503f1b432f933c9c7a78687d3bb7a2e535b55b496785e3b0a92aff9326f9f176

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c85d262f202a73935e00423a524600N.exe
Size

208KB
MD5

56c85d262f202a73935e00423a524600
SHA1

2d29902cade3aedb92f60118217bde5d828f0234
SHA256

503f1b432f933c9c7a78687d3bb7a2e535b55b496785e3b0a92aff9326f9f176
SHA512

fd8d52d33030afaab17a5158df5939142535f152b1af77d7b224f83f41199ee3703fe02f0efb716e5651aa71ca9b8d5265772d5d6bcea1fe9614355bb1812454
SSDEEP

6144:TMAsW/uBFMhofrmKv6J3iMsd/xZ9qFD6ZyOY90dQEj:YbZg3ALkObQ

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TGESJEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	SQWZPJA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	YTLNX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	MLYGCYK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	CQOUFLC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ENPWLI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	NVTWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	UJVNUNO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WWCVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WBEDWU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	AXORVPO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	GKJA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	API.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	MLIFWK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ZKBFWGA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	GTNL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	JGYPY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TJZAH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	VTVA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	UYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WCUJDP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	UXGO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TYBELTH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	JSQQMFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RWMMJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	BNE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	COAMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XDWNNO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	CJX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	56c85d262f202a73935e00423a524600N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RSTMG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	KBXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	YAYTDH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	OYNTU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	HHOSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	KOX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XBFVCFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DDGA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	HHUNPJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XYJOW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ELVO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	LXKZDAG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	KNCFQB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RQV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	VFYNZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	GKDZQXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	OYXSZCL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	NPUGH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	KNPNK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XRUWVMJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	FQYL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	PLEOV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XYT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	QZKOK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	NCJB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DGBWB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DTGEK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RKQJGW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	OYSRCJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	JSBLDPX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	VRHSYGV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	UKFAMU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	XTISY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	QVGZFRI.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	ICQJ.exe
2928	AFIU.exe
2020	RSTMG.exe
2428	NQRJNK.exe
624	XYT.exe
1048	KBXM.exe
4404	TJZAH.exe
1832	JEI.exe
2656	DRNND.exe
4296	HHUNPJU.exe
5020	NVTWL.exe
2540	OYXSZCL.exe
464	DTGEK.exe
1512	YOLOUO.exe
2164	SBQ.exe
4452	NPUGH.exe
2076	JUADOYO.exe
1620	YAYTDH.exe
1376	JSBLDPX.exe
4936	ATDQ.exe
3556	XYJOW.exe
1720	BGQ.exe
1588	KPSB.exe
3112	ZKBFWGA.exe
5024	UXGO.exe
3260	CCYDI.exe
4048	GTNL.exe
1788	IQGFBAO.exe
4212	ORNTK.exe
3196	BTW.exe
4444	DRX.exe
3020	FPD.exe
4656	UFEF.exe
5060	IQUE.exe
4332	TYBELTH.exe
4936	DGD.exe
2476	XTISY.exe
1720	FMIUM.exe
4448	FSIIOQ.exe
464	FCR.exe
4732	QVMV.exe
3592	KNPNK.exe
668	JGYPY.exe
628	VYBIGCX.exe
3120	EZV.exe
4672	MRD.exe
1984	QZKOK.exe
4016	ZIMT.exe
728	OYNTU.exe
3592	NNGOHC.exe
5088	AYCUM.exe
232	VMHDWT.exe
3540	VRHSYGV.exe
2708	HHOSK.exe
2368	LPUAWJF.exe
4208	LVVOY.exe
4440	FQZYIW.exe
960	JYGY.exe
896	YTPKFBT.exe
2336	KMSVNI.exe
3832	WCZDS.exe
464	QPEMCAL.exe
2292	BIZ.exe
456	LIBKO.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\DRNND.exe	JEI.exe
File opened for modification	C:\windows\SysWOW64\CVJLHMM.exe	IIFBX.exe
File created	C:\windows\SysWOW64\API.exe.bat	PMJ.exe
File created	C:\windows\SysWOW64\KNI.exe.bat	PAESKD.exe
File created	C:\windows\SysWOW64\QVMV.exe	FCR.exe
File created	C:\windows\SysWOW64\VMHDWT.exe.bat	AYCUM.exe
File created	C:\windows\SysWOW64\HYTGHU.exe.bat	VFYNZ.exe
File opened for modification	C:\windows\SysWOW64\KNCFQB.exe	RKYJ.exe
File created	C:\windows\SysWOW64\API.exe	PMJ.exe
File opened for modification	C:\windows\SysWOW64\AXCNWF.exe	UKD.exe
File created	C:\windows\SysWOW64\UXGO.exe	ZKBFWGA.exe
File created	C:\windows\SysWOW64\ZIMT.exe.bat	QZKOK.exe
File opened for modification	C:\windows\SysWOW64\LPUAWJF.exe	HHOSK.exe
File created	C:\windows\SysWOW64\OYSRCJ.exe.bat	FQYL.exe
File opened for modification	C:\windows\SysWOW64\HOLFC.exe	BNE.exe
File created	C:\windows\SysWOW64\IIFBX.exe	GKDZQXQ.exe
File created	C:\windows\SysWOW64\FQOU.exe	CVJLHMM.exe
File created	C:\windows\SysWOW64\XPGHW.exe.bat	LXLO.exe
File created	C:\windows\SysWOW64\AFIU.exe.bat	ICQJ.exe
File created	C:\windows\SysWOW64\DRNND.exe.bat	JEI.exe
File created	C:\windows\SysWOW64\VMHDWT.exe	AYCUM.exe
File created	C:\windows\SysWOW64\LRKL.exe	PLEOV.exe
File created	C:\windows\SysWOW64\AFIU.exe	ICQJ.exe
File created	C:\windows\SysWOW64\LPUAWJF.exe	HHOSK.exe
File created	C:\windows\SysWOW64\WBEDWU.exe.bat	LIBKO.exe
File opened for modification	C:\windows\SysWOW64\LRKL.exe	PLEOV.exe
File created	C:\windows\SysWOW64\CVJLHMM.exe	IIFBX.exe
File created	C:\windows\SysWOW64\XYT.exe.bat	NQRJNK.exe
File created	C:\windows\SysWOW64\KPSB.exe.bat	BGQ.exe
File created	C:\windows\SysWOW64\GTNL.exe.bat	CCYDI.exe
File created	C:\windows\SysWOW64\XTISY.exe	DGD.exe
File created	C:\windows\SysWOW64\AXORVPO.exe	RWMMJ.exe
File created	C:\windows\SysWOW64\KNCFQB.exe	RKYJ.exe
File created	C:\windows\SysWOW64\XPGHW.exe	LXLO.exe
File opened for modification	C:\windows\SysWOW64\TJZAH.exe	KBXM.exe
File created	C:\windows\SysWOW64\GTNL.exe	CCYDI.exe
File opened for modification	C:\windows\SysWOW64\MRD.exe	EZV.exe
File created	C:\windows\SysWOW64\BNE.exe	KNCFQB.exe
File opened for modification	C:\windows\SysWOW64\UKD.exe	DWTUJFY.exe
File opened for modification	C:\windows\SysWOW64\YAYTDH.exe	JUADOYO.exe
File opened for modification	C:\windows\SysWOW64\IQUE.exe	UFEF.exe
File created	C:\windows\SysWOW64\RKYJ.exe.bat	AXORVPO.exe
File created	C:\windows\SysWOW64\RWNKOG.exe.bat	HOLFC.exe
File created	C:\windows\SysWOW64\AXCNWF.exe	UKD.exe
File opened for modification	C:\windows\SysWOW64\VMHDWT.exe	AYCUM.exe
File opened for modification	C:\windows\SysWOW64\QPEMCAL.exe	WCZDS.exe
File opened for modification	C:\windows\SysWOW64\BIZ.exe	QPEMCAL.exe
File created	C:\windows\SysWOW64\ENPWLI.exe.bat	CQOUFLC.exe
File created	C:\windows\SysWOW64\FBBUF.exe	KOX.exe
File created	C:\windows\SysWOW64\HYTGHU.exe	VFYNZ.exe
File created	C:\windows\SysWOW64\PMJ.exe.bat	JLB.exe
File opened for modification	C:\windows\SysWOW64\RVZSGNO.exe	NFSS.exe
File opened for modification	C:\windows\SysWOW64\EANTE.exe	KNI.exe
File created	C:\windows\SysWOW64\UKD.exe	DWTUJFY.exe
File created	C:\windows\SysWOW64\AXCNWF.exe.bat	UKD.exe
File created	C:\windows\SysWOW64\OYXSZCL.exe	NVTWL.exe
File created	C:\windows\SysWOW64\AXORVPO.exe.bat	RWMMJ.exe
File created	C:\windows\SysWOW64\KNCFQB.exe.bat	RKYJ.exe
File created	C:\windows\SysWOW64\LPUAWJF.exe.bat	HHOSK.exe
File created	C:\windows\SysWOW64\TGESJEC.exe.bat	ELVO.exe
File created	C:\windows\SysWOW64\CBS.exe.bat	YTLNX.exe
File created	C:\windows\SysWOW64\IIFBX.exe.bat	GKDZQXQ.exe
File opened for modification	C:\windows\SysWOW64\OYSRCJ.exe	FQYL.exe
File created	C:\windows\SysWOW64\MXFRJAW.exe	XCVN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\system\RWMMJ.exe.bat	GERT.exe
File opened for modification	C:\windows\MLYGCYK.exe	FQOU.exe
File created	C:\windows\TYBELTH.exe	IQUE.exe
File created	C:\windows\system\UFIDA.exe.bat	UKFAMU.exe
File created	C:\windows\system\JSQQMFK.exe	DSICD.exe
File opened for modification	C:\windows\PLEOV.exe	UYZ.exe
File created	C:\windows\PLEOV.exe.bat	UYZ.exe
File created	C:\windows\KNPNK.exe.bat	QVMV.exe
File created	C:\windows\SQWZPJA.exe.bat	HYTGHU.exe
File opened for modification	C:\windows\system\XCVN.exe	GRXP.exe
File created	C:\windows\system\LIBKO.exe	BIZ.exe
File created	C:\windows\ZCCURSN.exe	ARLERYR.exe
File created	C:\windows\system\LXKZDAG.exe.bat	LRKL.exe
File created	C:\windows\system\CCNZJ.exe.bat	API.exe
File opened for modification	C:\windows\KOX.exe	ENPWLI.exe
File opened for modification	C:\windows\system\NFSS.exe	EEQNQX.exe
File opened for modification	C:\windows\PAESKD.exe	LKXS.exe
File created	C:\windows\system\DTGEK.exe.bat	OYXSZCL.exe
File created	C:\windows\EZV.exe.bat	VYBIGCX.exe
File created	C:\windows\HHOSK.exe.bat	VRHSYGV.exe
File created	C:\windows\PLEOV.exe	UYZ.exe
File opened for modification	C:\windows\system\TPJQRR.exe	EMA.exe
File created	C:\windows\AYCUM.exe	NNGOHC.exe
File opened for modification	C:\windows\WCZDS.exe	KMSVNI.exe
File created	C:\windows\system\LENH.exe.bat	WBEDWU.exe
File created	C:\windows\system\CCNZJ.exe	API.exe
File opened for modification	C:\windows\system\ORNTK.exe	IQGFBAO.exe
File created	C:\windows\WCZDS.exe.bat	KMSVNI.exe
File created	C:\windows\system\KCDVJ.exe	XRUWVMJ.exe
File created	C:\windows\system\FBFPV.exe.bat	SQWZPJA.exe
File opened for modification	C:\windows\JLB.exe	YTGFLGD.exe
File created	C:\windows\system\YOLOUO.exe	DTGEK.exe
File opened for modification	C:\windows\system\UFEF.exe	FPD.exe
File created	C:\windows\system\VFYNZ.exe	EAOV.exe
File opened for modification	C:\windows\WCUJDP.exe	WWCVB.exe
File created	C:\windows\system\DWTUJFY.exe	FBBUF.exe
File opened for modification	C:\windows\KBXM.exe	XYT.exe
File opened for modification	C:\windows\system\FQZYIW.exe	LVVOY.exe
File created	C:\windows\system\KCDVJ.exe.bat	XRUWVMJ.exe
File created	C:\windows\system\LXKZDAG.exe	LRKL.exe
File created	C:\windows\SQWZPJA.exe	HYTGHU.exe
File opened for modification	C:\windows\UJVNUNO.exe	NGLI.exe
File opened for modification	C:\windows\system\ICQJ.exe	56c85d262f202a73935e00423a524600N.exe
File opened for modification	C:\windows\HHUNPJU.exe	DRNND.exe
File created	C:\windows\FMIUM.exe.bat	XTISY.exe
File opened for modification	C:\windows\system\LVVOY.exe	LPUAWJF.exe
File created	C:\windows\system\EEQNQX.exe	OJH.exe
File opened for modification	C:\windows\GRXP.exe	RWNKOG.exe
File opened for modification	C:\windows\XDWNNO.exe	LVQF.exe
File opened for modification	C:\windows\system\COAMS.exe	XDWNNO.exe
File created	C:\windows\KOX.exe.bat	ENPWLI.exe
File created	C:\windows\JEI.exe	TJZAH.exe
File opened for modification	C:\windows\TYBELTH.exe	IQUE.exe
File created	C:\windows\UYZ.exe.bat	OYSRCJ.exe
File created	C:\windows\EAOV.exe.bat	LXKZDAG.exe
File opened for modification	C:\windows\GERT.exe	FBFPV.exe
File created	C:\windows\FPD.exe.bat	DRX.exe
File opened for modification	C:\windows\KNPNK.exe	QVMV.exe
File created	C:\windows\VYBIGCX.exe.bat	JGYPY.exe
File created	C:\windows\HHOSK.exe	VRHSYGV.exe
File opened for modification	C:\windows\system\ARLERYR.exe	REBM.exe
File created	C:\windows\system\CQOUFLC.exe.bat	XPGHW.exe
File created	C:\windows\system\NPUGH.exe	SBQ.exe
File created	C:\windows\system\ORNTK.exe.bat	IQGFBAO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3680	728	WerFault.exe	82
2384	5112	WerFault.exe	90
5072	2928	WerFault.exe	96
456	2020	WerFault.exe	101
2540	2428	WerFault.exe	108
3248	624	WerFault.exe	114
232	1048	WerFault.exe	120
1152	4404	WerFault.exe	125
3328	1832	WerFault.exe	130
3996	2656	WerFault.exe	136
5016	4296	WerFault.exe	141
4044	5020	WerFault.exe	146
4016	2540	WerFault.exe	150
1248	464	WerFault.exe	158
4556	1512	WerFault.exe	163
5072	2164	WerFault.exe	168
1580	4452	WerFault.exe	173
2936	2076	WerFault.exe	177
4800	1620	WerFault.exe	183
2112	1376	WerFault.exe	188
4172	4936	WerFault.exe	193
3104	3556	WerFault.exe	198
5016	1720	WerFault.exe	203
4296	1588	WerFault.exe	208
1800	3112	WerFault.exe	213
4076	5024	WerFault.exe	218
4776	3260	WerFault.exe	223
1868	4048	WerFault.exe	228
1496	1788	WerFault.exe	233
2656	4212	WerFault.exe	238
3424	3196	WerFault.exe	243
3248	4444	WerFault.exe	248
3392	3020	WerFault.exe	253
1608	4656	WerFault.exe	258
4604	5060	WerFault.exe	263
2772	4332	WerFault.exe	268
2656	4936	WerFault.exe	273
4256	2476	WerFault.exe	278
4700	1720	WerFault.exe	283
2520	4448	WerFault.exe	288
972	464	WerFault.exe	294
4208	4732	WerFault.exe	299
2948	3592	WerFault.exe	304
1644	668	WerFault.exe	309
5020	628	WerFault.exe	314
2572	3120	WerFault.exe	319
4520	4672	WerFault.exe	325
4756	1984	WerFault.exe	330
4172	4016	WerFault.exe	335
2968	728	WerFault.exe	340
3000	3592	WerFault.exe	345
448	5088	WerFault.exe	350
4456	232	WerFault.exe	355
3300	3540	WerFault.exe	360
4776	2708	WerFault.exe	365
4476	2368	WerFault.exe	370
2844	4208	WerFault.exe	375
3196	4440	WerFault.exe	380
1612	960	WerFault.exe	385
4800	896	WerFault.exe	389
4884	2336	WerFault.exe	395
4104	3832	WerFault.exe	400
4512	464	WerFault.exe	405
3168	2292	WerFault.exe	410

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VTVA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VMHDWT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMIUM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REBM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LXKZDAG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56c85d262f202a73935e00423a524600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KPSB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CQOUFLC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OYNTU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKQJGW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LJUTNV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GERT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MLYGCYK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DSICD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TJZAH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JUADOYO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DGBWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WCUJDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XRUWVMJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UKD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAESKD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AEEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKWL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCYDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JGYPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UYZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OJH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENPWLI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PLEOV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EAOV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UJVNUNO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YAYTDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	56c85d262f202a73935e00423a524600N.exe
728	56c85d262f202a73935e00423a524600N.exe
5112	ICQJ.exe
5112	ICQJ.exe
2928	AFIU.exe
2928	AFIU.exe
2020	RSTMG.exe
2020	RSTMG.exe
2428	NQRJNK.exe
2428	NQRJNK.exe
624	XYT.exe
624	XYT.exe
1048	KBXM.exe
1048	KBXM.exe
4404	TJZAH.exe
4404	TJZAH.exe
1832	JEI.exe
1832	JEI.exe
2656	DRNND.exe
2656	DRNND.exe
4296	HHUNPJU.exe
4296	HHUNPJU.exe
5020	NVTWL.exe
5020	NVTWL.exe
2540	OYXSZCL.exe
2540	OYXSZCL.exe
464	DTGEK.exe
464	DTGEK.exe
1512	YOLOUO.exe
1512	YOLOUO.exe
2164	SBQ.exe
2164	SBQ.exe
4452	NPUGH.exe
4452	NPUGH.exe
2076	JUADOYO.exe
2076	JUADOYO.exe
1620	YAYTDH.exe
1620	YAYTDH.exe
1376	JSBLDPX.exe
1376	JSBLDPX.exe
4936	ATDQ.exe
4936	ATDQ.exe
3556	XYJOW.exe
3556	XYJOW.exe
1720	BGQ.exe
1720	BGQ.exe
1588	KPSB.exe
1588	KPSB.exe
3112	ZKBFWGA.exe
3112	ZKBFWGA.exe
5024	UXGO.exe
5024	UXGO.exe
3260	CCYDI.exe
3260	CCYDI.exe
4048	GTNL.exe
4048	GTNL.exe
1788	IQGFBAO.exe
1788	IQGFBAO.exe
4212	ORNTK.exe
4212	ORNTK.exe
3196	BTW.exe
3196	BTW.exe
4444	DRX.exe
4444	DRX.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
728	56c85d262f202a73935e00423a524600N.exe
728	56c85d262f202a73935e00423a524600N.exe
5112	ICQJ.exe
5112	ICQJ.exe
2928	AFIU.exe
2928	AFIU.exe
2020	RSTMG.exe
2020	RSTMG.exe
2428	NQRJNK.exe
2428	NQRJNK.exe
624	XYT.exe
624	XYT.exe
1048	KBXM.exe
1048	KBXM.exe
4404	TJZAH.exe
4404	TJZAH.exe
1832	JEI.exe
1832	JEI.exe
2656	DRNND.exe
2656	DRNND.exe
4296	HHUNPJU.exe
4296	HHUNPJU.exe
5020	NVTWL.exe
5020	NVTWL.exe
2540	OYXSZCL.exe
2540	OYXSZCL.exe
464	DTGEK.exe
464	DTGEK.exe
1512	YOLOUO.exe
1512	YOLOUO.exe
2164	SBQ.exe
2164	SBQ.exe
4452	NPUGH.exe
4452	NPUGH.exe
2076	JUADOYO.exe
2076	JUADOYO.exe
1620	YAYTDH.exe
1620	YAYTDH.exe
1376	JSBLDPX.exe
1376	JSBLDPX.exe
4936	ATDQ.exe
4936	ATDQ.exe
3556	XYJOW.exe
3556	XYJOW.exe
1720	BGQ.exe
1720	BGQ.exe
1588	KPSB.exe
1588	KPSB.exe
3112	ZKBFWGA.exe
3112	ZKBFWGA.exe
5024	UXGO.exe
5024	UXGO.exe
3260	CCYDI.exe
3260	CCYDI.exe
4048	GTNL.exe
4048	GTNL.exe
1788	IQGFBAO.exe
1788	IQGFBAO.exe
4212	ORNTK.exe
4212	ORNTK.exe
3196	BTW.exe
3196	BTW.exe
4444	DRX.exe
4444	DRX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1088	728	56c85d262f202a73935e00423a524600N.exe	86
PID 728 wrote to memory of 1088	728	56c85d262f202a73935e00423a524600N.exe	86
PID 728 wrote to memory of 1088	728	56c85d262f202a73935e00423a524600N.exe	86
PID 1088 wrote to memory of 5112	1088	cmd.exe	90
PID 1088 wrote to memory of 5112	1088	cmd.exe	90
PID 1088 wrote to memory of 5112	1088	cmd.exe	90
PID 5112 wrote to memory of 3652	5112	ICQJ.exe	92
PID 5112 wrote to memory of 3652	5112	ICQJ.exe	92
PID 5112 wrote to memory of 3652	5112	ICQJ.exe	92
PID 3652 wrote to memory of 2928	3652	cmd.exe	96
PID 3652 wrote to memory of 2928	3652	cmd.exe	96
PID 3652 wrote to memory of 2928	3652	cmd.exe	96
PID 2928 wrote to memory of 1900	2928	AFIU.exe	97
PID 2928 wrote to memory of 1900	2928	AFIU.exe	97
PID 2928 wrote to memory of 1900	2928	AFIU.exe	97
PID 1900 wrote to memory of 2020	1900	cmd.exe	101
PID 1900 wrote to memory of 2020	1900	cmd.exe	101
PID 1900 wrote to memory of 2020	1900	cmd.exe	101
PID 2020 wrote to memory of 4000	2020	RSTMG.exe	104
PID 2020 wrote to memory of 4000	2020	RSTMG.exe	104
PID 2020 wrote to memory of 4000	2020	RSTMG.exe	104
PID 4000 wrote to memory of 2428	4000	cmd.exe	108
PID 4000 wrote to memory of 2428	4000	cmd.exe	108
PID 4000 wrote to memory of 2428	4000	cmd.exe	108
PID 2428 wrote to memory of 1012	2428	NQRJNK.exe	109
PID 2428 wrote to memory of 1012	2428	NQRJNK.exe	109
PID 2428 wrote to memory of 1012	2428	NQRJNK.exe	109
PID 1012 wrote to memory of 624	1012	cmd.exe	114
PID 1012 wrote to memory of 624	1012	cmd.exe	114
PID 1012 wrote to memory of 624	1012	cmd.exe	114
PID 624 wrote to memory of 4112	624	XYT.exe	116
PID 624 wrote to memory of 4112	624	XYT.exe	116
PID 624 wrote to memory of 4112	624	XYT.exe	116
PID 4112 wrote to memory of 1048	4112	cmd.exe	120
PID 4112 wrote to memory of 1048	4112	cmd.exe	120
PID 4112 wrote to memory of 1048	4112	cmd.exe	120
PID 1048 wrote to memory of 368	1048	KBXM.exe	121
PID 1048 wrote to memory of 368	1048	KBXM.exe	121
PID 1048 wrote to memory of 368	1048	KBXM.exe	121
PID 368 wrote to memory of 4404	368	cmd.exe	125
PID 368 wrote to memory of 4404	368	cmd.exe	125
PID 368 wrote to memory of 4404	368	cmd.exe	125
PID 4404 wrote to memory of 1388	4404	TJZAH.exe	126
PID 4404 wrote to memory of 1388	4404	TJZAH.exe	126
PID 4404 wrote to memory of 1388	4404	TJZAH.exe	126
PID 1388 wrote to memory of 1832	1388	cmd.exe	130
PID 1388 wrote to memory of 1832	1388	cmd.exe	130
PID 1388 wrote to memory of 1832	1388	cmd.exe	130
PID 1832 wrote to memory of 2568	1832	JEI.exe	132
PID 1832 wrote to memory of 2568	1832	JEI.exe	132
PID 1832 wrote to memory of 2568	1832	JEI.exe	132
PID 2568 wrote to memory of 2656	2568	cmd.exe	136
PID 2568 wrote to memory of 2656	2568	cmd.exe	136
PID 2568 wrote to memory of 2656	2568	cmd.exe	136
PID 2656 wrote to memory of 2700	2656	DRNND.exe	137
PID 2656 wrote to memory of 2700	2656	DRNND.exe	137
PID 2656 wrote to memory of 2700	2656	DRNND.exe	137
PID 2700 wrote to memory of 4296	2700	cmd.exe	141
PID 2700 wrote to memory of 4296	2700	cmd.exe	141
PID 2700 wrote to memory of 4296	2700	cmd.exe	141
PID 4296 wrote to memory of 4720	4296	HHUNPJU.exe	142
PID 4296 wrote to memory of 4720	4296	HHUNPJU.exe	142
PID 4296 wrote to memory of 4720	4296	HHUNPJU.exe	142
PID 4720 wrote to memory of 5020	4720	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\56c85d262f202a73935e00423a524600N.exe
"C:\Users\Admin\AppData\Local\Temp\56c85d262f202a73935e00423a524600N.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICQJ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\windows\system\ICQJ.exe
    C:\windows\system\ICQJ.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFIU.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\windows\SysWOW64\AFIU.exe
        
        C:\windows\system32\AFIU.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSTMG.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\windows\SysWOW64\RSTMG.exe
        
        C:\windows\system32\RSTMG.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\windows\system\NQRJNK.exe
        
        C:\windows\system\NQRJNK.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYT.exe.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\windows\SysWOW64\XYT.exe
        
        C:\windows\system32\XYT.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KBXM.exe.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\windows\KBXM.exe
        
        C:\windows\KBXM.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJZAH.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\windows\SysWOW64\TJZAH.exe
        
        C:\windows\system32\TJZAH.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JEI.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\windows\JEI.exe
        
        C:\windows\JEI.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRNND.exe.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\windows\SysWOW64\DRNND.exe
        
        C:\windows\system32\DRNND.exe
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHUNPJU.exe.bat" "
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\windows\HHUNPJU.exe
        
        C:\windows\HHUNPJU.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NVTWL.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\windows\system\NVTWL.exe
        
        C:\windows\system\NVTWL.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYXSZCL.exe.bat" "
        24⤵
        
        PID:2564
        
        C:\windows\SysWOW64\OYXSZCL.exe
        
        C:\windows\system32\OYXSZCL.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DTGEK.exe.bat" "
        26⤵
        
        PID:2912
        
        C:\windows\system\DTGEK.exe
        
        C:\windows\system\DTGEK.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOLOUO.exe.bat" "
        28⤵
        
        PID:3392
        
        C:\windows\system\YOLOUO.exe
        
        C:\windows\system\YOLOUO.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBQ.exe.bat" "
        30⤵
        
        PID:4932
        
        C:\windows\system\SBQ.exe
        
        C:\windows\system\SBQ.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NPUGH.exe.bat" "
        32⤵
        
        PID:3224
        
        C:\windows\system\NPUGH.exe
        
        C:\windows\system\NPUGH.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUADOYO.exe.bat" "
        34⤵
        
        PID:764
        
        C:\windows\SysWOW64\JUADOYO.exe
        
        C:\windows\system32\JUADOYO.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YAYTDH.exe.bat" "
        36⤵
        
        PID:212
        
        C:\windows\SysWOW64\YAYTDH.exe
        
        C:\windows\system32\YAYTDH.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JSBLDPX.exe.bat" "
        38⤵
        
        PID:4276
        
        C:\windows\JSBLDPX.exe
        
        C:\windows\JSBLDPX.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ATDQ.exe.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\windows\ATDQ.exe
        
        C:\windows\ATDQ.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XYJOW.exe.bat" "
        42⤵
        
        PID:5112
        
        C:\windows\XYJOW.exe
        
        C:\windows\XYJOW.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BGQ.exe.bat" "
        44⤵
        
        PID:5056
        
        C:\windows\BGQ.exe
        
        C:\windows\BGQ.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPSB.exe.bat" "
        46⤵
        
        PID:456
        
        C:\windows\SysWOW64\KPSB.exe
        
        C:\windows\system32\KPSB.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZKBFWGA.exe.bat" "
        48⤵
        
        PID:1344
        
        C:\windows\ZKBFWGA.exe
        
        C:\windows\ZKBFWGA.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXGO.exe.bat" "
        50⤵
        
        PID:2564
        
        C:\windows\SysWOW64\UXGO.exe
        
        C:\windows\system32\UXGO.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCYDI.exe.bat" "
        52⤵
        
        PID:1756
        
        C:\windows\system\CCYDI.exe
        
        C:\windows\system\CCYDI.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GTNL.exe.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\windows\SysWOW64\GTNL.exe
        
        C:\windows\system32\GTNL.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\IQGFBAO.exe.bat" "
        56⤵
        
        PID:4852
        
        C:\windows\IQGFBAO.exe
        
        C:\windows\IQGFBAO.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "
        58⤵
        
        PID:3268
        
        C:\windows\system\ORNTK.exe
        
        C:\windows\system\ORNTK.exe
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTW.exe.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\windows\system\BTW.exe
        
        C:\windows\system\BTW.exe
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRX.exe.bat" "
        62⤵
        
        PID:5068
        
        C:\windows\system\DRX.exe
        
        C:\windows\system\DRX.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FPD.exe.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\windows\FPD.exe
        
        C:\windows\FPD.exe
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UFEF.exe.bat" "
        66⤵
        
        PID:2908
        
        C:\windows\system\UFEF.exe
        
        C:\windows\system\UFEF.exe
        67⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQUE.exe.bat" "
        68⤵
        
        PID:2368
        
        C:\windows\SysWOW64\IQUE.exe
        
        C:\windows\system32\IQUE.exe
        69⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TYBELTH.exe.bat" "
        70⤵
        
        PID:3328
        
        C:\windows\TYBELTH.exe
        
        C:\windows\TYBELTH.exe
        71⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DGD.exe.bat" "
        72⤵
        
        PID:3312
        
        C:\windows\DGD.exe
        
        C:\windows\DGD.exe
        73⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTISY.exe.bat" "
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\windows\SysWOW64\XTISY.exe
        
        C:\windows\system32\XTISY.exe
        75⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMIUM.exe.bat" "
        76⤵
        
        PID:3140
        
        C:\windows\FMIUM.exe
        
        C:\windows\FMIUM.exe
        77⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FSIIOQ.exe.bat" "
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\windows\FSIIOQ.exe
        
        C:\windows\FSIIOQ.exe
        79⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCR.exe.bat" "
        80⤵
        
        PID:4076
        
        C:\windows\system\FCR.exe
        
        C:\windows\system\FCR.exe
        81⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVMV.exe.bat" "
        82⤵
        
        PID:2732
        
        C:\windows\SysWOW64\QVMV.exe
        
        C:\windows\system32\QVMV.exe
        83⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KNPNK.exe.bat" "
        84⤵
        
        PID:3924
        
        C:\windows\KNPNK.exe
        
        C:\windows\KNPNK.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JGYPY.exe.bat" "
        86⤵
        
        PID:4744
        
        C:\windows\system\JGYPY.exe
        
        C:\windows\system\JGYPY.exe
        87⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VYBIGCX.exe.bat" "
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\windows\VYBIGCX.exe
        
        C:\windows\VYBIGCX.exe
        89⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EZV.exe.bat" "
        90⤵
        
        PID:4120
        
        C:\windows\EZV.exe
        
        C:\windows\EZV.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRD.exe.bat" "
        92⤵
        
        PID:4456
        
        C:\windows\SysWOW64\MRD.exe
        
        C:\windows\system32\MRD.exe
        93⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QZKOK.exe.bat" "
        94⤵
        
        PID:1756
        
        C:\windows\SysWOW64\QZKOK.exe
        
        C:\windows\system32\QZKOK.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIMT.exe.bat" "
        96⤵
        
        PID:2384
        
        C:\windows\SysWOW64\ZIMT.exe
        
        C:\windows\system32\ZIMT.exe
        97⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\OYNTU.exe.bat" "
        98⤵
        
        PID:4940
        
        C:\windows\OYNTU.exe
        
        C:\windows\OYNTU.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNGOHC.exe.bat" "
        100⤵
        
        PID:3556
        
        C:\windows\SysWOW64\NNGOHC.exe
        
        C:\windows\system32\NNGOHC.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\AYCUM.exe.bat" "
        102⤵
        
        PID:4720
        
        C:\windows\AYCUM.exe
        
        C:\windows\AYCUM.exe
        103⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "
        104⤵
        
        PID:2784
        
        C:\windows\SysWOW64\VMHDWT.exe
        
        C:\windows\system32\VMHDWT.exe
        105⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VRHSYGV.exe.bat" "
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\windows\system\VRHSYGV.exe
        
        C:\windows\system\VRHSYGV.exe
        107⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HHOSK.exe.bat" "
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\windows\HHOSK.exe
        
        C:\windows\HHOSK.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPUAWJF.exe.bat" "
        110⤵
        
        PID:4040
        
        C:\windows\SysWOW64\LPUAWJF.exe
        
        C:\windows\system32\LPUAWJF.exe
        111⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVVOY.exe.bat" "
        112⤵
        
        PID:2928
        
        C:\windows\system\LVVOY.exe
        
        C:\windows\system\LVVOY.exe
        113⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQZYIW.exe.bat" "
        114⤵
        
        PID:4016
        
        C:\windows\system\FQZYIW.exe
        
        C:\windows\system\FQZYIW.exe
        115⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JYGY.exe.bat" "
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\windows\system\JYGY.exe
        
        C:\windows\system\JYGY.exe
        117⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTPKFBT.exe.bat" "
        118⤵
        
        PID:1864
        
        C:\windows\system\YTPKFBT.exe
        
        C:\windows\system\YTPKFBT.exe
        119⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KMSVNI.exe.bat" "
        120⤵
        
        PID:184
        
        C:\windows\KMSVNI.exe
        
        C:\windows\KMSVNI.exe
        121⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCZDS.exe.bat" "
        122⤵
        
        PID:1568
        
        C:\windows\WCZDS.exe
        
        C:\windows\WCZDS.exe
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QPEMCAL.exe.bat" "
        124⤵
        
        PID:1608
        
        C:\windows\SysWOW64\QPEMCAL.exe
        
        C:\windows\system32\QPEMCAL.exe
        125⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BIZ.exe.bat" "
        126⤵
        
        PID:2732
        
        C:\windows\SysWOW64\BIZ.exe
        
        C:\windows\system32\BIZ.exe
        127⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LIBKO.exe.bat" "
        128⤵
        
        PID:4172
        
        C:\windows\system\LIBKO.exe
        
        C:\windows\system\LIBKO.exe
        129⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WBEDWU.exe.bat" "
        130⤵
        
        PID:4620
        
        C:\windows\SysWOW64\WBEDWU.exe
        
        C:\windows\system32\WBEDWU.exe
        131⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LENH.exe.bat" "
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\windows\system\LENH.exe
        
        C:\windows\system\LENH.exe
        133⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PMUPTZ.exe.bat" "
        134⤵
        
        PID:2372
        
        C:\windows\PMUPTZ.exe
        
        C:\windows\PMUPTZ.exe
        135⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRUWVMJ.exe.bat" "
        136⤵
        
        PID:4316
        
        C:\windows\SysWOW64\XRUWVMJ.exe
        
        C:\windows\system32\XRUWVMJ.exe
        137⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KCDVJ.exe.bat" "
        138⤵
        
        PID:4980
        
        C:\windows\system\KCDVJ.exe
        
        C:\windows\system\KCDVJ.exe
        139⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAMU.exe.bat" "
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\windows\SysWOW64\UKFAMU.exe
        
        C:\windows\system32\UKFAMU.exe
        141⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\UFIDA.exe.bat" "
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\windows\system\UFIDA.exe
        
        C:\windows\system\UFIDA.exe
        143⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PTNNCKX.exe.bat" "
        144⤵
        
        PID:860
        
        C:\windows\PTNNCKX.exe
        
        C:\windows\PTNNCKX.exe
        145⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTVA.exe.bat" "
        146⤵
        
        PID:2656
        
        C:\windows\SysWOW64\VTVA.exe
        
        C:\windows\system32\VTVA.exe
        147⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VGVPV.exe.bat" "
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\windows\VGVPV.exe
        
        C:\windows\VGVPV.exe
        149⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\REBM.exe.bat" "
        150⤵
        
        PID:2204
        
        C:\windows\system\REBM.exe
        
        C:\windows\system\REBM.exe
        151⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARLERYR.exe.bat" "
        152⤵
        
        PID:3248
        
        C:\windows\system\ARLERYR.exe
        
        C:\windows\system\ARLERYR.exe
        153⤵
        Drops file in Windows directory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZCCURSN.exe.bat" "
        154⤵
        
        PID:4220
        
        C:\windows\ZCCURSN.exe
        
        C:\windows\ZCCURSN.exe
        155⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DSICD.exe.bat" "
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\windows\DSICD.exe
        
        C:\windows\DSICD.exe
        157⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JSQQMFK.exe.bat" "
        158⤵
        
        PID:2772
        
        C:\windows\system\JSQQMFK.exe
        
        C:\windows\system\JSQQMFK.exe
        159⤵
        Checks computer location settings
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ULT.exe.bat" "
        160⤵
        
        PID:3168
        
        C:\windows\ULT.exe
        
        C:\windows\ULT.exe
        161⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ELVO.exe.bat" "
        162⤵
        
        PID:3816
        
        C:\windows\SysWOW64\ELVO.exe
        
        C:\windows\system32\ELVO.exe
        163⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGESJEC.exe.bat" "
        164⤵
        
        PID:4796
        
        C:\windows\SysWOW64\TGESJEC.exe
        
        C:\windows\system32\TGESJEC.exe
        165⤵
        Checks computer location settings
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NCJB.exe.bat" "
        166⤵
        
        PID:1588
        
        C:\windows\NCJB.exe
        
        C:\windows\NCJB.exe
        167⤵
        Checks computer location settings
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RKQJGW.exe.bat" "
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\windows\RKQJGW.exe
        
        C:\windows\RKQJGW.exe
        169⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVGZFRI.exe.bat" "
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\windows\SysWOW64\QVGZFRI.exe
        
        C:\windows\system32\QVGZFRI.exe
        171⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQYL.exe.bat" "
        172⤵
        
        PID:1516
        
        C:\windows\system\FQYL.exe
        
        C:\windows\system\FQYL.exe
        173⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYSRCJ.exe.bat" "
        174⤵
        
        PID:632
        
        C:\windows\SysWOW64\OYSRCJ.exe
        
        C:\windows\system32\OYSRCJ.exe
        175⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UYZ.exe.bat" "
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\windows\UYZ.exe
        
        C:\windows\UYZ.exe
        177⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PLEOV.exe.bat" "
        178⤵
        
        PID:640
        
        C:\windows\PLEOV.exe
        
        C:\windows\PLEOV.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRKL.exe.bat" "
        180⤵
        
        PID:2700
        
        C:\windows\SysWOW64\LRKL.exe
        
        C:\windows\system32\LRKL.exe
        181⤵
        Drops file in Windows directory
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXKZDAG.exe.bat" "
        182⤵
        
        PID:4212
        
        C:\windows\system\LXKZDAG.exe
        
        C:\windows\system\LXKZDAG.exe
        183⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\windows\EAOV.exe
        
        C:\windows\EAOV.exe
        185⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFYNZ.exe.bat" "
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\windows\system\VFYNZ.exe
        
        C:\windows\system\VFYNZ.exe
        187⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYTGHU.exe.bat" "
        188⤵
        
        PID:1376
        
        C:\windows\SysWOW64\HYTGHU.exe
        
        C:\windows\system32\HYTGHU.exe
        189⤵
        Drops file in Windows directory
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SQWZPJA.exe.bat" "
        190⤵
        
        PID:1792
        
        C:\windows\SQWZPJA.exe
        
        C:\windows\SQWZPJA.exe
        191⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBFPV.exe.bat" "
        192⤵
        
        PID:2992
        
        C:\windows\system\FBFPV.exe
        
        C:\windows\system\FBFPV.exe
        193⤵
        Drops file in Windows directory
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GERT.exe.bat" "
        194⤵
        
        PID:1960
        
        C:\windows\GERT.exe
        
        C:\windows\GERT.exe
        195⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWMMJ.exe.bat" "
        196⤵
        
        PID:4140
        
        C:\windows\system\RWMMJ.exe
        
        C:\windows\system\RWMMJ.exe
        197⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AXORVPO.exe.bat" "
        198⤵
        
        PID:1160
        
        C:\windows\SysWOW64\AXORVPO.exe
        
        C:\windows\system32\AXORVPO.exe
        199⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKYJ.exe.bat" "
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\windows\SysWOW64\RKYJ.exe
        
        C:\windows\system32\RKYJ.exe
        201⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNCFQB.exe.bat" "
        202⤵
        
        PID:3292
        
        C:\windows\SysWOW64\KNCFQB.exe
        
        C:\windows\system32\KNCFQB.exe
        203⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNE.exe.bat" "
        204⤵
        
        PID:1924
        
        C:\windows\SysWOW64\BNE.exe
        
        C:\windows\system32\BNE.exe
        205⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HOLFC.exe.bat" "
        206⤵
        
        PID:2892
        
        C:\windows\SysWOW64\HOLFC.exe
        
        C:\windows\system32\HOLFC.exe
        207⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWNKOG.exe.bat" "
        208⤵
        
        PID:632
        
        C:\windows\SysWOW64\RWNKOG.exe
        
        C:\windows\system32\RWNKOG.exe
        209⤵
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GRXP.exe.bat" "
        210⤵
        
        PID:5072
        
        C:\windows\GRXP.exe
        
        C:\windows\GRXP.exe
        211⤵
        Drops file in Windows directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XCVN.exe.bat" "
        212⤵
        
        PID:1304
        
        C:\windows\system\XCVN.exe
        
        C:\windows\system\XCVN.exe
        213⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MXFRJAW.exe.bat" "
        214⤵
        
        PID:1912
        
        C:\windows\SysWOW64\MXFRJAW.exe
        
        C:\windows\system32\MXFRJAW.exe
        215⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKJA.exe.bat" "
        216⤵
        
        PID:2688
        
        C:\windows\system\GKJA.exe
        
        C:\windows\system\GKJA.exe
        217⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YTLNX.exe.bat" "
        218⤵
        
        PID:1356
        
        C:\windows\YTLNX.exe
        
        C:\windows\YTLNX.exe
        219⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBS.exe.bat" "
        220⤵
        
        PID:436
        
        C:\windows\SysWOW64\CBS.exe
        
        C:\windows\system32\CBS.exe
        221⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LJUTNV.exe.bat" "
        222⤵
        
        PID:2612
        
        C:\windows\system\LJUTNV.exe
        
        C:\windows\system\LJUTNV.exe
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AEEX.exe.bat" "
        224⤵
        
        PID:2232
        
        C:\windows\system\AEEX.exe
        
        C:\windows\system\AEEX.exe
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKWL.exe.bat" "
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\windows\SysWOW64\IKWL.exe
        
        C:\windows\system32\IKWL.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKDZQXQ.exe.bat" "
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\windows\system\GKDZQXQ.exe
        
        C:\windows\system\GKDZQXQ.exe
        229⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IIFBX.exe.bat" "
        230⤵
        
        PID:4020
        
        C:\windows\SysWOW64\IIFBX.exe
        
        C:\windows\system32\IIFBX.exe
        231⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVJLHMM.exe.bat" "
        232⤵
        
        PID:4120
        
        C:\windows\SysWOW64\CVJLHMM.exe
        
        C:\windows\system32\CVJLHMM.exe
        233⤵
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQOU.exe.bat" "
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\windows\SysWOW64\FQOU.exe
        
        C:\windows\system32\FQOU.exe
        235⤵
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MLYGCYK.exe.bat" "
        236⤵
        
        PID:1976
        
        C:\windows\MLYGCYK.exe
        
        C:\windows\MLYGCYK.exe
        237⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EMA.exe.bat" "
        238⤵
        
        PID:4700
        
        C:\windows\system\EMA.exe
        
        C:\windows\system\EMA.exe
        239⤵
        Drops file in Windows directory
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TPJQRR.exe.bat" "
        240⤵
        
        PID:1840
        
        C:\windows\system\TPJQRR.exe
        
        C:\windows\system\TPJQRR.exe
        241⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JZZOQL.exe.bat" "
        242⤵
        
        PID:2556
        
        C:\windows\system\JZZOQL.exe
        
        C:\windows\system\JZZOQL.exe
        243⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NHO.exe.bat" "
        244⤵
        
        PID:3836
        
        C:\windows\NHO.exe
        
        C:\windows\NHO.exe
        245⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQV.exe.bat" "
        246⤵
        
        PID:1640
        
        C:\windows\system\RQV.exe
        
        C:\windows\system\RQV.exe
        247⤵
        Checks computer location settings
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DGBWB.exe.bat" "
        248⤵
        
        PID:4056
        
        C:\windows\system\DGBWB.exe
        
        C:\windows\system\DGBWB.exe
        249⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTGFLGD.exe.bat" "
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\windows\system\YTGFLGD.exe
        
        C:\windows\system\YTGFLGD.exe
        251⤵
        Drops file in Windows directory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JLB.exe.bat" "
        252⤵
        
        PID:3296
        
        C:\windows\JLB.exe
        
        C:\windows\JLB.exe
        253⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMJ.exe.bat" "
        254⤵
        
        PID:2336
        
        C:\windows\SysWOW64\PMJ.exe
        
        C:\windows\system32\PMJ.exe
        255⤵
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\API.exe.bat" "
        256⤵
        
        PID:3544
        
        C:\windows\SysWOW64\API.exe
        
        C:\windows\system32\API.exe
        257⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCNZJ.exe.bat" "
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\windows\system\CCNZJ.exe
        
        C:\windows\system\CCNZJ.exe
        259⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XPKITTG.exe.bat" "
        260⤵
        
        PID:1340
        
        C:\windows\XPKITTG.exe
        
        C:\windows\XPKITTG.exe
        261⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVQF.exe.bat" "
        262⤵
        
        PID:1376
        
        C:\windows\system\LVQF.exe
        
        C:\windows\system\LVQF.exe
        263⤵
        Drops file in Windows directory
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XDWNNO.exe.bat" "
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\windows\XDWNNO.exe
        
        C:\windows\XDWNNO.exe
        265⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\COAMS.exe.bat" "
        266⤵
        
        PID:3940
        
        C:\windows\system\COAMS.exe
        
        C:\windows\system\COAMS.exe
        267⤵
        Checks computer location settings
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XBFVCFN.exe.bat" "
        268⤵
        
        PID:3612
        
        C:\windows\XBFVCFN.exe
        
        C:\windows\XBFVCFN.exe
        269⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJH.exe.bat" "
        270⤵
        
        PID:2116
        
        C:\windows\SysWOW64\OJH.exe
        
        C:\windows\system32\OJH.exe
        271⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\EEQNQX.exe.bat" "
        272⤵
        
        PID:1592
        
        C:\windows\system\EEQNQX.exe
        
        C:\windows\system\EEQNQX.exe
        273⤵
        Drops file in Windows directory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFSS.exe.bat" "
        274⤵
        
        PID:116
        
        C:\windows\system\NFSS.exe
        
        C:\windows\system\NFSS.exe
        275⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVZSGNO.exe.bat" "
        276⤵
        
        PID:1160
        
        C:\windows\SysWOW64\RVZSGNO.exe
        
        C:\windows\system32\RVZSGNO.exe
        277⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDGA.exe.bat" "
        278⤵
        
        PID:4776
        
        C:\windows\system\DDGA.exe
        
        C:\windows\system\DDGA.exe
        279⤵
        Checks computer location settings
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLIFWK.exe.bat" "
        280⤵
        
        PID:716
        
        C:\windows\system\MLIFWK.exe
        
        C:\windows\system\MLIFWK.exe
        281⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NGLI.exe.bat" "
        282⤵
        
        PID:2892
        
        C:\windows\NGLI.exe
        
        C:\windows\NGLI.exe
        283⤵
        Drops file in Windows directory
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\UJVNUNO.exe.bat" "
        284⤵
        
        PID:3964
        
        C:\windows\UJVNUNO.exe
        
        C:\windows\UJVNUNO.exe
        285⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LKXS.exe.bat" "
        286⤵
        
        PID:976
        
        C:\windows\SysWOW64\LKXS.exe
        
        C:\windows\system32\LKXS.exe
        287⤵
        Drops file in Windows directory
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\PAESKD.exe.bat" "
        288⤵
        
        PID:3280
        
        C:\windows\PAESKD.exe
        
        C:\windows\PAESKD.exe
        289⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNI.exe.bat" "
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\windows\SysWOW64\KNI.exe
        
        C:\windows\system32\KNI.exe
        291⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EANTE.exe.bat" "
        292⤵
        
        PID:1212
        
        C:\windows\SysWOW64\EANTE.exe
        
        C:\windows\system32\EANTE.exe
        293⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KWMTBFF.exe.bat" "
        294⤵
        
        PID:4052
        
        C:\windows\KWMTBFF.exe
        
        C:\windows\KWMTBFF.exe
        295⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CJX.exe.bat" "
        296⤵
        
        PID:448
        
        C:\windows\CJX.exe
        
        C:\windows\CJX.exe
        297⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWCVB.exe.bat" "
        298⤵
        
        PID:3460
        
        C:\windows\SysWOW64\WWCVB.exe
        
        C:\windows\system32\WWCVB.exe
        299⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WCUJDP.exe.bat" "
        300⤵
        
        PID:1004
        
        C:\windows\WCUJDP.exe
        
        C:\windows\WCUJDP.exe
        301⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LXLO.exe.bat" "
        302⤵
        
        PID:1040
        
        C:\windows\SysWOW64\LXLO.exe
        
        C:\windows\system32\LXLO.exe
        303⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XPGHW.exe.bat" "
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\windows\SysWOW64\XPGHW.exe
        
        C:\windows\system32\XPGHW.exe
        305⤵
        Drops file in Windows directory
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQOUFLC.exe.bat" "
        306⤵
        
        PID:4332
        
        C:\windows\system\CQOUFLC.exe
        
        C:\windows\system\CQOUFLC.exe
        307⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ENPWLI.exe.bat" "
        308⤵
        
        PID:3168
        
        C:\windows\SysWOW64\ENPWLI.exe
        
        C:\windows\system32\ENPWLI.exe
        309⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\KOX.exe.bat" "
        310⤵
        
        PID:2368
        
        C:\windows\KOX.exe
        
        C:\windows\KOX.exe
        311⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBBUF.exe.bat" "
        312⤵
        
        PID:1976
        
        C:\windows\SysWOW64\FBBUF.exe
        
        C:\windows\system32\FBBUF.exe
        313⤵
        Drops file in Windows directory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DWTUJFY.exe.bat" "
        314⤵
        
        PID:4268
        
        C:\windows\system\DWTUJFY.exe
        
        C:\windows\system\DWTUJFY.exe
        315⤵
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKD.exe.bat" "
        316⤵
        
        PID:4416
        
        C:\windows\SysWOW64\UKD.exe
        
        C:\windows\system32\UKD.exe
        317⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AXCNWF.exe.bat" "
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\windows\SysWOW64\AXCNWF.exe
        
        C:\windows\system32\AXCNWF.exe
        319⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1316
        318⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1308
        316⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1336
        314⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 960
        312⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 960
        310⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 960
        308⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1336
        306⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1328
        304⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1256
        302⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1292
        300⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 960
        298⤵
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1004
        296⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1316
        294⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1260
        292⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1296
        290⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1292
        288⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 988
        286⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 1288
        284⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1288
        282⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1268
        280⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1304
        278⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1296
        276⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1336
        274⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1336
        272⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1260
        270⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1236
        268⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 964
        266⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1304
        264⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 988
        262⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1292
        260⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 960
        258⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1328
        256⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1328
        254⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1324
        252⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 988
        250⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1008
        248⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1336
        246⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 960
        244⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 960
        242⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1336
        240⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 976
        238⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1312
        236⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1328
        234⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1296
        232⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1328
        230⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1336
        228⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1328
        226⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 960
        224⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1332
        222⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1324
        220⤵
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1324
        218⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1324
        216⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1328
        214⤵
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
        212⤵
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1316
        210⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 960
        208⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 960
        206⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 960
        204⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 960
        202⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 960
        200⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 960
        198⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1336
        196⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 960
        194⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 988
        192⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1324
        190⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1328
        188⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 960
        186⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1324
        184⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1336
        182⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1296
        180⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1292
        178⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1324
        176⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1328
        174⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1336
        172⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 988
        170⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1304
        168⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1324
        166⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1296
        164⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1264
        162⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 960
        160⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1336
        158⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1260
        156⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1256
        154⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1300
        152⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1264
        150⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1324
        148⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 960
        146⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1324
        144⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 964
        142⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1328
        140⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1336
        138⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 988
        136⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1324
        134⤵
        
        PID:556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1268
        132⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 960
        130⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1336
        128⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 960
        126⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1328
        124⤵
        Program crash
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1324
        122⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1324
        120⤵
        Program crash
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 960
        118⤵
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1336
        116⤵
        Program crash
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1336
        114⤵
        Program crash
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1336
        112⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 960
        110⤵
        Program crash
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1268
        108⤵
        Program crash
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1336
        106⤵
        Program crash
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1328
        104⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1316
        102⤵
        Program crash
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 1264
        100⤵
        Program crash
        
        PID:2968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 960
        98⤵
        Program crash
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1292
        96⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1328
        94⤵
        Program crash
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1328
        92⤵
        Program crash
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1004
        90⤵
        Program crash
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 960
        88⤵
        Program crash
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1328
        86⤵
        Program crash
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1324
        84⤵
        Program crash
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1328
        82⤵
        Program crash
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1336
        80⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 960
        78⤵
        Program crash
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1292
        76⤵
        Program crash
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960
        74⤵
        Program crash
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 960
        72⤵
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 960
        70⤵
        Program crash
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 960
        68⤵
        Program crash
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1336
        66⤵
        Program crash
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1324
        64⤵
        Program crash
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1304
        62⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1304
        60⤵
        Program crash
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 988
        58⤵
        Program crash
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1324
        56⤵
        Program crash
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1296
        54⤵
        Program crash
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1336
        52⤵
        Program crash
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 960
        50⤵
        Program crash
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1260
        48⤵
        Program crash
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1328
        46⤵
        Program crash
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1316
        44⤵
        Program crash
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1324
        42⤵
        Program crash
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1324
        40⤵
        Program crash
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 960
        38⤵
        Program crash
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1320
        36⤵
        Program crash
        
        PID:2936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1296
        34⤵
        Program crash
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1336
        32⤵
        Program crash
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 988
        30⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1324
        28⤵
        Program crash
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1336
        26⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 960
        24⤵
        Program crash
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 960
        22⤵
        Program crash
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1324
        20⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 960
        18⤵
        Program crash
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1252
        16⤵
        Program crash
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1328
        14⤵
        Program crash
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1260
        12⤵
        Program crash
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1004
        10⤵
        Program crash
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 960
        8⤵
        Program crash
        
        PID:456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 976
        6⤵
        Program crash
        
        PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1328
      4⤵
      Program crash
      PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 996
  2⤵
  - Program crash
  PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 728 -ip 728
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5112 -ip 5112
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2928 -ip 2928
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2020 -ip 2020
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2428 -ip 2428
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 624 -ip 624
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1048 -ip 1048
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4404 -ip 4404
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1832 -ip 1832
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2656 -ip 2656
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4296 -ip 4296
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5020 -ip 5020
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2540 -ip 2540
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 464 -ip 464
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1512 -ip 1512
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2164 -ip 2164
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4452 -ip 4452
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2076 -ip 2076
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1620 -ip 1620
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1376 -ip 1376
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4936 -ip 4936
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3556 -ip 3556
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1720 -ip 1720
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1588 -ip 1588
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3112 -ip 3112
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5024 -ip 5024
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3260 -ip 3260
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4048 -ip 4048
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1788 -ip 1788
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4212 -ip 4212
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3196 -ip 3196
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4444 -ip 4444
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3020 -ip 3020
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4656 -ip 4656
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5060 -ip 5060
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4332 -ip 4332
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4936 -ip 4936
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2476 -ip 2476
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1720 -ip 1720
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4448 -ip 4448
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 464 -ip 464
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4732 -ip 4732
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3592 -ip 3592
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 668 -ip 668
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 628 -ip 628
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3120 -ip 3120
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4672 -ip 4672
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1984 -ip 1984
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4016 -ip 4016
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 728 -ip 728
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3592 -ip 3592
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5088 -ip 5088
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 232 -ip 232
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3540 -ip 3540
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2708 -ip 2708
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2368 -ip 2368
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4208 -ip 4208
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4440 -ip 4440
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 960 -ip 960
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 896 -ip 896
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2336 -ip 2336
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3832 -ip 3832
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 464 -ip 464
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2292 -ip 2292
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 456 -ip 456
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3700 -ip 3700
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3000 -ip 3000
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4256 -ip 4256
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4296 -ip 4296
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3596 -ip 3596
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1900 -ip 1900
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4300 -ip 4300
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1716 -ip 1716
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5060 -ip 5060
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4936 -ip 4936
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5024 -ip 5024
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5020 -ip 5020
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1548 -ip 1548
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1200 -ip 1200
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2412 -ip 2412
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2368 -ip 2368
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5088 -ip 5088
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 680 -ip 680
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4444 -ip 4444
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4648 -ip 4648
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3044 -ip 3044
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4548 -ip 4548
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1708 -ip 1708
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3444 -ip 3444
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 456 -ip 456
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1612 -ip 1612
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4792 -ip 4792
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1648 -ip 1648
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4996 -ip 4996
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3972 -ip 3972
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 880 -ip 880
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3616 -ip 3616
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4124 -ip 4124
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4400 -ip 4400
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4044 -ip 4044
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2080 -ip 2080
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3204 -ip 3204
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3936 -ip 3936
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1424 -ip 1424
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4556 -ip 4556
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 116 -ip 116
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2428 -ip 2428
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4936 -ip 4936
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 536 -ip 536
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1376 -ip 1376
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4924 -ip 4924
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4756 -ip 4756
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3612 -ip 3612
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2972 -ip 2972
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1344 -ip 1344
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1388 -ip 1388
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1892 -ip 1892
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 404 -ip 404
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2760 -ip 2760
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3268 -ip 3268
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2992 -ip 2992
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1716 -ip 1716
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2248 -ip 2248
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3212 -ip 3212
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 552 -ip 552
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 896 -ip 896
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4964 -ip 4964
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3464 -ip 3464
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3836 -ip 3836
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1640 -ip 1640
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1748 -ip 1748
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1812 -ip 1812
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3632 -ip 3632
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2204 -ip 2204
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5088 -ip 5088
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1000 -ip 1000
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4016 -ip 4016
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5096 -ip 5096
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 428 -ip 428
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2164 -ip 2164
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2180 -ip 2180
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4264 -ip 4264
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3020 -ip 3020
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1344 -ip 1344
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4512 -ip 4512
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2232 -ip 2232
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1984 -ip 1984
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5112 -ip 5112
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4328 -ip 4328
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2656 -ip 2656
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2688 -ip 2688
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4536 -ip 4536
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2076 -ip 2076
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4184 -ip 4184
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4988 -ip 4988
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3664 -ip 3664
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ATDQ.exe

Filesize
208KB

MD5
947e201b51306ddf40f93715ea86a698

SHA1
002fd4fd3f94d2032b9e85798cbd59187169d117

SHA256
8978d93d0f29b8bdd25784632d7c2c9a0f042c64398e62428cc585edf183ace0

SHA512
bdd2a540aa20f8a178501a3b499683ddc242ab95df6f1fd43497395d10ace82e9a3873b832dd7b8efb63fcdae4e2594a8a27deb556cb2b7a94152363c20953f7

Download Submit
C:\Windows\SysWOW64\AFIU.exe

Filesize
208KB

MD5
6ed7562e54f85ebe429a51be845c56d0

SHA1
50dad2fb012298217b6abb75970da9f539866133

SHA256
997feb75605a3b41f693a49602c7c19dc84fcd8589b5d668c3e70ae104cfc54b

SHA512
1bddf5628f10a1f02f0d52e9463a912b736300c66aa0eb503839f9f480aae733bc00d5f41a08b9dada93b213bc050db25af31d55bafd981c08f35a0b8839762b

Download Submit
C:\Windows\SysWOW64\AFIU.exe

Filesize
208KB

MD5
fe50d53fafc22f94f8e7f0c67df4bf19

SHA1
19c32b7cab8e3cd95c69b6a69628a628dff72147

SHA256
ca615ff51717e103e4d4556e92f37ef662f115775a6270da1bc663f72b92cd0b

SHA512
87c41afa3a1bb3002f61762a650d2adc5f4fa4e49e3667243880a4404cf57de205c4f784e05bc9cbb273a86b70bd87a4e7742a670ad9d35c2fd4a5c66f043184

Download Submit
C:\Windows\SysWOW64\DRNND.exe

Filesize
208KB

MD5
2f249cf94cb308b45c2883eb20d731aa

SHA1
115743a4fe0eaea04215d4a1197231ec6770fd01

SHA256
725c4cf3c14c63b7f380ea5a565117c64a4028edb315185ff8352575502c05d3

SHA512
405074d90e6f6b7285b5dbba013cfe9e5f3eb319da854cf740a02eff9e7763d909e74c10a42a864d921cc3714d98dc5f787fcf3b47fa7bb00cc9cd0cb815cd9b

Download Submit
C:\Windows\SysWOW64\RSTMG.exe

Filesize
208KB

MD5
efdeb8fcd930a45d84a157c9a633b94c

SHA1
6a2d3a69e26fa0e480c08d7e94acff582287b912

SHA256
843ca4f3698dab77d571844dc802261cbd5adbf067be57fc5dc55654ca1e7d45

SHA512
25fc0bb926bf2eb2d68892c9e8c2f18a44f71c0d122fce157ba2fb2b74051887a2d9de4a2e81f3820035430a8fda9a34768978aee7b636073a38d54bd625e7c4

Download Submit
C:\Windows\SysWOW64\TJZAH.exe

Filesize
208KB

MD5
dcf6f98eee0f073f3d7e3fa02ef34c81

SHA1
845225d3a441f76747c510f260a3fcdc8a13eaaa

SHA256
f3e92fce68feba84c94686e6cdc5e7af52e5515121d5e3de7552dbb1a9be8715

SHA512
0822647cf625fb5d749c43930aade667770368d8964d44d639058250c4470e8eea2747bab65021d31a5f96b65b41597074723c78c0f0c630eb2491928e5ac6bb

Download Submit
C:\Windows\SysWOW64\XYT.exe

Filesize
208KB

MD5
6a6b803e0316b4cbca910912ad6f9009

SHA1
ff1b5392e87443e46d6cb9aa1c44c26ea07926d7

SHA256
230c7d8928ffbb23bebb591022fb3c447e59d7a0a3807fa9bd68ea25c1d8a98b

SHA512
256dfb70c9eafa51cea8871067927c7191d5cfd016b71b601f1f9ee3227aba6133b7cebef26ace826363387193215d8dcfb5b968ab8a60a857c55201bd882706

Download Submit
C:\Windows\System\DTGEK.exe

Filesize
208KB

MD5
2117103bc3fefac5dbf179b070247bfd

SHA1
baf192c5bdd8b451a15b85ede328bd878b9ebf46

SHA256
5392a2175aae41535cc60883ca7fed5831238e0a3c9ccec0f04f6777a0b217e5

SHA512
a291a9da737aab81ec577c952a99142b74418376a6fb56248439417fb2d1afc99a93f7546c89a05fb459e5adf8377f7978e13de2df3126e0421d3305f9228ef7

Download Submit
C:\Windows\System\ICQJ.exe

Filesize
208KB

MD5
b4ad998cb521806a4a010e01b43b4183

SHA1
3cdd71c43d229a1a52fb1c42c39153da918e7160

SHA256
3f478fdf3fcd0b76bd2fbbfeceb4b7c4d93cd95fb750c7793647f93b78bde7a3

SHA512
011132807aea558fbc18bb52da3c60a0b8d01b098616659ea3f65d55f681aa2f3d31e06c140fa1686c19091988d95dc1bdd5fcb377a88e08802d2062caf7534c

Download Submit
C:\Windows\System\NQRJNK.exe

Filesize
208KB

MD5
993859ed0c49aec191d90821c131a5c5

SHA1
056bafe19f601836f77577522cb4ca391120f85e

SHA256
816c65a4dd825e059f80058ca5325e29fd9e01eac506898b3ad55b851c006c71

SHA512
96bb57c39eba315a5f77a25a8eb88b55f7bd7f43ebce5f31171b361a61d77adad56a011edeae625789d78db7021282cbf1d7b1d8e7a722d761fa04b79e1e6ca3

Download Submit
C:\Windows\System\NVTWL.exe

Filesize
208KB

MD5
71bf8847792da4df57494e3a5726e083

SHA1
f2b08d66e21dc458c364939b64cbfeb5a5622dcd

SHA256
af0bd182d6b490c3f837c156117201f991451d05b073d3a23ce16ff92643e4d1

SHA512
e89a0683c416cd784a6a1efd665aeac3f77f66cff72cf6c6254b3e4b8ca5027cfc11eecfa5e1d7f28427398f70d1e414c8a870975733bff2d17d43116f0333e3

Download Submit
C:\Windows\System\SBQ.exe

Filesize
208KB

MD5
96e3296e209976c9a0dc851bfbbd3f69

SHA1
b7e96cb457e274819e8899fdc2acb6cb011de430

SHA256
8e91536eaffb2cd76ee0926dee065cf17a5a50886f08992e0af52c45e8584073

SHA512
652acfbb00f3b2c8b3e21eb72b19ce3f5074657b2722c91596ed1959930bedc18d88da7068027304c42ac8992f60f90ffa945fbea2aed5868c28ebd7442781a7

Download Submit
C:\Windows\XYJOW.exe

Filesize
208KB

MD5
d3c2cdd799b53269e72bc9f97d65da87

SHA1
3063f8d6e4008b79a6c230ed8e099f848537e24e

SHA256
ca5ac2b4c29749a13b5c517809c5d8264774ed83ada4dc6150665882f6908706

SHA512
956167d0f1987c6d97d47e6a27a1de7998e90e32285383c135c837098af45342faa4e272b0db87d7bdf977a08ca5375afbb82101f2c631fb3f15323df681fdd3

Download Submit
C:\windows\ATDQ.exe.bat

Filesize
54B

MD5
1eea184bcf1dfd88b0ae3e5fd622e167

SHA1
4c00924f6cc1af82a70c533fa231a1c3a2039bfb

SHA256
45bea1ecc409fbf38c6bb0657b2b0d897abfc11c6da69a73b7dd108069ac0662

SHA512
4f2292bd6c1c5355e91fdbd95680ae1db9842ac32026aaabd3792d8e4e42a3b41daac31c7ba068013f3d3658e2ecce6a7cf7cc2154bffe2f2d5dff9c1dacdd4d

Download Submit
C:\windows\BGQ.exe.bat

Filesize
52B

MD5
3f604957d2592d707cc968e740f51ff9

SHA1
07f2f7ebe452c9f8bd83998bdaba77f41d905a4d

SHA256
a49f57e62cb7fd63ee39859e26272fa60115a1a75eef65aa1b0f9d4bec1436e1

SHA512
14a922c7b729682c5aa69a721c76924c04c88971d28e0c199c287864892fde98634d1399f0235759446d08bbdd829db31191a18be7f8754c639aec80deeb1ab9

Download Submit
C:\windows\HHUNPJU.exe.bat

Filesize
60B

MD5
dc7a8cdeb58e9ceab64ef58a9c1c39bf

SHA1
d9244b85b2305219db93505fa1d2fa0d37b3c3c3

SHA256
9635eb9ebf1969c1c0cfedc158ef38957b3e9033b06325f3c0e64c05bcda5ca2

SHA512
653abf6f4f31ae2472f8e33ee916f7867d3d4b87d12d8cc951272b8ce79d1e06b1372397f07401d884b73c9d841ecea67166091ca40971cf3cd8da3d4594e659

Download Submit
C:\windows\JEI.exe

Filesize
208KB

MD5
9148405582fb8a88949ed7b9202ce502

SHA1
c2ba8732a91eee6b358275a683960b1a82443b97

SHA256
1098786966c446baac621218dbbd788c49cc2a3b249137ce6da24fbdce520b17

SHA512
4f4ad59fd11e7088fdbc719262d627c6c1d4bcd8e6b32d0777d70d3704fd24510aa23b94259a185a2ea8dafe3df7632f4cd0e968ea85bc1367863f6c6c36acc7

Download Submit
C:\windows\JEI.exe.bat

Filesize
52B

MD5
d3d153d058047b6fbc2610642ac41e4b

SHA1
4d74d10ec49d88b44821cc8b854e00a75f9935b7

SHA256
21e7d6a03643eec72c7972cd5fc9fdf323ee62c97b1647160da89e44deee4831

SHA512
a072c5ecb30c7722dcc5dd32afbcff34a718dcc8c1c730fdb2e94c1bcb9ec8c7887d364627398fba5fa928e9b00a856f67c1b2344026c6cf460841b1f240ac13

Download Submit
C:\windows\JSBLDPX.exe

Filesize
208KB

MD5
7ae6b6096397add618f57dd1b7d0621d

SHA1
67dc12e5c245a151d101a7aa624eec74f6da1579

SHA256
75e8321d8e30ac7ccee1064b402b14dd9afbc1ddab2783a6abed2ce9867513f5

SHA512
d069d4cc24bc826f17e0d0958ddb5ef807d98f1fa461c767efe83edb7fda1f893aa5366278645f33b7b8c3f9ae4b62be7eaef8defadcbc4442c4d8afce5b59ed

Download Submit
C:\windows\JSBLDPX.exe.bat

Filesize
60B

MD5
5e775e8d162a471feb09ece6bc447dba

SHA1
2fc43973afadce0d784deba2990f0e46fce7de29

SHA256
75644f18f2f7c8fa114f14de2b5ec3099cd23a723d57505d41bf9a440fe857e2

SHA512
8071a96b42e241a2d4bf7a45c9ff3f2685ae95c5341fddb4883e5d881ff5a81718d1cb2934cc8fcc60fdfb8e32be28acf4b77cdc9d83c55948c29ffb88531bd4

Download Submit
C:\windows\KBXM.exe.bat

Filesize
54B

MD5
9935f8351dc10dd75c13aed59c9436fb

SHA1
f63598a068c6f561a26f3a588d5d12f58a27bb97

SHA256
f26d653965fd82abdcd0929904f00f03cf278f1f39fb18d2ccb453c853935127

SHA512
939dab4125fc396afac619779b10d62c84640411e648e4555ddffa1bdaf0ad3a802b07f1ebe9b62296e12299eb83d64220d2d899a509ce8ee7bb096c82decdd0

Download Submit
C:\windows\SysWOW64\AFIU.exe.bat

Filesize
72B

MD5
a152a94ac798ba8f6a23387d83595816

SHA1
50952560a19236a19724218c8da28a4878d563cc

SHA256
e5995fd72760359987d02a4f5117db01d24ed33c3737f0b3271e4bba02cdab34

SHA512
9253686c4a7c6e027e44440ce478325f71982ffbf72d243da21a077288b5b29b1e783aa3a50e5b2a9ea0462a67d58beea4796c7cbf473a671dafb9b5b454f531

Download Submit
C:\windows\SysWOW64\DRNND.exe.bat

Filesize
74B

MD5
c46b4e97ce5306209aa8c857d35f0097

SHA1
76a74228173ef9ede0a74c8687fa0d9cc5791dec

SHA256
b469a706522629eabfaf422d57e5eae292eb840fdff51aaa24ed9df6f66f20fa

SHA512
910e3fd221cb0ce6a8f5349299c3fe8d6744eb7fc9e6171e73e26eb8ca792a5ed08a7447babbf4c21880fde560e487cd37be6f4c332d16fc155f24001f016f13

Download Submit
C:\windows\SysWOW64\JUADOYO.exe

Filesize
208KB

MD5
d5d1998d760e197384d5ec122b8d9822

SHA1
19f79a9eff8261257215355dfe89a5e7da6693f8

SHA256
deffecce564254317d4585ea853bcfc081fad603c84d056e5dcd9a261a6c5348

SHA512
2cdb7f080fc7e359dd274306bca4973ec6adc4475096c390f738e85c86eec889558e5d1c4052ac04d16014d9096c8204d29caaf14a989bef55e9663b72713cb5

Download Submit
C:\windows\SysWOW64\JUADOYO.exe.bat

Filesize
78B

MD5
7861a44e76505b4af8e2bb191bd6140d

SHA1
b9750b71e92a9aeaf1eeaad0490a31394d3776db

SHA256
9615a598b2a95b142a60aa0966a72697f5fe6b8630f1041d47c985f5c508a944

SHA512
1328833674e88e055e8526d729b0d66d82b1e7e54b1bb7c28da3702fb1edb1b8c0afa8400b08e232a4cd885bdee1fea44072510ba47d8c3594ab00c511f90cc4

Download Submit
C:\windows\SysWOW64\OYXSZCL.exe

Filesize
208KB

MD5
dfe5e1fd72e3b5932a6d3c758d73a208

SHA1
b907c246bbc21c7dc37685d16a4f57b931a3ab84

SHA256
d4e05873e7061beb98b892ede14dc4d89e095fa4b1f3abbf2d2d3f4da61c9452

SHA512
e71392ea059b4f1185965a40f713abb479754ac29351d5e33117aaeae96dadcc3d80594e09652ed2d1ec581a562e1f38c7f8540ca9e60721cb9dcd4bb353118c

Download Submit
C:\windows\SysWOW64\OYXSZCL.exe.bat

Filesize
78B

MD5
1266f0a793dd872a7205ff4e4018cfdc

SHA1
453d592bb3ca28f90db58a7487ad4fc22afa78d7

SHA256
b9d384c633db75d9e7f4c00a484bb7a4e8cd4bf7d2cb2598671e1426b00b0ca3

SHA512
30317f48ce7fcec28ed571c44cb8f8fe72c6ac3c930f847ba934d8e83e0cd5b640e687aea446f7b6bf642a0250bcab185d4c62955e65af57b5e49d79e584aa4a

Download Submit
C:\windows\SysWOW64\RSTMG.exe.bat

Filesize
74B

MD5
4ad7ab46b37f7f572065d0346b60ce8c

SHA1
defcd082fd6db9a84741581e9e8d7edb4439494b

SHA256
6f72b20f1259aef9e94610f036bc86926f7ec7ab1f1254e3e50e8dbd5709bd1f

SHA512
77d17a861ad6d20f000a8d9aa59c781e5b319d7c07ac8f44d569029286f2d396d47aa762bee8482de481f1402ceaf12c03f8e68c84020102eca43d74b89d8549

Download Submit
C:\windows\SysWOW64\TJZAH.exe.bat

Filesize
74B

MD5
818019d832c64b06b74f8648018b9e88

SHA1
d0a6f7fe5b81d470db90c1b4135f69f2a25bcab8

SHA256
93f68b679bbc32687d0f01df41acd285bd6bcb008032928792ab62ebebf8867a

SHA512
2c5205b1bb2609f7be2fc6e1a3d755f0e76b894c43db8416525f6e4614b93549dbfa2ca076cb9a3f9027a17770b8d47b7f06e38ae299d5a587bf47545e9f11fe

Download Submit
C:\windows\SysWOW64\XYT.exe.bat

Filesize
70B

MD5
9cf4e69df5db3cb13b602b615dccd218

SHA1
9fc43e85e325ff2028019a5f68e43123b5590f69

SHA256
ca58ae04a05e40b92585bfb7ce92364a0ad92bcbd91cb48fe264c42d5e69bf0b

SHA512
a59c9a54317960968267cf469cad2d18eaa961f5e33b8e0052cf24ff71a57870cd5f04c942d5ec8b6d963b22e93b60f5aaf418a61f2c8a1979fa74cdb02011ab

Download Submit
C:\windows\SysWOW64\YAYTDH.exe.bat

Filesize
76B

MD5
e9206c579ef6e44b6ed9f60aaf8ae02e

SHA1
e0c3ead4ac35f564400541a7ff4090f9a91eb775

SHA256
85049baccb5886de1a8e7d77be97c1b22ca2d2548dc85824e558d3fa961a5a35

SHA512
ebe64e48fb1c438e4ae62d6165c64548abd50f5ce62b2145dafdd19b65750301c2955341ae6883c2bed332b2cd66fc72b74f6be38ce0fd09819f09e4f75285eb

Download Submit
C:\windows\XYJOW.exe.bat

Filesize
56B

MD5
d08140a215a662d5c32bc85a6d601266

SHA1
0ae637c7d0409b9663dacc90c14cad0b7d5f2b64

SHA256
2ef8bb6181914b05b5323383651e57502d37144eb25d0ef1e19c161a09abaea6

SHA512
9ee6286f2ee774c7cda8430dabbab677241a1d547cfeca02c4a2c2afd0d61f2bbee3967f19f59b00e03558a5251bc8ba9fe17eba413a71133bcaca3b884700d3

Download Submit
C:\windows\system\DTGEK.exe.bat

Filesize
70B

MD5
4cfd2e7275d0b97d4eefad9415ac844b

SHA1
eb3a3c1bb7e0b07d018a65596762b05eed37fde2

SHA256
3edf5c5c3f3dc556620e4198b3b63396b34566ddcfa7819bb0bdbc3d08fecd36

SHA512
8c895d797d86c1f5278e58b3cffa686d37ac927ce509ee150a4d765ccb37ca0d2179e2789ca35d8088085e9f21b58dcee08fddb27f30ae33d0748c2acd1eeba6

Download Submit
C:\windows\system\ICQJ.exe.bat

Filesize
68B

MD5
c2be2842bb290dfbe905c2f38e8142f5

SHA1
63d308da381b1030dd78944f255ab46a5fa0bddf

SHA256
2732dbc1216badb5ca07e6db6e76f7924f1ea844a128c7d147075996fdf33931

SHA512
6bff3b9a33fb7f608e2dcf100342adc7b5f6e60a8db0b7c1c4094e85b942a59074328b0283083f410ceae2f3e26a392fd034139d7bc26dddb7e0b671acd8c3ad

Download Submit
C:\windows\system\NPUGH.exe

Filesize
208KB

MD5
e5d77021a973cefa7c8c3824c8cb9448

SHA1
75b75bd8c8637d10697cd118477c8e8a63e389b5

SHA256
cb5ed4c1cca18a8eef1975490b6561ef52871a5706dd12561b252e270dbd737e

SHA512
182db49521043d0d80be9983ed0a1d7281ab42ac09b2f3f1d9ad5c9714b8a1a8a9f761f375cab065c1ce6182975854350c6ca0a31c99e4597b38a165a19ae97a

Download Submit
C:\windows\system\NPUGH.exe.bat

Filesize
70B

MD5
c21cdc20b155ca43b214a2f55e151cfd

SHA1
ced639e54336448d8d79f773a6ca1dac2b096b0d

SHA256
68703c05241bf04cf1f37173e4603c0e624b54c5d4617512d2f6a75bbad98511

SHA512
9b5686257b0d4d42f1de74f1ade03d2e48795da433fb74cec5fee980b47dda71c763f7c87ce5a2c4fb3809ec784f1b24f3ef5c1d9ece307c5e75a62cdff296b7

Download Submit
C:\windows\system\NQRJNK.exe.bat

Filesize
72B

MD5
be3045f0b7db9063901e415bb13f104b

SHA1
b4a437654fb7d874840b905076c76ca9156b427a

SHA256
9d5a69a0d1e788354f16bb9979d8d148521f06d203a1b0c1d1e39fec398a63de

SHA512
b158ee2d7d9d82bf0e097f389b7309a690fa49e29259bad3a6ed616df5db8a3f2b76fb21a29ce3b8db6dffa14e674376d9c88e44d1dbc50a732c8c3b38ecf0e8

Download Submit
C:\windows\system\NVTWL.exe.bat

Filesize
70B

MD5
1560a7edf60828ee33de257ffdbba5f2

SHA1
47b701fd68f31f4b18a1929c8c7e91e1c691762e

SHA256
3eaf3d4becbc4cb99d83322d9d2fa1f143b9a6623e8c6fc62e54c8da3f818d3f

SHA512
47caf85f49688b7100d864e9156ec4c3bdbf8fd0c5a78a421f7c8f0c2ffe59447c6de3a1e5c5f90d8e79e54f26e2d2e257c6eea017c87385fcae868720264bbb

Download Submit
C:\windows\system\SBQ.exe.bat

Filesize
66B

MD5
7c31034f2d2e98d013d901e0891570db

SHA1
0a98d4fb3c2b5339e9d24323decfb84f8a1f7896

SHA256
f875901b4ecf49b02784d98e67faeff52aabbc21e3d04fec7b92ba9640b2244d

SHA512
d64d8f8482c319ac9ee1a2d1a6aa1f2fc872c1d0c6ee7abcd008815b3b502ce90ce5c00a2496acf367f71e2423469ac024c034ff2db200cc9c6956b206c7329b

Download Submit
C:\windows\system\YOLOUO.exe.bat

Filesize
72B

MD5
faf5fb95389a45fc9baad38f4c62d98f

SHA1
4471465cd8af64a80bfd09dc9ce1ff8684eb6379

SHA256
192674cf8417e53a6301daf07299f255c342056c8775916b292262e097cda5ee

SHA512
5a7c51de5c61a22d792863530482644a1a4d7a764bb24af8769891434456e67a34379208d05feea5cd17a92f590f97a898a56c2d19f7d33a6ceb519b2c8d355a

Download Submit
memory/464-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/464-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/464-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/464-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/624-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/668-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/668-449-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/728-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/728-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1376-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1376-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1512-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1512-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1588-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1588-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-270-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1832-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1984-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1984-495-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2076-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2076-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2164-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2164-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2428-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2428-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2476-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2476-405-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2656-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2656-119-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2928-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2928-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3112-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3112-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3120-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3120-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3196-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3196-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3260-306-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3260-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3556-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3556-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3592-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3592-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4016-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4048-305-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4048-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-333-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4296-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4296-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4332-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4332-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4404-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4404-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4444-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4452-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4452-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4656-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4656-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4672-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5024-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5024-287-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5112-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5112-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download