437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
Size

208KB
MD5

6dff8989a1d2d5ad484186f84c8c105e
SHA1

9880727335a963849d6bb7ed0d082be3e45296d6
SHA256

437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296
SHA512

f31a528f02ebad2eb4db37510e369f3cbed7a87a7543f8c204af65f54440ff7ed062c5edabbfc9e7c0621ac8248eebdd67c1034f7141b97b2eb56be9d3a238cc
SSDEEP

3072:PGXfAoDm58xr9uRDdxJaXN0AGZlNXPngEodk68bR+xx394NLthEjQT67:PGPAoC8xrsJZAGPNXPg/ibcx39QEj9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	FIUHWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	CJDIR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	IAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ERNMRQQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	CNME.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	MLBI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	FXIQMG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ZKZWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	TYBNXBA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BBKTVHH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	AGCD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	MLGJP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	FMGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	QYEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	INM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	LQHMRYY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	FCJIA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	NXUM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	YRM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	GLBOFKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	QCHJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	SPUPKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ZZWYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WFCOSO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	CFKB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ONYD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	RJUWEDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	GUC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	TMW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	SLWKGWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DEG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ABV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	UNWFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	RKS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	MXFRJAW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	DDKA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	EZOGSUR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	TWMSCW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	SEPGAHO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	UZRKZOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BPUBMSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	LCOTQLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	OKYO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	FGR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	HAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BYG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WOZUQKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	PPK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	GQROI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	OVEUT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	HAU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	HOU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BPSKY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	AGAXPHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WRQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BFBD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	BLOG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	XDMHLKB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	MPTI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	TQVH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	STGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	QFYVUQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	SURHCS.exe

Executes dropped EXE 64 IoCs

pid	Process
212	AGCD.exe
3988	PWPUOI.exe
4128	TMW.exe
1036	XUYKDZG.exe
920	TAWH.exe
3516	ZADV.exe
216	HQEMAZZ.exe
2532	WLOZL.exe
4068	WOZUQKJ.exe
1408	GPTZC.exe
3548	GSFDHFM.exe
1004	FHRYUK.exe
3592	JKPT.exe
4952	WVXSQGS.exe
4760	MLGJP.exe
3988	KJR.exe
1568	OMQHKA.exe
1632	FRAZ.exe
2024	LCE.exe
3668	CCYDI.exe
1852	PNOC.exe
2188	DTO.exe
2120	HBVNK.exe
5044	FMGD.exe
3188	TXOCHRU.exe
512	VKTL.exe
2024	QFYVUQ.exe
3416	DDYG.exe
5032	FBEB.exe
2660	KGWQBGK.exe
3168	QCHJ.exe
3472	AZNDXDB.exe
1440	SURHCS.exe
4720	CSE.exe
3424	QYEF.exe
696	DBI.exe
4060	OBQ.exe
3020	UCX.exe
2076	ZUHN.exe
1788	SXLQIT.exe
2224	FIUHWE.exe
3508	WIWMABP.exe
2504	CJDIR.exe
2136	VMHDWT.exe
3696	NHYH.exe
2908	THGVKSC.exe
4380	INM.exe
2956	BFBD.exe
2024	IAY.exe
1744	LQHMRYY.exe
4104	TWMSCW.exe
4340	DUZMJF.exe
3188	CECCS.exe
3584	PPK.exe
640	YQMG.exe
448	ZTQ.exe
2328	HYD.exe
3168	ABHM.exe
920	ERNMRQQ.exe
4728	QZUMDI.exe
4140	CNME.exe
3588	EPWT.exe
3320	YDOKYRQ.exe
2308	XVE.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ZADV.exe.bat	TAWH.exe
File opened for modification	C:\windows\SysWOW64\DEG.exe	UVEICCI.exe
File opened for modification	C:\windows\SysWOW64\XPA.exe	MXFRJAW.exe
File created	C:\windows\SysWOW64\UCX.exe	OBQ.exe
File opened for modification	C:\windows\SysWOW64\LQHMRYY.exe	IAY.exe
File created	C:\windows\SysWOW64\TWMSCW.exe	LQHMRYY.exe
File created	C:\windows\SysWOW64\UVEICCI.exe	OVEUT.exe
File opened for modification	C:\windows\SysWOW64\DFBDSV.exe	CCXZEFC.exe
File opened for modification	C:\windows\SysWOW64\FGR.exe	QDIEH.exe
File created	C:\windows\SysWOW64\QIRT.exe	DFBDSV.exe
File created	C:\windows\SysWOW64\AZNDXDB.exe	QCHJ.exe
File created	C:\windows\SysWOW64\DBI.exe	QYEF.exe
File created	C:\windows\SysWOW64\RVLBI.exe.bat	CFKB.exe
File opened for modification	C:\windows\SysWOW64\HLL.exe	BPUBMSN.exe
File created	C:\windows\SysWOW64\TMW.exe	PWPUOI.exe
File created	C:\windows\SysWOW64\DEG.exe.bat	UVEICCI.exe
File created	C:\windows\SysWOW64\XGBPURQ.exe	TQVH.exe
File created	C:\windows\SysWOW64\THGVKSC.exe.bat	NHYH.exe
File created	C:\windows\SysWOW64\NTNG.exe.bat	XDMHLKB.exe
File created	C:\windows\SysWOW64\ZZWYD.exe.bat	VWYDETO.exe
File created	C:\windows\SysWOW64\FGR.exe	QDIEH.exe
File created	C:\windows\SysWOW64\IKBTGD.exe.bat	SUACAQP.exe
File opened for modification	C:\windows\SysWOW64\TMW.exe	PWPUOI.exe
File created	C:\windows\SysWOW64\DEG.exe	UVEICCI.exe
File created	C:\windows\SysWOW64\DACAA.exe	LXQ.exe
File created	C:\windows\SysWOW64\DACAA.exe.bat	LXQ.exe
File created	C:\windows\SysWOW64\TMW.exe.bat	PWPUOI.exe
File created	C:\windows\SysWOW64\KGWQBGK.exe	FBEB.exe
File created	C:\windows\SysWOW64\SUACAQP.exe.bat	EOCES.exe
File created	C:\windows\SysWOW64\DDKA.exe.bat	JIFRCHK.exe
File created	C:\windows\SysWOW64\XPA.exe	MXFRJAW.exe
File opened for modification	C:\windows\SysWOW64\QWHPRGK.exe	CMD.exe
File opened for modification	C:\windows\SysWOW64\DBI.exe	QYEF.exe
File created	C:\windows\SysWOW64\QIRT.exe.bat	DFBDSV.exe
File created	C:\windows\SysWOW64\LCOTQLC.exe.bat	FCGF.exe
File opened for modification	C:\windows\SysWOW64\YQMG.exe	PPK.exe
File opened for modification	C:\windows\SysWOW64\MQE.exe	HLL.exe
File created	C:\windows\SysWOW64\OJXX.exe.bat	TOTOCXT.exe
File opened for modification	C:\windows\SysWOW64\KGWQBGK.exe	FBEB.exe
File opened for modification	C:\windows\SysWOW64\SUACAQP.exe	EOCES.exe
File created	C:\windows\SysWOW64\TWKUJH.exe.bat	STGY.exe
File created	C:\windows\SysWOW64\FBEB.exe.bat	DDYG.exe
File opened for modification	C:\windows\SysWOW64\OMQHKA.exe	KJR.exe
File created	C:\windows\SysWOW64\VMHDWT.exe.bat	CJDIR.exe
File created	C:\windows\SysWOW64\MLBI.exe	SQWZPJA.exe
File created	C:\windows\SysWOW64\HLL.exe	BPUBMSN.exe
File created	C:\windows\SysWOW64\WFCOSO.exe	ZZWYD.exe
File opened for modification	C:\windows\SysWOW64\WFCOSO.exe	ZZWYD.exe
File opened for modification	C:\windows\SysWOW64\LCOTQLC.exe	FCGF.exe
File opened for modification	C:\windows\SysWOW64\DDKA.exe	JIFRCHK.exe
File created	C:\windows\SysWOW64\LQHMRYY.exe.bat	IAY.exe
File created	C:\windows\SysWOW64\ZTQ.exe.bat	YQMG.exe
File created	C:\windows\SysWOW64\DFBDSV.exe.bat	CCXZEFC.exe
File created	C:\windows\SysWOW64\MWEG.exe.bat	MQE.exe
File created	C:\windows\SysWOW64\FPFUO.exe	SMJWID.exe
File created	C:\windows\SysWOW64\FBEB.exe	DDYG.exe
File created	C:\windows\SysWOW64\LQHMRYY.exe	IAY.exe
File created	C:\windows\SysWOW64\OKYO.exe.bat	PZOYL.exe
File created	C:\windows\SysWOW64\DBI.exe.bat	QYEF.exe
File created	C:\windows\SysWOW64\XPA.exe.bat	MXFRJAW.exe
File created	C:\windows\SysWOW64\RVLBI.exe	CFKB.exe
File created	C:\windows\SysWOW64\FGR.exe.bat	QDIEH.exe
File created	C:\windows\SysWOW64\LCE.exe	FRAZ.exe
File opened for modification	C:\windows\SysWOW64\UCX.exe	OBQ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\LRPLW.exe.bat	XVE.exe
File created	C:\windows\system\XDMHLKB.exe.bat	SDETC.exe
File created	C:\windows\ROU.exe.bat	RJUWEDB.exe
File created	C:\windows\GPTZC.exe.bat	WOZUQKJ.exe
File opened for modification	C:\windows\UZM.exe	KBG.exe
File created	C:\windows\QRWPWGZ.exe	UZM.exe
File created	C:\windows\system\RUBRYTF.exe.bat	BES.exe
File created	C:\windows\GQROI.exe.bat	CAL.exe
File created	C:\windows\JIFRCHK.exe.bat	ZKZWM.exe
File created	C:\windows\system\OQNTYXT.exe.bat	ASNH.exe
File opened for modification	C:\windows\WOZUQKJ.exe	WLOZL.exe
File created	C:\windows\system\PVHGSY.exe.bat	NXUM.exe
File opened for modification	C:\windows\system\CAL.exe	HMGWMR.exe
File created	C:\windows\system\HOU.exe	HAU.exe
File opened for modification	C:\windows\system\PZOYL.exe	YRM.exe
File created	C:\windows\FCSKYK.exe.bat	EZOGSUR.exe
File created	C:\windows\system\PIQ.exe	YXS.exe
File opened for modification	C:\windows\JKPT.exe	FHRYUK.exe
File created	C:\windows\system\SXLQIT.exe	ZUHN.exe
File created	C:\windows\NHYH.exe.bat	VMHDWT.exe
File created	C:\windows\QZUMDI.exe	ERNMRQQ.exe
File opened for modification	C:\windows\system\BES.exe	VELEIV.exe
File opened for modification	C:\windows\OVEUT.exe	GQROI.exe
File created	C:\windows\system\PZOYL.exe	YRM.exe
File opened for modification	C:\windows\system\IKIRUY.exe	LFQBE.exe
File created	C:\windows\AGCD.exe.bat	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
File created	C:\windows\system\ERNMRQQ.exe	ABHM.exe
File created	C:\windows\system\BES.exe	VELEIV.exe
File created	C:\windows\UZRKZOI.exe	PUG.exe
File opened for modification	C:\windows\TENWUF.exe	ABV.exe
File created	C:\windows\system\WRQ.exe	FGR.exe
File created	C:\windows\IAY.exe.bat	BFBD.exe
File created	C:\windows\SDETC.exe	XPA.exe
File opened for modification	C:\windows\system\HAU.exe	QVJIH.exe
File created	C:\windows\system\HOU.exe.bat	HAU.exe
File opened for modification	C:\windows\TYBNXBA.exe	DDKA.exe
File created	C:\windows\system\WLOZL.exe	HQEMAZZ.exe
File created	C:\windows\system\HQEMAZZ.exe.bat	ZADV.exe
File created	C:\windows\FMGD.exe.bat	HBVNK.exe
File created	C:\windows\CSE.exe	SURHCS.exe
File created	C:\windows\BLOG.exe.bat	PVHGSY.exe
File created	C:\windows\DFITFHE.exe.bat	OKYO.exe
File created	C:\windows\system\GUC.exe.bat	LHXXEE.exe
File created	C:\windows\system\FOD.exe	UNWFA.exe
File created	C:\windows\AGCD.exe	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
File opened for modification	C:\windows\system\NFM.exe	LHY.exe
File opened for modification	C:\windows\BPSKY.exe	UZRKZOI.exe
File created	C:\windows\system\AGAXPHS.exe	DACAA.exe
File opened for modification	C:\windows\YXS.exe	TWKUJH.exe
File opened for modification	C:\windows\VELEIV.exe	IBPGDEU.exe
File created	C:\windows\FIUHWE.exe.bat	SXLQIT.exe
File created	C:\windows\WIWMABP.exe.bat	FIUHWE.exe
File created	C:\windows\system\SEPGAHO.exe.bat	ABLKU.exe
File opened for modification	C:\windows\VWYDETO.exe	PWRQURN.exe
File created	C:\windows\system\PZOYL.exe.bat	YRM.exe
File created	C:\windows\XUYKDZG.exe.bat	TMW.exe
File created	C:\windows\system\PUPD.exe	AZSIE.exe
File created	C:\windows\system\PUPD.exe.bat	AZSIE.exe
File created	C:\windows\TYBNXBA.exe	DDKA.exe
File opened for modification	C:\windows\system\PIQ.exe	YXS.exe
File created	C:\windows\SPUPKH.exe	BPSKY.exe
File opened for modification	C:\windows\system\DDYG.exe	QFYVUQ.exe
File created	C:\windows\system\ZUHN.exe.bat	UCX.exe
File created	C:\windows\IAY.exe	BFBD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3296	4800	WerFault.exe	83
1536	212	WerFault.exe	91
2144	3988	WerFault.exe	97
1936	4128	WerFault.exe	104
4344	1036	WerFault.exe	109
4324	920	WerFault.exe	116
220	3516	WerFault.exe	121
3016	216	WerFault.exe	126
5104	2532	WerFault.exe	131
4580	4068	WerFault.exe	136
2504	1408	WerFault.exe	142
4240	3548	WerFault.exe	147
1440	1004	WerFault.exe	152
3444	3592	WerFault.exe	158
212	4952	WerFault.exe	163
3492	4760	WerFault.exe	168
1940	3988	WerFault.exe	174
2136	1568	WerFault.exe	179
4728	1632	WerFault.exe	184
972	2024	WerFault.exe	189
4752	3668	WerFault.exe	194
748	1852	WerFault.exe	199
1612	2188	WerFault.exe	204
3380	2120	WerFault.exe	209
4972	5044	WerFault.exe	214
3660	3188	WerFault.exe	219
4476	512	WerFault.exe	224
4752	2024	WerFault.exe	229
748	3416	WerFault.exe	234
1612	5032	WerFault.exe	239
2016	2660	WerFault.exe	244
5100	3168	WerFault.exe	249
4416	3472	WerFault.exe	254
3648	1440	WerFault.exe	259
1656	4720	WerFault.exe	264
1712	3424	WerFault.exe	269
2648	696	WerFault.exe	274
3720	4060	WerFault.exe	279
2880	3020	WerFault.exe	285
4512	2076	WerFault.exe	290
3576	1788	WerFault.exe	295
64	2224	WerFault.exe	300
2100	3508	WerFault.exe	305
4884	2504	WerFault.exe	310
2388	2136	WerFault.exe	317
1044	3696	WerFault.exe	322
4888	2908	WerFault.exe	327
1656	4380	WerFault.exe	332
1888	2956	WerFault.exe	337
4144	2024	WerFault.exe	342
3200	1744	WerFault.exe	347
3192	4104	WerFault.exe	352
756	4340	WerFault.exe	357
2076	3188	WerFault.exe	362
972	3584	WerFault.exe	367
1888	640	WerFault.exe	372
5044	448	WerFault.exe	377
1508	2328	WerFault.exe	382
3660	3168	WerFault.exe	386
1604	920	WerFault.exe	392
2372	4728	WerFault.exe	397
3088	4140	WerFault.exe	402
4740	3588	WerFault.exe	407
2660	3320	WerFault.exe	412

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
212	AGCD.exe
212	AGCD.exe
3988	PWPUOI.exe
3988	PWPUOI.exe
4128	TMW.exe
4128	TMW.exe
1036	XUYKDZG.exe
1036	XUYKDZG.exe
920	TAWH.exe
920	TAWH.exe
3516	ZADV.exe
3516	ZADV.exe
216	HQEMAZZ.exe
216	HQEMAZZ.exe
2532	WLOZL.exe
2532	WLOZL.exe
4068	WOZUQKJ.exe
4068	WOZUQKJ.exe
1408	GPTZC.exe
1408	GPTZC.exe
3548	GSFDHFM.exe
3548	GSFDHFM.exe
1004	FHRYUK.exe
1004	FHRYUK.exe
3592	JKPT.exe
3592	JKPT.exe
4952	WVXSQGS.exe
4952	WVXSQGS.exe
4760	MLGJP.exe
4760	MLGJP.exe
3988	KJR.exe
3988	KJR.exe
1568	OMQHKA.exe
1568	OMQHKA.exe
1632	FRAZ.exe
1632	FRAZ.exe
2024	LCE.exe
2024	LCE.exe
3668	CCYDI.exe
3668	CCYDI.exe
1852	PNOC.exe
1852	PNOC.exe
2188	DTO.exe
2188	DTO.exe
2120	HBVNK.exe
2120	HBVNK.exe
5044	FMGD.exe
5044	FMGD.exe
3188	TXOCHRU.exe
3188	TXOCHRU.exe
512	VKTL.exe
512	VKTL.exe
2024	QFYVUQ.exe
2024	QFYVUQ.exe
3416	DDYG.exe
3416	DDYG.exe
5032	FBEB.exe
5032	FBEB.exe
2660	KGWQBGK.exe
2660	KGWQBGK.exe
3168	QCHJ.exe
3168	QCHJ.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
212	AGCD.exe
212	AGCD.exe
3988	PWPUOI.exe
3988	PWPUOI.exe
4128	TMW.exe
4128	TMW.exe
1036	XUYKDZG.exe
1036	XUYKDZG.exe
920	TAWH.exe
920	TAWH.exe
3516	ZADV.exe
3516	ZADV.exe
216	HQEMAZZ.exe
216	HQEMAZZ.exe
2532	WLOZL.exe
2532	WLOZL.exe
4068	WOZUQKJ.exe
4068	WOZUQKJ.exe
1408	GPTZC.exe
1408	GPTZC.exe
3548	GSFDHFM.exe
3548	GSFDHFM.exe
1004	FHRYUK.exe
1004	FHRYUK.exe
3592	JKPT.exe
3592	JKPT.exe
4952	WVXSQGS.exe
4952	WVXSQGS.exe
4760	MLGJP.exe
4760	MLGJP.exe
3988	KJR.exe
3988	KJR.exe
1568	OMQHKA.exe
1568	OMQHKA.exe
1632	FRAZ.exe
1632	FRAZ.exe
2024	LCE.exe
2024	LCE.exe
3668	CCYDI.exe
3668	CCYDI.exe
1852	PNOC.exe
1852	PNOC.exe
2188	DTO.exe
2188	DTO.exe
2120	HBVNK.exe
2120	HBVNK.exe
5044	FMGD.exe
5044	FMGD.exe
3188	TXOCHRU.exe
3188	TXOCHRU.exe
512	VKTL.exe
512	VKTL.exe
2024	QFYVUQ.exe
2024	QFYVUQ.exe
3416	DDYG.exe
3416	DDYG.exe
5032	FBEB.exe
5032	FBEB.exe
2660	KGWQBGK.exe
2660	KGWQBGK.exe
3168	QCHJ.exe
3168	QCHJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 5052	4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe	87
PID 4800 wrote to memory of 5052	4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe	87
PID 4800 wrote to memory of 5052	4800	437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe	87
PID 5052 wrote to memory of 212	5052	cmd.exe	91
PID 5052 wrote to memory of 212	5052	cmd.exe	91
PID 5052 wrote to memory of 212	5052	cmd.exe	91
PID 212 wrote to memory of 3396	212	AGCD.exe	93
PID 212 wrote to memory of 3396	212	AGCD.exe	93
PID 212 wrote to memory of 3396	212	AGCD.exe	93
PID 3396 wrote to memory of 3988	3396	cmd.exe	97
PID 3396 wrote to memory of 3988	3396	cmd.exe	97
PID 3396 wrote to memory of 3988	3396	cmd.exe	97
PID 3988 wrote to memory of 2648	3988	PWPUOI.exe	100
PID 3988 wrote to memory of 2648	3988	PWPUOI.exe	100
PID 3988 wrote to memory of 2648	3988	PWPUOI.exe	100
PID 2648 wrote to memory of 4128	2648	cmd.exe	104
PID 2648 wrote to memory of 4128	2648	cmd.exe	104
PID 2648 wrote to memory of 4128	2648	cmd.exe	104
PID 4128 wrote to memory of 1408	4128	TMW.exe	105
PID 4128 wrote to memory of 1408	4128	TMW.exe	105
PID 4128 wrote to memory of 1408	4128	TMW.exe	105
PID 1408 wrote to memory of 1036	1408	cmd.exe	109
PID 1408 wrote to memory of 1036	1408	cmd.exe	109
PID 1408 wrote to memory of 1036	1408	cmd.exe	109
PID 1036 wrote to memory of 4420	1036	XUYKDZG.exe	112
PID 1036 wrote to memory of 4420	1036	XUYKDZG.exe	112
PID 1036 wrote to memory of 4420	1036	XUYKDZG.exe	112
PID 4420 wrote to memory of 920	4420	cmd.exe	116
PID 4420 wrote to memory of 920	4420	cmd.exe	116
PID 4420 wrote to memory of 920	4420	cmd.exe	116
PID 920 wrote to memory of 2620	920	TAWH.exe	117
PID 920 wrote to memory of 2620	920	TAWH.exe	117
PID 920 wrote to memory of 2620	920	TAWH.exe	117
PID 2620 wrote to memory of 3516	2620	cmd.exe	121
PID 2620 wrote to memory of 3516	2620	cmd.exe	121
PID 2620 wrote to memory of 3516	2620	cmd.exe	121
PID 3516 wrote to memory of 3200	3516	ZADV.exe	122
PID 3516 wrote to memory of 3200	3516	ZADV.exe	122
PID 3516 wrote to memory of 3200	3516	ZADV.exe	122
PID 3200 wrote to memory of 216	3200	cmd.exe	126
PID 3200 wrote to memory of 216	3200	cmd.exe	126
PID 3200 wrote to memory of 216	3200	cmd.exe	126
PID 216 wrote to memory of 3932	216	HQEMAZZ.exe	127
PID 216 wrote to memory of 3932	216	HQEMAZZ.exe	127
PID 216 wrote to memory of 3932	216	HQEMAZZ.exe	127
PID 3932 wrote to memory of 2532	3932	cmd.exe	131
PID 3932 wrote to memory of 2532	3932	cmd.exe	131
PID 3932 wrote to memory of 2532	3932	cmd.exe	131
PID 2532 wrote to memory of 4888	2532	WLOZL.exe	133
PID 2532 wrote to memory of 4888	2532	WLOZL.exe	133
PID 2532 wrote to memory of 4888	2532	WLOZL.exe	133
PID 4888 wrote to memory of 4068	4888	cmd.exe	136
PID 4888 wrote to memory of 4068	4888	cmd.exe	136
PID 4888 wrote to memory of 4068	4888	cmd.exe	136
PID 4068 wrote to memory of 2560	4068	WOZUQKJ.exe	138
PID 4068 wrote to memory of 2560	4068	WOZUQKJ.exe	138
PID 4068 wrote to memory of 2560	4068	WOZUQKJ.exe	138
PID 2560 wrote to memory of 1408	2560	cmd.exe	142
PID 2560 wrote to memory of 1408	2560	cmd.exe	142
PID 2560 wrote to memory of 1408	2560	cmd.exe	142
PID 1408 wrote to memory of 1612	1408	GPTZC.exe	143
PID 1408 wrote to memory of 1612	1408	GPTZC.exe	143
PID 1408 wrote to memory of 1612	1408	GPTZC.exe	143
PID 1612 wrote to memory of 3548	1612	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe
"C:\Users\Admin\AppData\Local\Temp\437d1045e811737dc7da8fa6a8d660d02a96fc3b6f5f12ece5f68a9b1f993296.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\AGCD.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\windows\AGCD.exe
    C:\windows\AGCD.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\PWPUOI.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\windows\PWPUOI.exe
        
        C:\windows\PWPUOI.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMW.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\windows\SysWOW64\TMW.exe
        
        C:\windows\system32\TMW.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XUYKDZG.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\windows\XUYKDZG.exe
        
        C:\windows\XUYKDZG.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TAWH.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\windows\TAWH.exe
        
        C:\windows\TAWH.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZADV.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\windows\SysWOW64\ZADV.exe
        
        C:\windows\system32\ZADV.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HQEMAZZ.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\windows\system\HQEMAZZ.exe
        
        C:\windows\system\HQEMAZZ.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLOZL.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\windows\system\WLOZL.exe
        
        C:\windows\system\WLOZL.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WOZUQKJ.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\windows\WOZUQKJ.exe
        
        C:\windows\WOZUQKJ.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GPTZC.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\windows\GPTZC.exe
        
        C:\windows\GPTZC.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GSFDHFM.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\windows\GSFDHFM.exe
        
        C:\windows\GSFDHFM.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHRYUK.exe.bat" "
        24⤵
        
        PID:3256
        
        C:\windows\SysWOW64\FHRYUK.exe
        
        C:\windows\system32\FHRYUK.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JKPT.exe.bat" "
        26⤵
        
        PID:756
        
        C:\windows\JKPT.exe
        
        C:\windows\JKPT.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WVXSQGS.exe.bat" "
        28⤵
        
        PID:3136
        
        C:\windows\WVXSQGS.exe
        
        C:\windows\WVXSQGS.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLGJP.exe.bat" "
        30⤵
        
        PID:3448
        
        C:\windows\system\MLGJP.exe
        
        C:\windows\system\MLGJP.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KJR.exe.bat" "
        32⤵
        
        PID:2336
        
        C:\windows\SysWOW64\KJR.exe
        
        C:\windows\system32\KJR.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMQHKA.exe.bat" "
        34⤵
        
        PID:1488
        
        C:\windows\SysWOW64\OMQHKA.exe
        
        C:\windows\system32\OMQHKA.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FRAZ.exe.bat" "
        36⤵
        
        PID:3240
        
        C:\windows\FRAZ.exe
        
        C:\windows\FRAZ.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCE.exe.bat" "
        38⤵
        
        PID:3392
        
        C:\windows\SysWOW64\LCE.exe
        
        C:\windows\system32\LCE.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCYDI.exe.bat" "
        40⤵
        
        PID:4168
        
        C:\windows\system\CCYDI.exe
        
        C:\windows\system\CCYDI.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNOC.exe.bat" "
        42⤵
        
        PID:1536
        
        C:\windows\SysWOW64\PNOC.exe
        
        C:\windows\system32\PNOC.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DTO.exe.bat" "
        44⤵
        
        PID:1336
        
        C:\windows\DTO.exe
        
        C:\windows\DTO.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBVNK.exe.bat" "
        46⤵
        
        PID:3528
        
        C:\windows\system\HBVNK.exe
        
        C:\windows\system\HBVNK.exe
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMGD.exe.bat" "
        48⤵
        
        PID:2464
        
        C:\windows\FMGD.exe
        
        C:\windows\FMGD.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TXOCHRU.exe.bat" "
        50⤵
        
        PID:436
        
        C:\windows\TXOCHRU.exe
        
        C:\windows\TXOCHRU.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VKTL.exe.bat" "
        52⤵
        
        PID:2076
        
        C:\windows\VKTL.exe
        
        C:\windows\VKTL.exe
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QFYVUQ.exe.bat" "
        54⤵
        
        PID:4432
        
        C:\windows\QFYVUQ.exe
        
        C:\windows\QFYVUQ.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDYG.exe.bat" "
        56⤵
        
        PID:2468
        
        C:\windows\system\DDYG.exe
        
        C:\windows\system\DDYG.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBEB.exe.bat" "
        58⤵
        
        PID:5076
        
        C:\windows\SysWOW64\FBEB.exe
        
        C:\windows\system32\FBEB.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGWQBGK.exe.bat" "
        60⤵
        
        PID:1544
        
        C:\windows\SysWOW64\KGWQBGK.exe
        
        C:\windows\system32\KGWQBGK.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QCHJ.exe.bat" "
        62⤵
        
        PID:1508
        
        C:\windows\QCHJ.exe
        
        C:\windows\QCHJ.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AZNDXDB.exe.bat" "
        64⤵
        
        PID:4808
        
        C:\windows\SysWOW64\AZNDXDB.exe
        
        C:\windows\system32\AZNDXDB.exe
        65⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SURHCS.exe.bat" "
        66⤵
        
        PID:1004
        
        C:\windows\system\SURHCS.exe
        
        C:\windows\system\SURHCS.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "
        68⤵
        
        PID:3692
        
        C:\windows\CSE.exe
        
        C:\windows\CSE.exe
        69⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QYEF.exe.bat" "
        70⤵
        
        PID:184
        
        C:\windows\QYEF.exe
        
        C:\windows\QYEF.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBI.exe.bat" "
        72⤵
        
        PID:1932
        
        C:\windows\SysWOW64\DBI.exe
        
        C:\windows\system32\DBI.exe
        73⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OBQ.exe.bat" "
        74⤵
        
        PID:2268
        
        C:\windows\OBQ.exe
        
        C:\windows\OBQ.exe
        75⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCX.exe.bat" "
        76⤵
        
        PID:2308
        
        C:\windows\SysWOW64\UCX.exe
        
        C:\windows\system32\UCX.exe
        77⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUHN.exe.bat" "
        78⤵
        
        PID:3672
        
        C:\windows\system\ZUHN.exe
        
        C:\windows\system\ZUHN.exe
        79⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SXLQIT.exe.bat" "
        80⤵
        
        PID:1044
        
        C:\windows\system\SXLQIT.exe
        
        C:\windows\system\SXLQIT.exe
        81⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FIUHWE.exe.bat" "
        82⤵
        
        PID:3516
        
        C:\windows\FIUHWE.exe
        
        C:\windows\FIUHWE.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WIWMABP.exe.bat" "
        84⤵
        
        PID:4968
        
        C:\windows\WIWMABP.exe
        
        C:\windows\WIWMABP.exe
        85⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CJDIR.exe.bat" "
        86⤵
        
        PID:1712
        
        C:\windows\CJDIR.exe
        
        C:\windows\CJDIR.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "
        88⤵
        
        PID:2852
        
        C:\windows\SysWOW64\VMHDWT.exe
        
        C:\windows\system32\VMHDWT.exe
        89⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHYH.exe.bat" "
        90⤵
        
        PID:4052
        
        C:\windows\NHYH.exe
        
        C:\windows\NHYH.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THGVKSC.exe.bat" "
        92⤵
        
        PID:2720
        
        C:\windows\SysWOW64\THGVKSC.exe
        
        C:\windows\system32\THGVKSC.exe
        93⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INM.exe.bat" "
        94⤵
        
        PID:1068
        
        C:\windows\SysWOW64\INM.exe
        
        C:\windows\system32\INM.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFBD.exe.bat" "
        96⤵
        
        PID:4284
        
        C:\windows\SysWOW64\BFBD.exe
        
        C:\windows\system32\BFBD.exe
        97⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IAY.exe.bat" "
        98⤵
        
        PID:2332
        
        C:\windows\IAY.exe
        
        C:\windows\IAY.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQHMRYY.exe.bat" "
        100⤵
        
        PID:748
        
        C:\windows\SysWOW64\LQHMRYY.exe
        
        C:\windows\system32\LQHMRYY.exe
        101⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWMSCW.exe.bat" "
        102⤵
        
        PID:4884
        
        C:\windows\SysWOW64\TWMSCW.exe
        
        C:\windows\system32\TWMSCW.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUZMJF.exe.bat" "
        104⤵
        
        PID:4236
        
        C:\windows\SysWOW64\DUZMJF.exe
        
        C:\windows\system32\DUZMJF.exe
        105⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CECCS.exe.bat" "
        106⤵
        
        PID:1148
        
        C:\windows\CECCS.exe
        
        C:\windows\CECCS.exe
        107⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPK.exe.bat" "
        108⤵
        
        PID:3932
        
        C:\windows\system\PPK.exe
        
        C:\windows\system\PPK.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YQMG.exe.bat" "
        110⤵
        
        PID:1852
        
        C:\windows\SysWOW64\YQMG.exe
        
        C:\windows\system32\YQMG.exe
        111⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZTQ.exe.bat" "
        112⤵
        
        PID:1724
        
        C:\windows\SysWOW64\ZTQ.exe
        
        C:\windows\system32\ZTQ.exe
        113⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYD.exe.bat" "
        114⤵
        
        PID:976
        
        C:\windows\system\HYD.exe
        
        C:\windows\system\HYD.exe
        115⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ABHM.exe.bat" "
        116⤵
        
        PID:3672
        
        C:\windows\system\ABHM.exe
        
        C:\windows\system\ABHM.exe
        117⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERNMRQQ.exe.bat" "
        118⤵
        
        PID:1992
        
        C:\windows\system\ERNMRQQ.exe
        
        C:\windows\system\ERNMRQQ.exe
        119⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QZUMDI.exe.bat" "
        120⤵
        
        PID:3696
        
        C:\windows\QZUMDI.exe
        
        C:\windows\QZUMDI.exe
        121⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CNME.exe.bat" "
        122⤵
        
        PID:212
        
        C:\windows\CNME.exe
        
        C:\windows\CNME.exe
        123⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPWT.exe.bat" "
        124⤵
        
        PID:2532
        
        C:\windows\system\EPWT.exe
        
        C:\windows\system\EPWT.exe
        125⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDOKYRQ.exe.bat" "
        126⤵
        
        PID:4948
        
        C:\windows\SysWOW64\YDOKYRQ.exe
        
        C:\windows\system32\YDOKYRQ.exe
        127⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVE.exe.bat" "
        128⤵
        
        PID:748
        
        C:\windows\system\XVE.exe
        
        C:\windows\system\XVE.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRPLW.exe.bat" "
        130⤵
        
        PID:3004
        
        C:\windows\system\LRPLW.exe
        
        C:\windows\system\LRPLW.exe
        131⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMZ.exe.bat" "
        132⤵
        
        PID:3204
        
        C:\windows\SysWOW64\SMZ.exe
        
        C:\windows\system32\SMZ.exe
        133⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARZ.exe.bat" "
        134⤵
        
        PID:2776
        
        C:\windows\system\ARZ.exe
        
        C:\windows\system\ARZ.exe
        135⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZCCURSN.exe.bat" "
        136⤵
        
        PID:3932
        
        C:\windows\ZCCURSN.exe
        
        C:\windows\ZCCURSN.exe
        137⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FCJIA.exe.bat" "
        138⤵
        
        PID:2012
        
        C:\windows\FCJIA.exe
        
        C:\windows\FCJIA.exe
        139⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQOO.exe.bat" "
        140⤵
        
        PID:4796
        
        C:\windows\system\FQOO.exe
        
        C:\windows\system\FQOO.exe
        141⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\POCJSBS.exe.bat" "
        142⤵
        
        PID:1696
        
        C:\windows\POCJSBS.exe
        
        C:\windows\POCJSBS.exe
        143⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KBG.exe.bat" "
        144⤵
        
        PID:3992
        
        C:\windows\system\KBG.exe
        
        C:\windows\system\KBG.exe
        145⤵
        Drops file in Windows directory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZM.exe.bat" "
        146⤵
        
        PID:2920
        
        C:\windows\UZM.exe
        
        C:\windows\UZM.exe
        147⤵
        Drops file in Windows directory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QRWPWGZ.exe.bat" "
        148⤵
        
        PID:5016
        
        C:\windows\QRWPWGZ.exe
        
        C:\windows\QRWPWGZ.exe
        149⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NXUM.exe.bat" "
        150⤵
        
        PID:2444
        
        C:\windows\NXUM.exe
        
        C:\windows\NXUM.exe
        151⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVHGSY.exe.bat" "
        152⤵
        
        PID:3448
        
        C:\windows\system\PVHGSY.exe
        
        C:\windows\system\PVHGSY.exe
        153⤵
        Drops file in Windows directory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BLOG.exe.bat" "
        154⤵
        
        PID:3948
        
        C:\windows\BLOG.exe
        
        C:\windows\BLOG.exe
        155⤵
        Checks computer location settings
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBPGDEU.exe.bat" "
        156⤵
        
        PID:748
        
        C:\windows\SysWOW64\IBPGDEU.exe
        
        C:\windows\system32\IBPGDEU.exe
        157⤵
        Drops file in Windows directory
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VELEIV.exe.bat" "
        158⤵
        
        PID:3028
        
        C:\windows\VELEIV.exe
        
        C:\windows\VELEIV.exe
        159⤵
        Drops file in Windows directory
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "
        160⤵
        
        PID:4920
        
        C:\windows\system\BES.exe
        
        C:\windows\system\BES.exe
        161⤵
        Drops file in Windows directory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RUBRYTF.exe.bat" "
        162⤵
        
        PID:1604
        
        C:\windows\system\RUBRYTF.exe
        
        C:\windows\system\RUBRYTF.exe
        163⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LHY.exe.bat" "
        164⤵
        
        PID:1012
        
        C:\windows\LHY.exe
        
        C:\windows\LHY.exe
        165⤵
        Drops file in Windows directory
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFM.exe.bat" "
        166⤵
        
        PID:1136
        
        C:\windows\system\NFM.exe
        
        C:\windows\system\NFM.exe
        167⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SLWKGWX.exe.bat" "
        168⤵
        
        PID:4968
        
        C:\windows\system\SLWKGWX.exe
        
        C:\windows\system\SLWKGWX.exe
        169⤵
        Checks computer location settings
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SQWZPJA.exe.bat" "
        170⤵
        
        PID:2100
        
        C:\windows\SQWZPJA.exe
        
        C:\windows\SQWZPJA.exe
        171⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLBI.exe.bat" "
        172⤵
        
        PID:3508
        
        C:\windows\SysWOW64\MLBI.exe
        
        C:\windows\system32\MLBI.exe
        173⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMJWID.exe.bat" "
        174⤵
        
        PID:3708
        
        C:\windows\SysWOW64\SMJWID.exe
        
        C:\windows\system32\SMJWID.exe
        175⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPFUO.exe.bat" "
        176⤵
        
        PID:2776
        
        C:\windows\SysWOW64\FPFUO.exe
        
        C:\windows\system32\FPFUO.exe
        177⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMGWMR.exe.bat" "
        178⤵
        
        PID:2004
        
        C:\windows\HMGWMR.exe
        
        C:\windows\HMGWMR.exe
        179⤵
        Drops file in Windows directory
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAL.exe.bat" "
        180⤵
        
        PID:3736
        
        C:\windows\system\CAL.exe
        
        C:\windows\system\CAL.exe
        181⤵
        Drops file in Windows directory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GQROI.exe.bat" "
        182⤵
        
        PID:2120
        
        C:\windows\GQROI.exe
        
        C:\windows\GQROI.exe
        183⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OVEUT.exe.bat" "
        184⤵
        
        PID:1848
        
        C:\windows\OVEUT.exe
        
        C:\windows\OVEUT.exe
        185⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVEICCI.exe.bat" "
        186⤵
        
        PID:1728
        
        C:\windows\SysWOW64\UVEICCI.exe
        
        C:\windows\system32\UVEICCI.exe
        187⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEG.exe.bat" "
        188⤵
        
        PID:4760
        
        C:\windows\SysWOW64\DEG.exe
        
        C:\windows\system32\DEG.exe
        189⤵
        Checks computer location settings
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ABLKU.exe.bat" "
        190⤵
        
        PID:4428
        
        C:\windows\ABLKU.exe
        
        C:\windows\ABLKU.exe
        191⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEPGAHO.exe.bat" "
        192⤵
        
        PID:1020
        
        C:\windows\system\SEPGAHO.exe
        
        C:\windows\system\SEPGAHO.exe
        193⤵
        Checks computer location settings
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MXFRJAW.exe.bat" "
        194⤵
        
        PID:4028
        
        C:\windows\SysWOW64\MXFRJAW.exe
        
        C:\windows\system32\MXFRJAW.exe
        195⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XPA.exe.bat" "
        196⤵
        
        PID:3504
        
        C:\windows\SysWOW64\XPA.exe
        
        C:\windows\system32\XPA.exe
        197⤵
        Drops file in Windows directory
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SDETC.exe.bat" "
        198⤵
        
        PID:888
        
        C:\windows\SDETC.exe
        
        C:\windows\SDETC.exe
        199⤵
        Drops file in Windows directory
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XDMHLKB.exe.bat" "
        200⤵
        
        PID:5076
        
        C:\windows\system\XDMHLKB.exe
        
        C:\windows\system\XDMHLKB.exe
        201⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTNG.exe.bat" "
        202⤵
        
        PID:64
        
        C:\windows\SysWOW64\NTNG.exe
        
        C:\windows\system32\NTNG.exe
        203⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JZTDZ.exe.bat" "
        204⤵
        
        PID:3308
        
        C:\windows\JZTDZ.exe
        
        C:\windows\JZTDZ.exe
        205⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCXZEFC.exe.bat" "
        206⤵
        
        PID:3200
        
        C:\windows\system\CCXZEFC.exe
        
        C:\windows\system\CCXZEFC.exe
        207⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DFBDSV.exe.bat" "
        208⤵
        
        PID:4444
        
        C:\windows\SysWOW64\DFBDSV.exe
        
        C:\windows\system32\DFBDSV.exe
        209⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QIRT.exe.bat" "
        210⤵
        
        PID:2560
        
        C:\windows\SysWOW64\QIRT.exe
        
        C:\windows\system32\QIRT.exe
        211⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QVJIH.exe.bat" "
        212⤵
        
        PID:2612
        
        C:\windows\system\QVJIH.exe
        
        C:\windows\system\QVJIH.exe
        213⤵
        Drops file in Windows directory
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HAU.exe.bat" "
        214⤵
        
        PID:4268
        
        C:\windows\system\HAU.exe
        
        C:\windows\system\HAU.exe
        215⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOU.exe.bat" "
        216⤵
        
        PID:3948
        
        C:\windows\system\HOU.exe
        
        C:\windows\system\HOU.exe
        217⤵
        Checks computer location settings
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PUG.exe.bat" "
        218⤵
        
        PID:1936
        
        C:\windows\PUG.exe
        
        C:\windows\PUG.exe
        219⤵
        Drops file in Windows directory
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UZRKZOI.exe.bat" "
        220⤵
        
        PID:3424
        
        C:\windows\UZRKZOI.exe
        
        C:\windows\UZRKZOI.exe
        221⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BPSKY.exe.bat" "
        222⤵
        
        PID:2800
        
        C:\windows\BPSKY.exe
        
        C:\windows\BPSKY.exe
        223⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SPUPKH.exe.bat" "
        224⤵
        
        PID:2136
        
        C:\windows\SPUPKH.exe
        
        C:\windows\SPUPKH.exe
        225⤵
        Checks computer location settings
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVZ.exe.bat" "
        226⤵
        
        PID:4644
        
        C:\windows\SysWOW64\HVZ.exe
        
        C:\windows\system32\HVZ.exe
        227⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGIDFB.exe.bat" "
        228⤵
        
        PID:4876
        
        C:\windows\SysWOW64\CGIDFB.exe
        
        C:\windows\system32\CGIDFB.exe
        229⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLIRGGR.exe.bat" "
        230⤵
        
        PID:1636
        
        C:\windows\system\CLIRGGR.exe
        
        C:\windows\system\CLIRGGR.exe
        231⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWRQURN.exe.bat" "
        232⤵
        
        PID:3384
        
        C:\windows\system\PWRQURN.exe
        
        C:\windows\system\PWRQURN.exe
        233⤵
        Drops file in Windows directory
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VWYDETO.exe.bat" "
        234⤵
        
        PID:4140
        
        C:\windows\VWYDETO.exe
        
        C:\windows\VWYDETO.exe
        235⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZWYD.exe.bat" "
        236⤵
        
        PID:2100
        
        C:\windows\SysWOW64\ZZWYD.exe
        
        C:\windows\system32\ZZWYD.exe
        237⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WFCOSO.exe.bat" "
        238⤵
        
        PID:5012
        
        C:\windows\SysWOW64\WFCOSO.exe
        
        C:\windows\system32\WFCOSO.exe
        239⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CFKB.exe.bat" "
        240⤵
        
        PID:4496
        
        C:\windows\system\CFKB.exe
        
        C:\windows\system\CFKB.exe
        241⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVLBI.exe.bat" "
        242⤵
        
        PID:404
        
        C:\windows\SysWOW64\RVLBI.exe
        
        C:\windows\system32\RVLBI.exe
        243⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABV.exe.bat" "
        244⤵
        
        PID:3704
        
        C:\windows\SysWOW64\ABV.exe
        
        C:\windows\system32\ABV.exe
        245⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TENWUF.exe.bat" "
        246⤵
        
        PID:1044
        
        C:\windows\TENWUF.exe
        
        C:\windows\TENWUF.exe
        247⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AZSIE.exe.bat" "
        248⤵
        
        PID:1968
        
        C:\windows\SysWOW64\AZSIE.exe
        
        C:\windows\system32\AZSIE.exe
        249⤵
        Drops file in Windows directory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PUPD.exe.bat" "
        250⤵
        
        PID:4796
        
        C:\windows\system\PUPD.exe
        
        C:\windows\system\PUPD.exe
        251⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DABHRE.exe.bat" "
        252⤵
        
        PID:3188
        
        C:\windows\system\DABHRE.exe
        
        C:\windows\system\DABHRE.exe
        253⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPUBMSN.exe.bat" "
        254⤵
        
        PID:3756
        
        C:\windows\system\BPUBMSN.exe
        
        C:\windows\system\BPUBMSN.exe
        255⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLL.exe.bat" "
        256⤵
        
        PID:4760
        
        C:\windows\SysWOW64\HLL.exe
        
        C:\windows\system32\HLL.exe
        257⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MQE.exe.bat" "
        258⤵
        
        PID:4480
        
        C:\windows\SysWOW64\MQE.exe
        
        C:\windows\system32\MQE.exe
        259⤵
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWEG.exe.bat" "
        260⤵
        
        PID:1536
        
        C:\windows\SysWOW64\MWEG.exe
        
        C:\windows\system32\MWEG.exe
        261⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CMD.exe.bat" "
        262⤵
        
        PID:4068
        
        C:\windows\system\CMD.exe
        
        C:\windows\system\CMD.exe
        263⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWHPRGK.exe.bat" "
        264⤵
        
        PID:1936
        
        C:\windows\SysWOW64\QWHPRGK.exe
        
        C:\windows\system32\QWHPRGK.exe
        265⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMGADAR.exe.bat" "
        266⤵
        
        PID:1848
        
        C:\windows\SysWOW64\GMGADAR.exe
        
        C:\windows\system32\GMGADAR.exe
        267⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FXIQMG.exe.bat" "
        268⤵
        
        PID:4164
        
        C:\windows\SysWOW64\FXIQMG.exe
        
        C:\windows\system32\FXIQMG.exe
        269⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LXQ.exe.bat" "
        270⤵
        
        PID:4536
        
        C:\windows\LXQ.exe
        
        C:\windows\LXQ.exe
        271⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DACAA.exe.bat" "
        272⤵
        
        PID:1736
        
        C:\windows\SysWOW64\DACAA.exe
        
        C:\windows\system32\DACAA.exe
        273⤵
        Drops file in Windows directory
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AGAXPHS.exe.bat" "
        274⤵
        
        PID:1136
        
        C:\windows\system\AGAXPHS.exe
        
        C:\windows\system\AGAXPHS.exe
        275⤵
        Checks computer location settings
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EOCES.exe.bat" "
        276⤵
        
        PID:1236
        
        C:\windows\EOCES.exe
        
        C:\windows\EOCES.exe
        277⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUACAQP.exe.bat" "
        278⤵
        
        PID:5076
        
        C:\windows\SysWOW64\SUACAQP.exe
        
        C:\windows\system32\SUACAQP.exe
        279⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKBTGD.exe.bat" "
        280⤵
        
        PID:2016
        
        C:\windows\SysWOW64\IKBTGD.exe
        
        C:\windows\system32\IKBTGD.exe
        281⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MPTI.exe.bat" "
        282⤵
        
        PID:3096
        
        C:\windows\system\MPTI.exe
        
        C:\windows\system\MPTI.exe
        283⤵
        Checks computer location settings
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONYD.exe.bat" "
        284⤵
        
        PID:2104
        
        C:\windows\system\ONYD.exe
        
        C:\windows\system\ONYD.exe
        285⤵
        Checks computer location settings
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EDZCL.exe.bat" "
        286⤵
        
        PID:4456
        
        C:\windows\EDZCL.exe
        
        C:\windows\EDZCL.exe
        287⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HLOC.exe.bat" "
        288⤵
        
        PID:5016
        
        C:\windows\HLOC.exe
        
        C:\windows\HLOC.exe
        289⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RJUWEDB.exe.bat" "
        290⤵
        
        PID:4908
        
        C:\windows\RJUWEDB.exe
        
        C:\windows\RJUWEDB.exe
        291⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ROU.exe.bat" "
        292⤵
        
        PID:2664
        
        C:\windows\ROU.exe
        
        C:\windows\ROU.exe
        293⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKD.exe.bat" "
        294⤵
        
        PID:2108
        
        C:\windows\SysWOW64\UKD.exe
        
        C:\windows\system32\UKD.exe
        295⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCGF.exe.bat" "
        296⤵
        
        PID:1572
        
        C:\windows\system\FCGF.exe
        
        C:\windows\system\FCGF.exe
        297⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCOTQLC.exe.bat" "
        298⤵
        
        PID:2520
        
        C:\windows\SysWOW64\LCOTQLC.exe
        
        C:\windows\system32\LCOTQLC.exe
        299⤵
        Checks computer location settings
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDQ.exe.bat" "
        300⤵
        
        PID:5092
        
        C:\windows\SysWOW64\VDQ.exe
        
        C:\windows\system32\VDQ.exe
        301⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOTOCXT.exe.bat" "
        302⤵
        
        PID:920
        
        C:\windows\system\TOTOCXT.exe
        
        C:\windows\system\TOTOCXT.exe
        303⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJXX.exe.bat" "
        304⤵
        
        PID:3968
        
        C:\windows\SysWOW64\OJXX.exe
        
        C:\windows\system32\OJXX.exe
        305⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEHKYJQ.exe.bat" "
        306⤵
        
        PID:3792
        
        C:\windows\SysWOW64\DEHKYJQ.exe
        
        C:\windows\system32\DEHKYJQ.exe
        307⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRM.exe.bat" "
        308⤵
        
        PID:3492
        
        C:\windows\SysWOW64\YRM.exe
        
        C:\windows\system32\YRM.exe
        309⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PZOYL.exe.bat" "
        310⤵
        
        PID:2504
        
        C:\windows\system\PZOYL.exe
        
        C:\windows\system\PZOYL.exe
        311⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKYO.exe.bat" "
        312⤵
        
        PID:3092
        
        C:\windows\SysWOW64\OKYO.exe
        
        C:\windows\system32\OKYO.exe
        313⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DFITFHE.exe.bat" "
        314⤵
        
        PID:3992
        
        C:\windows\DFITFHE.exe
        
        C:\windows\DFITFHE.exe
        315⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\QDIEH.exe.bat" "
        316⤵
        
        PID:2456
        
        C:\windows\QDIEH.exe
        
        C:\windows\QDIEH.exe
        317⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGR.exe.bat" "
        318⤵
        
        PID:3448
        
        C:\windows\SysWOW64\FGR.exe
        
        C:\windows\system32\FGR.exe
        319⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WRQ.exe.bat" "
        320⤵
        
        PID:4816
        
        C:\windows\system\WRQ.exe
        
        C:\windows\system\WRQ.exe
        321⤵
        Checks computer location settings
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YPVBHI.exe.bat" "
        322⤵
        
        PID:3240
        
        C:\windows\system\YPVBHI.exe
        
        C:\windows\system\YPVBHI.exe
        323⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZKZWM.exe.bat" "
        324⤵
        
        PID:5076
        
        C:\windows\system\ZKZWM.exe
        
        C:\windows\system\ZKZWM.exe
        325⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JIFRCHK.exe.bat" "
        326⤵
        
        PID:4388
        
        C:\windows\JIFRCHK.exe
        
        C:\windows\JIFRCHK.exe
        327⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDKA.exe.bat" "
        328⤵
        
        PID:1600
        
        C:\windows\SysWOW64\DDKA.exe
        
        C:\windows\system32\DDKA.exe
        329⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TYBNXBA.exe.bat" "
        330⤵
        
        PID:3644
        
        C:\windows\TYBNXBA.exe
        
        C:\windows\TYBNXBA.exe
        331⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOCEE.exe.bat" "
        332⤵
        
        PID:3044
        
        C:\windows\system\AOCEE.exe
        
        C:\windows\system\AOCEE.exe
        333⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LHXXEE.exe.bat" "
        334⤵
        
        PID:3248
        
        C:\windows\system\LHXXEE.exe
        
        C:\windows\system\LHXXEE.exe
        335⤵
        Drops file in Windows directory
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GUC.exe.bat" "
        336⤵
        
        PID:3792
        
        C:\windows\system\GUC.exe
        
        C:\windows\system\GUC.exe
        337⤵
        Checks computer location settings
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CZIDV.exe.bat" "
        338⤵
        
        PID:2224
        
        C:\windows\CZIDV.exe
        
        C:\windows\CZIDV.exe
        339⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XNMNGGJ.exe.bat" "
        340⤵
        
        PID:64
        
        C:\windows\XNMNGGJ.exe
        
        C:\windows\XNMNGGJ.exe
        341⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNUAPIL.exe.bat" "
        342⤵
        
        PID:2520
        
        C:\windows\system\DNUAPIL.exe
        
        C:\windows\system\DNUAPIL.exe
        343⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UNWFA.exe.bat" "
        344⤵
        
        PID:512
        
        C:\windows\system\UNWFA.exe
        
        C:\windows\system\UNWFA.exe
        345⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FOD.exe.bat" "
        346⤵
        
        PID:3644
        
        C:\windows\system\FOD.exe
        
        C:\windows\system\FOD.exe
        347⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EZOGSUR.exe.bat" "
        348⤵
        
        PID:548
        
        C:\windows\system\EZOGSUR.exe
        
        C:\windows\system\EZOGSUR.exe
        349⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FCSKYK.exe.bat" "
        350⤵
        
        PID:1408
        
        C:\windows\FCSKYK.exe
        
        C:\windows\FCSKYK.exe
        351⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QUZV.exe.bat" "
        352⤵
        
        PID:2208
        
        C:\windows\SysWOW64\QUZV.exe
        
        C:\windows\system32\QUZV.exe
        353⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ASNH.exe.bat" "
        354⤵
        
        PID:640
        
        C:\windows\ASNH.exe
        
        C:\windows\ASNH.exe
        355⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQNTYXT.exe.bat" "
        356⤵
        
        PID:4240
        
        C:\windows\system\OQNTYXT.exe
        
        C:\windows\system\OQNTYXT.exe
        357⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TQVH.exe.bat" "
        358⤵
        
        PID:2932
        
        C:\windows\SysWOW64\TQVH.exe
        
        C:\windows\system32\TQVH.exe
        359⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XGBPURQ.exe.bat" "
        360⤵
        
        PID:2560
        
        C:\windows\SysWOW64\XGBPURQ.exe
        
        C:\windows\system32\XGBPURQ.exe
        361⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\STGY.exe.bat" "
        362⤵
        
        PID:5092
        
        C:\windows\system\STGY.exe
        
        C:\windows\system\STGY.exe
        363⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWKUJH.exe.bat" "
        364⤵
        
        PID:3044
        
        C:\windows\SysWOW64\TWKUJH.exe
        
        C:\windows\system32\TWKUJH.exe
        365⤵
        Drops file in Windows directory
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YXS.exe.bat" "
        366⤵
        
        PID:4408
        
        C:\windows\YXS.exe
        
        C:\windows\YXS.exe
        367⤵
        Drops file in Windows directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PIQ.exe.bat" "
        368⤵
        
        PID:2460
        
        C:\windows\system\PIQ.exe
        
        C:\windows\system\PIQ.exe
        369⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKS.exe.bat" "
        370⤵
        
        PID:2800
        
        C:\windows\system\RKS.exe
        
        C:\windows\system\RKS.exe
        371⤵
        Checks computer location settings
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HAY.exe.bat" "
        372⤵
        
        PID:3696
        
        C:\windows\SysWOW64\HAY.exe
        
        C:\windows\system32\HAY.exe
        373⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GLBOFKI.exe.bat" "
        374⤵
        
        PID:1440
        
        C:\windows\GLBOFKI.exe
        
        C:\windows\GLBOFKI.exe
        375⤵
        Checks computer location settings
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BYG.exe.bat" "
        376⤵
        
        PID:4384
        
        C:\windows\system\BYG.exe
        
        C:\windows\system\BYG.exe
        377⤵
        Checks computer location settings
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BBKTVHH.exe.bat" "
        378⤵
        
        PID:1012
        
        C:\windows\SysWOW64\BBKTVHH.exe
        
        C:\windows\system32\BBKTVHH.exe
        379⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HCR.exe.bat" "
        380⤵
        
        PID:4456
        
        C:\windows\HCR.exe
        
        C:\windows\HCR.exe
        381⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LFQBE.exe.bat" "
        382⤵
        
        PID:3108
        
        C:\windows\system\LFQBE.exe
        
        C:\windows\system\LFQBE.exe
        383⤵
        Drops file in Windows directory
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IKIRUY.exe.bat" "
        384⤵
        
        PID:1296
        
        C:\windows\system\IKIRUY.exe
        
        C:\windows\system\IKIRUY.exe
        385⤵
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 964
        384⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 964
        382⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 988
        380⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 988
        378⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1336
        376⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 988
        374⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 988
        372⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1336
        370⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 976
        368⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 988
        366⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1328
        364⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1272
        362⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 960
        360⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 988
        358⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 960
        356⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1292
        354⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1328
        352⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 960
        350⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1328
        348⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1336
        346⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 988
        344⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1004
        342⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 988
        340⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 960
        338⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1336
        336⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 960
        334⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1304
        332⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1324
        330⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1328
        328⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1324
        326⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 960
        324⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1004
        322⤵
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 988
        320⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 988
        318⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1252
        316⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 988
        314⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1004
        312⤵
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1336
        310⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960
        308⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 960
        306⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1260
        304⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1004
        302⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1328
        300⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1296
        298⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1336
        296⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1328
        294⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1316
        292⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1324
        290⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1324
        288⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1292
        286⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1336
        284⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 960
        282⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1324
        280⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1264
        278⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1324
        276⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1312
        274⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1328
        272⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1004
        270⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 960
        268⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 960
        266⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 964
        264⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1336
        262⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 960
        260⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1296
        258⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1316
        256⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1336
        254⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 960
        252⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336
        250⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1328
        248⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 988
        246⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 960
        244⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1004
        242⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1336
        240⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 960
        238⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1300
        236⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1324
        234⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1308
        232⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1336
        230⤵
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 1004
        228⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1328
        226⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1304
        224⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1000
        222⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 960
        220⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1268
        218⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 960
        216⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1308
        214⤵
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 960
        212⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1320
        210⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 960
        208⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 960
        206⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1324
        204⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1328
        202⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1336
        200⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1324
        198⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 960
        196⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 960
        194⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 960
        192⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 960
        190⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1316
        188⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1328
        186⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1292
        184⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1324
        182⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1304
        180⤵
        
        PID:512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 960
        178⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1004
        176⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 960
        174⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1328
        172⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1296
        170⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 976
        168⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1336
        166⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1316
        164⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1328
        162⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 976
        160⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1324
        158⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1308
        156⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1292
        154⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1336
        152⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1256
        150⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1324
        148⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1324
        146⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1336
        144⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 960
        142⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1328
        140⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1312
        138⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 988
        136⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 960
        134⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1312
        132⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1336
        130⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1336
        128⤵
        Program crash
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1328
        126⤵
        Program crash
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1336
        124⤵
        Program crash
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1296
        122⤵
        Program crash
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 960
        120⤵
        Program crash
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1264
        118⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 960
        116⤵
        Program crash
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 976
        114⤵
        Program crash
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1328
        112⤵
        Program crash
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1296
        110⤵
        Program crash
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1336
        108⤵
        Program crash
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1320
        106⤵
        Program crash
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1328
        104⤵
        Program crash
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1328
        102⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 960
        100⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 992
        98⤵
        Program crash
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
        96⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1296
        94⤵
        Program crash
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 976
        92⤵
        Program crash
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 960
        90⤵
        Program crash
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1328
        88⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 960
        86⤵
        Program crash
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 960
        84⤵
        Program crash
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1324
        82⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1264
        80⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1336
        78⤵
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1256
        76⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 960
        74⤵
        Program crash
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1316
        72⤵
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 988
        70⤵
        Program crash
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 960
        68⤵
        Program crash
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1336
        66⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1308
        64⤵
        Program crash
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1324
        62⤵
        Program crash
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1328
        60⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 988
        58⤵
        Program crash
        
        PID:748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1324
        56⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 960
        54⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 960
        52⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1324
        50⤵
        Program crash
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1260
        48⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1336
        46⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1312
        44⤵
        Program crash
        
        PID:748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 960
        42⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 984
        40⤵
        Program crash
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1328
        38⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
        36⤵
        Program crash
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1328
        34⤵
        Program crash
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1272
        32⤵
        Program crash
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 960
        30⤵
        Program crash
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1296
        28⤵
        Program crash
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 960
        26⤵
        Program crash
        
        PID:1440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 960
        24⤵
        Program crash
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 960
        22⤵
        Program crash
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1324
        20⤵
        Program crash
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1252
        18⤵
        Program crash
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1004
        16⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1336
        14⤵
        Program crash
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 976
        12⤵
        Program crash
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1320
        10⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1260
        8⤵
        Program crash
        
        PID:1936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 960
        6⤵
        Program crash
        
        PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1328
      4⤵
      Program crash
      PID:1536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 948
  2⤵
  - Program crash
  PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4800 -ip 4800
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 212 -ip 212
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3988 -ip 3988
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4128 -ip 4128
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1036 -ip 1036
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 920 -ip 920
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3516 -ip 3516
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 216 -ip 216
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2532 -ip 2532
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4068 -ip 4068
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1408 -ip 1408
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1004 -ip 1004
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3592 -ip 3592
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4952 -ip 4952
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3988 -ip 3988
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1568 -ip 1568
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1632 -ip 1632
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2024 -ip 2024
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3668 -ip 3668
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1852 -ip 1852
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2188 -ip 2188
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2120 -ip 2120
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5044 -ip 5044
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3188 -ip 3188
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 512 -ip 512
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2024 -ip 2024
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3416 -ip 3416
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5032 -ip 5032
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2660 -ip 2660
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3168 -ip 3168
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3472 -ip 3472
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1440 -ip 1440
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4720 -ip 4720
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3424 -ip 3424
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 696 -ip 696
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4060 -ip 4060
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3020 -ip 3020
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2076 -ip 2076
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1788 -ip 1788
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2224 -ip 2224
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3508 -ip 3508
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2504 -ip 2504
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2136 -ip 2136
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3696 -ip 3696
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2908 -ip 2908
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4380 -ip 4380
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2956 -ip 2956
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2024 -ip 2024
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1744 -ip 1744
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4104 -ip 4104
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4340 -ip 4340
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3188 -ip 3188
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3584 -ip 3584
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 640 -ip 640
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 448 -ip 448
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2328 -ip 2328
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3168 -ip 3168
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 920 -ip 920
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4728 -ip 4728
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4140 -ip 4140
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3588 -ip 3588
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3320 -ip 3320
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 2308
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4876 -ip 4876
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2264 -ip 2264
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3272 -ip 3272
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1040 -ip 1040
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1504 -ip 1504
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4760 -ip 4760
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3240 -ip 3240
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1572 -ip 1572
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2304 -ip 2304
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4872 -ip 4872
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 212 -ip 212
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2532 -ip 2532
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1932 -ip 1932
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4192 -ip 4192
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1888 -ip 1888
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4792 -ip 4792
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3492 -ip 3492
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 756 -ip 756
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4460 -ip 4460
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2144 -ip 2144
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4240 -ip 4240
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2856 -ip 2856
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3972 -ip 3972
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1604 -ip 1604
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1148 -ip 1148
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3136 -ip 3136
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4140 -ip 4140
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3724 -ip 3724
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4496 -ip 4496
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5108 -ip 5108
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3028 -ip 3028
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4312 -ip 4312
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3648 -ip 3648
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3592 -ip 3592
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4968 -ip 4968
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2100 -ip 2100
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5012 -ip 5012
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3296 -ip 3296
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 404 -ip 404
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4068 -ip 4068
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5080 -ip 5080
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 184 -ip 184
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3996 -ip 3996
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1848 -ip 1848
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4128 -ip 4128
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3308 -ip 3308
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4232 -ip 4232
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 696 -ip 696
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 592 -ip 592
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3668 -ip 3668
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4828 -ip 4828
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1236 -ip 1236
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1112 -ip 1112
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5100 -ip 5100
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4604 -ip 4604
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2776 -ip 2776
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1284 -ip 1284
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4396 -ip 4396
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1040 -ip 1040
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4380 -ip 4380
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1248 -ip 1248
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2412 -ip 2412
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4352 -ip 4352
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2456 -ip 2456
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4064 -ip 4064
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1336 -ip 1336
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4800 -ip 4800
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1324 -ip 1324
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3708 -ip 3708
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4832 -ip 4832
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1608 -ip 1608
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5080 -ip 5080
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2004 -ip 2004
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1848 -ip 1848
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4164 -ip 4164
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3200 -ip 3200
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1736 -ip 1736
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2264 -ip 2264
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3684 -ip 3684
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1336 -ip 1336
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2868 -ip 2868
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3004 -ip 3004
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1384 -ip 1384
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 940 -ip 940
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4408 -ip 4408
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1360 -ip 1360
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3260 -ip 3260
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4232 -ip 4232
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2120 -ip 2120
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2412 -ip 2412
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2908 -ip 2908
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4184 -ip 4184
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1736 -ip 1736
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4908 -ip 4908
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5012 -ip 5012
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4036 -ip 4036
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2504 -ip 2504
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3092 -ip 3092
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3992 -ip 3992
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4372 -ip 4372
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1348 -ip 1348
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4952 -ip 4952
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1236 -ip 1236
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3392 -ip 3392
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1848 -ip 1848
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3688 -ip 3688
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4496 -ip 4496
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2700 -ip 2700
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4580 -ip 4580
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2464 -ip 2464
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1040 -ip 1040
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1508 -ip 1508
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2376 -ip 2376
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4884 -ip 4884
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4032 -ip 4032
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4868 -ip 4868
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3512 -ip 3512
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3020 -ip 3020
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1248 -ip 1248
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4860 -ip 4860
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1204 -ip 1204
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5108 -ip 5108
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3444 -ip 3444
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1608 -ip 1608
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4816 -ip 4816
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 640 -ip 640
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FRAZ.exe

Filesize
208KB

MD5
6676c1c9fabbee7530f39ec5a3d4b2a3

SHA1
ad2b49d4ed87bb92220eea4fb0124919b64a6833

SHA256
50016f4d4d9a73599a93fbf7387e3226c2cb8f594362d1b20ed345ae0d785fb3

SHA512
dbff6d0f6505fd5e7ae7b0c5acff1c16b82c402422171683ff23ec41dcfe4baddbaa478e654241bf346dfc05daa0a6fb6251419613ed8a698b4e7f658e7ae075

Download Submit
C:\Windows\GSFDHFM.exe

Filesize
208KB

MD5
d3d623809ca0786f371d717c2099f969

SHA1
30250fe64cd0d167c178510c6f43301886eac4fa

SHA256
8467e650d3fcb9aed873c6deb4a9f2abfbadfb771930880b7c7316a88d3449ff

SHA512
4d6391cb0f1cf8f34b7c1ba4984e40684a9a88ca9c478b81a84bce5da3139e9e17e8c6c32784a933dc4fead15372378efbfe14aefe3e2d3104a549149672cbc9

Download Submit
C:\Windows\JKPT.exe

Filesize
208KB

MD5
137c8a6c9921fcbbd69f31fb7b2426f3

SHA1
3163462f9b74494e494a1596ecaa786a9bbdee9e

SHA256
9243810b7490119ce0bb35a8bb46aaf6dd676cd22289f69d789deb610400cdf2

SHA512
f23578571349f082db264af8429d04da5442d77da1d9cb058609eead1803ad7e3989c04fb3cf0d427f01b403c2e32de41d0954bb0a8cde001f4e15e9827c879e

Download Submit
C:\Windows\SysWOW64\FHRYUK.exe

Filesize
208KB

MD5
59648fb55c6dca82ed63b4b90f9b4ad3

SHA1
0a3b706d01f8381b5ca6c209deee7cfe62f69eb2

SHA256
03e5bd0f0f0d5da085bf6b20804b988d6db9fa1f7985e6899b0145a05fcc9823

SHA512
b9f8ed0ba6c2451d6823d5f76b194be244e9585654bd9cbdc391b1adbacb38bcacf42955e10c2bb971a65302ee7c8617296fb6afb5d642bbbe3c3e4af50a7aef

Download Submit
C:\Windows\SysWOW64\OMQHKA.exe

Filesize
208KB

MD5
89b5fd8438c8fc41b153b21cec528688

SHA1
b74b01ca3c3cf4b9a75bda9722b97cb9dde2a9e9

SHA256
b9fc63bf8b097aae29790605b635a45dc515bed42d0186175540d09136ef8b59

SHA512
b143cb499c1981323b7eec5a01f247354ee351a9f613da4d6c0209fe9642b2e44f56edd727b62d2031abc0609b1fb0046a0ae6224838623d12bc48d04637d3f8

Download Submit
C:\Windows\SysWOW64\PNOC.exe

Filesize
208KB

MD5
2eb63d032169d2d10bec9480ea0a8797

SHA1
e9a1f9ade52e9a1296f2feb434a19519b289ea23

SHA256
2beeaa4e654634e0b126c2feb1924a99d72f1759d2cc20606a918003cc3ea5b9

SHA512
dbab65782984ea5e5368fbe9571a56b5de7d4886a043753b77180a0c84ed40abdf185196ada5c53703f32ba99b0486aefe8efa812fe248c853c419d16a86bba2

Download Submit
C:\Windows\SysWOW64\TMW.exe

Filesize
208KB

MD5
25dc9e31cb6bf01ad80d121eca227bbf

SHA1
bf388026742e73efcf3836a044a0e4a94b7802ba

SHA256
ad6225c5725d707c96645ad8cc34d9996cce63713b8e9f8c368bf2971c462311

SHA512
34c6d1d4010bb1c149ada37a87415870a08687810f3909acb6f4496b5fb4f0f099a6944894999893941bfb9bc2acb87db85c539843846304dbdbabe4b5319c5d

Download Submit
C:\Windows\System\HQEMAZZ.exe

Filesize
208KB

MD5
5ed7bb6998b2059451f40e3cf445fbba

SHA1
b9c0b11aedbe9ac851da5a97c941457e291d8ed4

SHA256
9e5e5343a46bd7b397192a35b537c2561549159c17a02d9b578f2e4aacf9a16c

SHA512
3b9759ce30261a918e63399a33478cd135bfc994203c49a1635753106f63db48e559c4391cbc3fb7d69f0a6b90f0c50e14ca345a524f4fe1c21912c926f38ee7

Download Submit
C:\Windows\TAWH.exe

Filesize
208KB

MD5
b172d7eb9b047ee8ce1cb978ec090927

SHA1
b6dee84317ce5c9f0b424e1472763f56d4e460f5

SHA256
18955384f1805409ea6514853559fa1e26a74aa8d389f4d1ddec2053b62df31a

SHA512
1cf4b932e66414f9f4fa3546542c3a513711a63ad10065f02f134c8ecf1846ecf5c657edd2b5f36beaad6e35985bedee187de341af67ac487494c7f0b7d01447

Download Submit
C:\Windows\XUYKDZG.exe

Filesize
208KB

MD5
02161474d90a923b5332745c46545d95

SHA1
ad947124f5153efa711a31b9ab32b99590e2ad3e

SHA256
b76519918d08eb73fe4e2936540616526e4711d00ca24c70e8408c1623aaca72

SHA512
95329c397bdd9a7fe0b07f406a11c19e62c076987a1aa914199e8395be2334932b4583d81950fc4845aa38e4b2a0619e64796c9579db9db163a62698213beb64

Download Submit
C:\windows\AGCD.exe

Filesize
208KB

MD5
ce85eeb1cf57a164966e9af590ce2154

SHA1
9cf469299fdcc4a18f34fd9f247a3d9958bfbaea

SHA256
1763ec0ffc56b9e2833317078c64aacc85de189e6cf5a35b2397bb8a74a8d567

SHA512
0e5b19ad3e0bbd16aa23c0de7fc24f9611bbdc8642d650a0ccf67b89cd0d4cbf0601d246174af11ee75387d0b77f953a87596a86e7cf93ef16819fc0fbf146b9

Download Submit
C:\windows\AGCD.exe.bat

Filesize
54B

MD5
98d4149f465fb82f48fe65935f5c8d58

SHA1
cd252d5b9dc131335c1370439f1943e2219f2a08

SHA256
2d882c5387dd1ef9430803df575e8ad3415df5e98ac2d22c31b2958d7d0d5a19

SHA512
3466d40131278d3bf0bfd5c0541dc395e14cde9bfb5eec255aa2b9d52967743c9701433ee2e970ab51fa7b9093aa0cb7919edcc6c2cb0154c49160fa12fa1cfd

Download Submit
C:\windows\DTO.exe.bat

Filesize
52B

MD5
c257046a5258eabf0d62b466bb9d7b75

SHA1
601e72e6f81cedf4e36550c1c2aa1855cf611cd3

SHA256
3d273547a6ffd70cc10e5c12dfa09091e6d9b044c6ba0bb2241aa3f17654daf3

SHA512
056512a90926a01d79ded0f0b433af23cfaa8e7b0df840f21c66767a7168b104d022c67f5e0c020161ae21b3b590049bf679745e0c6b1b8a8db2e925f9a80885

Download Submit
C:\windows\FRAZ.exe.bat

Filesize
54B

MD5
62189ddb6d826854b6e5aff583ae9456

SHA1
53ca2e653f8c78ddaca9f01d5e963d7706b564c6

SHA256
c5063733154301241653f51e1c4a27aa17b6456cd67c0b45053639ffe474028e

SHA512
ef0cbd5b5e59c6aef4c74b313aafeabf5fe48930e81d05f081e3616f1ff00412ee19ae567d003f23b39d492a11c958854689880980ff1c014fdb5c4f83d55689

Download Submit
C:\windows\GPTZC.exe.bat

Filesize
56B

MD5
97e332f6c61c86ee4e88eef08547948e

SHA1
0e4538774b31f7325a33d2bf50c9e8fd34a32cf9

SHA256
6062f06e57c3cd4ee2e16b687147ee24da148d904504b28a25dac8233bd338bc

SHA512
b6d4fd6a5c8dd04e9488be0baf7798156ea2897864fd1314b3acee5757e420bbe8f6ef0fd86161754f8a18a9866ac78494fef6abf934a0e252e3dc04f3a43e44

Download Submit
C:\windows\GSFDHFM.exe.bat

Filesize
60B

MD5
b2c962646db8f4f7efabe4a782a488c6

SHA1
c0bf34fe6ae42b7a8bbf8aaad4f9e23ce875077b

SHA256
39d44d6357945230878cf94d47734c10a9ec215fb190e2d29bfdaed60d6ab262

SHA512
c8252dd1286aef66538b7b237f529c1319a19436e81e704fbb6fa8eb6f0281bf006370904e5bc0076abd8234f9a3ae97279ca590871579518f1be6e4d7c4cd0e

Download Submit
C:\windows\JKPT.exe.bat

Filesize
54B

MD5
8f8e845246dad2b28fc4f8653482a7dd

SHA1
4bd03f3f7ce3d5ffd6eb3648f9439551d4d5f655

SHA256
bccd64113d40f78bf420a08676b4213d3b25b2fc9973dceeb818f47d5b4e304e

SHA512
3147e2564cfb021b392f5ecf476a2fb871cd0ba886fedff280507a9435690630e4eeafd9ca0066eb516d73de0a84489b353cb1a3c9c19522fccd92d473f6d9c4

Download Submit
C:\windows\PWPUOI.exe.bat

Filesize
58B

MD5
770b25913aace99d83967821eee6142c

SHA1
729ba7543463707725d29c1ae303ca865db40555

SHA256
2d0500dd0c80f86a03b78b5a9b1fd210ad155399e8fcd5ed956fed2ff4401770

SHA512
494498a674d3809724f56e5de96d229ec947a716201e4ef5839e458b4f66379c2a9f16d4663bed7e9bbfada1c43cf3972714ae2c4779be79525893e698142c61

Download Submit
C:\windows\SysWOW64\FHRYUK.exe.bat

Filesize
76B

MD5
2702c99c5ee696723da6268a4b7238b9

SHA1
19469d4305636b3d6589b4b560f7ce4ef999e5f1

SHA256
46bff473d59c441383fd64261a29b16be8543ab7df02fe5021bf5d8099209453

SHA512
7b0e39bd5bc8ba38a22336d1d5939afeb2bdb42d27d156f7830b70e502fe6983e12670148f9c690983d8d9a96ff18a0ee244cf69b1caad56e78748a171ce2644

Download Submit
C:\windows\SysWOW64\KJR.exe.bat

Filesize
70B

MD5
3e2a2588230c65b0448e0e62b7b19a04

SHA1
f42412cb0f848bd64083cfc817057320eaa36f52

SHA256
bf99780590d3a346318d55fada498703cc0fd52a93d92fb911b88f28010353ae

SHA512
7989f9870e86b8ca835a5ecd3021f65cd36caf7d930758710a3b8d59e46f6f36d954a7b5b793dd3ae241c74c8593ca270f3baaf4d9760974ddbe55136e03e200

Download Submit
C:\windows\SysWOW64\LCE.exe

Filesize
208KB

MD5
adac76f48fee04920fd84554265b319a

SHA1
6b5d623e5440792cda0238a0ff37369f1f77991a

SHA256
4b9c7b875cfbf9984da3eddc64c665e083dcad834b710fbdd91d21edbcd6e346

SHA512
dbc99979bf879c127aa2dca54e128c8241922e65b4baac88ddbbabab7a361eb23c68cb6dfcea7a62a0d50e1a016d08db5660458a3159219678a805601b2105a0

Download Submit
C:\windows\SysWOW64\LCE.exe.bat

Filesize
70B

MD5
9c52f40a8b07bab4f678d2939312e503

SHA1
ae522bed71d2293a861b848ef4ce584e08f6b09f

SHA256
8e737a7cbd0c593f0755ebaa9c6071d542a8f0ab956400921575e80ec6b10b5e

SHA512
93c9aa1af335310909b3ed0e96ada0508529fae738c6816f58a5fb360603eaeacd1ed529919837f40ef3233823c019d0d1371696632bdb323561a700794a95e9

Download Submit
C:\windows\SysWOW64\OMQHKA.exe.bat

Filesize
76B

MD5
db4cb5eeaf7841241687e6bdaf81744b

SHA1
92d13ee01feb8d7df990ee15971c876068263351

SHA256
241aa43a53d3765bb5db7a7a10e38c4ffbf0990d39b491e24256d126b92bad51

SHA512
6971e865f7d7cb8ac6bc9ab4ce21f77c2717f24b637cf88be3f94d76456b7c405b58c973628cc3e0a5250dc82704ce73c2fc1f953af19d2c243e5f68982edd99

Download Submit
C:\windows\SysWOW64\PNOC.exe.bat

Filesize
72B

MD5
3d7534cd0cc36c51267e905a2642eb30

SHA1
f5c192cfdfdeeca8a4dd0221751ca3425ad9d29e

SHA256
3119aa8714c150485bb064c55b18727c7d13817aa3990b64cd42bf2bd1124c59

SHA512
12d2e1e5a6ea6ac96c3166b29e6e67044db5c7edad902776289dd9bc7fa8eeabe8cc60f7282f53d389adc8c90e4fb58ee83baae7b3642b9c38da2a0a4b8c2248

Download Submit
C:\windows\SysWOW64\TMW.exe.bat

Filesize
70B

MD5
a1f86f4fb3804836c7343092fe60de91

SHA1
a330a20916e6e61cef1c0d826874b392a23d3fca

SHA256
94811ecc37914a27229d79369be514d9fe610a9f540e2e55e8fddfba498c9508

SHA512
6bd3d0e92ed7862d28f0d15f922a0404fa1343a6f027ed2a7bb339af543f23c7cb801cf10b105f9cec5727c83cfd056e7bea6dac2ecb4ff55c4a96a96a7f5bc0

Download Submit
C:\windows\SysWOW64\ZADV.exe.bat

Filesize
72B

MD5
2f39772c922391b0d090bde34d0ccf43

SHA1
3d6a579ccf2e6f7e2bd596fa6e8e53037635b5ee

SHA256
104c4a637a39a52cd1ff5f48648967459e2dfc604ef1f4f8e1ecbf830e88162a

SHA512
90d91c861d69a6117eb1fcc48a8ea0687666eb972866df87f4c8b21c173c64ee5772d35962f3194da634df19844e9c5875201e29d3d29750849d6989b30b0e4e

Download Submit
C:\windows\TAWH.exe.bat

Filesize
54B

MD5
f36eb0e2af11d2272c928ce3d1fe1e1e

SHA1
6b587b0ea356d049fc33eff127f751141ac29aa6

SHA256
3ab5e85020a23eb473319328ccc9eae7522e238965abc2253b1a8a2dc984d748

SHA512
61c59dfadc8e7ff3ad690ac5c57db09fbe75a48aa21e0c3d3024512dfaf9536092696bfa07936386d1814e1270dd3c76e3940a2c8356dca44434c4d4ea506381

Download Submit
C:\windows\WOZUQKJ.exe

Filesize
208KB

MD5
9fde29fb8127219b8ffb0e5126b7a430

SHA1
4c4c4199d823f63f3cf7655841ca0d0360c189af

SHA256
e7e6455b5e793177204e89404de5dda0a47a2d4c6af4bac456224b79f4615e5a

SHA512
6e8631214d8991fe00f918317228817008b216f3f669fe3a76fa9376945e21f3adac77366cb6769a8495a9e0a96378f971f34406f7709f9f696017b8b0d42769

Download Submit
C:\windows\WOZUQKJ.exe.bat

Filesize
60B

MD5
c0dda6aaf506e9dbde1ac0a4d8678c20

SHA1
d43c616e3e90edd3068ca8cdd690f0a72b0fd232

SHA256
8ecb4fd52e89bff9857cb578440156f6dfcba128be83255c17690bdab4d6370a

SHA512
f6bac4d4bff0db67a17027834499d12281fcce14ece4950767c6ba0ded13c6cb6c2c3fcbe641c3db62e80b727e9d4f4dbb8dcfd403f159a82b5fbf11bf39071f

Download Submit
C:\windows\WVXSQGS.exe

Filesize
208KB

MD5
9f7fd15b7a3a4c1564407b92a115803d

SHA1
24adcfb5134f45cd3fa8bb4a7b2a53d956d1b210

SHA256
7b1c0e60ac72e2e675cdd914554cbcd5135f60078a52111b57d3fa8407a42b18

SHA512
f051a84e9108f0c6ac1457261dd7e22b5e14c2f3e17c18426dfda12766408db985c71e4ea9b0467a7e17a1c6e256a1f4df7a406ff169f5f380ae53a88dbb28f7

Download Submit
C:\windows\WVXSQGS.exe.bat

Filesize
60B

MD5
207c954c731ea4878899743d145c97f6

SHA1
9a297797b7db9902ab2740961c92ee24bd94c388

SHA256
a29a0055dac6f1ddc5f3357a1f4ecff41ac63f0d4b6a0b74f8af55cb640caad0

SHA512
5572f95553444425296b6bfdc5e25515f9882a617f2c45b78c5f3570ae28efc5c53e94309f7d28adda5fccb898941d81912dcc2e18ddc394caa177bc7da0c784

Download Submit
C:\windows\XUYKDZG.exe.bat

Filesize
60B

MD5
8416c67331fb7c65d14cc3c2d57125a8

SHA1
35137b1cd52db3e9f199d5884f3240a95a1f8746

SHA256
dc55df8ce426e4906f4887363152733fa84d2626f4cb91799a88787839817dd4

SHA512
578ddc4570ac5ce3a3d4aebbce5006e41e0a355a5a7515cac27cc37134ed0f076c857eefb376f11195e1f3e11dd97bd6b13781da9bdc752140d1b41f40a5b917

Download Submit
C:\windows\system\CCYDI.exe.bat

Filesize
70B

MD5
9948e2e1391b4e5ddbb5c4464daca47e

SHA1
3417573c467622c125b1ddb9a26c7cd03d240949

SHA256
4c8197f63569f3ddfb7eb29a165afe2285f948b2e4b9cf5ecf3880f68f38c1ae

SHA512
5e16acd5ef9be6a76282694cbf87cf35f58a4b28156109d6e82643cacbbc5ad64ff4cd13e9534f4bde03ea8c75c09bd6ae09991465d985daabe75251f636e3f4

Download Submit
C:\windows\system\HQEMAZZ.exe.bat

Filesize
74B

MD5
32cf385a70d580a179335464726c8510

SHA1
1341df43cc45de76f2957c0160ab5783de3fb067

SHA256
bc570fff0e7da99d4221520b7f1e8a6a4811394c16b0c5bbdd278921eab12ec4

SHA512
99f2266519ef79f8df8dc5f2bb23ac277fda2869e81d0d9fb5b1fdff517493481982f7be021369cbd1a2e4e0d77a460bbadb5c20dcf6a2c2c38397894a046c83

Download Submit
C:\windows\system\MLGJP.exe

Filesize
208KB

MD5
32f9cbbee1bb442dc34c9d7e52214dff

SHA1
2ebc8a0b01822105c994e0d78ae0bc8fd22f790b

SHA256
6f6330b866ef1bdfd26862308c1784ae346de7bd37dfc18294253993a14623b8

SHA512
6b817b7897f8720641ddce8eec8e03d41c15244fd4912c39a469348d891f5cf42cfa8ec2df993578df7ad89444470d73586e0132561cce31ccdb27dd66ff08db

Download Submit
C:\windows\system\MLGJP.exe.bat

Filesize
70B

MD5
3d205d039d27218a93245428b257c029

SHA1
31ceadf84f8ba8d38bfaa89002e683646ea0207d

SHA256
bb96290cdc646a5c259007cacec363151046caad9afa89d0208ec8155e5d46e8

SHA512
317918c5e74e1aa57425e09b82df693ef1775dd00cd45d7943f5129b43f682073861e365e7cc37beb5e5257a1b2540b0ba708df45d1bb2e4d7097c84fd9fe2b6

Download Submit
C:\windows\system\WLOZL.exe

Filesize
208KB

MD5
a58f20cdc77ae1d0c56f17a6d413ccfe

SHA1
964dc7ae622fdbd980efb34f5e664bc88d52ef65

SHA256
5e770c1147ddbbb3836e1393ccd937e57e75725c299b3a21735be17d31532900

SHA512
48daded31cf43b17b54e1a72c47f32da422d9ff70506bfcb832bdfa0ddf36e86654105d5feb11be0ffec62c67484835221d0552f212a9589634a8d8abee69675

Download Submit
C:\windows\system\WLOZL.exe.bat

Filesize
70B

MD5
de9bd1b1f6229c108417553625b51ca1

SHA1
603086a794538e6d001fa85df741d6fa60ddb0a9

SHA256
402b894e929fb02e91fce45dda7eefd34f9eacb04b0534ff9b4ca86874545797

SHA512
517a61ee9a826ee1030c3518982fdeaf23f7f78535418668f5cd1785de94220fcc391f0dc54f006252654091b0ff71746ce08d0e4f17eca7f7e688ae78c87077

Download Submit
memory/212-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/212-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/216-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/216-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/512-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/512-307-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/696-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/696-397-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/920-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/920-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1408-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1408-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1440-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1440-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1568-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1568-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-433-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2076-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2076-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2136-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2136-469-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2224-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2224-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2504-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2504-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2532-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2532-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2660-343-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2660-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-487-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2956-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3188-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3188-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3416-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3416-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3424-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3472-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-451-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3516-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3516-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3548-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3548-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3592-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3592-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3668-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3668-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-478-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-204-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4060-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4060-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4068-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4068-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4128-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4128-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4380-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4760-192-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4760-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4800-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5044-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5044-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download