d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
Size

448KB
MD5

e70b4bd8c73fc31e45b70f3fdc25fbc0
SHA1

014ad88900db361d35521dff1d0ae4bda7ed1ac1
SHA256

d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121
SHA512

b8694b316874c8f231fc3be4f95589aa3f15d3a9c2309b4b21c4b10aa2cab49b6f845ee57bce184e8d18d8064a456ca27b59c43bc7608968abbbe66bbfa990ad
SSDEEP

6144:AsOYejV06KkoVeJkslx4tkkT/ay++Jpm1QGg2kEjiPISUOgW9X+hOGzC/NM:3OYe+zi2tfpgNkmZzcukG2/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JAXQFX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RKDRNV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VOT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	QKGODW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	PKLYAOH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CPLV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JQGPDOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	MECDEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JQEQGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YMKNNEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	LCWO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	GZNY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YULRGVW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	MFYVIA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YASCXZK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VTYCIP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	QYZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	XXOBTZD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ZEKM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	HVZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	KGYWM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VMEIHVH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FKSDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BGWS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BEY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JFY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FYS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	QMAITJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	XFWHPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VCRNMGK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ILB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	EIF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FWGC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	LYLCM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	GIVAXX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ROI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	QYSIVTW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RZHJVTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WBIPL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	GBXMHP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BSXFM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	IKC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YECC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	MDRUBOP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	HNC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	XHPB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ZVNVQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SLRR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	GAERL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	YVZKGH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CPJWXZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TPNIG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CPHI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	GSWTYDX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BEEBOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FPXKH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TJE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	HTI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ISFRF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	LXXCZPD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	XGUTTR.exe

Executes dropped EXE 64 IoCs

pid	Process
3916	XJZAW.exe
3756	RXKQC.exe
4648	ZKXX.exe
3908	OAKOD.exe
1744	JLSNR.exe
4480	MECDEX.exe
3184	VMEIHVH.exe
4268	FKSDX.exe
1660	ISFRF.exe
1784	TLIKNY.exe
1920	WTDRDE.exe
1080	ROI.exe
2028	WOWDBT.exe
4372	LXXCZPD.exe
4916	CFLZ.exe
3164	MDRUBOP.exe
5028	CTEL.exe
3008	YTO.exe
1056	AHMEK.exe
4456	VCRNMGK.exe
2028	CIYJS.exe
5068	MFYVIA.exe
3756	SLRR.exe
1784	RWU.exe
1912	NCGKR.exe
1332	NEWYFG.exe
3652	JKR.exe
4456	YASCXZK.exe
4032	ILB.exe
1612	QYSIVTW.exe
2488	CPHI.exe
3740	DETJ.exe
4060	EIF.exe
2988	TYTE.exe
4460	ZTKFLI.exe
3872	VZR.exe
2480	GRMUNGS.exe
1680	RZHJVTO.exe
4152	CSK.exe
4024	DVAP.exe
4840	JQEQGZ.exe
2384	WBIPL.exe
4540	FMGD.exe
1908	PKLYAOH.exe
4172	LPYB.exe
3212	JQGPDOL.exe
4008	GBXMHP.exe
3720	BOC.exe
3828	MEX.exe
4828	GRUUK.exe
4956	FCR.exe
1324	GFVFH.exe
3672	BLHJSPI.exe
2288	KLJOW.exe
1576	FWGC.exe
4020	XRK.exe
4224	AHFMJO.exe
4912	XND.exe
4768	NNGOHC.exe
2384	VTYCIP.exe
996	LBBOZTG.exe
972	YMKNNEC.exe
1076	GSWTYDX.exe
3452	JAXQFX.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ZWADP.exe.bat	VOT.exe
File created	C:\windows\SysWOW64\NJCHC.exe	DQT.exe
File created	C:\windows\SysWOW64\HVZ.exe.bat	TPNIG.exe
File created	C:\windows\SysWOW64\WBIPL.exe	JQEQGZ.exe
File created	C:\windows\SysWOW64\BOC.exe.bat	GBXMHP.exe
File created	C:\windows\SysWOW64\XND.exe	AHFMJO.exe
File created	C:\windows\SysWOW64\LBBOZTG.exe	VTYCIP.exe
File created	C:\windows\SysWOW64\LBBOZTG.exe.bat	VTYCIP.exe
File created	C:\windows\SysWOW64\GAERL.exe.bat	RKDRNV.exe
File created	C:\windows\SysWOW64\HVZ.exe	TPNIG.exe
File created	C:\windows\SysWOW64\EBMKG.exe.bat	MJCCUX.exe
File created	C:\windows\SysWOW64\NCGKR.exe	RWU.exe
File created	C:\windows\SysWOW64\MCQQX.exe	NZTNFD.exe
File opened for modification	C:\windows\SysWOW64\QGGKVOA.exe	KGYWM.exe
File created	C:\windows\SysWOW64\LCWO.exe.bat	BEEBOA.exe
File opened for modification	C:\windows\SysWOW64\BLHJSPI.exe	GFVFH.exe
File created	C:\windows\SysWOW64\SMZ.exe.bat	BEY.exe
File created	C:\windows\SysWOW64\CSK.exe.bat	RZHJVTO.exe
File created	C:\windows\SysWOW64\GFVFH.exe	FCR.exe
File created	C:\windows\SysWOW64\FWGC.exe	KLJOW.exe
File created	C:\windows\SysWOW64\GSWTYDX.exe.bat	YMKNNEC.exe
File opened for modification	C:\windows\SysWOW64\HNC.exe	FPXKH.exe
File created	C:\windows\SysWOW64\DETJ.exe.bat	CPHI.exe
File created	C:\windows\SysWOW64\SMZ.exe	BEY.exe
File created	C:\windows\SysWOW64\ZHGYIR.exe.bat	YECC.exe
File created	C:\windows\SysWOW64\EIF.exe	DETJ.exe
File created	C:\windows\SysWOW64\CFLZ.exe.bat	LXXCZPD.exe
File opened for modification	C:\windows\SysWOW64\CPHI.exe	QYSIVTW.exe
File created	C:\windows\SysWOW64\PKLYAOH.exe.bat	FMGD.exe
File created	C:\windows\SysWOW64\BLHJSPI.exe.bat	GFVFH.exe
File created	C:\windows\SysWOW64\VTYCIP.exe.bat	NNGOHC.exe
File created	C:\windows\SysWOW64\FPXKH.exe	SMZ.exe
File created	C:\windows\SysWOW64\EBMKG.exe	MJCCUX.exe
File created	C:\windows\SysWOW64\WOWDBT.exe.bat	ROI.exe
File created	C:\windows\SysWOW64\BLHJSPI.exe	GFVFH.exe
File created	C:\windows\SysWOW64\HKIB.exe	QKGODW.exe
File opened for modification	C:\windows\SysWOW64\GFVFH.exe	FCR.exe
File created	C:\windows\SysWOW64\CSK.exe	RZHJVTO.exe
File opened for modification	C:\windows\SysWOW64\JQEQGZ.exe	DVAP.exe
File created	C:\windows\SysWOW64\FWGC.exe.bat	KLJOW.exe
File opened for modification	C:\windows\SysWOW64\YMKNNEC.exe	LBBOZTG.exe
File created	C:\windows\SysWOW64\YMKNNEC.exe.bat	LBBOZTG.exe
File opened for modification	C:\windows\SysWOW64\VOT.exe	HTI.exe
File created	C:\windows\SysWOW64\MDRUBOP.exe	CFLZ.exe
File opened for modification	C:\windows\SysWOW64\WBIPL.exe	JQEQGZ.exe
File created	C:\windows\SysWOW64\NNGOHC.exe.bat	XND.exe
File created	C:\windows\SysWOW64\GSWTYDX.exe	YMKNNEC.exe
File opened for modification	C:\windows\SysWOW64\XGUTTR.exe	NJCHC.exe
File created	C:\windows\SysWOW64\JFY.exe	ZHGYIR.exe
File created	C:\windows\SysWOW64\UAOFHG.exe	RSH.exe
File opened for modification	C:\windows\SysWOW64\UAOFHG.exe	RSH.exe
File created	C:\windows\SysWOW64\JLSNR.exe	OAKOD.exe
File created	C:\windows\SysWOW64\AHMEK.exe.bat	YTO.exe
File opened for modification	C:\windows\SysWOW64\EIF.exe	DETJ.exe
File created	C:\windows\SysWOW64\WOWDBT.exe	ROI.exe
File created	C:\windows\SysWOW64\PKLYAOH.exe	FMGD.exe
File opened for modification	C:\windows\SysWOW64\KLJOW.exe	BLHJSPI.exe
File opened for modification	C:\windows\SysWOW64\FPXKH.exe	SMZ.exe
File created	C:\windows\SysWOW64\VOT.exe.bat	HTI.exe
File created	C:\windows\SysWOW64\OAKOD.exe	ZKXX.exe
File opened for modification	C:\windows\SysWOW64\GSWTYDX.exe	YMKNNEC.exe
File created	C:\windows\SysWOW64\HNC.exe.bat	FPXKH.exe
File created	C:\windows\SysWOW64\XGUTTR.exe	NJCHC.exe
File created	C:\windows\SysWOW64\JFY.exe.bat	ZHGYIR.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\windows\VGSNXPW.exe.bat	TJE.exe
File created	C:\windows\GZNY.exe.bat	VGSNXPW.exe
File created	C:\windows\system\HTI.exe.bat	TIZ.exe
File created	C:\windows\CPJWXZ.exe	NUA.exe
File opened for modification	C:\windows\system\YASCXZK.exe	JKR.exe
File created	C:\windows\system\AHFMJO.exe.bat	XRK.exe
File created	C:\windows\system\ECSVBX.exe.bat	MCQQX.exe
File opened for modification	C:\windows\system\BGWS.exe	GIVAXX.exe
File opened for modification	C:\windows\system\XQLLPS.exe	ECSVBX.exe
File created	C:\windows\system\FYS.exe	CPJWXZ.exe
File created	C:\windows\VMEIHVH.exe	MECDEX.exe
File created	C:\windows\system\GBXMHP.exe.bat	JQGPDOL.exe
File opened for modification	C:\windows\XRK.exe	FWGC.exe
File created	C:\windows\JKR.exe.bat	NEWYFG.exe
File created	C:\windows\YVZKGH.exe	JFY.exe
File opened for modification	C:\windows\YVZKGH.exe	JFY.exe
File opened for modification	C:\windows\TVF.exe	HKIB.exe
File created	C:\windows\system\BEEBOA.exe	BGWS.exe
File created	C:\windows\system\RKDRNV.exe.bat	HNC.exe
File created	C:\windows\YBWP.exe.bat	FYS.exe
File opened for modification	C:\windows\system\BONYD.exe	YBWP.exe
File created	C:\windows\system\GRMUNGS.exe.bat	VZR.exe
File created	C:\windows\system\AHFMJO.exe	XRK.exe
File created	C:\windows\system\IKC.exe	WSHMCLF.exe
File created	C:\windows\system\RXKQC.exe	XJZAW.exe
File created	C:\windows\system\ZKXX.exe	RXKQC.exe
File created	C:\windows\ZTKFLI.exe.bat	TYTE.exe
File created	C:\windows\YULRGVW.exe.bat	QGGKVOA.exe
File created	C:\windows\ROI.exe.bat	WTDRDE.exe
File created	C:\windows\system\MFYVIA.exe	CIYJS.exe
File created	C:\windows\system\KGYWM.exe.bat	YIKE.exe
File opened for modification	C:\windows\TIZ.exe	XHPB.exe
File created	C:\windows\YBWP.exe	FYS.exe
File opened for modification	C:\windows\ZCARQF.exe	ZWADP.exe
File opened for modification	C:\windows\YIKE.exe	HVZ.exe
File created	C:\windows\system\MFYVIA.exe.bat	CIYJS.exe
File created	C:\windows\LPYB.exe.bat	PKLYAOH.exe
File created	C:\windows\HDUFA.exe	GAERL.exe
File created	C:\windows\LYLCM.exe.bat	JAXQFX.exe
File created	C:\windows\system\FKSDX.exe.bat	VMEIHVH.exe
File opened for modification	C:\windows\system\MEX.exe	BOC.exe
File created	C:\windows\XRK.exe.bat	FWGC.exe
File opened for modification	C:\windows\system\RKDRNV.exe	HNC.exe
File created	C:\windows\ISFRF.exe	FKSDX.exe
File created	C:\windows\system\GRUUK.exe	MEX.exe
File created	C:\windows\system\PNVYBX.exe	BSXFM.exe
File created	C:\windows\SLRR.exe	MFYVIA.exe
File created	C:\windows\system\KGYWM.exe	YIKE.exe
File created	C:\windows\ZTKFLI.exe	TYTE.exe
File created	C:\windows\FMGD.exe	WBIPL.exe
File opened for modification	C:\windows\ISFRF.exe	FKSDX.exe
File created	C:\windows\system\RWU.exe.bat	SLRR.exe
File created	C:\windows\YVZKGH.exe.bat	JFY.exe
File created	C:\windows\XFWHPB.exe	YULRGVW.exe
File opened for modification	C:\windows\system\ZKXX.exe	RXKQC.exe
File created	C:\windows\system\FCR.exe	GRUUK.exe
File opened for modification	C:\windows\WSHMCLF.exe	XXOBTZD.exe
File opened for modification	C:\windows\system\PNVYBX.exe	BSXFM.exe
File opened for modification	C:\windows\system\HTI.exe	TIZ.exe
File created	C:\windows\MJCCUX.exe	UAOFHG.exe
File opened for modification	C:\windows\system\FKSDX.exe	VMEIHVH.exe
File opened for modification	C:\windows\system\TLIKNY.exe	ISFRF.exe
File created	C:\windows\system\XXOBTZD.exe	CBKSI.exe
File opened for modification	C:\windows\system\KGYWM.exe	YIKE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
680	348	WerFault.exe	82
5036	3916	WerFault.exe	90
368	3756	WerFault.exe	96
3740	4648	WerFault.exe	101
3368	3908	WerFault.exe	106
4412	1744	WerFault.exe	111
4432	4480	WerFault.exe	116
4408	3184	WerFault.exe	121
2432	4268	WerFault.exe	126
1128	1660	WerFault.exe	131
2080	1784	WerFault.exe	136
1508	1920	WerFault.exe	141
4568	1080	WerFault.exe	146
1292	2028	WerFault.exe	151
2820	4372	WerFault.exe	158
2156	4916	WerFault.exe	165
4736	3164	WerFault.exe	170
2304	5028	WerFault.exe	175
1920	3008	WerFault.exe	182
2864	1056	WerFault.exe	187
4932	4456	WerFault.exe	192
1500	2028	WerFault.exe	198
4052	5068	WerFault.exe	205
2432	3756	WerFault.exe	210
3784	1784	WerFault.exe	216
4804	1912	WerFault.exe	221
1484	1332	WerFault.exe	226
4064	3652	WerFault.exe	231
2544	4456	WerFault.exe	236
4208	4032	WerFault.exe	241
3208	1612	WerFault.exe	246
3556	2488	WerFault.exe	251
2864	3740	WerFault.exe	258
1200	4060	WerFault.exe	263
3316	2988	WerFault.exe	268
1052	4460	WerFault.exe	273
3224	3872	WerFault.exe	278
908	2480	WerFault.exe	283
1520	1680	WerFault.exe	288
2672	4152	WerFault.exe	293
4608	4024	WerFault.exe	298
4372	4840	WerFault.exe	303
2544	2384	WerFault.exe	308
2156	4540	WerFault.exe	312
3624	1908	WerFault.exe	318
1560	4172	WerFault.exe	323
4968	3212	WerFault.exe	328
4020	4008	WerFault.exe	333
3372	3720	WerFault.exe	338
2492	3828	WerFault.exe	343
1160	4828	WerFault.exe	348
2644	4956	WerFault.exe	353
1620	1324	WerFault.exe	358
1920	3672	WerFault.exe	363
3744	2288	WerFault.exe	368
4132	1576	WerFault.exe	373
5036	4020	WerFault.exe	378
1896	4224	WerFault.exe	383
2988	4912	WerFault.exe	388
3912	4768	WerFault.exe	393
1712	2384	WerFault.exe	398
1168	996	WerFault.exe	403
3940	972	WerFault.exe	408
1856	1076	WerFault.exe	413

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LBBOZTG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QYZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WOWDBT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LXXCZPD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BEEBOA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CPLV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WTDRDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DVAP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LCWO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XBAFLW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XHPB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AHFMJO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MDRUBOP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMGD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLHJSPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZHGYIR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TIZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YULRGVW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YASCXZK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RZHJVTO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XRK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XXOBTZD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CIYJS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XFWHPB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QGGKVOA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CBKSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
3916	XJZAW.exe
3916	XJZAW.exe
3756	RXKQC.exe
3756	RXKQC.exe
4648	ZKXX.exe
4648	ZKXX.exe
3908	OAKOD.exe
3908	OAKOD.exe
1744	JLSNR.exe
1744	JLSNR.exe
4480	MECDEX.exe
4480	MECDEX.exe
3184	VMEIHVH.exe
3184	VMEIHVH.exe
4268	FKSDX.exe
4268	FKSDX.exe
1660	ISFRF.exe
1660	ISFRF.exe
1784	TLIKNY.exe
1784	TLIKNY.exe
1920	WTDRDE.exe
1920	WTDRDE.exe
1080	ROI.exe
1080	ROI.exe
2028	WOWDBT.exe
2028	WOWDBT.exe
4372	LXXCZPD.exe
4372	LXXCZPD.exe
4916	CFLZ.exe
4916	CFLZ.exe
3164	MDRUBOP.exe
3164	MDRUBOP.exe
5028	CTEL.exe
5028	CTEL.exe
3008	YTO.exe
3008	YTO.exe
1056	AHMEK.exe
1056	AHMEK.exe
4456	VCRNMGK.exe
4456	VCRNMGK.exe
2028	CIYJS.exe
2028	CIYJS.exe
5068	MFYVIA.exe
5068	MFYVIA.exe
3756	SLRR.exe
3756	SLRR.exe
1784	RWU.exe
1784	RWU.exe
1912	NCGKR.exe
1912	NCGKR.exe
1332	NEWYFG.exe
1332	NEWYFG.exe
3652	JKR.exe
3652	JKR.exe
4456	YASCXZK.exe
4456	YASCXZK.exe
4032	ILB.exe
4032	ILB.exe
1612	QYSIVTW.exe
1612	QYSIVTW.exe
2488	CPHI.exe
2488	CPHI.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
3916	XJZAW.exe
3916	XJZAW.exe
3756	RXKQC.exe
3756	RXKQC.exe
4648	ZKXX.exe
4648	ZKXX.exe
3908	OAKOD.exe
3908	OAKOD.exe
1744	JLSNR.exe
1744	JLSNR.exe
4480	MECDEX.exe
4480	MECDEX.exe
3184	VMEIHVH.exe
3184	VMEIHVH.exe
4268	FKSDX.exe
4268	FKSDX.exe
1660	ISFRF.exe
1660	ISFRF.exe
1784	TLIKNY.exe
1784	TLIKNY.exe
1920	WTDRDE.exe
1920	WTDRDE.exe
1080	ROI.exe
1080	ROI.exe
2028	WOWDBT.exe
2028	WOWDBT.exe
4372	LXXCZPD.exe
4372	LXXCZPD.exe
4916	CFLZ.exe
4916	CFLZ.exe
3164	MDRUBOP.exe
3164	MDRUBOP.exe
5028	CTEL.exe
5028	CTEL.exe
3008	YTO.exe
3008	YTO.exe
1056	AHMEK.exe
1056	AHMEK.exe
4456	VCRNMGK.exe
4456	VCRNMGK.exe
2028	CIYJS.exe
2028	CIYJS.exe
5068	MFYVIA.exe
5068	MFYVIA.exe
3756	SLRR.exe
3756	SLRR.exe
1784	RWU.exe
1784	RWU.exe
1912	NCGKR.exe
1912	NCGKR.exe
1332	NEWYFG.exe
1332	NEWYFG.exe
3652	JKR.exe
3652	JKR.exe
4456	YASCXZK.exe
4456	YASCXZK.exe
4032	ILB.exe
4032	ILB.exe
1612	QYSIVTW.exe
1612	QYSIVTW.exe
2488	CPHI.exe
2488	CPHI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 4916	348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe	86
PID 348 wrote to memory of 4916	348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe	86
PID 348 wrote to memory of 4916	348	d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe	86
PID 4916 wrote to memory of 3916	4916	cmd.exe	90
PID 4916 wrote to memory of 3916	4916	cmd.exe	90
PID 4916 wrote to memory of 3916	4916	cmd.exe	90
PID 3916 wrote to memory of 1792	3916	XJZAW.exe	92
PID 3916 wrote to memory of 1792	3916	XJZAW.exe	92
PID 3916 wrote to memory of 1792	3916	XJZAW.exe	92
PID 1792 wrote to memory of 3756	1792	cmd.exe	96
PID 1792 wrote to memory of 3756	1792	cmd.exe	96
PID 1792 wrote to memory of 3756	1792	cmd.exe	96
PID 3756 wrote to memory of 1808	3756	RXKQC.exe	97
PID 3756 wrote to memory of 1808	3756	RXKQC.exe	97
PID 3756 wrote to memory of 1808	3756	RXKQC.exe	97
PID 1808 wrote to memory of 4648	1808	cmd.exe	101
PID 1808 wrote to memory of 4648	1808	cmd.exe	101
PID 1808 wrote to memory of 4648	1808	cmd.exe	101
PID 4648 wrote to memory of 2596	4648	ZKXX.exe	102
PID 4648 wrote to memory of 2596	4648	ZKXX.exe	102
PID 4648 wrote to memory of 2596	4648	ZKXX.exe	102
PID 2596 wrote to memory of 3908	2596	cmd.exe	106
PID 2596 wrote to memory of 3908	2596	cmd.exe	106
PID 2596 wrote to memory of 3908	2596	cmd.exe	106
PID 3908 wrote to memory of 4796	3908	OAKOD.exe	107
PID 3908 wrote to memory of 4796	3908	OAKOD.exe	107
PID 3908 wrote to memory of 4796	3908	OAKOD.exe	107
PID 4796 wrote to memory of 1744	4796	cmd.exe	111
PID 4796 wrote to memory of 1744	4796	cmd.exe	111
PID 4796 wrote to memory of 1744	4796	cmd.exe	111
PID 1744 wrote to memory of 2336	1744	JLSNR.exe	112
PID 1744 wrote to memory of 2336	1744	JLSNR.exe	112
PID 1744 wrote to memory of 2336	1744	JLSNR.exe	112
PID 2336 wrote to memory of 4480	2336	cmd.exe	116
PID 2336 wrote to memory of 4480	2336	cmd.exe	116
PID 2336 wrote to memory of 4480	2336	cmd.exe	116
PID 4480 wrote to memory of 4188	4480	MECDEX.exe	117
PID 4480 wrote to memory of 4188	4480	MECDEX.exe	117
PID 4480 wrote to memory of 4188	4480	MECDEX.exe	117
PID 4188 wrote to memory of 3184	4188	cmd.exe	121
PID 4188 wrote to memory of 3184	4188	cmd.exe	121
PID 4188 wrote to memory of 3184	4188	cmd.exe	121
PID 3184 wrote to memory of 4392	3184	VMEIHVH.exe	122
PID 3184 wrote to memory of 4392	3184	VMEIHVH.exe	122
PID 3184 wrote to memory of 4392	3184	VMEIHVH.exe	122
PID 4392 wrote to memory of 4268	4392	cmd.exe	126
PID 4392 wrote to memory of 4268	4392	cmd.exe	126
PID 4392 wrote to memory of 4268	4392	cmd.exe	126
PID 4268 wrote to memory of 1572	4268	FKSDX.exe	127
PID 4268 wrote to memory of 1572	4268	FKSDX.exe	127
PID 4268 wrote to memory of 1572	4268	FKSDX.exe	127
PID 1572 wrote to memory of 1660	1572	cmd.exe	131
PID 1572 wrote to memory of 1660	1572	cmd.exe	131
PID 1572 wrote to memory of 1660	1572	cmd.exe	131
PID 1660 wrote to memory of 3164	1660	ISFRF.exe	132
PID 1660 wrote to memory of 3164	1660	ISFRF.exe	132
PID 1660 wrote to memory of 3164	1660	ISFRF.exe	132
PID 3164 wrote to memory of 1784	3164	cmd.exe	136
PID 3164 wrote to memory of 1784	3164	cmd.exe	136
PID 3164 wrote to memory of 1784	3164	cmd.exe	136
PID 1784 wrote to memory of 1900	1784	TLIKNY.exe	137
PID 1784 wrote to memory of 1900	1784	TLIKNY.exe	137
PID 1784 wrote to memory of 1900	1784	TLIKNY.exe	137
PID 1900 wrote to memory of 1920	1900	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe
"C:\Users\Admin\AppData\Local\Temp\d4d3893fde967246cde6d862b50bf55ef13a8337867b33bbe8ca577adc8c6121N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\XJZAW.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\windows\XJZAW.exe
    C:\windows\XJZAW.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXKQC.exe.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\windows\system\RXKQC.exe
        
        C:\windows\system\RXKQC.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZKXX.exe.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\windows\system\ZKXX.exe
        
        C:\windows\system\ZKXX.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OAKOD.exe.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\windows\SysWOW64\OAKOD.exe
        
        C:\windows\system32\OAKOD.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLSNR.exe.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\windows\SysWOW64\JLSNR.exe
        
        C:\windows\system32\JLSNR.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MECDEX.exe.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\windows\SysWOW64\MECDEX.exe
        
        C:\windows\system32\MECDEX.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VMEIHVH.exe.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\windows\VMEIHVH.exe
        
        C:\windows\VMEIHVH.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKSDX.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\windows\system\FKSDX.exe
        
        C:\windows\system\FKSDX.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ISFRF.exe.bat" "
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\windows\ISFRF.exe
        
        C:\windows\ISFRF.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\TLIKNY.exe.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\windows\system\TLIKNY.exe
        
        C:\windows\system\TLIKNY.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\WTDRDE.exe.bat" "
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\windows\system\WTDRDE.exe
        
        C:\windows\system\WTDRDE.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ROI.exe.bat" "
        24⤵
        
        PID:2928
        
        C:\windows\ROI.exe
        
        C:\windows\ROI.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOWDBT.exe.bat" "
        26⤵
        
        PID:1056
        
        C:\windows\SysWOW64\WOWDBT.exe
        
        C:\windows\system32\WOWDBT.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LXXCZPD.exe.bat" "
        28⤵
        
        PID:4924
        
        C:\windows\LXXCZPD.exe
        
        C:\windows\LXXCZPD.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CFLZ.exe.bat" "
        30⤵
        
        PID:2176
        
        C:\windows\SysWOW64\CFLZ.exe
        
        C:\windows\system32\CFLZ.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDRUBOP.exe.bat" "
        32⤵
        
        PID:3104
        
        C:\windows\SysWOW64\MDRUBOP.exe
        
        C:\windows\system32\MDRUBOP.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CTEL.exe.bat" "
        34⤵
        
        PID:3872
        
        C:\windows\CTEL.exe
        
        C:\windows\CTEL.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTO.exe.bat" "
        36⤵
        
        PID:620
        
        C:\windows\system\YTO.exe
        
        C:\windows\system\YTO.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AHMEK.exe.bat" "
        38⤵
        
        PID:2012
        
        C:\windows\SysWOW64\AHMEK.exe
        
        C:\windows\system32\AHMEK.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VCRNMGK.exe.bat" "
        40⤵
        
        PID:4896
        
        C:\windows\SysWOW64\VCRNMGK.exe
        
        C:\windows\system32\VCRNMGK.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "
        42⤵
        
        PID:4592
        
        C:\windows\CIYJS.exe
        
        C:\windows\CIYJS.exe
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MFYVIA.exe.bat" "
        44⤵
        
        PID:468
        
        C:\windows\system\MFYVIA.exe
        
        C:\windows\system\MFYVIA.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\SLRR.exe.bat" "
        46⤵
        
        PID:4916
        
        C:\windows\SLRR.exe
        
        C:\windows\SLRR.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWU.exe.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\windows\system\RWU.exe
        
        C:\windows\system\RWU.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCGKR.exe.bat" "
        50⤵
        
        PID:888
        
        C:\windows\SysWOW64\NCGKR.exe
        
        C:\windows\system32\NCGKR.exe
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NEWYFG.exe.bat" "
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\windows\NEWYFG.exe
        
        C:\windows\NEWYFG.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JKR.exe.bat" "
        54⤵
        
        PID:4060
        
        C:\windows\JKR.exe
        
        C:\windows\JKR.exe
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YASCXZK.exe.bat" "
        56⤵
        
        PID:4632
        
        C:\windows\system\YASCXZK.exe
        
        C:\windows\system\YASCXZK.exe
        57⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILB.exe.bat" "
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\windows\system\ILB.exe
        
        C:\windows\system\ILB.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QYSIVTW.exe.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\windows\system\QYSIVTW.exe
        
        C:\windows\system\QYSIVTW.exe
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPHI.exe.bat" "
        62⤵
        
        PID:4080
        
        C:\windows\SysWOW64\CPHI.exe
        
        C:\windows\system32\CPHI.exe
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DETJ.exe.bat" "
        64⤵
        
        PID:1456
        
        C:\windows\SysWOW64\DETJ.exe
        
        C:\windows\system32\DETJ.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EIF.exe.bat" "
        66⤵
        
        PID:3668
        
        C:\windows\SysWOW64\EIF.exe
        
        C:\windows\system32\EIF.exe
        67⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TYTE.exe.bat" "
        68⤵
        
        PID:1840
        
        C:\windows\TYTE.exe
        
        C:\windows\TYTE.exe
        69⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZTKFLI.exe.bat" "
        70⤵
        
        PID:3372
        
        C:\windows\ZTKFLI.exe
        
        C:\windows\ZTKFLI.exe
        71⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VZR.exe.bat" "
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\windows\SysWOW64\VZR.exe
        
        C:\windows\system32\VZR.exe
        73⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRMUNGS.exe.bat" "
        74⤵
        
        PID:4052
        
        C:\windows\system\GRMUNGS.exe
        
        C:\windows\system\GRMUNGS.exe
        75⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RZHJVTO.exe.bat" "
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\windows\system\RZHJVTO.exe
        
        C:\windows\system\RZHJVTO.exe
        77⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSK.exe.bat" "
        78⤵
        
        PID:2984
        
        C:\windows\SysWOW64\CSK.exe
        
        C:\windows\system32\CSK.exe
        79⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\DVAP.exe.bat" "
        80⤵
        
        PID:1660
        
        C:\windows\DVAP.exe
        
        C:\windows\DVAP.exe
        81⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQEQGZ.exe.bat" "
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\windows\SysWOW64\JQEQGZ.exe
        
        C:\windows\system32\JQEQGZ.exe
        83⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WBIPL.exe.bat" "
        84⤵
        
        PID:60
        
        C:\windows\SysWOW64\WBIPL.exe
        
        C:\windows\system32\WBIPL.exe
        85⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\FMGD.exe.bat" "
        86⤵
        
        PID:1876
        
        C:\windows\FMGD.exe
        
        C:\windows\FMGD.exe
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PKLYAOH.exe.bat" "
        88⤵
        
        PID:2476
        
        C:\windows\SysWOW64\PKLYAOH.exe
        
        C:\windows\system32\PKLYAOH.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LPYB.exe.bat" "
        90⤵
        
        PID:4384
        
        C:\windows\LPYB.exe
        
        C:\windows\LPYB.exe
        91⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\JQGPDOL.exe.bat" "
        92⤵
        
        PID:3888
        
        C:\windows\JQGPDOL.exe
        
        C:\windows\JQGPDOL.exe
        93⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "
        94⤵
        
        PID:888
        
        C:\windows\system\GBXMHP.exe
        
        C:\windows\system\GBXMHP.exe
        95⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BOC.exe.bat" "
        96⤵
        
        PID:3744
        
        C:\windows\SysWOW64\BOC.exe
        
        C:\windows\system32\BOC.exe
        97⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEX.exe.bat" "
        98⤵
        
        PID:4376
        
        C:\windows\system\MEX.exe
        
        C:\windows\system\MEX.exe
        99⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRUUK.exe.bat" "
        100⤵
        
        PID:1808
        
        C:\windows\system\GRUUK.exe
        
        C:\windows\system\GRUUK.exe
        101⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCR.exe.bat" "
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\windows\system\FCR.exe
        
        C:\windows\system\FCR.exe
        103⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFVFH.exe.bat" "
        104⤵
        
        PID:4348
        
        C:\windows\SysWOW64\GFVFH.exe
        
        C:\windows\system32\GFVFH.exe
        105⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BLHJSPI.exe.bat" "
        106⤵
        
        PID:5040
        
        C:\windows\SysWOW64\BLHJSPI.exe
        
        C:\windows\system32\BLHJSPI.exe
        107⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KLJOW.exe.bat" "
        108⤵
        
        PID:4932
        
        C:\windows\SysWOW64\KLJOW.exe
        
        C:\windows\system32\KLJOW.exe
        109⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWGC.exe.bat" "
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\windows\SysWOW64\FWGC.exe
        
        C:\windows\system32\FWGC.exe
        111⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XRK.exe.bat" "
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\windows\XRK.exe
        
        C:\windows\XRK.exe
        113⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHFMJO.exe.bat" "
        114⤵
        
        PID:4268
        
        C:\windows\system\AHFMJO.exe
        
        C:\windows\system\AHFMJO.exe
        115⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XND.exe.bat" "
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\windows\SysWOW64\XND.exe
        
        C:\windows\system32\XND.exe
        117⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNGOHC.exe.bat" "
        118⤵
        
        PID:4052
        
        C:\windows\SysWOW64\NNGOHC.exe
        
        C:\windows\system32\NNGOHC.exe
        119⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYCIP.exe.bat" "
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\windows\SysWOW64\VTYCIP.exe
        
        C:\windows\system32\VTYCIP.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBBOZTG.exe.bat" "
        122⤵
        
        PID:4208
        
        C:\windows\SysWOW64\LBBOZTG.exe
        
        C:\windows\system32\LBBOZTG.exe
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YMKNNEC.exe.bat" "
        124⤵
        
        PID:3216
        
        C:\windows\SysWOW64\YMKNNEC.exe
        
        C:\windows\system32\YMKNNEC.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GSWTYDX.exe.bat" "
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\windows\SysWOW64\GSWTYDX.exe
        
        C:\windows\system32\GSWTYDX.exe
        127⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\JAXQFX.exe.bat" "
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\windows\system\JAXQFX.exe
        
        C:\windows\system\JAXQFX.exe
        129⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\LYLCM.exe.bat" "
        130⤵
        
        PID:1328
        
        C:\windows\LYLCM.exe
        
        C:\windows\LYLCM.exe
        131⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QYZ.exe.bat" "
        132⤵
        
        PID:4520
        
        C:\windows\system\QYZ.exe
        
        C:\windows\system\QYZ.exe
        133⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CBKSI.exe.bat" "
        134⤵
        
        PID:2328
        
        C:\windows\CBKSI.exe
        
        C:\windows\CBKSI.exe
        135⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XXOBTZD.exe.bat" "
        136⤵
        
        PID:3436
        
        C:\windows\system\XXOBTZD.exe
        
        C:\windows\system\XXOBTZD.exe
        137⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\WSHMCLF.exe.bat" "
        138⤵
        
        PID:4576
        
        C:\windows\WSHMCLF.exe
        
        C:\windows\WSHMCLF.exe
        139⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\IKC.exe.bat" "
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\windows\system\IKC.exe
        
        C:\windows\system\IKC.exe
        141⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GIVAXX.exe.bat" "
        142⤵
        
        PID:1616
        
        C:\windows\GIVAXX.exe
        
        C:\windows\GIVAXX.exe
        143⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGWS.exe.bat" "
        144⤵
        
        PID:3312
        
        C:\windows\system\BGWS.exe
        
        C:\windows\system\BGWS.exe
        145⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEEBOA.exe.bat" "
        146⤵
        
        PID:3964
        
        C:\windows\system\BEEBOA.exe
        
        C:\windows\system\BEEBOA.exe
        147⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCWO.exe.bat" "
        148⤵
        
        PID:1096
        
        C:\windows\SysWOW64\LCWO.exe
        
        C:\windows\system32\LCWO.exe
        149⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\BSXFM.exe.bat" "
        150⤵
        
        PID:4064
        
        C:\windows\BSXFM.exe
        
        C:\windows\BSXFM.exe
        151⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNVYBX.exe.bat" "
        152⤵
        
        PID:2196
        
        C:\windows\system\PNVYBX.exe
        
        C:\windows\system\PNVYBX.exe
        153⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBAFLW.exe.bat" "
        154⤵
        
        PID:1080
        
        C:\windows\SysWOW64\XBAFLW.exe
        
        C:\windows\system32\XBAFLW.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEY.exe.bat" "
        156⤵
        
        PID:4516
        
        C:\windows\system\BEY.exe
        
        C:\windows\system\BEY.exe
        157⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMZ.exe.bat" "
        158⤵
        
        PID:4448
        
        C:\windows\SysWOW64\SMZ.exe
        
        C:\windows\system32\SMZ.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FPXKH.exe.bat" "
        160⤵
        
        PID:2640
        
        C:\windows\SysWOW64\FPXKH.exe
        
        C:\windows\system32\FPXKH.exe
        161⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNC.exe.bat" "
        162⤵
        
        PID:1056
        
        C:\windows\SysWOW64\HNC.exe
        
        C:\windows\system32\HNC.exe
        163⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKDRNV.exe.bat" "
        164⤵
        
        PID:2604
        
        C:\windows\system\RKDRNV.exe
        
        C:\windows\system\RKDRNV.exe
        165⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GAERL.exe.bat" "
        166⤵
        
        PID:872
        
        C:\windows\SysWOW64\GAERL.exe
        
        C:\windows\system32\GAERL.exe
        167⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HDUFA.exe.bat" "
        168⤵
        
        PID:2596
        
        C:\windows\HDUFA.exe
        
        C:\windows\HDUFA.exe
        169⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZTNFD.exe.bat" "
        170⤵
        
        PID:4052
        
        C:\windows\SysWOW64\NZTNFD.exe
        
        C:\windows\system32\NZTNFD.exe
        171⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MCQQX.exe.bat" "
        172⤵
        
        PID:632
        
        C:\windows\SysWOW64\MCQQX.exe
        
        C:\windows\system32\MCQQX.exe
        173⤵
        Drops file in Windows directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ECSVBX.exe.bat" "
        174⤵
        
        PID:1616
        
        C:\windows\system\ECSVBX.exe
        
        C:\windows\system\ECSVBX.exe
        175⤵
        Drops file in Windows directory
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQLLPS.exe.bat" "
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\windows\system\XQLLPS.exe
        
        C:\windows\system\XQLLPS.exe
        177⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQT.exe.bat" "
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\windows\system\DQT.exe
        
        C:\windows\system\DQT.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJCHC.exe.bat" "
        180⤵
        
        PID:3452
        
        C:\windows\SysWOW64\NJCHC.exe
        
        C:\windows\system32\NJCHC.exe
        181⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XGUTTR.exe.bat" "
        182⤵
        
        PID:1520
        
        C:\windows\SysWOW64\XGUTTR.exe
        
        C:\windows\system32\XGUTTR.exe
        183⤵
        Checks computer location settings
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\YECC.exe.bat" "
        184⤵
        
        PID:2500
        
        C:\windows\system\YECC.exe
        
        C:\windows\system\YECC.exe
        185⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZHGYIR.exe.bat" "
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\windows\SysWOW64\ZHGYIR.exe
        
        C:\windows\system32\ZHGYIR.exe
        187⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFY.exe.bat" "
        188⤵
        
        PID:4072
        
        C:\windows\SysWOW64\JFY.exe
        
        C:\windows\system32\JFY.exe
        189⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YVZKGH.exe.bat" "
        190⤵
        
        PID:4812
        
        C:\windows\YVZKGH.exe
        
        C:\windows\YVZKGH.exe
        191⤵
        Checks computer location settings
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TJE.exe.bat" "
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\windows\TJE.exe
        
        C:\windows\TJE.exe
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VGSNXPW.exe.bat" "
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\windows\VGSNXPW.exe
        
        C:\windows\VGSNXPW.exe
        195⤵
        Drops file in Windows directory
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\GZNY.exe.bat" "
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\windows\GZNY.exe
        
        C:\windows\GZNY.exe
        197⤵
        Checks computer location settings
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NKKO.exe.bat" "
        198⤵
        
        PID:2068
        
        C:\windows\NKKO.exe
        
        C:\windows\NKKO.exe
        199⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\XHPB.exe.bat" "
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\windows\system\XHPB.exe
        
        C:\windows\system\XHPB.exe
        201⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TIZ.exe.bat" "
        202⤵
        
        PID:4676
        
        C:\windows\TIZ.exe
        
        C:\windows\TIZ.exe
        203⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\HTI.exe.bat" "
        204⤵
        
        PID:2864
        
        C:\windows\system\HTI.exe
        
        C:\windows\system\HTI.exe
        205⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VOT.exe.bat" "
        206⤵
        
        PID:3740
        
        C:\windows\SysWOW64\VOT.exe
        
        C:\windows\system32\VOT.exe
        207⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZWADP.exe.bat" "
        208⤵
        
        PID:1752
        
        C:\windows\SysWOW64\ZWADP.exe
        
        C:\windows\system32\ZWADP.exe
        209⤵
        Drops file in Windows directory
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZCARQF.exe.bat" "
        210⤵
        
        PID:4184
        
        C:\windows\ZCARQF.exe
        
        C:\windows\ZCARQF.exe
        211⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\QKGODW.exe.bat" "
        212⤵
        
        PID:2324
        
        C:\windows\system\QKGODW.exe
        
        C:\windows\system\QKGODW.exe
        213⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HKIB.exe.bat" "
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\windows\SysWOW64\HKIB.exe
        
        C:\windows\system32\HKIB.exe
        215⤵
        Drops file in Windows directory
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\TVF.exe.bat" "
        216⤵
        
        PID:1856
        
        C:\windows\TVF.exe
        
        C:\windows\TVF.exe
        217⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\ZVNVQ.exe.bat" "
        218⤵
        
        PID:3968
        
        C:\windows\ZVNVQ.exe
        
        C:\windows\ZVNVQ.exe
        219⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATHWB.exe.bat" "
        220⤵
        
        PID:2676
        
        C:\windows\SysWOW64\ATHWB.exe
        
        C:\windows\system32\ATHWB.exe
        221⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZEKM.exe.bat" "
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\windows\system\ZEKM.exe
        
        C:\windows\system\ZEKM.exe
        223⤵
        Checks computer location settings
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\NUA.exe.bat" "
        224⤵
        
        PID:1264
        
        C:\windows\NUA.exe
        
        C:\windows\NUA.exe
        225⤵
        Drops file in Windows directory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CPJWXZ.exe.bat" "
        226⤵
        
        PID:2560
        
        C:\windows\CPJWXZ.exe
        
        C:\windows\CPJWXZ.exe
        227⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\FYS.exe.bat" "
        228⤵
        
        PID:4184
        
        C:\windows\system\FYS.exe
        
        C:\windows\system\FYS.exe
        229⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YBWP.exe.bat" "
        230⤵
        
        PID:2788
        
        C:\windows\YBWP.exe
        
        C:\windows\YBWP.exe
        231⤵
        Drops file in Windows directory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\BONYD.exe.bat" "
        232⤵
        
        PID:2800
        
        C:\windows\system\BONYD.exe
        
        C:\windows\system\BONYD.exe
        233⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMAITJU.exe.bat" "
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\windows\SysWOW64\QMAITJU.exe
        
        C:\windows\system32\QMAITJU.exe
        235⤵
        Checks computer location settings
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CPLV.exe.bat" "
        236⤵
        
        PID:3104
        
        C:\windows\CPLV.exe
        
        C:\windows\CPLV.exe
        237⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPNIG.exe.bat" "
        238⤵
        
        PID:4916
        
        C:\windows\SysWOW64\TPNIG.exe
        
        C:\windows\system32\TPNIG.exe
        239⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVZ.exe.bat" "
        240⤵
        
        PID:1392
        
        C:\windows\SysWOW64\HVZ.exe
        
        C:\windows\system32\HVZ.exe
        241⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YIKE.exe.bat" "
        242⤵
        
        PID:2020
        
        C:\windows\YIKE.exe
        
        C:\windows\YIKE.exe
        243⤵
        Drops file in Windows directory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system\KGYWM.exe.bat" "
        244⤵
        
        PID:368
        
        C:\windows\system\KGYWM.exe
        
        C:\windows\system\KGYWM.exe
        245⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGGKVOA.exe.bat" "
        246⤵
        
        PID:4316
        
        C:\windows\SysWOW64\QGGKVOA.exe
        
        C:\windows\system32\QGGKVOA.exe
        247⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\YULRGVW.exe.bat" "
        248⤵
        
        PID:888
        
        C:\windows\YULRGVW.exe
        
        C:\windows\YULRGVW.exe
        249⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\XFWHPB.exe.bat" "
        250⤵
        
        PID:1060
        
        C:\windows\XFWHPB.exe
        
        C:\windows\XFWHPB.exe
        251⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\RSH.exe.bat" "
        252⤵
        
        PID:2736
        
        C:\windows\RSH.exe
        
        C:\windows\RSH.exe
        253⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAOFHG.exe.bat" "
        254⤵
        
        PID:3968
        
        C:\windows\SysWOW64\UAOFHG.exe
        
        C:\windows\system32\UAOFHG.exe
        255⤵
        Drops file in Windows directory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\MJCCUX.exe.bat" "
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\windows\MJCCUX.exe
        
        C:\windows\MJCCUX.exe
        257⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBMKG.exe.bat" "
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\windows\SysWOW64\EBMKG.exe
        
        C:\windows\system32\EBMKG.exe
        259⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWV.exe.bat" "
        260⤵
        
        PID:972
        
        C:\windows\SysWOW64\TWV.exe
        
        C:\windows\system32\TWV.exe
        261⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1296
        260⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 988
        258⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1316
        256⤵
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1328
        254⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 960
        252⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1008
        250⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 976
        248⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1328
        246⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 960
        244⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1304
        242⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1328
        240⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 988
        238⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1324
        236⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 988
        234⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1308
        232⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1300
        230⤵
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1336
        228⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1304
        226⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1324
        224⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1000
        222⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1292
        220⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 872
        218⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1004
        216⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1332
        214⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 988
        212⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1316
        210⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1328
        208⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 988
        206⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1336
        204⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1304
        202⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1336
        200⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1324
        198⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1296
        196⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1324
        194⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 988
        192⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1304
        190⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 960
        188⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 960
        186⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 960
        184⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1328
        182⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 976
        180⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 960
        178⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1336
        176⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1336
        174⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 960
        172⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 960
        170⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 960
        168⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 988
        166⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 960
        164⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1308
        162⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1328
        160⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1300
        158⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 988
        156⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 960
        154⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1336
        152⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 988
        150⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1308
        148⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1336
        146⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1336
        144⤵
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1304
        142⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1336
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 988
        138⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1336
        136⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 960
        134⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1324
        132⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1304
        130⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1316
        128⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1308
        126⤵
        Program crash
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1328
        124⤵
        Program crash
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 976
        122⤵
        Program crash
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 988
        120⤵
        Program crash
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1004
        118⤵
        Program crash
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 988
        116⤵
        Program crash
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1336
        114⤵
        Program crash
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 960
        112⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1300
        110⤵
        Program crash
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1000
        108⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 960
        106⤵
        Program crash
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 988
        104⤵
        Program crash
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1308
        102⤵
        Program crash
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1316
        100⤵
        Program crash
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 960
        98⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 960
        96⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1000
        94⤵
        Program crash
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1236
        92⤵
        Program crash
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 988
        90⤵
        Program crash
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 996
        88⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 960
        86⤵
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1240
        84⤵
        Program crash
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1012
        82⤵
        Program crash
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1288
        80⤵
        Program crash
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1328
        78⤵
        Program crash
        
        PID:1520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1336
        76⤵
        Program crash
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1336
        74⤵
        Program crash
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1324
        72⤵
        Program crash
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1300
        70⤵
        Program crash
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 960
        68⤵
        Program crash
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 960
        66⤵
        Program crash
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1328
        64⤵
        Program crash
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1328
        62⤵
        Program crash
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1336
        60⤵
        Program crash
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1316
        58⤵
        Program crash
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1336
        56⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 960
        54⤵
        Program crash
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 960
        52⤵
        Program crash
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1004
        50⤵
        Program crash
        
        PID:3784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1304
        48⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1324
        46⤵
        Program crash
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1336
        44⤵
        Program crash
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 960
        42⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1328
        40⤵
        Program crash
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1256
        38⤵
        Program crash
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 872
        36⤵
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1008
        34⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1328
        32⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 960
        30⤵
        Program crash
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1328
        28⤵
        Program crash
        
        PID:1292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1296
        26⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1236
        24⤵
        Program crash
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 960
        22⤵
        Program crash
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1304
        20⤵
        Program crash
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960
        18⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 972
        16⤵
        Program crash
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1236
        14⤵
        Program crash
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1308
        12⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1008
        10⤵
        Program crash
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 872
        8⤵
        Program crash
        
        PID:3740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 960
        6⤵
        Program crash
        
        PID:368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 960
      4⤵
      Program crash
      PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1312
  2⤵
  - Program crash
  PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 348 -ip 348
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3916 -ip 3916
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3756 -ip 3756
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4648 -ip 4648
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3908 -ip 3908
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1744 -ip 1744
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4480 -ip 4480
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3184 -ip 3184
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4268 -ip 4268
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1660 -ip 1660
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1784 -ip 1784
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1080 -ip 1080
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2028 -ip 2028
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4372 -ip 4372
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4916 -ip 4916
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3164 -ip 3164
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5028 -ip 5028
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3008 -ip 3008
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1056 -ip 1056
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4456 -ip 4456
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2028 -ip 2028
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5068 -ip 5068
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3756 -ip 3756
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1784 -ip 1784
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1912 -ip 1912
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1332 -ip 1332
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3652 -ip 3652
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4456 -ip 4456
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4032 -ip 4032
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1612 -ip 1612
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2488 -ip 2488
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3740 -ip 3740
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4060 -ip 4060
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2988 -ip 2988
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4460 -ip 4460
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3872 -ip 3872
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2480 -ip 2480
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 1680
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4152 -ip 4152
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4024 -ip 4024
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4840 -ip 4840
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2384 -ip 2384
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4540 -ip 4540
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1908 -ip 1908
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4172 -ip 4172
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3212 -ip 3212
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4008 -ip 4008
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3720 -ip 3720
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3828 -ip 3828
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4828 -ip 4828
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4956 -ip 4956
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1324 -ip 1324
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3672 -ip 3672
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2288 -ip 2288
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1576 -ip 1576
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4020 -ip 4020
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4224 -ip 4224
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4912 -ip 4912
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4768 -ip 4768
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2384 -ip 2384
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 996 -ip 996
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 972 -ip 972
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1076 -ip 1076
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3452 -ip 3452
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4504 -ip 4504
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3372 -ip 3372
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2080 -ip 2080
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1456 -ip 1456
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2736 -ip 2736
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3008 -ip 3008
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2056 -ip 2056
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4824 -ip 4824
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2516 -ip 2516
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4832 -ip 4832
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1004 -ip 1004
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2096 -ip 2096
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 888 -ip 888
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2616 -ip 2616
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3536 -ip 3536
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2432 -ip 2432
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4828 -ip 4828
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 448 -ip 448
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3436 -ip 3436
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3740 -ip 3740
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1104 -ip 1104
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4480 -ip 4480
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1808 -ip 1808
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1292 -ip 1292
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4080 -ip 4080
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2544 -ip 2544
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4968 -ip 4968
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 448 -ip 448
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3928 -ip 3928
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4896 -ip 4896
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2956 -ip 2956
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3560 -ip 3560
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4608 -ip 4608
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1580 -ip 1580
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2276 -ip 2276
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3596 -ip 3596
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2984 -ip 2984
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2260 -ip 2260
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2592 -ip 2592
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4176 -ip 4176
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1712 -ip 1712
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 692 -ip 692
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1748 -ip 1748
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2932 -ip 2932
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1844 -ip 1844
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4060 -ip 4060
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 724 -ip 724
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4436 -ip 4436
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4980 -ip 4980
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2784 -ip 2784
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4568 -ip 4568
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4392 -ip 4392
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1856 -ip 1856
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4868 -ip 4868
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4808 -ip 4808
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3592 -ip 3592
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4776 -ip 4776
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4932 -ip 4932
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4132 -ip 4132
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4448 -ip 4448
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 804 -ip 804
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4568 -ip 4568
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3020 -ip 3020
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2068 -ip 2068
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTEL.exe

Filesize
448KB

MD5
cafcd9f8ade166091f122ac413ac1302

SHA1
b9b0f2933c3b481264e8a5377bdaeb44774a18cd

SHA256
81453231a8f8fb0f2ba0d86d3cd7b18a943f711578d159576c2701bb319d6d7b

SHA512
22f66104859f6692f2e58c7a0b324307bb85f062de1d31485581d0e7face51c667b4d7b9691cd07496ef06b236a52ac81f1af8702f7f0a31af2c18f5ec4ddcf4

Download Submit
C:\Windows\ISFRF.exe

Filesize
448KB

MD5
25d0cafdb9b55931a3f9ba55ca806927

SHA1
372763cff0bde8fd96750f1a68a823ac2e5da8c4

SHA256
3e6be54c01b7f270d5e5e679b89b6c6a9386da9983bd45a1526e10feec24010e

SHA512
b772960607ac8d5f5a4c842957599db138f44f19f64456a108318e0b44f2db10236008d3e4e2604ed9ad63dd8b90472cb3d5ea99a9607a47e2e1a56324e20166

Download Submit
C:\Windows\ROI.exe

Filesize
448KB

MD5
b8feecfa55dfa0cc97f81779c937c0b1

SHA1
68b07dbd575a65cb29fa9d2334932ab155ccd557

SHA256
0723a88bc7048570b15c1dfd37f495b5ee623a714034a6abdd0ff276fee39177

SHA512
a1288158ff895a735e4672427e1f0f8e74cdc770e94c33f6955239a22586d3fdabd128362d48a2723f3d8f7d87679830a0fa80544e637026890dfefcbe36a3c5

Download Submit
C:\Windows\SysWOW64\AHMEK.exe

Filesize
448KB

MD5
8dae932020ba5d8445f3298ac40cbee9

SHA1
626270dcdd42d6a817c00e673936894c87fcce18

SHA256
2db74c7acdf271b5d3f5035e90612f4f50b4dc37ed61987c9c700f6f3c9f7dd0

SHA512
b2b960ffc03da6875219f96dc0deb4e974a5fcc003d7e5482bd93522ab00c77bdf8f7c867b524e4a52d22ecd1ca9f5ce9259a1eb76d5917b46118b3001f2408c

Download Submit
C:\Windows\SysWOW64\CFLZ.exe

Filesize
448KB

MD5
b454a2cb6d5068eecf0295ca8c8ec42c

SHA1
e16721ac298bee37d37b6391329d0b20e4b8cd72

SHA256
f117a4cbd0c5c0ae8f28afd3856ac6f59e60e8135e5ae8ae3f33ce753515c7b7

SHA512
5ed13cde3115d477a909157b8249ed5c38d47e14952cbdd85d602ac7792961a9c959a56c5606164ca65a6f572aeaef072d4116d9971660e59cbf85234a7d897a

Download Submit
C:\Windows\SysWOW64\JLSNR.exe

Filesize
448KB

MD5
505c54f1df5d656064400f442becde4c

SHA1
c595bbc6a2ac3afb33ed6d9e51e95730e6769530

SHA256
8955bd710804224ef1efa7a688b4ccc380a1aec9029695fd49dbbfd3e59e189c

SHA512
6533227262cce483143d0b64c2305b0ab70210f7312e69c7075c31ec9b888d1dfa02c7cdb6aeaebae7a59053ce8c85446ad34003eee2b60dea871a5596b03eaa

Download Submit
C:\Windows\SysWOW64\MECDEX.exe

Filesize
448KB

MD5
360a1c6b6a76c5a67ab0031c9d4738ad

SHA1
77075073cabaa4a49f4dc7d430bb7f97529cb8cb

SHA256
ba7c8fbacaee1aa64f77bef06f3514e37654553745447f432c5c9e921259d683

SHA512
ffa8a52a182afe6bba0d9473bd3e1504447e1b38ef32163363437bbc1b8cdfc3f9dd83a1829544734d6dd82c4af80b570b521acbd44df09c41bcb0d161805987

Download Submit
C:\Windows\SysWOW64\WOWDBT.exe

Filesize
448KB

MD5
5d26777a8ada894e0bc575ca192183dc

SHA1
08d870793e66f483e7baf4493c1c3d5a08e05b92

SHA256
572c393f1dbf0040eb51b903a609bf8e973f354befc4836b01b419f63bf1add2

SHA512
05f8fc1acf2249fb70be8d1aa997c7d5f0013d9c929fc8e4ee3460d665b3d330b0be8d80c962397baf41243416618b59d4af3a280ec577537cd4eef2f329e42d

Download Submit
C:\Windows\System\RXKQC.exe

Filesize
448KB

MD5
839cc15ab4e8a2635b68f8e3e70edc73

SHA1
9537d07370581e7ec434de08a48640c1e46d0584

SHA256
d059635254cf31b6c35f6b736ab29c942920130221fda6baa2075ddce2c1539d

SHA512
caddf9d83403ad9e05f31d43a2cf7a12d2f34c3e1238ba3d6c8961f42ae4d76c76f3d7ef24aeb1e0cc08b974ffdcc2dccd9391643d136d71f9dfd9acd2047fc3

Download Submit
C:\Windows\System\WTDRDE.exe

Filesize
448KB

MD5
9785cc89fd23e74cf24e2601bcc984db

SHA1
90f73f079935eb3cfc1d66a0cdc41b3491e49199

SHA256
6baac91d20dae5c6445a6a239bd18b34c7434014cf61c584012e975b671d423e

SHA512
323e8494fceca331e3e1d2d31bcac75019ff1ed4029d08b308cd97e9f7354185248b9f1e12abd54c434bf42583be6565302c9f51b83792e894359d69700aeb4b

Download Submit
C:\windows\CIYJS.exe

Filesize
448KB

MD5
6c0ccc7af8dea80e5414a670c18ecc74

SHA1
be975cae41591b7c85378546c636a49182873510

SHA256
38d0b543455467a9b390eb990f2a2399b2f50d2317d57c7e5cff9492c761f391

SHA512
9bef13166a725c77a523bc120beb0cc5f4cbb29f7c361bd9e507e797649a372e066d0e32c48e9362c795c7d0dc0b047d5f5cebe63e801bacf925b07174d5d2ea

Download Submit
C:\windows\CIYJS.exe.bat

Filesize
56B

MD5
28efff2455f249c8c916550353bb9894

SHA1
192c6fc5879f338bdd85964319bf2a5f0effb6d6

SHA256
95ffc67b56f2b6e7df2a4870b48772239f32b8f41f5f050a841ad90d79f9a39c

SHA512
4c3fafd1bb7ae755b555c410a34eac155e88631fbcdf7079453cab38649c5656e3302d0925636cf8566cdcd28d1b397286ad308d085b49ffef29dcdeee97ce60

Download Submit
C:\windows\CTEL.exe.bat

Filesize
54B

MD5
caf1d1f97249f5c9410acabb3ad68981

SHA1
472571a59bb3f67b2bb76b0db47104aac1884870

SHA256
2ad0cf16fe8efd1461a41f951e7e6ad322959a1788b50bacf06c686acd7fd609

SHA512
9f0b1f10a36489dc2a614083a59a6ca14a85f0bd418d3828a6551464b459ee2fe9e17d236fd3088686a28e0b6718519101f2e38fdf9c5743476d47148cf2e30d

Download Submit
C:\windows\ISFRF.exe.bat

Filesize
56B

MD5
22b1ab1cb2341dbd6a62309e5300ca91

SHA1
67433d5264bad28b2e83ba5ba7479c7abea2a737

SHA256
2c263272ba2abb4da3aba6630eba4c7f320e713e3c68728b2f1e332e3924d37b

SHA512
bb4a1dc4b912689c28d5435ebeabffe2711a1c6f231c72bea46e25c8bcf11b2eb00a145d851eca1f56b7a1251758ac8c626672ceb48467afba18cb1daeba3298

Download Submit
C:\windows\LXXCZPD.exe

Filesize
448KB

MD5
cdb304fdefdfd8174f7ec3850ab9cd7e

SHA1
272dacb4f51d6f9a279ee4919aac8adb6b457a42

SHA256
c51a6ed8a569b266486ccfddf8f88423f937a59f5f16cf820e2a5526888a87e9

SHA512
4a403fd2071b25b599a28fe03f70c85fc86e5b293b5c87230c8cc86d9a2dcb863328c6be587478173cb857c0c4c2ab173e9c0ca232790c7197ba816a50141e08

Download Submit
C:\windows\LXXCZPD.exe.bat

Filesize
60B

MD5
67be3ed0ce8af21c890728553a23be35

SHA1
32716fc4c0419bca475fa5f19f7cb3fdf8215a9f

SHA256
f4a076b787781c3cfde2972b4354d0bd1e4e566fae6831d7f6b1cf0ba9237d51

SHA512
0191ed1f5ccd23099c1881af1ed16f4281bb1aee75263bbf8cddb78d2141c8da01fad56a5e31c7cf3b82121c9892babd2a8be2772acfdb9313d576cff9164a72

Download Submit
C:\windows\ROI.exe.bat

Filesize
52B

MD5
f47c84f3681ee4cd368805d0320fbfc8

SHA1
058dd698f06dc92908953ed8a0d7b62a62ef6706

SHA256
043c0b4024142798670784dd98428716fdcb6ea9fc007dd922fe8333389ca793

SHA512
ebbfb945a20be9ce7cb03836de145b9288d2ba994993f6ab68c8e4e7e7c9197e1c2ae440ca48e02062ffb070c292c38e67264f3e07daa062840372485cbd66cf

Download Submit
C:\windows\SysWOW64\AHMEK.exe.bat

Filesize
74B

MD5
9052672b6206ef8866e05a92fb358105

SHA1
7f6adf5c935be60f3c69f54be310e30ef2745a70

SHA256
43f7a479f95306ddd2321e6749e3074d2bc4d15c4f827f97d92f28df67536374

SHA512
d7cb34c64c877ab5c573bfae41d39e1d4a0e14a552346ceaf63e0dcb189468f75f590b0a957829b006d043e15485541525fc909885c9f62621fe683fd7786862

Download Submit
C:\windows\SysWOW64\CFLZ.exe.bat

Filesize
72B

MD5
768e5282375de2374874a7a80e20ed32

SHA1
4ddb2158ca3a84b9494939fde8941321f0084df7

SHA256
2febf430c0ec7431c2b5ccfbf1d233f822b81d965db6bb25495befe69894f8c3

SHA512
63a990c078d8d0c80e1218655165b7ec8d95fc15593c358768f1f133b40b44dc8eac10f35a439647158fdd896f2dcc146f14dde37a3db1eb928bb9e235972e22

Download Submit
C:\windows\SysWOW64\JLSNR.exe.bat

Filesize
74B

MD5
aafb811368b137f9c7205dcd7b43905b

SHA1
8192a437352bf044f20de874a87fc3277c3b739e

SHA256
dfdade57bc817c39d4c3b36e65226dce3ac52be44527470c95ee246556c0dab8

SHA512
60caa721bd412c816860cf588a417e1aab0f6f858a578809684e3510fd720b694f033ce44e4c9d3565e453f537ca69d36890a72b460c5a4a746bd8f66d14e2af

Download Submit
C:\windows\SysWOW64\MDRUBOP.exe

Filesize
448KB

MD5
c297d0bf16be340fe076d4a21e04a628

SHA1
aa1be7087f104a40377054263ca8ac48bb6c07f6

SHA256
fdddbbafaf13119a0e312f58366ebef150c7475474f74db17f777583a93b2cda

SHA512
08a86e1dda54e781d6b531b8b78ff617222c0643eb7928caa5edf4edd4950b39c8665b62b2e914c718d16b40955a4bff4cd95cba76ce48eb1e22c96fdf77d841

Download Submit
C:\windows\SysWOW64\MDRUBOP.exe.bat

Filesize
78B

MD5
766c8978841db7b46b5f6fec2f333d6c

SHA1
14ad3bbcd00d8dd79ac780dc92458240311e2bec

SHA256
9109532bd230e080f4855ddd008dfce953927c9ae78ec72fb53723442b2bc13e

SHA512
17d579265e2b5575e89bd1910e15ca0dda3904bbfea677bf5b3a9f59f8c28726d8f10e15b6956ceeb6ef76cdd1f20d75731faf365d0a8dd31a1df050ee598421

Download Submit
C:\windows\SysWOW64\MECDEX.exe.bat

Filesize
76B

MD5
7302d53134683708d09666b49fcd0d18

SHA1
163f248f59c30d988170852047d65e7eb1a9bb47

SHA256
e344b94aeaa08fedaa87cf55006a23cbf460b13693a24c66729a4edb48cedda5

SHA512
8d2e4648fad93f72ced3fcf4cbb6fa6314cdacf69352aa566e62a40101ca4e1ae17b52778b4d6e7242bfc0f84ccb462d6655fe6dd41dd790517d8386630b07e4

Download Submit
C:\windows\SysWOW64\OAKOD.exe

Filesize
448KB

MD5
49e94892115bb4202b4a9f875f63e8b7

SHA1
16604725b15096dcac5d68b070e8443605529584

SHA256
3a70867f5571af32ac87df207fd50e5f4fca161a56d8ac5a35f62caae962b56c

SHA512
90e07e20ca14f57657bf72b91bc2668418ce2a6b28334f892865e250be0ef437b2cfa7413edca699eb211f034a567dcc87616d899f63ee78ebed3450c47b17dc

Download Submit
C:\windows\SysWOW64\OAKOD.exe.bat

Filesize
74B

MD5
5348b1a42b4b3e1631a40aaf93317718

SHA1
57ebbdecb1375d376b87f2149935028e87673811

SHA256
966b0faefb86116357ca773c6c2f380df4ea8310daf72284a71a27db1d62844a

SHA512
b9415fdd9da26105794ceb885f871aae7748f8823fc9c6ec86db55fcfff81eef43f4666f8069ec3317ded46a076bb9acbd661e6ab194618cbbb30d254f7e2c58

Download Submit
C:\windows\SysWOW64\VCRNMGK.exe.bat

Filesize
78B

MD5
b085bd0ca4541e991bc2fbe1a2953f0d

SHA1
531057b19c4b54c617059f6a28c2d565cf79312f

SHA256
23c30f8e93f30ee4970a6cbe0efa8544a2b36b20fb7177f114fb40bbca3ca198

SHA512
5aac5dba3451bbd11eb79465a5fad4f49c2db5eec5031cb6219e5f135484dcba08e7129e09d8b66f103ba43c32dba80f9ee66bf4e067f77c350fb6354d5c1527

Download Submit
C:\windows\SysWOW64\WOWDBT.exe.bat

Filesize
76B

MD5
008b94d73b759de4f20c5af0eb0e2973

SHA1
0b4d47b6369db24d567293d2565226e773122a4c

SHA256
0b245ec234fbf9ef120253e46ed5deb66dcedb6dbae41c147aa03e6fc9f1ab42

SHA512
8f745d1c194cf7e102cd122486aa8ef4875685433633d5816a451c415cd766db1f5ccb945a818fe625e0b0a79d3f7ef671955a4020829538516522c668ab5cec

Download Submit
C:\windows\VMEIHVH.exe

Filesize
448KB

MD5
89b3d0d5cc54ab21221e412a0a4ce7a6

SHA1
8307faf5c2fcc64fdb2c879eb481d0b45e9a3ea5

SHA256
77a82a2f86d9b5c7b7d9d93ab3af5c557fbb8e5bcdcb0f3212f423bb35f3f34c

SHA512
978ce0eef92cdab8c54e8bea8c3b0f5ae09d3df8e69325189b3d23b3822b20b46cfc08368bfdc9862832002de09dbebe369c5954b85e19b124b9b267258a6328

Download Submit
C:\windows\VMEIHVH.exe.bat

Filesize
60B

MD5
dd123ef9218ba056594d57b5aea736b9

SHA1
83baa0f30d1f1e6d8800a4eb7d1628c35fed9ec0

SHA256
fae2ea52fecbc51fa0899a4a45daa662b159a9fd6065c21054373c88e4ae8b85

SHA512
c3005fa37f57435f920d2dea6a6832cea0ac4e1ff33afa5808fc3ee9f32ba638eb048eaa7c5e5ffbb27be077af40bd23af7a3e8eb94f31f91e64d267683524f1

Download Submit
C:\windows\XJZAW.exe

Filesize
448KB

MD5
a5bce8dc5c43a5443560c820743017c5

SHA1
87740e3000aaa9d6b42aee6a660959bcd55a085b

SHA256
6bc7d00485b69aa964fa0ed93e71afec85e71d42cca4934c20a4a5a118a27ee8

SHA512
a478e6abb2ffa5f6705693f5f6e50a3f3acc2e5c31988ef87632cc88ed0d1489981c28683ea6f1a7feacea94185cae3076fe766dc558d102af72a482f8baf4f0

Download Submit
C:\windows\XJZAW.exe.bat

Filesize
56B

MD5
d5a1f718801517308293100457171222

SHA1
c462d934ac9ac386b7da2765d90b76a075292252

SHA256
07d9dc512bf60443064c870653e061aed8a9eea211ed11b6ad6caf68a8127359

SHA512
bf72bb2f9afbb29e91143052a0a3b8e5c8968cb4cbbdfcd2398ce18bfe0767d0d24c51b3b0bcded907737aa25645713e1870a61b00692174107c3fe8de9a2881

Download Submit
C:\windows\system\FKSDX.exe.bat

Filesize
70B

MD5
9e80d9831c68cb331b8b166d9c78a3f7

SHA1
f114cf3a84b6d4a4e382dcf3a9e6df3eea1a16f0

SHA256
623fe833e1ad86c60a2d6b99f0dd9b4499cd606f0616bca48c30060c22d64e0c

SHA512
167a57ce53f6dacb1a1c74494343a195a70ff17cfe1510373df964f3a75331d85c280c41cc9b8eea6095a774f454bc2d29b6a12b8022d795fa4f1db1fa246cb2

Download Submit
C:\windows\system\MFYVIA.exe.bat

Filesize
72B

MD5
d792705dcad263f51c4f4758aa006187

SHA1
68fb10b27bf1d8e0f9f67d2b8d2701717fe8dee4

SHA256
01eeeea97572d7a3967caf922c19069757bdc90fc84466a2bd4cb1aa8d9e3118

SHA512
edbf9411b91863064ed57da861dcf7411b3acbd4b9cdeb99dedc93706aebe81e041d54335585755a6ec9eb2782f8071fc17474444a3bb0c9ded0c9e6a70e6e77

Download Submit
C:\windows\system\RXKQC.exe.bat

Filesize
70B

MD5
d455f461be4e3b459fe6dccfd76240f5

SHA1
ce0a3c57053c51b76a038cc35ee58c43fc179344

SHA256
ff3efd412e092be8ab201817e90bf9def819440a608e237a08a2ec1ac47d1d7b

SHA512
d76c160d37d2a6aeb426ea4a7737da738d18154e481cb36b7b0f4cf680ff9db12bc02f72f708f4e04f29c3e8a27078a665bb80f2b399a50f17d87821a4d7beea

Download Submit
C:\windows\system\TLIKNY.exe.bat

Filesize
72B

MD5
b7313c7b78c9e69f1e4f994a847d1072

SHA1
a26e8f29969bd181a2a6913cfb6e08fd0bf9f2f7

SHA256
9940430ce4c250b8079439a8bd9b3c4cf328aac8aebbcb40d117d5e6a36b8e21

SHA512
738ab2a238a55686f8396dbc1fa1787b4365b10b470813b90aa83e6dd7b1acd98e6ffeedbbf4795776f23d002ec0518412c5ac344e1b2cb17049dbfe19066069

Download Submit
C:\windows\system\WTDRDE.exe.bat

Filesize
72B

MD5
4794a553b535137e60009e304cd6e841

SHA1
cab87f8a337f9bff7b7795d4b6743b2fdf7f3dc0

SHA256
bdfc7285552e7f394cbe779aafc58f68e11a3822ef9cd836d9e1a42f3cb6da02

SHA512
34a3b34be6e62503aa613b7c066cbc2bae80566f6fd6059ec4968831107e3bced89c55b129403b3da2fd0eb21f9fce0e4690817448082e225a3010277d8da697

Download Submit
C:\windows\system\YTO.exe.bat

Filesize
66B

MD5
79924568b5437ff413b95090c6aa1f7e

SHA1
e2dad140d1fce6d40760d8ccbba1edc9666a82d0

SHA256
e92db942075c853abed87a2cc61f8d92fb62f24dee6871bda130b4b39aae87f0

SHA512
59c65a9b8c204bb582f6c123155267fdbca85c41514f07c304e5578ebbd1d6fc69adadcbac479bd86aa3d7a8ecfa3ae49a5bef2b4e971c0ec205e7ec72b77b17

Download Submit
C:\windows\system\ZKXX.exe.bat

Filesize
68B

MD5
77259c15adfd544578469f43a3b0fffa

SHA1
4aa52b550dd896dcdd22821a84607513a9a7fc8f

SHA256
f34649fb1e0ddfc34cc09cfc961c7bed7f109dc63845db5b26e6949456223ae7

SHA512
acbe68e5cfee1aa80c9964f735d0cb32ead9dcd8f233b4c015991e7cabef81e34c9c5d7a9af2e866bed7af0bc4044fbb56648794d837cdfc3b5507967559d147

Download Submit
memory/348-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/348-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1612-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1744-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1744-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1784-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1912-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1912-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2384-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2384-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2480-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2488-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2488-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-101-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3720-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3740-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3740-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3756-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3756-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3756-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3756-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3828-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3872-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3872-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3908-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3908-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4024-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4024-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4032-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4032-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-483-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-93-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4372-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4372-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4460-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4460-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4540-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4540-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4648-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5028-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5028-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download