⤵
        
        PID:2112
        
        C:\windows\system\TVMEDT.exe
        
        C:\windows\system\TVMEDT.exe
        279⤵
        Drops file in Windows directory
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IASBSC.exe.bat" "
        280⤵
        
        PID:1456
        
        C:\windows\system\IASBSC.exe
        
        C:\windows\system\IASBSC.exe
        281⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDOZXUZ.exe.bat" "
        282⤵
        
        PID:4256
        
        C:\windows\SysWOW64\VDOZXUZ.exe
        
        C:\windows\system32\VDOZXUZ.exe
        283⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VRO.exe.bat" "
        284⤵
        
        PID:4536
        
        C:\windows\SysWOW64\VRO.exe
        
        C:\windows\system32\VRO.exe
        285⤵
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MWZG.exe.bat" "
        286⤵
        
        PID:2732
        
        C:\windows\MWZG.exe
        
        C:\windows\MWZG.exe
        287⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMAFVZF.exe.bat" "
        288⤵
        
        PID:4824
        
        C:\windows\SysWOW64\BMAFVZF.exe
        
        C:\windows\system32\BMAFVZF.exe
        289⤵
        Drops file in Windows directory
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RHJJG.exe.bat" "
        290⤵
        
        PID:3568
        
        C:\windows\RHJJG.exe
        
        C:\windows\RHJJG.exe
        291⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKA.exe.bat" "
        292⤵
        
        PID:2168
        
        C:\windows\SysWOW64\JKA.exe
        
        C:\windows\system32\JKA.exe
        293⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAH.exe.bat" "
        294⤵
        
        PID:3304
        
        C:\windows\SysWOW64\AAH.exe
        
        C:\windows\system32\AAH.exe
        295⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGNN.exe.bat" "
        296⤵
        
        PID:2868
        
        C:\windows\SysWOW64\WGNN.exe
        
        C:\windows\system32\WGNN.exe
        297⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NVMY.exe.bat" "
        298⤵
        
        PID:4672
        
        C:\windows\SysWOW64\NVMY.exe
        
        C:\windows\system32\NVMY.exe
        299⤵
        Drops file in Windows directory
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FZDB.exe.bat" "
        300⤵
        
        PID:1840
        
        C:\windows\FZDB.exe
        
        C:\windows\FZDB.exe
        301⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JHKBYU.exe.bat" "
        302⤵
        
        PID:1180
        
        C:\windows\JHKBYU.exe
        
        C:\windows\JHKBYU.exe
        303⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XRAA.exe.bat" "
        304⤵
        
        PID:2160
        
        C:\windows\XRAA.exe
        
        C:\windows\XRAA.exe
        305⤵
        Checks computer location settings
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OSCFPCH.exe.bat" "
        306⤵
        
        PID:2120
        
        C:\windows\OSCFPCH.exe
        
        C:\windows\OSCFPCH.exe
        307⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SIJNU.exe.bat" "
        308⤵
        
        PID:4256
        
        C:\windows\SIJNU.exe
        
        C:\windows\SIJNU.exe
        309⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ONPCJ.exe.bat" "
        310⤵
        
        PID:4856
        
        C:\windows\ONPCJ.exe
        
        C:\windows\ONPCJ.exe
        311⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AGKVJL.exe.bat" "
        312⤵
        
        PID:3676
        
        C:\windows\AGKVJL.exe
        
        C:\windows\AGKVJL.exe
        313⤵
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWLXPA.exe.bat" "
        314⤵
        
        PID:3360
        
        C:\windows\SysWOW64\CWLXPA.exe
        
        C:\windows\system32\CWLXPA.exe
        315⤵
        Drops file in Windows directory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QBJUWK.exe.bat" "
        316⤵
        
        PID:1344
        
        C:\windows\system\QBJUWK.exe
        
        C:\windows\system\QBJUWK.exe
        317⤵
        Drops file in Windows directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YUR.exe.bat" "
        318⤵
        
        PID:4600
        
        C:\windows\YUR.exe
        
        C:\windows\YUR.exe
        319⤵
        Drops file in Windows directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JMUG.exe.bat" "
        320⤵
        
        PID:640
        
        C:\windows\JMUG.exe
        
        C:\windows\JMUG.exe
        321⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EAZQVD.exe.bat" "
        322⤵
        
        PID:4120
        
        C:\windows\EAZQVD.exe
        
        C:\windows\EAZQVD.exe
        323⤵
        Drops file in Windows directory
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YNE.exe.bat" "
        324⤵
        
        PID:2308
        
        C:\windows\system\YNE.exe
        
        C:\windows\system\YNE.exe
        325⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZQIDS.exe.bat" "
        326⤵
        
        PID:1852
        
        C:\windows\ZQIDS.exe
        
        C:\windows\ZQIDS.exe
        327⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MBQ.exe.bat" "
        328⤵
        
        PID:4592
        
        C:\windows\MBQ.exe
        
        C:\windows\MBQ.exe
        329⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WBSHKB.exe.bat" "
        330⤵
        
        PID:2160
        
        C:\windows\SysWOW64\WBSHKB.exe
        
        C:\windows\system32\WBSHKB.exe
        331⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHYERL.exe.bat" "
        332⤵
        
        PID:4232
        
        C:\windows\SysWOW64\SHYERL.exe
        
        C:\windows\system32\SHYERL.exe
        333⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KHAJ.exe.bat" "
        334⤵
        
        PID:3412
        
        C:\windows\SysWOW64\KHAJ.exe
        
        C:\windows\system32\KHAJ.exe
        335⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CKEFAY.exe.bat" "
        336⤵
        
        PID:428
        
        C:\windows\SysWOW64\CKEFAY.exe
        
        C:\windows\system32\CKEFAY.exe
        337⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GSK.exe.bat" "
        338⤵
        
        PID:1636
        
        C:\windows\GSK.exe
        
        C:\windows\GSK.exe
        339⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KIRNZJ.exe.bat" "
        340⤵
        
        PID:4924
        
        C:\windows\SysWOW64\KIRNZJ.exe
        
        C:\windows\system32\KIRNZJ.exe
        341⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NVW.exe.bat" "
        342⤵
        
        PID:1496
        
        C:\windows\SysWOW64\NVW.exe
        
        C:\windows\system32\NVW.exe
        343⤵
        Drops file in Windows directory
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTBQQRQ.exe.bat" "
        344⤵
        
        PID:4988
        
        C:\windows\PTBQQRQ.exe
        
        C:\windows\PTBQQRQ.exe
        345⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EJCQX.exe.bat" "
        346⤵
        
        PID:3364
        
        C:\windows\system\EJCQX.exe
        
        C:\windows\system\EJCQX.exe
        347⤵
        Drops file in Windows directory
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZWHZHFC.exe.bat" "
        348⤵
        
        PID:1696
        
        C:\windows\ZWHZHFC.exe
        
        C:\windows\ZWHZHFC.exe
        349⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNWZT.exe.bat" "
        350⤵
        
        PID:3304
        
        C:\windows\CNWZT.exe
        
        C:\windows\CNWZT.exe
        351⤵
        Drops file in Windows directory
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVDZYPM.exe.bat" "
        352⤵
        
        PID:644
        
        C:\windows\system\OVDZYPM.exe
        
        C:\windows\system\OVDZYPM.exe
        353⤵
        Checks computer location settings
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SLJH.exe.bat" "
        354⤵
        
        PID:2724
        
        C:\windows\SLJH.exe
        
        C:\windows\SLJH.exe
        355⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLLMNF.exe.bat" "
        356⤵
        
        PID:2124
        
        C:\windows\system\CLLMNF.exe
        
        C:\windows\system\CLLMNF.exe
        357⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\COPQB.exe.bat" "
        358⤵
        
        PID:1100
        
        C:\windows\SysWOW64\COPQB.exe
        
        C:\windows\system32\COPQB.exe
        359⤵
        Drops file in Windows directory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XBUZDV.exe.bat" "
        360⤵
        
        PID:3600
        
        C:\windows\XBUZDV.exe
        
        C:\windows\XBUZDV.exe
        361⤵
        Drops file in Windows directory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DCBN.exe.bat" "
        362⤵
        
        PID:4032
        
        C:\windows\DCBN.exe
        
        C:\windows\DCBN.exe
        363⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFFJZN.exe.bat" "
        364⤵
        
        PID:1064
        
        C:\windows\SysWOW64\VFFJZN.exe
        
        C:\windows\system32\VFFJZN.exe
        365⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVGI.exe.bat" "
        366⤵
        
        PID:1568
        
        C:\windows\system\LVGI.exe
        
        C:\windows\system\LVGI.exe
        367⤵
        Checks computer location settings
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DYKEMY.exe.bat" "
        368⤵
        
        PID:1392
        
        C:\windows\system\DYKEMY.exe
        
        C:\windows\system\DYKEMY.exe
        369⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNDH.exe.bat" "
        370⤵
        
        PID:3628
        
        C:\windows\CNDH.exe
        
        C:\windows\CNDH.exe
        371⤵
        Drops file in Windows directory
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IJUIDHZ.exe.bat" "
        372⤵
        
        PID:3220
        
        C:\windows\IJUIDHZ.exe
        
        C:\windows\IJUIDHZ.exe
        373⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OJCV.exe.bat" "
        374⤵
        
        PID:2212
        
        C:\windows\OJCV.exe
        
        C:\windows\OJCV.exe
        375⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJEAYG.exe.bat" "
        376⤵
        
        PID:2744
        
        C:\windows\SysWOW64\XJEAYG.exe
        
        C:\windows\system32\XJEAYG.exe
        377⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXPTODQ.exe.bat" "
        378⤵
        
        PID:4568
        
        C:\windows\system\OXPTODQ.exe
        
        C:\windows\system\OXPTODQ.exe
        379⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCPHPQT.exe.bat" "
        380⤵
        
        PID:5080
        
        C:\windows\SysWOW64\OCPHPQT.exe
        
        C:\windows\system32\OCPHPQT.exe
        381⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PFTLVG.exe.bat" "
        382⤵
        
        PID:3936
        
        C:\windows\PFTLVG.exe
        
        C:\windows\PFTLVG.exe
        383⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IIW.exe.bat" "
        384⤵
        
        PID:1416
        
        C:\windows\IIW.exe
        
        C:\windows\IIW.exe
        385⤵
        Checks computer location settings
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CWBQK.exe.bat" "
        386⤵
        
        PID:4164
        
        C:\windows\system\CWBQK.exe
        
        C:\windows\system\CWBQK.exe
        387⤵
        Drops file in Windows directory
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEIYXOG.exe.bat" "
        388⤵
        
        PID:1692
        
        C:\windows\system\OEIYXOG.exe
        
        C:\windows\system\OEIYXOG.exe
        389⤵
        Drops file in Windows directory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHMUCE.exe.bat" "
        390⤵
        
        PID:5112
        
        C:\windows\HHMUCE.exe
        
        C:\windows\HHMUCE.exe
        391⤵
        Checks computer location settings
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NHT.exe.bat" "
        392⤵
        
        PID:3680
        
        C:\windows\system\NHT.exe
        
        C:\windows\system\NHT.exe
        393⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXAPXQ.exe.bat" "
        394⤵
        
        PID:2904
        
        C:\windows\system\RXAPXQ.exe
        
        C:\windows\system\RXAPXQ.exe
        395⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 988
        394⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1264
        392⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 1292
        390⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1272
        388⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1304
        386⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 988
        384⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1324
        382⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1328
        380⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1336
        378⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 988
        376⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1236
        374⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1004
        372⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1324
        370⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1008
        368⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1304
        366⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1328
        364⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1004
        362⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1324
        360⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 988
        358⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1264
        356⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1260
        354⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 960
        352⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 960
        350⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1324
        348⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1276
        346⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1324
        344⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1328
        342⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 988
        340⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1008
        338⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 976
        336⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 988
        334⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 988
        332⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1248
        330⤵
        
        PID:656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1304
        328⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 960
        326⤵
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 996
        324⤵
        
        PID:560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 968
        322⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1324
        320⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 960
        318⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 960
        316⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1328
        314⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1004
        312⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1304
        310⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1292
        308⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1256
        306⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1292
        304⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1324
        302⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1324
        300⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1328
        298⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 988
        296⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1328
        294⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 960
        292⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 960
        290⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1328
        288⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1324
        286⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1328
        284⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1296
        282⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1316
        280⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 960
        278⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1336
        276⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1336
        274⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 960
        272⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 988
        270⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1336
        268⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 960
        266⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 960
        264⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1336
        262⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 960
        260⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1336
        258⤵
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1328
        256⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1336
        254⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1320
        252⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1336
        250⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1336
        248⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1324
        246⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1300
        244⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 960
        242⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 960
        240⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1324
        238⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1296
        236⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1116
        234⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1324
        232⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 988
        230⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1328
        228⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 960
        226⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 960
        224⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 960
        222⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1336
        220⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1324
        218⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1328
        216⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1300
        214⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1300
        212⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1328
        210⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1328
        208⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1336
        206⤵
        
        PID:820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1324
        204⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1336
        202⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 960
        200⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1312
        198⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1280
        196⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1288
        194⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1004
        192⤵
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1292
        190⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 960
        188⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 976
        186⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 960
        184⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1336
        182⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1324
        180⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1328
        178⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 960
        176⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1004
        174⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1008
        172⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 960
        170⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1324
        168⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1000
        166⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1292
        164⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1336
        162⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1300
        160⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 960
        158⤵
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1324
        156⤵
        
        PID:388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1240
        154⤵
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1292
        152⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1328
        150⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1324
        148⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 976
        146⤵
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 960
        144⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1336
        142⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1328
        140⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1336
        138⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1312
        136⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1324
        134⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1304
        132⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1272
        130⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1292
        128⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 960
        126⤵
        Program crash
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1316
        124⤵
        Program crash
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1324
        122⤵
        Program crash
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1008
        120⤵
        Program crash
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1272
        118⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1272
        116⤵
        Program crash
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1328
        114⤵
        Program crash
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1328
        112⤵
        Program crash
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 960
        110⤵
        Program crash
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1328
        108⤵
        Program crash
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1324
        106⤵
        Program crash
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1336
        104⤵
        Program crash
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1324
        102⤵
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 988
        100⤵
        Program crash
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 960
        98⤵
        Program crash
        
        PID:3776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1328
        96⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 960
        94⤵
        Program crash
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 960
        92⤵
        Program crash
        
        PID:820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1316
        90⤵
        Program crash
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1308
        88⤵
        Program crash
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1336
        86⤵
        Program crash
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1324
        84⤵
        Program crash
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1324
        82⤵
        Program crash
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1292
        80⤵
        Program crash
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1328
        78⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1328
        76⤵
        Program crash
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1328
        74⤵
        Program crash
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1268
        72⤵
        Program crash
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1304
        70⤵
        Program crash
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1324
        68⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1328
        66⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1328
        64⤵
        Program crash
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1252
        62⤵
        Program crash
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1304
        60⤵
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1292
        58⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 976
        56⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 960
        54⤵
        Program crash
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1304
        52⤵
        Program crash
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1328
        50⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 960
        48⤵
        Program crash
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1304
        46⤵
        Program crash
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1328
        44⤵
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 1336
        42⤵
        Program crash
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1328
        40⤵
        Program crash
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1336
        38⤵
        Program crash
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1328
        36⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1264
        34⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1264
        32⤵
        Program crash
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1272
        30⤵
        Program crash
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1336
        28⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1248
        26⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1276
        24⤵
        Program crash
        
        PID:1980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 960
        22⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1300
        20⤵
        Program crash
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1288
        18⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 960
        16⤵
        Program crash
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 976
        14⤵
        Program crash
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 960
        12⤵
        Program crash
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 960
        10⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1324
        8⤵
        Program crash
        
        PID:1980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1336
        6⤵
        Program crash
        
        PID:3316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 960
      4⤵
      Program crash
      PID:4560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 984
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2824 -ip 2824
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2628 -ip 2628
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4632 -ip 4632
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2564 -ip 2564
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1464 -ip 1464
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3780 -ip 3780
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4884 -ip 4884
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5012 -ip 5012
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 636 -ip 636
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3528 -ip 3528
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2100 -ip 2100
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3848 -ip 3848
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1352 -ip 1352
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3800 -ip 3800
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3780 -ip 3780
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3628 -ip 3628
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3424 -ip 3424
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1076 -ip 1076
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1092 -ip 1092
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 604 -ip 604
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3784 -ip 3784
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3816 -ip 3816
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 336 -ip 336
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1660 -ip 1660
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1436 -ip 1436
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4172 -ip 4172
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3352 -ip 3352
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3948 -ip 3948
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1108 -ip 1108
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3000 -ip 3000
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 336 -ip 336
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4596 -ip 4596
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3004 -ip 3004
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4712 -ip 4712
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3248 -ip 3248
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4876 -ip 4876
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4448 -ip 4448
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 336 -ip 336
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3936 -ip 3936
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2944 -ip 2944
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4660 -ip 4660
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4452 -ip 4452
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 492 -ip 492
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3116 -ip 3116
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2212 -ip 2212
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3228 -ip 3228
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 448 -ip 448
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1552 -ip 1552
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3660 -ip 3660
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1476 -ip 1476
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4144 -ip 4144
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2792 -ip 2792
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3708 -ip 3708
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1768 -ip 1768
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3352 -ip 3352
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4232 -ip 4232
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2628 -ip 2628
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3076 -ip 3076
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2496 -ip 2496
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4592 -ip 4592
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3624 -ip 3624
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2928 -ip 2928
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3000 -ip 3000
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4896 -ip 4896
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4368 -ip 4368
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4496 -ip 4496
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1584 -ip 1584
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3408 -ip 3408
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4752 -ip 4752
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1552 -ip 1552
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1884 -ip 1884
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 440 -ip 440
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 4976
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3372 -ip 3372
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4064 -ip 4064
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1576 -ip 1576
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5036 -ip 5036
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2840 -ip 2840
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2428 -ip 2428
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5020 -ip 5020
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3500 -ip 3500
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3240 -ip 3240
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2732 -ip 2732
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2844 -ip 2844
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1696 -ip 1696
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2904 -ip 2904
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4800 -ip 4800
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2656 -ip 2656
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1428 -ip 1428
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4876 -ip 4876
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4024 -ip 4024
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3212 -ip 3212
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2784 -ip 2784
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4500 -ip 4500
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1756 -ip 1756
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3472 -ip 3472
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2700 -ip 2700
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4232 -ip 4232
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3896 -ip 3896
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2984 -ip 2984
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1692 -ip 1692
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3624 -ip 3624
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3280 -ip 3280
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2092 -ip 2092
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4556 -ip 4556
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4852 -ip 4852
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4424 -ip 4424
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3760 -ip 3760
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2328 -ip 2328
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4672 -ip 4672
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4112 -ip 4112
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1824 -ip 1824
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3252 -ip 3252
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1760 -ip 1760
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1912 -ip 1912
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 376 -ip 376
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4064 -ip 4064
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3776 -ip 3776
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3568 -ip 3568
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2092 -ip 2092
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 556 -ip 556
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3212 -ip 3212
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4872 -ip 4872
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1224 -ip 1224
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4660 -ip 4660
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3408 -ip 3408
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2088 -ip 2088
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3680 -ip 3680
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4056 -ip 4056
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2456 -ip 2456
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 116 -ip 116
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4676 -ip 4676
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3784 -ip 3784
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2688 -ip 2688
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4728 -ip 4728
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1696 -ip 1696
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4692 -ip 4692
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2536 -ip 2536
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5028 -ip 5028
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1084 -ip 1084
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4512 -ip 4512
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3800 -ip 3800
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3680 -ip 3680
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1720 -ip 1720
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3760 -ip 3760
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4536 -ip 4536
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3248 -ip 3248
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3632 -ip 3632
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4616 -ip 4616
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3412 -ip 3412
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4920 -ip 4920
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2784 -ip 2784
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 448 -ip 448
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3352 -ip 3352
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4572 -ip 4572
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4056 -ip 4056
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3116 -ip 3116
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4696 -ip 4696
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4492 -ip 4492
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2684 -ip 2684
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4512 -ip 4512
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3404 -ip 3404
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4328 -ip 4328
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4688 -ip 4688
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4920 -ip 4920
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1484 -ip 1484
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4176 -ip 4176
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4156 -ip 4156
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 456 -ip 456
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4940 -ip 4940
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 116 -ip 116
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1352 -ip 1352
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4308 -ip 4308
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4028 -ip 4028
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2324 -ip 2324
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4568 -ip 4568
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3412 -ip 3412
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3936 -ip 3936
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4800 -ip 4800
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2400 -ip 2400
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2124 -ip 2124
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3148 -ip 3148
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2168 -ip 2168
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2500 -ip 2500
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2000 -ip 2000
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5008 -ip 5008
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2276 -ip 2276
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1496 -ip 1496
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 656 -ip 656
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2940 -ip 2940
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2976 -ip 2976
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2436 -ip 2436
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ALMSUY.exe

Filesize
208KB

MD5
923b0074d79317fcbd81fb708c34e1f1

SHA1
fe9267431c5842980d67fb493ce9725c146c5709

SHA256
998547fd4be98c91f371d4d1c85aa8d738456625523de6e939922687057da9d4

SHA512
deeaf263092f947e93c8725d4881c64fc021e2de14a3d0c33ccae7721d616b3826cb545ba380f4b11dca1f23e24fda656ae7871743d03908ef80db1f9dda981a

Download Submit
C:\Windows\SysWOW64\BTB.exe

Filesize
208KB

MD5
dba9fb54196686391da4c742937a01b7

SHA1
b1de3c3d680ad48900da9eafb820babf53069e3e

SHA256
8e522e49a5143fcb5792380e16aec2c5ad8a05ce338c90c1791686a277dacf04

SHA512
6aaab3d22dd005d79894ef07710df7a25b374a2aa10654e53b57b5fc146ca6ff7f47d0ae527d3c74ccda1648f71d6b866d1f4bbf4d0133958b969704610e5e70

Download Submit
C:\Windows\SysWOW64\IPLXONV.exe

Filesize
208KB

MD5
4d0d5aecff8d44e08053d039a27a9009

SHA1
93afb4b87a2ecaef2d32d71ecabcb868c6859d19

SHA256
1b62b136f3519819086de5bf38aafa2c3933b48684ec52ba2a742b470a6b4115

SHA512
2cc6a17b44d5c5c945334fc9bc8dcde32a90c78410756623549752886ee9d2474c423c059ca4f09cb8189cdb3c392480e5c5d7c313c866c04b4c1cba00c72603

Download Submit
C:\Windows\SysWOW64\OXYBYMN.exe

Filesize
208KB

MD5
22902ceb114d46b05a0075e622c99eba

SHA1
852316fd9fe9e1f84cbb90a7f8ee895714f874e6

SHA256
526b83ad8caae32bc521ad0f31126b163b9a59572eb4af5c1c544e05f4e41dba

SHA512
9d64bdd682539ff00ba005c4a3816e9b272c01435bbf1ca38477a83e8ed5133ed4157ae971a81051ba964742243c590aa01d3fb6d9d66ca11ab86146fd283a0f

Download Submit
C:\Windows\SysWOW64\PQREJS.exe

Filesize
208KB

MD5
73880218992ed66c273f73b8d17fceec

SHA1
a9716680c47186b31f458d52ef7b34eef80b19d8

SHA256
5a1582508778f065f80d5d717d6352c23d20bed27507280547496d4012f0650d

SHA512
4934e6321b5bf80eb03d7656c3dff96eb484f62ad9194847675fcf03e0432ea17e931e650d12cd81d9eac0df68fa56fa5031fb2505211fdbffff132621287ef2

Download Submit
C:\Windows\SysWOW64\QSCIZ.exe

Filesize
208KB

MD5
9c131b4b7a030f61076d47918f3b29c8

SHA1
7262a0d6a502e69611a59ff37c7bb4a2abea1544

SHA256
f061e6e85966ba17a6124106144c87b4c2d36f935516ff8c2b9e69f33f2bb5a9

SHA512
5abb41259755ea1a8c0bf9d583bfa3a9aeda7407284bcb311da00de5b8fc74e9f096cffb5e017a5fb17a39c326dba246a234d23c1b8185f32d56c5f5010156a6

Download Submit
C:\Windows\SysWOW64\UJTRN.exe

Filesize
208KB

MD5
db99353bc2608b4968a6c1e52efe19ae

SHA1
517cd1f8f9e0b00b4f4ec7cea1b9772e9dd0fb55

SHA256
ce325691f5e5e69b10f6d2f60e9b81fedb1d1f298430b11578f4ff7ca10bc393

SHA512
dd5c5d7af24d3da8387f01bbf9a53779a17b63923647abec170b7e2ce30687629c08f9ebfeacb67d47db55add1ea1288dc368f5b23bef8b30d1948d89fcfb83a

Download Submit
C:\Windows\System\BMK.exe

Filesize
208KB

MD5
a145e862418c383f967b9af040128d1b

SHA1
67e32ab77761e1123d6fcdb9746166490690e203

SHA256
7225ce5f1a9f5e7b9012db9241439e2a8d59aa2405ce3211c8849dabec3eadde

SHA512
0f2695704bf28f7685af6160e4d3768ea0ad36d59e1b840b6007add6b605685bf4a9c9eade22a197166e9583347dc7cfb6b09a7996460beb39dcc9760d945f82

Download Submit
C:\Windows\System\DCTVB.exe

Filesize
208KB

MD5
f113a90ae6d88a4a8c047a36f642bd98

SHA1
ef05d87d4f80db6a3e23aabd99f10038159c6ddc

SHA256
928fd76da8131c30d6a7e6a5f669e3bcfa4f506c1255c2e0acb719c7e264f0ac

SHA512
1c06411c98372dce300dd5d510e994389ab402792d2b4f4d9a70c0a6b9cd60848c4638b59429d07f2bed7606e9fcf5ede0720255f12feddc3976e9f57dc97502

Download Submit
C:\Windows\System\MOQE.exe

Filesize
208KB

MD5
8996477ec271ac0458fef6b6911d0a1b

SHA1
cb0eeb5ae9c205b6aef0bbc87a986ba528957cc7

SHA256
d6da2ef3cef59a377eaadaee6791c92473880f397b9df219ce620255166383cd

SHA512
38be898e26bae1a09e3c3feb31546609a8d91d3e473b97c684e5bd4cb42c6bd36051ec272cb8b1756eb7de994a83ca377363b980f6c4721aed7a0459dda23751

Download Submit
C:\Windows\System\NAVTGW.exe

Filesize
208KB

MD5
07fce13ac38015a2d65db4c04e482cfd

SHA1
8c63a8adb5ab4faa83d5269017dec86a41ea10af

SHA256
4804cc1eb729e981c94b200fa71bee0f2a5b69f3c2fa68518154e974a373df47

SHA512
75de9b45141eb98ab4501836dddf30c0f16aa5c0fc7c4bde087a1a15a14f77fc41e1e9f4f55fd95b8f9f874d3c41b247772014eaa8317f802e1d8d6d94b1c151

Download Submit
C:\Windows\System\WSK.exe

Filesize
208KB

MD5
5f3bc04367f7868ab85e446d6bf7b889

SHA1
e390d72d10f6472507daedbdbc1b6ace611feedc

SHA256
181b8c56435fd719eca122445959b8c3f6ec3ebbe9945c10dc7f3b9f58043d53

SHA512
3024bcec21689a34ccca4ce95b1f5523eadf07d19a8ef734aae08a3d9dd5b404be22cb9af29bbebee039a24dd7f11ce725498b0b8ace88bfb0b60a4a470877c7

Download Submit
C:\Windows\System\YUEVFM.exe

Filesize
208KB

MD5
7daf074efe2c97f659a931dc60a2de28

SHA1
4cdb7faa252f9eee049a6bdaa56925683dc34050

SHA256
682ab1fe35df6b2b3bd4317ea4755b1e4f3c8773d1cb356878e896f671bf3569

SHA512
36a5a3617e5cd865cb468ee32b89f2c569986d6ce36f441dfa06cfb287cf759f81571258f2ab900cf4ad4789b5f17a14679d933a1d503d548a728dc8f7895d8c

Download Submit
C:\Windows\System\ZXIZK.exe

Filesize
208KB

MD5
3d2d8969077e8a452a18743a42cf02a2

SHA1
30cb79a48a586860304f409e8d2cebee85828c65

SHA256
fccce269622fe3c0d09725c2d9ac9728fcef66c9496250145bfccb6f279a78ca

SHA512
a5aba93e1ad261147f4e81d8ee3d94386bb6ee72cf2aef10ca206ac78f32c6cd93a66686156c200beedd50812a141d001d379769737ad7b65fd9584d3234df96

Download Submit
C:\windows\QBNRBUD.exe.bat

Filesize
60B

MD5
3e6ca3ae6ee59a71783a01e8a13ccee0

SHA1
16ae7633c61af6444e1a3b4e0178d4ab5f1cda6d

SHA256
71966dfdef5d9783b0a508f668c059c1e1f8096bbdd32cd4a8e8539f5defca8a

SHA512
9da9f34a97d65a91b88cc50b2c1a9ec066c71cb633556a1760d937cb61813b1acb53073270f95ac57b7c031b3a420c250128192c3c95327485fb5b30395a0cf1

Download Submit
C:\windows\SysWOW64\ALMSUY.exe.bat

Filesize
76B

MD5
da505d04679c27baf5988965845c511c

SHA1
187a119095c5022a6174d528dbe54476b73ab268

SHA256
e92e268cdfe5031bba5296281591f99d4187c1a45a54af5f8c5e283d8b28d075

SHA512
be4cbd2271414a32ebb6c346b31e3974d52ee828793df48cc1204b459ecb64e2e1b38cbdede87c9cce39df714239f8d044fb5d88796a45465f174d422720597d

Download Submit
C:\windows\SysWOW64\BTB.exe.bat

Filesize
70B

MD5
337b1911b645fc9633674cca40909e61

SHA1
e19f3aa6ab3cd1cbd4eeb56f36530be3c1f0d731

SHA256
f5bf9bde658e01047ecd4903c623125aa53aeb48cd13f2aaff8e667076fc3d2c

SHA512
9f6112d7fea4608fc0c0f0d083b77a25dad5a8e87e9f619ae56032f49c6197470eb5d9197d0a8dc76c395e5483d95404658b2d67c1d0497d97708a692ed95e3a

Download Submit
C:\windows\SysWOW64\FBEB.exe.bat

Filesize
72B

MD5
8044343d063100eb72bda54848c5560f

SHA1
2095494b3f392f16a00b7b76b26f85674a41a76c

SHA256
7029492467f1f797e3f7b066cce00e83414b8111c7faa9f9337f88e6362e9a73

SHA512
57037f213d59d250dc41f1690e0267467f78a83e3598dcc19926dc2c2a4b85cbe020f97cbe12e024d29dfaa406c7282ea78d595132eef286d6af2fba078edf0c

Download Submit
C:\windows\SysWOW64\IPLXONV.exe.bat

Filesize
78B

MD5
f1ea221f97fcc3243ed777f6fec41668

SHA1
17cd02f348aecf2d74fe5c29a3674a58b16eb9fc

SHA256
4a8dbc9e5ff89426deebf69c7ec74ef442cd55c4e5fcacca9714079b5a10d498

SHA512
8b04a8185b8be0c6b6b9285ec57129f0416b92a01e6023e27dfbf05ef20abcdc4ae29825df2d9b6ffacaff2b6afa21aae6d6df277631463566bbd560b2876238

Download Submit
C:\windows\SysWOW64\LZB.exe

Filesize
208KB

MD5
10de3a0654f69c4c4587709c0230ee45

SHA1
bd9d1fb7e60e1dacb26b6dc535c1a57d39bec202

SHA256
f640dcfad340af0335fd803131a08d3b8046a2defcce489d3de2a4fd92e363b0

SHA512
f8a246e6502bbcfc01f39f7f8b9f11bb270e297577496ec4c470c5df18543234195d773f4c5a17ffff71920dbf2562d73358f93e8e4dc118f91b77ac50e460ab

Download Submit
C:\windows\SysWOW64\LZB.exe.bat

Filesize
70B

MD5
9cd18fb8c7b1914c1e6456ccb46b5aea

SHA1
de599f36f535eae7d0035712ffeb24fcda1911b9

SHA256
659b542a1afda4c19f8cf83fc99e1eedc46a8a37e49c010eb69ecf8cc3729777

SHA512
03c8cf07a4d8a28eb17fb4a1918acd396d436fe3acd32060ff3bb74c357821e99a3fffe58c766a5511fc02bd3b1c97f369bb461bb0b6153e90e61acd92fbaccf

Download Submit
C:\windows\SysWOW64\OXYBYMN.exe.bat

Filesize
78B

MD5
7d21588186223b6c1d44c5ee071e58c7

SHA1
1a8c4fb8dc1f2f17e0d65262cdd7c4aa3ab023e3

SHA256
dfd61ddde75334b91b17cee5dc811fb9f0a12d15cfa498c182c31fdb956bbd4f

SHA512
ce11cc8e7e7c1539333db6bcf151732b4415b54f33eeaf0bd0821907f05a9e7b507a281107cd0ec7a8f3c2d5bb2d45aecbb6d42fb34cb6db368d668199e76798

Download Submit
C:\windows\SysWOW64\PQREJS.exe.bat

Filesize
76B

MD5
abc48aab4931935fc19ddf527519d4df

SHA1
dbc11edb15f60f9779f600f070d04cab45f8b5db

SHA256
c77be82952ef2d9552c1c571e190aaf196b56fad4256fb462e8f7a63e0c48f35

SHA512
ad771cdb47d99d2e569f963be0ecf776c50e6d63ba982612a105d11c8c1145ccef835b8dabb489e6d15677fae5bafd3c70c2d5508c6ad376695761e540208d30

Download Submit
C:\windows\SysWOW64\QSCIZ.exe.bat

Filesize
74B

MD5
e520ced0e75bea4c390aa377908afe7e

SHA1
8d5a7fd3ddba555c116024cb4bb6f72658262dac

SHA256
16e9153805080b59e5949e1205f970f0b2b5f166530f76872015f5326f8052eb

SHA512
218d6f27f866f0ee7233ce6520095e30950dd1569d9f05612e2cc704567ab29bdb6955a39c3374095da7e02689dfbff0b4b7c0fdc992edf248fc8bc15302cbe9

Download Submit
C:\windows\SysWOW64\UJTRN.exe.bat

Filesize
74B

MD5
5e142a635fe638ae64faa61f2c847f5a

SHA1
f2c92d7fb59c24cafb584b48380588022c8e6352

SHA256
719d3160f832f87e4c0f96277c4a0a82396eb5ed34ade070f3e901f73c5525e3

SHA512
dfd5bf406fc87412d9786cf05fc0fd44ac5a47ba46e5f9e4f8a323172581dd3828187ed5185b05bb5c38484c3fd502e6f43b1c98ac9f0c395bb03ada6314f577

Download Submit
C:\windows\ZWNJGPF.exe

Filesize
208KB

MD5
1ddd6174588ddab820c170e907cbfe92

SHA1
ed9d6dae9e4f0caa733ee2a79006489c9a933e0e

SHA256
88c7b92de1be154a242c3caf3ba3856d26374fbda21e3bfb1f2cb0a5afb561e5

SHA512
683002652d4c73cbcfc7398cd5083ab1a2816071e9268c9bba61f3e326d4412c1f8864c6a86c0eb19bfc4e57f5b474e0870672817a8e6ec76b0f51c0bd7dae0d

Download Submit
C:\windows\ZWNJGPF.exe.bat

Filesize
60B

MD5
ff95ea7b9465929ea4eaa4dfcaee7305

SHA1
fe0c626de8c179f4fdbcb67eeaa30a6bf99284b2

SHA256
b2aa2233026a3428365f039c6763e103492f5b763c296125e1b2fb6310cebe8c

SHA512
f49363a8c351c5b9d5e758feb47bce9fba6753326459fc332871e112a1a30dfc68ba3d4d75a816ae214920c6a4ce9dcb7d20c2132920b0865b5a2a4673c7c8f0

Download Submit
C:\windows\system\BMK.exe.bat

Filesize
66B

MD5
8603e63eb96fc5fd7e77a796ea969151

SHA1
c2fa81b9bd0b3ae48a1c2d4b93a734001ebfa376

SHA256
2230fca5c75779fab7988984d07b70cdaee0c7edd87ca2a03edb3b33b27bb39b

SHA512
24e2eea6de02582f31bc2fb82da748ea34c9ec904f92494c24099454a0f9fc48202dc8ea6f33f95cb7e31bfff61d8ea01f3095ae4d25faef741d9adf7c18b509

Download Submit
C:\windows\system\DCTVB.exe.bat

Filesize
70B

MD5
fb7f13ce6cdd70757aa2e93c89ad435b

SHA1
8d0c65731a66355c7f9bd92b8f92281e9ef3b2ad

SHA256
7ffd36a6b3a0071587f8d4c9fcca77078fe4e15bd643cace01f97c2c6d36f6c1

SHA512
976766f890447dc099047ae8eef39a3e4c019cdde87745fc29dfb05f869673354a8073c1b345051075c3012feaee1945121c6aab72fc7100a04329ff759c0696

Download Submit
C:\windows\system\DFOZXVM.exe.bat

Filesize
74B

MD5
02bfb2835a78ae3e09cca5869ae0e7e9

SHA1
26dcff7654ac4b24bf097edb9246ced3980a091f

SHA256
ed97bf032aad2733b236eede26c538f2722fd796b5551ce4b78cbe08287c3a2b

SHA512
3915ad77e786738ebb7526f900bf0c8b268b6f257f9fd55528ce3c847186df7764427263709d1e9d657a4d17920908642eabf54eca8e53ea7e17cc9319f08c52

Download Submit
C:\windows\system\HELJZJ.exe

Filesize
208KB

MD5
a75c440deff262347fd45bf2f4d6f27c

SHA1
5f413123c266b719402ee0cc3beb4161028cb200

SHA256
d8636770d0ff70a3e58d14fd1e66440e9c16c2bf928207c74ebf7deea9cfc5e0

SHA512
b766b6067ad3e5d13107abce0a411243e99afbc2f1c02e7eea36a89787a218ba3dad61ea4afb8b21ac0e5a0b26b0babe3b78f45f55d383d5fd1595dcb166416a

Download Submit
C:\windows\system\HELJZJ.exe.bat

Filesize
72B

MD5
56a4dc57994db26c97ad18cf67185a96

SHA1
63e9a2670a49b7fdc016091e87f60427da60b749

SHA256
52d9c811e6d2cd4a00edc32125ab2ed036f8b44dd571974cbb3c4870f3c0c581

SHA512
81ce81f20b955cb73672def99bea9337413e8bbdecebfcd9101a27b69c4349d476cbfe04ffacbd587f4888c0982c8f981b9a6dbc5d4a88c466828affcee15432

Download Submit
C:\windows\system\MOQE.exe.bat

Filesize
68B

MD5
6cc52d51d0a013a11b96063427b16389

SHA1
cfa9dc3232f647f83256276312fd8ae704988434

SHA256
c0e3fa16e070e58e91f771b600fd1cfc9d8be94eb204c299ffd46dc1f9a845d1

SHA512
334403f6e3dbce14ca77f2c3a6d05b64e50a14a6d95935171fc170f9f568f31b04f598d6653bc3f205362e8f9971c35fbadca8f006658739f173abcfb49357a1

Download Submit
C:\windows\system\NAVTGW.exe.bat

Filesize
72B

MD5
b9aa7719c4498af5fd46882a48b82adc

SHA1
2ac91c5cd5173c04a092f554e74916d21c7fa305

SHA256
701fb1132fa8af23497b77910b022f0571bc4c8506d778de2ae18e9a29b91a85

SHA512
cffcf46053fbc98ebd119f74c3da7f6a491afb7a99dc0d48a8e4bdab2703e4b208888ee0123d7481aeb6b98747ecb1921502cc3adeea26efd00fa1866892cbe7

Download Submit
C:\windows\system\QAURCRJ.exe

Filesize
208KB

MD5
c092354d385f7a90ad6076ab9d9b84a3

SHA1
5686574c3334cbb3b2297b1f4d906c1be26ead19

SHA256
99acf86c4d3f86b06c9b18beac0387ef06723a4ec003d07cddd96bc5cc7bb62f

SHA512
5a2275ffd51884b103ce02578a6e793784995ac1b4e991e63d0ae1317cfefb7f1c94f335f0f89cf8f335689cb6fdcbcf637e87cddff8dcd482dcf49032688029

Download Submit
C:\windows\system\QAURCRJ.exe.bat

Filesize
74B

MD5
900e75cf5ded4df6fe999cc352c4c8b2

SHA1
0f0bf04e313fa0faa6c50d1bfa8716114e22ac4b

SHA256
f3524c111fe1472570a421b77ee57fa30dfe6bb0bf85d37cd781f9020cc4e9cb

SHA512
09c9abcf49063ba73c5bc9d1055c5aa861548fc6504e6778e99e1928f220d9645fbc98cdbd52603c2b53a939e5fa689f15310911aa45c702b6da47f053df9847

Download Submit
C:\windows\system\SFD.exe.bat

Filesize
66B

MD5
d1208c8cb24e6f41e6719ee341291acf

SHA1
3a80a6215b82b705f4061fc2151a654b6b9ee78a

SHA256
80fbf24941e72816aeae6bf4efc82cb0b14dd367ec1a0479f343064faf48da58

SHA512
6c3a7811af5e2e7fdd711f7983148a3f343ad4c014bf9f964c65161cf12989caf1e5ee2a20610433d23fc92b22300982ef1d5bdad818c11639e78dc5349a738a

Download Submit
C:\windows\system\WSK.exe.bat

Filesize
66B

MD5
d744332741e6475a7a5c9328983a4151

SHA1
9c017c1f6d250b7e8fcb4d601c5c3ae6cc93d85d

SHA256
6f0d718f85d570aa1f64071414db289cb4bc47d9bc2ddaf9659d20685889d0af

SHA512
053454c4e0c1dc29cd72acb3ec484e92e31b546d79348e59f669cabc5798998e3c19c37bf4defa553723fbf59246837cc34f07dd3d1f363dc00e22947a14044d

Download Submit
C:\windows\system\YUEVFM.exe.bat

Filesize
72B

MD5
c479508c2b6cf11294b4d60453227e0a

SHA1
19ae65ea6d58ed6a108cd0837149d76aa4b99cab

SHA256
9a5aeb3ef300fbb2d9ff0f02fab0fd27383145944b654efe1653b927e4afa530

SHA512
2245b741196f2eae9f230dca112346509c69aea6064b29858dc7bd4e310cd5fc2022c1ba96c97c3d4ffd496e9fdb0461dfc56afe838b847b8ea155a46ea9cca6

Download Submit
C:\windows\system\ZXIZK.exe.bat

Filesize
70B

MD5
f1faea823026a0b9c2b1deb238f4b053

SHA1
2d6314c26d5f3d17a848254e2d950a8657be6fac

SHA256
2b1812737c0581bb672af14d2723a96b5abfd07d669999bba77bde2f8f74776e

SHA512
7771690a1fad1a598f8619be92b4338c4b4785728d4067d29908b1d851d81610f4164d7e3b96c28a5cf65c6f5fe26a0367a6a3fba51b4287a9aab75640ebb1f2

Download Submit
memory/336-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/336-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/336-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/336-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/336-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/336-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/448-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/448-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/492-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/492-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/604-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/604-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1076-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1108-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1464-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1464-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1552-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2100-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2100-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2212-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2212-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2824-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3000-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3000-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3116-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3116-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3228-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3228-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3248-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3248-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3352-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3404-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3528-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3528-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3628-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3628-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3780-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3780-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3780-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3780-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3784-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3784-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3800-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3800-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3816-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3848-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3848-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3936-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3936-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3948-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3948-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4172-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4172-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4452-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4452-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4596-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4596-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4660-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4876-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4876-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5012-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5012-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download