773bd6f37bd8703faffedb3b5be6f248f11b41f73681e4131cfaab56a63bc703

Analysis

max time kernel
149s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
Size

384KB
MD5

296676abd5bf566947f9292a3d689bb0
SHA1

d276a3e6d1eaf4122fd64daeb2c12a04ac8f5294
SHA256

773bd6f37bd8703faffedb3b5be6f248f11b41f73681e4131cfaab56a63bc703
SHA512

768dcb1acb069caa45fa62e8ff41565e5c6cfceb29c4aea3b46f23a50b9f9572daca809be2b34c057eadd3012e63eb1816d503c6619b51fc4fbe8287d75d2928
SSDEEP

6144:Ql6cUbD+nhLDEDCh10kEjiPISUOgW9X+hOGzC/NM:Ql6coinhLDEDnkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 19 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\QWWPC.exe	family_berbew
C:\Windows\HJGHS.exe	family_berbew
C:\Windows\SysWOW64\SMF.exe	family_berbew
C:\windows\SysWOW64\NAKLH.exe	family_berbew
C:\Windows\SysWOW64\CYYCXUA.exe	family_berbew
C:\Windows\FGG.exe	family_berbew
C:\windows\EWSURMD.exe	family_berbew
C:\Windows\System\QHC.exe	family_berbew
C:\windows\UUJWOWX.exe	family_berbew
C:\Windows\SysWOW64\ANYM.exe	family_berbew
C:\Windows\System\QDZDER.exe	family_berbew
C:\Windows\DGQCST.exe	family_berbew
C:\windows\system\JBTVY.exe	family_berbew
C:\windows\VMEIHVH.exe	family_berbew
C:\Windows\SysWOW64\HFH.exe	family_berbew
C:\Windows\SysWOW64\LQEXQEN.exe	family_berbew
C:\windows\system\HVMJS.exe	family_berbew
C:\Windows\YWSOFGZ.exe	family_berbew
C:\windows\VWCQRC.exe	family_berbew

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HPGU.exeOPJBADQ.exeCGTH.exeEHCXUK.exeLQCHYP.exeBFMIY.exeSTTRIMS.exeSXK.exeHJGHS.exeRCZNG.exeAZI.exeDOUA.exeDNIHOVB.exeSGG.exeRGZCI.exeBQP.exeVJG.exeHVMJS.exeIHHFIKR.exeUVU.exeCHU.exeIEZ.exeHSV.exeBDJW.exeMRVGTXY.exeHZJR.exeRTC.exeQWWPC.exeLQEXQEN.exeXVWL.exeYGLN.exeMSRELJA.exeWDLUQJE.exeQDZDER.exePXA.exeZFGXKP.exeXJXM.exeKERS.exeDEHKYJQ.exeANYM.exeIQUE.exeTUAZUJH.exeBHDDE.exeHXMYUN.exeQDAFKEQ.exeHGJF.exeLBXQ.exePXXCKXM.exeSTAFPWX.exeTLRQUT.exeWXYIC.exeISTVT.exeGRW.exeHBCOKKP.exeUTGGAXC.exeORR.exe296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exeNAKLH.exeQHC.exeQAJ.exeOQKRMSK.exeEPBTJCE.exeDQTYV.exeKAAHH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HPGU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	OPJBADQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	CGTH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	EHCXUK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LQCHYP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BFMIY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	STTRIMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SXK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HJGHS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RCZNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AZI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DOUA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DNIHOVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SGG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RGZCI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BQP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	VJG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HVMJS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IHHFIKR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UVU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	CHU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IEZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HSV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BDJW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	MRVGTXY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HZJR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RTC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QWWPC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LQEXQEN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	XVWL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	YGLN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	MSRELJA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WDLUQJE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QDZDER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PXA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ZFGXKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	XJXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	KERS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DEHKYJQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ANYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IQUE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	TUAZUJH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BHDDE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HXMYUN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QDAFKEQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HGJF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	LBXQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PXXCKXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	STAFPWX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	TLRQUT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WXYIC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ISTVT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GRW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HBCOKKP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	UTGGAXC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ORR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	NAKLH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	QAJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	OQKRMSK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	EPBTJCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DQTYV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	KAAHH.exe

Executes dropped EXE 64 IoCs

Processes:

QWWPC.exeHJGHS.exeSMF.exeNAKLH.exeCYYCXUA.exeFGG.exeEWSURMD.exeQHC.exeVJG.exeUUJWOWX.exeANYM.exeQDZDER.exeDGQCST.exeJBTVY.exeVMEIHVH.exeHFH.exeRCZNG.exeLQEXQEN.exeHVMJS.exeYWSOFGZ.exeVWCQRC.exeOPJBADQ.exeHSV.exePXA.exeQAJ.exePLMJJUD.exeXYZPUSH.exeIRU.exeAZI.exePPJF.exeXVWL.exeKFEC.exeCGTH.exeTOVMC.exeEHCXUK.exeFKOBZAL.exeTHO.exeZDA.exeJAFAWJM.exeBDJW.exeLBXQ.exeIHHFIKR.exeKUMP.exeHVW.exeAND.exeATDQ.exeDOUA.exeCZX.exePXXCKXM.exeBPNNCYU.exeMFTN.exeUVU.exeUYYIS.exeRWQXI.exeMRVGTXY.exeWPBBI.exeJNJ.exeUFEF.exeIQUE.exeSOAQORU.exeSTAFPWX.exeCRGZXFG.exeRMPDQ.exeXHOMNU.exe

pid	process
4016	QWWPC.exe
4080	HJGHS.exe
2976	SMF.exe
3988	NAKLH.exe
2964	CYYCXUA.exe
212	FGG.exe
2124	EWSURMD.exe
1644	QHC.exe
4016	VJG.exe
2956	UUJWOWX.exe
4436	ANYM.exe
1752	QDZDER.exe
1632	DGQCST.exe
2144	JBTVY.exe
4036	VMEIHVH.exe
4880	HFH.exe
1456	RCZNG.exe
452	LQEXQEN.exe
3164	HVMJS.exe
4032	YWSOFGZ.exe
4996	VWCQRC.exe
1224	OPJBADQ.exe
4400	HSV.exe
1400	PXA.exe
3620	QAJ.exe
1092	PLMJJUD.exe
2440	XYZPUSH.exe
1212	IRU.exe
3272	AZI.exe
3240	PPJF.exe
4628	XVWL.exe
1184	KFEC.exe
3692	CGTH.exe
1624	TOVMC.exe
3344	EHCXUK.exe
1228	FKOBZAL.exe
1428	THO.exe
2168	ZDA.exe
3208	JAFAWJM.exe
2020	BDJW.exe
2768	LBXQ.exe
5024	IHHFIKR.exe
1644	KUMP.exe
1208	HVW.exe
2308	AND.exe
4264	ATDQ.exe
2980	DOUA.exe
4884	CZX.exe
4136	PXXCKXM.exe
4308	BPNNCYU.exe
2408	MFTN.exe
2040	UVU.exe
5092	UYYIS.exe
520	RWQXI.exe
4452	MRVGTXY.exe
3200	WPBBI.exe
2044	JNJ.exe
3640	UFEF.exe
1396	IQUE.exe
720	SOAQORU.exe
2012	STAFPWX.exe
4272	CRGZXFG.exe
1364	RMPDQ.exe
4384	XHOMNU.exe

Drops file in System32 directory 64 IoCs

Processes:

UUJWOWX.exeZDA.exeMFTN.exeIQUE.exeMMOQ.exeRJP.exeHHFXY.exeNAKLH.exeEHCXUK.exeDNIHOVB.exeLFIX.exeZFGXKP.exePLEOV.exeWUZ.exeWDLUQJE.exeVMEIHVH.exeFFL.exePXA.exeUYYIS.exeBHEFEH.exeDOUA.exeLQCHYP.exeHJGHS.exeWPBBI.exeNYIW.exeRTC.exeVQCVNLU.exeISTVT.exeGZDG.exeCWOXF.exeRWMMJ.exeIHHFIKR.exeZSXZ.exeHGJF.exeRJGELCX.exeSMF.exeCZX.exeUFEF.exeJLRS.exeSTAFPWX.exeRCIR.exeXQJ.exeCTSINGZ.exeRCZNG.exeOPJBADQ.exeYCNYU.exe

description	ioc	process
File created	C:\windows\SysWOW64\ANYM.exe	UUJWOWX.exe
File created	C:\windows\SysWOW64\JAFAWJM.exe	ZDA.exe
File created	C:\windows\SysWOW64\UVU.exe	MFTN.exe
File created	C:\windows\SysWOW64\SOAQORU.exe.bat	IQUE.exe
File opened for modification	C:\windows\SysWOW64\QUUYLA.exe	MMOQ.exe
File created	C:\windows\SysWOW64\XJXM.exe.bat	RJP.exe
File opened for modification	C:\windows\SysWOW64\HPGU.exe	HHFXY.exe
File created	C:\windows\SysWOW64\CYYCXUA.exe.bat	NAKLH.exe
File created	C:\windows\SysWOW64\FKOBZAL.exe.bat	EHCXUK.exe
File created	C:\windows\SysWOW64\PDPHS.exe.bat	DNIHOVB.exe
File created	C:\windows\SysWOW64\WXYIC.exe	LFIX.exe
File created	C:\windows\SysWOW64\XQJ.exe	ZFGXKP.exe
File created	C:\windows\SysWOW64\MMOQ.exe.bat	PLEOV.exe
File opened for modification	C:\windows\SysWOW64\RCIR.exe	WUZ.exe
File created	C:\windows\SysWOW64\CDSI.exe	WDLUQJE.exe
File created	C:\windows\SysWOW64\HFH.exe	VMEIHVH.exe
File created	C:\windows\SysWOW64\CYNKEKM.exe	FFL.exe
File created	C:\windows\SysWOW64\QAJ.exe	PXA.exe
File opened for modification	C:\windows\SysWOW64\FKOBZAL.exe	EHCXUK.exe
File created	C:\windows\SysWOW64\RWQXI.exe	UYYIS.exe
File created	C:\windows\SysWOW64\ZIMT.exe.bat	BHEFEH.exe
File created	C:\windows\SysWOW64\RCIR.exe.bat	WUZ.exe
File opened for modification	C:\windows\SysWOW64\ANYM.exe	UUJWOWX.exe
File created	C:\windows\SysWOW64\CZX.exe	DOUA.exe
File opened for modification	C:\windows\SysWOW64\JAFAWJM.exe	ZDA.exe
File created	C:\windows\SysWOW64\EEJFDQ.exe	LQCHYP.exe
File opened for modification	C:\windows\SysWOW64\SMF.exe	HJGHS.exe
File created	C:\windows\SysWOW64\JNJ.exe.bat	WPBBI.exe
File created	C:\windows\SysWOW64\CTSINGZ.exe	NYIW.exe
File opened for modification	C:\windows\SysWOW64\BQP.exe	RTC.exe
File created	C:\windows\SysWOW64\DEHKYJQ.exe	VQCVNLU.exe
File created	C:\windows\SysWOW64\SMF.exe	HJGHS.exe
File created	C:\windows\SysWOW64\OGS.exe	ISTVT.exe
File created	C:\windows\SysWOW64\TKLW.exe	GZDG.exe
File created	C:\windows\SysWOW64\BUUI.exe	CWOXF.exe
File opened for modification	C:\windows\SysWOW64\CZX.exe	DOUA.exe
File created	C:\windows\SysWOW64\BUZ.exe.bat	RWMMJ.exe
File created	C:\windows\SysWOW64\HFH.exe.bat	VMEIHVH.exe
File created	C:\windows\SysWOW64\KUMP.exe	IHHFIKR.exe
File created	C:\windows\SysWOW64\HGJF.exe.bat	ZSXZ.exe
File created	C:\windows\SysWOW64\NTNG.exe	HGJF.exe
File created	C:\windows\SysWOW64\LXLO.exe.bat	RJGELCX.exe
File opened for modification	C:\windows\SysWOW64\NAKLH.exe	SMF.exe
File opened for modification	C:\windows\SysWOW64\PXXCKXM.exe	CZX.exe
File created	C:\windows\SysWOW64\IQUE.exe.bat	UFEF.exe
File opened for modification	C:\windows\SysWOW64\KPDVXZ.exe	JLRS.exe
File created	C:\windows\SysWOW64\SMF.exe.bat	HJGHS.exe
File created	C:\windows\SysWOW64\CRGZXFG.exe	STAFPWX.exe
File opened for modification	C:\windows\SysWOW64\ENE.exe	RCIR.exe
File created	C:\windows\SysWOW64\HPGU.exe	HHFXY.exe
File created	C:\windows\SysWOW64\JAFAWJM.exe.bat	ZDA.exe
File opened for modification	C:\windows\SysWOW64\ZIMT.exe	BHEFEH.exe
File created	C:\windows\SysWOW64\XQJ.exe.bat	ZFGXKP.exe
File created	C:\windows\SysWOW64\RJR.exe	XQJ.exe
File created	C:\windows\SysWOW64\MMOQ.exe	PLEOV.exe
File opened for modification	C:\windows\SysWOW64\UTGGAXC.exe	CTSINGZ.exe
File created	C:\windows\SysWOW64\BQP.exe.bat	RTC.exe
File created	C:\windows\SysWOW64\LQEXQEN.exe.bat	RCZNG.exe
File opened for modification	C:\windows\SysWOW64\HSV.exe	OPJBADQ.exe
File created	C:\windows\SysWOW64\HSV.exe.bat	OPJBADQ.exe
File created	C:\windows\SysWOW64\CZX.exe.bat	DOUA.exe
File created	C:\windows\SysWOW64\PXXCKXM.exe	CZX.exe
File created	C:\windows\SysWOW64\BUUI.exe.bat	CWOXF.exe
File created	C:\windows\SysWOW64\OHE.exe	YCNYU.exe

Drops file in Windows directory 64 IoCs

Processes:

KAAHH.exeTUTDUHS.exeCYNKEKM.exeEWSURMD.exeJAFAWJM.exeZGDZQLN.exeTKLW.exeLKACD.exeSDQDRSF.exeRGZCI.exeQDZDER.exeHFH.exeXYZPUSH.exeFKOBZAL.exeBUUI.exeHVW.exeAND.exeSOAQORU.exeEQHCAT.exeHPGU.exeETW.exeVFCPWPI.exeHXMYUN.exeENE.exeZEJPRU.exeDEHKYJQ.exeDQTYV.exeBPVMZ.exeGRW.exeYRGP.exeMSRELJA.exeOZAC.exeTTVUBZ.exeQHC.exeANYM.exeLBXQ.exePDPHS.exeHBCOKKP.exeXVWL.exeKFEC.exeBPNNCYU.exeDJNEHXR.exeOQKRMSK.exeQDAFKEQ.exeYWSOFGZ.exePPJF.exeTLRQUT.exeHWT.exeTHO.exeMRVGTXY.exeRMPDQ.exeRJR.exeIAXBEC.exeCHU.exePVREM.exe

description	ioc	process
File created	C:\windows\system\WDLUQJE.exe	KAAHH.exe
File created	C:\windows\PAESKD.exe.bat	TUTDUHS.exe
File opened for modification	C:\windows\VQCVNLU.exe	CYNKEKM.exe
File created	C:\windows\system\QHC.exe.bat	EWSURMD.exe
File opened for modification	C:\windows\system\BDJW.exe	JAFAWJM.exe
File opened for modification	C:\windows\YRGP.exe	ZGDZQLN.exe
File created	C:\windows\LKACD.exe	TKLW.exe
File opened for modification	C:\windows\RGZCI.exe	LKACD.exe
File opened for modification	C:\windows\SGG.exe	SDQDRSF.exe
File created	C:\windows\RJP.exe.bat	RGZCI.exe
File opened for modification	C:\windows\DGQCST.exe	QDZDER.exe
File created	C:\windows\system\RCZNG.exe.bat	HFH.exe
File created	C:\windows\IRU.exe	XYZPUSH.exe
File created	C:\windows\system\THO.exe.bat	FKOBZAL.exe
File opened for modification	C:\windows\system\CXLWG.exe	BUUI.exe
File opened for modification	C:\windows\AND.exe	HVW.exe
File opened for modification	C:\windows\ATDQ.exe	AND.exe
File opened for modification	C:\windows\system\STAFPWX.exe	SOAQORU.exe
File opened for modification	C:\windows\CWOXF.exe	EQHCAT.exe
File created	C:\windows\RGZCI.exe.bat	LKACD.exe
File opened for modification	C:\windows\system\OKD.exe	HPGU.exe
File created	C:\windows\OQKRMSK.exe.bat	ETW.exe
File created	C:\windows\JQKNKAD.exe.bat	VFCPWPI.exe
File created	C:\windows\JZWFEJ.exe	HXMYUN.exe
File created	C:\windows\RGZCI.exe	LKACD.exe
File created	C:\windows\MSRELJA.exe	ENE.exe
File opened for modification	C:\windows\OZAC.exe	ZEJPRU.exe
File created	C:\windows\HHFXY.exe	DEHKYJQ.exe
File created	C:\windows\RTC.exe	DQTYV.exe
File opened for modification	C:\windows\system\DNIHOVB.exe	BPVMZ.exe
File created	C:\windows\TUAZUJH.exe	GRW.exe
File created	C:\windows\CWOXF.exe	EQHCAT.exe
File opened for modification	C:\windows\system\CHU.exe	YRGP.exe
File created	C:\windows\system\LQCHYP.exe	MSRELJA.exe
File created	C:\windows\EPBTJCE.exe.bat	OZAC.exe
File opened for modification	C:\windows\system\GZDG.exe	TTVUBZ.exe
File created	C:\windows\PAESKD.exe	TUTDUHS.exe
File created	C:\windows\VJG.exe	QHC.exe
File created	C:\windows\system\QDZDER.exe.bat	ANYM.exe
File created	C:\windows\system\IHHFIKR.exe	LBXQ.exe
File created	C:\windows\ATDQ.exe.bat	AND.exe
File created	C:\windows\system\DJNEHXR.exe.bat	PDPHS.exe
File created	C:\windows\system\HXMYUN.exe	HBCOKKP.exe
File created	C:\windows\KFEC.exe.bat	XVWL.exe
File created	C:\windows\CGTH.exe	KFEC.exe
File opened for modification	C:\windows\MFTN.exe	BPNNCYU.exe
File created	C:\windows\GRW.exe	DJNEHXR.exe
File created	C:\windows\GRW.exe.bat	DJNEHXR.exe
File opened for modification	C:\windows\system\RCZNG.exe	HFH.exe
File created	C:\windows\ZEJPRU.exe.bat	OQKRMSK.exe
File opened for modification	C:\windows\system\RGQTZ.exe	QDAFKEQ.exe
File created	C:\windows\VWCQRC.exe	YWSOFGZ.exe
File opened for modification	C:\windows\system\XVWL.exe	PPJF.exe
File opened for modification	C:\windows\OYW.exe	TLRQUT.exe
File created	C:\windows\system\HZJR.exe	HWT.exe
File created	C:\windows\system\ZDA.exe.bat	THO.exe
File created	C:\windows\system\WPBBI.exe.bat	MRVGTXY.exe
File opened for modification	C:\windows\XHOMNU.exe	RMPDQ.exe
File created	C:\windows\system\HBCOKKP.exe.bat	RJR.exe
File opened for modification	C:\windows\system\DDGA.exe	IAXBEC.exe
File created	C:\windows\system\THO.exe	FKOBZAL.exe
File opened for modification	C:\windows\OQKRMSK.exe	ETW.exe
File opened for modification	C:\windows\VKYTI.exe	CHU.exe
File created	C:\windows\ZSXZ.exe.bat	PVREM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
520	3336	WerFault.exe	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
916	4016	WerFault.exe	QWWPC.exe
4524	4080	WerFault.exe	HJGHS.exe
2348	2976	WerFault.exe	SMF.exe
1228	3988	WerFault.exe	NAKLH.exe
4908	2964	WerFault.exe	CYYCXUA.exe
4368	212	WerFault.exe	FGG.exe
5004	2124	WerFault.exe	EWSURMD.exe
1604	1644	WerFault.exe	QHC.exe
372	4016	WerFault.exe	VJG.exe
1508	2956	WerFault.exe	UUJWOWX.exe
4388	4436	WerFault.exe	ANYM.exe
2620	1752	WerFault.exe	QDZDER.exe
1156	1632	WerFault.exe	DGQCST.exe
2308	2144	WerFault.exe	JBTVY.exe
4564	4036	WerFault.exe	VMEIHVH.exe
2716	4880	WerFault.exe	HFH.exe
3908	1456	WerFault.exe	RCZNG.exe
3560	452	WerFault.exe	LQEXQEN.exe
2560	3164	WerFault.exe	HVMJS.exe
3024	4032	WerFault.exe	YWSOFGZ.exe
3520	4996	WerFault.exe	VWCQRC.exe
2768	1224	WerFault.exe	OPJBADQ.exe
3128	4400	WerFault.exe	HSV.exe
2780	1400	WerFault.exe	PXA.exe
2816	3620	WerFault.exe	QAJ.exe
2864	1092	WerFault.exe	PLMJJUD.exe
5064	2440	WerFault.exe	XYZPUSH.exe
2076	1212	WerFault.exe	IRU.exe
3192	3272	WerFault.exe	AZI.exe
560	3240	WerFault.exe	PPJF.exe
4792	4628	WerFault.exe	XVWL.exe
3720	1184	WerFault.exe	KFEC.exe
2684	3692	WerFault.exe	CGTH.exe
4428	1624	WerFault.exe	TOVMC.exe
3752	3344	WerFault.exe	EHCXUK.exe
776	1228	WerFault.exe	FKOBZAL.exe
1752	1428	WerFault.exe	THO.exe
4940	2168	WerFault.exe	ZDA.exe
520	3208	WerFault.exe	JAFAWJM.exe
884	2020	WerFault.exe	BDJW.exe
4452	2768	WerFault.exe	LBXQ.exe
452	5024	WerFault.exe	IHHFIKR.exe
996	1644	WerFault.exe	KUMP.exe
4444	1208	WerFault.exe	HVW.exe
5092	2308	WerFault.exe	AND.exe
2780	4264	WerFault.exe	ATDQ.exe
2792	2980	WerFault.exe	DOUA.exe
552	4884	WerFault.exe	CZX.exe
5004	4136	WerFault.exe	PXXCKXM.exe
1916	4308	WerFault.exe	BPNNCYU.exe
432	2408	WerFault.exe	MFTN.exe
4496	2040	WerFault.exe	UVU.exe
3612	5092	WerFault.exe	UYYIS.exe
2336	520	WerFault.exe	RWQXI.exe
2376	4452	WerFault.exe	MRVGTXY.exe
2648	3200	WerFault.exe	WPBBI.exe
4572	2044	WerFault.exe	JNJ.exe
1844	3640	WerFault.exe	UFEF.exe
2028	1396	WerFault.exe	IQUE.exe
116	720	WerFault.exe	SOAQORU.exe
756	2012	WerFault.exe	STAFPWX.exe
908	4272	WerFault.exe	CRGZXFG.exe
744	1364	WerFault.exe	RMPDQ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exeQWWPC.exeHJGHS.exeSMF.exeNAKLH.exeCYYCXUA.exeFGG.exeEWSURMD.exeQHC.exeVJG.exeUUJWOWX.exeANYM.exeQDZDER.exeDGQCST.exeJBTVY.exeVMEIHVH.exeHFH.exeRCZNG.exeLQEXQEN.exeHVMJS.exeYWSOFGZ.exeVWCQRC.exeOPJBADQ.exeHSV.exePXA.exeQAJ.exePLMJJUD.exeXYZPUSH.exeIRU.exeAZI.exePPJF.exeXVWL.exe

pid	process
3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
4016	QWWPC.exe
4016	QWWPC.exe
4080	HJGHS.exe
4080	HJGHS.exe
2976	SMF.exe
2976	SMF.exe
3988	NAKLH.exe
3988	NAKLH.exe
2964	CYYCXUA.exe
2964	CYYCXUA.exe
212	FGG.exe
212	FGG.exe
2124	EWSURMD.exe
2124	EWSURMD.exe
1644	QHC.exe
1644	QHC.exe
4016	VJG.exe
4016	VJG.exe
2956	UUJWOWX.exe
2956	UUJWOWX.exe
4436	ANYM.exe
4436	ANYM.exe
1752	QDZDER.exe
1752	QDZDER.exe
1632	DGQCST.exe
1632	DGQCST.exe
2144	JBTVY.exe
2144	JBTVY.exe
4036	VMEIHVH.exe
4036	VMEIHVH.exe
4880	HFH.exe
4880	HFH.exe
1456	RCZNG.exe
1456	RCZNG.exe
452	LQEXQEN.exe
452	LQEXQEN.exe
3164	HVMJS.exe
3164	HVMJS.exe
4032	YWSOFGZ.exe
4032	YWSOFGZ.exe
4996	VWCQRC.exe
4996	VWCQRC.exe
1224	OPJBADQ.exe
1224	OPJBADQ.exe
4400	HSV.exe
4400	HSV.exe
1400	PXA.exe
1400	PXA.exe
3620	QAJ.exe
3620	QAJ.exe
1092	PLMJJUD.exe
1092	PLMJJUD.exe
2440	XYZPUSH.exe
2440	XYZPUSH.exe
1212	IRU.exe
1212	IRU.exe
3272	AZI.exe
3272	AZI.exe
3240	PPJF.exe
3240	PPJF.exe
4628	XVWL.exe
4628	XVWL.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
4016	QWWPC.exe
4016	QWWPC.exe
4080	HJGHS.exe
4080	HJGHS.exe
2976	SMF.exe
2976	SMF.exe
3988	NAKLH.exe
3988	NAKLH.exe
2964	CYYCXUA.exe
2964	CYYCXUA.exe
212	FGG.exe
212	FGG.exe
2124	EWSURMD.exe
2124	EWSURMD.exe
1644	QHC.exe
1644	QHC.exe
4016	VJG.exe
4016	VJG.exe
2956	UUJWOWX.exe
2956	UUJWOWX.exe
4436	ANYM.exe
4436	ANYM.exe
1752	QDZDER.exe
1752	QDZDER.exe
1632	DGQCST.exe
1632	DGQCST.exe
2144	JBTVY.exe
2144	JBTVY.exe
4036	VMEIHVH.exe
4036	VMEIHVH.exe
4880	HFH.exe
4880	HFH.exe
1456	RCZNG.exe
1456	RCZNG.exe
452	LQEXQEN.exe
452	LQEXQEN.exe
3164	HVMJS.exe
3164	HVMJS.exe
4032	YWSOFGZ.exe
4032	YWSOFGZ.exe
4996	VWCQRC.exe
4996	VWCQRC.exe
1224	OPJBADQ.exe
1224	OPJBADQ.exe
4400	HSV.exe
4400	HSV.exe
1400	PXA.exe
1400	PXA.exe
3620	QAJ.exe
3620	QAJ.exe
1092	PLMJJUD.exe
1092	PLMJJUD.exe
2440	XYZPUSH.exe
2440	XYZPUSH.exe
1212	IRU.exe
1212	IRU.exe
3272	AZI.exe
3272	AZI.exe
3240	PPJF.exe
3240	PPJF.exe
4628	XVWL.exe
4628	XVWL.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.execmd.exeQWWPC.execmd.exeHJGHS.execmd.exeSMF.execmd.exeNAKLH.execmd.exeCYYCXUA.execmd.exeFGG.execmd.exeEWSURMD.execmd.exeQHC.execmd.exeVJG.execmd.exeUUJWOWX.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 2608	3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 3336 wrote to memory of 2608	3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 3336 wrote to memory of 2608	3336	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 2608 wrote to memory of 4016	2608	cmd.exe	QWWPC.exe
PID 2608 wrote to memory of 4016	2608	cmd.exe	QWWPC.exe
PID 2608 wrote to memory of 4016	2608	cmd.exe	QWWPC.exe
PID 4016 wrote to memory of 4240	4016	QWWPC.exe	cmd.exe
PID 4016 wrote to memory of 4240	4016	QWWPC.exe	cmd.exe
PID 4016 wrote to memory of 4240	4016	QWWPC.exe	cmd.exe
PID 4240 wrote to memory of 4080	4240	cmd.exe	HJGHS.exe
PID 4240 wrote to memory of 4080	4240	cmd.exe	HJGHS.exe
PID 4240 wrote to memory of 4080	4240	cmd.exe	HJGHS.exe
PID 4080 wrote to memory of 3260	4080	HJGHS.exe	cmd.exe
PID 4080 wrote to memory of 3260	4080	HJGHS.exe	cmd.exe
PID 4080 wrote to memory of 3260	4080	HJGHS.exe	cmd.exe
PID 3260 wrote to memory of 2976	3260	cmd.exe	SMF.exe
PID 3260 wrote to memory of 2976	3260	cmd.exe	SMF.exe
PID 3260 wrote to memory of 2976	3260	cmd.exe	SMF.exe
PID 2976 wrote to memory of 3200	2976	SMF.exe	cmd.exe
PID 2976 wrote to memory of 3200	2976	SMF.exe	cmd.exe
PID 2976 wrote to memory of 3200	2976	SMF.exe	cmd.exe
PID 3200 wrote to memory of 3988	3200	cmd.exe	NAKLH.exe
PID 3200 wrote to memory of 3988	3200	cmd.exe	NAKLH.exe
PID 3200 wrote to memory of 3988	3200	cmd.exe	NAKLH.exe
PID 3988 wrote to memory of 4476	3988	NAKLH.exe	cmd.exe
PID 3988 wrote to memory of 4476	3988	NAKLH.exe	cmd.exe
PID 3988 wrote to memory of 4476	3988	NAKLH.exe	cmd.exe
PID 4476 wrote to memory of 2964	4476	cmd.exe	CYYCXUA.exe
PID 4476 wrote to memory of 2964	4476	cmd.exe	CYYCXUA.exe
PID 4476 wrote to memory of 2964	4476	cmd.exe	CYYCXUA.exe
PID 2964 wrote to memory of 4564	2964	CYYCXUA.exe	cmd.exe
PID 2964 wrote to memory of 4564	2964	CYYCXUA.exe	cmd.exe
PID 2964 wrote to memory of 4564	2964	CYYCXUA.exe	cmd.exe
PID 4564 wrote to memory of 212	4564	cmd.exe	FGG.exe
PID 4564 wrote to memory of 212	4564	cmd.exe	FGG.exe
PID 4564 wrote to memory of 212	4564	cmd.exe	FGG.exe
PID 212 wrote to memory of 1752	212	FGG.exe	cmd.exe
PID 212 wrote to memory of 1752	212	FGG.exe	cmd.exe
PID 212 wrote to memory of 1752	212	FGG.exe	cmd.exe
PID 1752 wrote to memory of 2124	1752	cmd.exe	EWSURMD.exe
PID 1752 wrote to memory of 2124	1752	cmd.exe	EWSURMD.exe
PID 1752 wrote to memory of 2124	1752	cmd.exe	EWSURMD.exe
PID 2124 wrote to memory of 1560	2124	EWSURMD.exe	cmd.exe
PID 2124 wrote to memory of 1560	2124	EWSURMD.exe	cmd.exe
PID 2124 wrote to memory of 1560	2124	EWSURMD.exe	cmd.exe
PID 1560 wrote to memory of 1644	1560	cmd.exe	QHC.exe
PID 1560 wrote to memory of 1644	1560	cmd.exe	QHC.exe
PID 1560 wrote to memory of 1644	1560	cmd.exe	QHC.exe
PID 1644 wrote to memory of 4240	1644	QHC.exe	cmd.exe
PID 1644 wrote to memory of 4240	1644	QHC.exe	cmd.exe
PID 1644 wrote to memory of 4240	1644	QHC.exe	cmd.exe
PID 4240 wrote to memory of 4016	4240	cmd.exe	VJG.exe
PID 4240 wrote to memory of 4016	4240	cmd.exe	VJG.exe
PID 4240 wrote to memory of 4016	4240	cmd.exe	VJG.exe
PID 4016 wrote to memory of 2684	4016	VJG.exe	cmd.exe
PID 4016 wrote to memory of 2684	4016	VJG.exe	cmd.exe
PID 4016 wrote to memory of 2684	4016	VJG.exe	cmd.exe
PID 2684 wrote to memory of 2956	2684	cmd.exe	UUJWOWX.exe
PID 2684 wrote to memory of 2956	2684	cmd.exe	UUJWOWX.exe
PID 2684 wrote to memory of 2956	2684	cmd.exe	UUJWOWX.exe
PID 2956 wrote to memory of 5092	2956	UUJWOWX.exe	cmd.exe
PID 2956 wrote to memory of 5092	2956	UUJWOWX.exe	cmd.exe
PID 2956 wrote to memory of 5092	2956	UUJWOWX.exe	cmd.exe
PID 5092 wrote to memory of 4436	5092	cmd.exe	ANYM.exe

C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QWWPC.exe.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\windows\QWWPC.exe
C:\windows\QWWPC.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HJGHS.exe.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\windows\HJGHS.exe
C:\windows\HJGHS.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMF.exe.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\windows\SysWOW64\SMF.exe
C:\windows\system32\SMF.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NAKLH.exe.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\windows\SysWOW64\NAKLH.exe
C:\windows\system32\NAKLH.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYYCXUA.exe.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\windows\SysWOW64\CYYCXUA.exe
C:\windows\system32\CYYCXUA.exe
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FGG.exe.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\windows\FGG.exe
C:\windows\FGG.exe
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EWSURMD.exe.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\windows\EWSURMD.exe
C:\windows\EWSURMD.exe
15⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QHC.exe.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\windows\system\QHC.exe
C:\windows\system\QHC.exe
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VJG.exe.bat" "
18⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\windows\VJG.exe
C:\windows\VJG.exe
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UUJWOWX.exe.bat" "
20⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\windows\UUJWOWX.exe
C:\windows\UUJWOWX.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANYM.exe.bat" "
22⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\windows\SysWOW64\ANYM.exe
C:\windows\system32\ANYM.exe
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QDZDER.exe.bat" "
24⤵
PID:944

C:\windows\system\QDZDER.exe
C:\windows\system\QDZDER.exe
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DGQCST.exe.bat" "
26⤵
PID:3616

C:\windows\DGQCST.exe
C:\windows\DGQCST.exe
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBTVY.exe.bat" "
28⤵
PID:3560

C:\windows\system\JBTVY.exe
C:\windows\system\JBTVY.exe
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VMEIHVH.exe.bat" "
30⤵
PID:4988

C:\windows\VMEIHVH.exe
C:\windows\VMEIHVH.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFH.exe.bat" "
32⤵
PID:4408

C:\windows\SysWOW64\HFH.exe
C:\windows\system32\HFH.exe
33⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RCZNG.exe.bat" "
34⤵
PID:4904

C:\windows\system\RCZNG.exe
C:\windows\system\RCZNG.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQEXQEN.exe.bat" "
36⤵
PID:2076

C:\windows\SysWOW64\LQEXQEN.exe
C:\windows\system32\LQEXQEN.exe
37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HVMJS.exe.bat" "
38⤵
PID:3612

C:\windows\system\HVMJS.exe
C:\windows\system\HVMJS.exe
39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YWSOFGZ.exe.bat" "
40⤵
PID:5032

C:\windows\YWSOFGZ.exe
C:\windows\YWSOFGZ.exe
41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VWCQRC.exe.bat" "
42⤵
PID:3244

C:\windows\VWCQRC.exe
C:\windows\VWCQRC.exe
43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OPJBADQ.exe.bat" "
44⤵
PID:2052

C:\windows\OPJBADQ.exe
C:\windows\OPJBADQ.exe
45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSV.exe.bat" "
46⤵
PID:1120

C:\windows\SysWOW64\HSV.exe
C:\windows\system32\HSV.exe
47⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXA.exe.bat" "
48⤵
PID:2044

C:\windows\SysWOW64\PXA.exe
C:\windows\system32\PXA.exe
49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QAJ.exe.bat" "
50⤵
PID:1772

C:\windows\SysWOW64\QAJ.exe
C:\windows\system32\QAJ.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLMJJUD.exe.bat" "
52⤵
PID:2980

C:\windows\SysWOW64\PLMJJUD.exe
C:\windows\system32\PLMJJUD.exe
53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XYZPUSH.exe.bat" "
54⤵
PID:2380

C:\windows\XYZPUSH.exe
C:\windows\XYZPUSH.exe
55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IRU.exe.bat" "
56⤵
PID:4440

C:\windows\IRU.exe
C:\windows\IRU.exe
57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AZI.exe.bat" "
58⤵
PID:1328

C:\windows\system\AZI.exe
C:\windows\system\AZI.exe
59⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPJF.exe.bat" "
60⤵
PID:4136

C:\windows\system\PPJF.exe
C:\windows\system\PPJF.exe
61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVWL.exe.bat" "
62⤵
PID:1636

C:\windows\system\XVWL.exe
C:\windows\system\XVWL.exe
63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KFEC.exe.bat" "
64⤵
PID:4400

C:\windows\KFEC.exe
C:\windows\KFEC.exe
65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGTH.exe.bat" "
66⤵
PID:4940

C:\windows\CGTH.exe
C:\windows\CGTH.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOVMC.exe.bat" "
68⤵
PID:2560

C:\windows\system\TOVMC.exe
C:\windows\system\TOVMC.exe
69⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EHCXUK.exe.bat" "
70⤵
PID:884

C:\windows\system\EHCXUK.exe
C:\windows\system\EHCXUK.exe
71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FKOBZAL.exe.bat" "
72⤵
PID:3504

C:\windows\SysWOW64\FKOBZAL.exe
C:\windows\system32\FKOBZAL.exe
73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\THO.exe.bat" "
74⤵
PID:1220

C:\windows\system\THO.exe
C:\windows\system\THO.exe
75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZDA.exe.bat" "
76⤵
PID:1040

C:\windows\system\ZDA.exe
C:\windows\system\ZDA.exe
77⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAFAWJM.exe.bat" "
78⤵
PID:3864

C:\windows\SysWOW64\JAFAWJM.exe
C:\windows\system32\JAFAWJM.exe
79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDJW.exe.bat" "
80⤵
PID:432

C:\windows\system\BDJW.exe
C:\windows\system\BDJW.exe
81⤵
- Checks computer location settings
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBXQ.exe.bat" "
82⤵
PID:3692

C:\windows\SysWOW64\LBXQ.exe
C:\windows\system32\LBXQ.exe
83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IHHFIKR.exe.bat" "
84⤵
PID:4024

C:\windows\system\IHHFIKR.exe
C:\windows\system\IHHFIKR.exe
85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUMP.exe.bat" "
86⤵
PID:1604

C:\windows\SysWOW64\KUMP.exe
C:\windows\system32\KUMP.exe
87⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVW.exe.bat" "
88⤵
PID:3348

C:\windows\SysWOW64\HVW.exe
C:\windows\system32\HVW.exe
89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AND.exe.bat" "
90⤵
PID:2788

C:\windows\AND.exe
C:\windows\AND.exe
91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ATDQ.exe.bat" "
92⤵
PID:4708

C:\windows\ATDQ.exe
C:\windows\ATDQ.exe
93⤵
- Executes dropped EXE
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOUA.exe.bat" "
94⤵
PID:1328

C:\windows\system\DOUA.exe
C:\windows\system\DOUA.exe
95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CZX.exe.bat" "
96⤵
PID:3512

C:\windows\SysWOW64\CZX.exe
C:\windows\system32\CZX.exe
97⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXCKXM.exe.bat" "
98⤵
PID:4772

C:\windows\SysWOW64\PXXCKXM.exe
C:\windows\system32\PXXCKXM.exe
99⤵
- Checks computer location settings
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BPNNCYU.exe.bat" "
100⤵
PID:4612

C:\windows\BPNNCYU.exe
C:\windows\BPNNCYU.exe
101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MFTN.exe.bat" "
102⤵
PID:3348

C:\windows\MFTN.exe
C:\windows\MFTN.exe
103⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVU.exe.bat" "
104⤵
PID:1844

C:\windows\SysWOW64\UVU.exe
C:\windows\system32\UVU.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UYYIS.exe.bat" "
106⤵
PID:1208

C:\windows\system\UYYIS.exe
C:\windows\system\UYYIS.exe
107⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWQXI.exe.bat" "
108⤵
PID:3084

C:\windows\SysWOW64\RWQXI.exe
C:\windows\system32\RWQXI.exe
109⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MRVGTXY.exe.bat" "
110⤵
PID:1852

C:\windows\system\MRVGTXY.exe
C:\windows\system\MRVGTXY.exe
111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WPBBI.exe.bat" "
112⤵
PID:1212

C:\windows\system\WPBBI.exe
C:\windows\system\WPBBI.exe
113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNJ.exe.bat" "
114⤵
PID:744

C:\windows\SysWOW64\JNJ.exe
C:\windows\system32\JNJ.exe
115⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UFEF.exe.bat" "
116⤵
PID:3736

C:\windows\system\UFEF.exe
C:\windows\system\UFEF.exe
117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQUE.exe.bat" "
118⤵
PID:4476

C:\windows\SysWOW64\IQUE.exe
C:\windows\system32\IQUE.exe
119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOAQORU.exe.bat" "
120⤵
PID:2144

C:\windows\SysWOW64\SOAQORU.exe
C:\windows\system32\SOAQORU.exe
121⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\STAFPWX.exe.bat" "
122⤵
PID:884

C:\windows\system\STAFPWX.exe
C:\windows\system\STAFPWX.exe
123⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "
124⤵
PID:1504

C:\windows\SysWOW64\CRGZXFG.exe
C:\windows\system32\CRGZXFG.exe
125⤵
- Executes dropped EXE
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RMPDQ.exe.bat" "
126⤵
PID:3908

C:\windows\RMPDQ.exe
C:\windows\RMPDQ.exe
127⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XHOMNU.exe.bat" "
128⤵
PID:1732

C:\windows\XHOMNU.exe
C:\windows\XHOMNU.exe
129⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPVMZ.exe.bat" "
130⤵
PID:5068

C:\windows\system\BPVMZ.exe
C:\windows\system\BPVMZ.exe
131⤵
- Drops file in Windows directory
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNIHOVB.exe.bat" "
132⤵
PID:4840

C:\windows\system\DNIHOVB.exe
C:\windows\system\DNIHOVB.exe
133⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDPHS.exe.bat" "
134⤵
PID:1448

C:\windows\SysWOW64\PDPHS.exe
C:\windows\system32\PDPHS.exe
135⤵
- Drops file in Windows directory
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DJNEHXR.exe.bat" "
136⤵
PID:3520

C:\windows\system\DJNEHXR.exe
C:\windows\system\DJNEHXR.exe
137⤵
- Drops file in Windows directory
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GRW.exe.bat" "
138⤵
PID:3884

C:\windows\GRW.exe
C:\windows\GRW.exe
139⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TUAZUJH.exe.bat" "
140⤵
PID:2400

C:\windows\TUAZUJH.exe
C:\windows\TUAZUJH.exe
141⤵
- Checks computer location settings
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHEFEH.exe.bat" "
142⤵
PID:1216

C:\windows\system\BHEFEH.exe
C:\windows\system\BHEFEH.exe
143⤵
- Drops file in System32 directory
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIMT.exe.bat" "
144⤵
PID:3348

C:\windows\SysWOW64\ZIMT.exe
C:\windows\system32\ZIMT.exe
145⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSX.exe.bat" "
146⤵
PID:5052

C:\windows\system\YSX.exe
C:\windows\system\YSX.exe
147⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ETW.exe.bat" "
148⤵
PID:5032

C:\windows\ETW.exe
C:\windows\ETW.exe
149⤵
- Drops file in Windows directory
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OQKRMSK.exe.bat" "
150⤵
PID:3620

C:\windows\OQKRMSK.exe
C:\windows\OQKRMSK.exe
151⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZEJPRU.exe.bat" "
152⤵
PID:748

C:\windows\ZEJPRU.exe
C:\windows\ZEJPRU.exe
153⤵
- Drops file in Windows directory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OZAC.exe.bat" "
154⤵
PID:3748

C:\windows\OZAC.exe
C:\windows\OZAC.exe
155⤵
- Drops file in Windows directory
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EPBTJCE.exe.bat" "
156⤵
PID:3556

C:\windows\EPBTJCE.exe
C:\windows\EPBTJCE.exe
157⤵
- Checks computer location settings
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MVGAUAZ.exe.bat" "
158⤵
PID:4408

C:\windows\system\MVGAUAZ.exe
C:\windows\system\MVGAUAZ.exe
159⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLNI.exe.bat" "
160⤵
PID:3336

C:\windows\SysWOW64\QLNI.exe
C:\windows\system32\QLNI.exe
161⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JDCT.exe.bat" "
162⤵
PID:2568

C:\windows\JDCT.exe
C:\windows\JDCT.exe
163⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EQHCAT.exe.bat" "
164⤵
PID:4024

C:\windows\EQHCAT.exe
C:\windows\EQHCAT.exe
165⤵
- Drops file in Windows directory
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CWOXF.exe.bat" "
166⤵
PID:1748

C:\windows\CWOXF.exe
C:\windows\CWOXF.exe
167⤵
- Drops file in System32 directory
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUUI.exe.bat" "
168⤵
PID:4076

C:\windows\SysWOW64\BUUI.exe
C:\windows\system32\BUUI.exe
169⤵
- Drops file in Windows directory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CXLWG.exe.bat" "
170⤵
PID:2300

C:\windows\system\CXLWG.exe
C:\windows\system\CXLWG.exe
171⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "
172⤵
PID:3336

C:\windows\system\WKIFQPT.exe
C:\windows\system\WKIFQPT.exe
173⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TLRQUT.exe.bat" "
174⤵
PID:2480

C:\windows\TLRQUT.exe
C:\windows\TLRQUT.exe
175⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OYW.exe.bat" "
176⤵
PID:4840

C:\windows\OYW.exe
C:\windows\OYW.exe
177⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGDZQLN.exe.bat" "
178⤵
PID:2348

C:\windows\system\ZGDZQLN.exe
C:\windows\system\ZGDZQLN.exe
179⤵
- Drops file in Windows directory
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YRGP.exe.bat" "
180⤵
PID:1264

C:\windows\YRGP.exe
C:\windows\YRGP.exe
181⤵
- Drops file in Windows directory
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHU.exe.bat" "
182⤵
PID:1328

C:\windows\system\CHU.exe
C:\windows\system\CHU.exe
183⤵
- Checks computer location settings
- Drops file in Windows directory
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VKYTI.exe.bat" "
184⤵
PID:2240

C:\windows\VKYTI.exe
C:\windows\VKYTI.exe
185⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFCPWPI.exe.bat" "
186⤵
PID:4428

C:\windows\system\VFCPWPI.exe
C:\windows\system\VFCPWPI.exe
187⤵
- Drops file in Windows directory
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JQKNKAD.exe.bat" "
188⤵
PID:1184

C:\windows\JQKNKAD.exe
C:\windows\JQKNKAD.exe
189⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGLN.exe.bat" "
190⤵
PID:2308

C:\windows\SysWOW64\YGLN.exe
C:\windows\system32\YGLN.exe
191⤵
- Checks computer location settings
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IEZ.exe.bat" "
192⤵
PID:3864

C:\windows\IEZ.exe
C:\windows\IEZ.exe
193⤵
- Checks computer location settings
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHDDE.exe.bat" "
194⤵
PID:1224

C:\windows\system\BHDDE.exe
C:\windows\system\BHDDE.exe
195⤵
- Checks computer location settings
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFIX.exe.bat" "
196⤵
PID:884

C:\windows\SysWOW64\LFIX.exe
C:\windows\system32\LFIX.exe
197⤵
- Drops file in System32 directory
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WXYIC.exe.bat" "
198⤵
PID:1800

C:\windows\SysWOW64\WXYIC.exe
C:\windows\system32\WXYIC.exe
199⤵
- Checks computer location settings
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFGXKP.exe.bat" "
200⤵
PID:840

C:\windows\system\ZFGXKP.exe
C:\windows\system\ZFGXKP.exe
201⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XQJ.exe.bat" "
202⤵
PID:4572

C:\windows\SysWOW64\XQJ.exe
C:\windows\system32\XQJ.exe
203⤵
- Drops file in System32 directory
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RJR.exe.bat" "
204⤵
PID:220

C:\windows\SysWOW64\RJR.exe
C:\windows\system32\RJR.exe
205⤵
- Drops file in Windows directory
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBCOKKP.exe.bat" "
206⤵
PID:4880

C:\windows\system\HBCOKKP.exe
C:\windows\system\HBCOKKP.exe
207⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HXMYUN.exe.bat" "
208⤵
PID:1788

C:\windows\system\HXMYUN.exe
C:\windows\system\HXMYUN.exe
209⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JZWFEJ.exe.bat" "
210⤵
PID:388

C:\windows\JZWFEJ.exe
C:\windows\JZWFEJ.exe
211⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZIE.exe.bat" "
212⤵
PID:884

C:\windows\system\ZIE.exe
C:\windows\system\ZIE.exe
213⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SDQDRSF.exe.bat" "
214⤵
PID:3244

C:\windows\SDQDRSF.exe
C:\windows\SDQDRSF.exe
215⤵
- Drops file in Windows directory
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SGG.exe.bat" "
216⤵
PID:3544

C:\windows\SGG.exe
C:\windows\SGG.exe
217⤵
- Checks computer location settings
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PLEOV.exe.bat" "
218⤵
PID:4620

C:\windows\PLEOV.exe
C:\windows\PLEOV.exe
219⤵
- Drops file in System32 directory
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMOQ.exe.bat" "
220⤵
PID:4408

C:\windows\SysWOW64\MMOQ.exe
C:\windows\system32\MMOQ.exe
221⤵
- Drops file in System32 directory
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QUUYLA.exe.bat" "
222⤵
PID:3888

C:\windows\SysWOW64\QUUYLA.exe
C:\windows\system32\QUUYLA.exe
223⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UVWAPWP.exe.bat" "
224⤵
PID:908

C:\windows\UVWAPWP.exe
C:\windows\UVWAPWP.exe
225⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NYIW.exe.bat" "
226⤵
PID:4296

C:\windows\system\NYIW.exe
C:\windows\system\NYIW.exe
227⤵
- Drops file in System32 directory
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CTSINGZ.exe.bat" "
228⤵
PID:1872

C:\windows\SysWOW64\CTSINGZ.exe
C:\windows\system32\CTSINGZ.exe
229⤵
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTGGAXC.exe.bat" "
230⤵
PID:4132

C:\windows\SysWOW64\UTGGAXC.exe
C:\windows\system32\UTGGAXC.exe
231⤵
- Checks computer location settings
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOXGE.exe.bat" "
232⤵
PID:960

C:\windows\system\AOXGE.exe
C:\windows\system\AOXGE.exe
233⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWMMJ.exe.bat" "
234⤵
PID:4784

C:\windows\system\RWMMJ.exe
C:\windows\system\RWMMJ.exe
235⤵
- Drops file in System32 directory
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "
236⤵
PID:1428

C:\windows\SysWOW64\BUZ.exe
C:\windows\system32\BUZ.exe
237⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WIEPJ.exe.bat" "
238⤵
PID:2172

C:\windows\WIEPJ.exe
C:\windows\WIEPJ.exe
239⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ISTVT.exe.bat" "
240⤵
PID:4740

C:\windows\SysWOW64\ISTVT.exe
C:\windows\system32\ISTVT.exe
241⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGS.exe.bat" "
242⤵
PID:4728

C:\windows\SysWOW64\OGS.exe
C:\windows\system32\OGS.exe
243⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLRS.exe.bat" "
244⤵
PID:2552

C:\windows\system\JLRS.exe
C:\windows\system\JLRS.exe
245⤵
- Drops file in System32 directory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPDVXZ.exe.bat" "
246⤵
PID:4272

C:\windows\SysWOW64\KPDVXZ.exe
C:\windows\system32\KPDVXZ.exe
247⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BXJTKQ.exe.bat" "
248⤵
PID:2792

C:\windows\BXJTKQ.exe
C:\windows\BXJTKQ.exe
249⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PVREM.exe.bat" "
250⤵
PID:1636

C:\windows\PVREM.exe
C:\windows\PVREM.exe
251⤵
- Drops file in Windows directory
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZSXZ.exe.bat" "
252⤵
PID:916

C:\windows\ZSXZ.exe
C:\windows\ZSXZ.exe
253⤵
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HGJF.exe.bat" "
254⤵
PID:1788

C:\windows\SysWOW64\HGJF.exe
C:\windows\system32\HGJF.exe
255⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTNG.exe.bat" "
256⤵
PID:4588

C:\windows\SysWOW64\NTNG.exe
C:\windows\system32\NTNG.exe
257⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TTVUBZ.exe.bat" "
258⤵
PID:2816

C:\windows\TTVUBZ.exe
C:\windows\TTVUBZ.exe
259⤵
- Drops file in Windows directory
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GZDG.exe.bat" "
260⤵
PID:440

C:\windows\system\GZDG.exe
C:\windows\system\GZDG.exe
261⤵
- Drops file in System32 directory
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKLW.exe.bat" "
262⤵
PID:1856

C:\windows\SysWOW64\TKLW.exe
C:\windows\system32\TKLW.exe
263⤵
- Drops file in Windows directory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LKACD.exe.bat" "
264⤵
PID:1172

C:\windows\LKACD.exe
C:\windows\LKACD.exe
265⤵
- Drops file in Windows directory
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RGZCI.exe.bat" "
266⤵
PID:1600

C:\windows\RGZCI.exe
C:\windows\RGZCI.exe
267⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RJP.exe.bat" "
268⤵
PID:1732

C:\windows\RJP.exe
C:\windows\RJP.exe
269⤵
- Drops file in System32 directory
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJXM.exe.bat" "
270⤵
PID:4428

C:\windows\SysWOW64\XJXM.exe
C:\windows\system32\XJXM.exe
271⤵
- Checks computer location settings
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WUZ.exe.bat" "
272⤵
PID:2164

C:\windows\WUZ.exe
C:\windows\WUZ.exe
273⤵
- Drops file in System32 directory
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCIR.exe.bat" "
274⤵
PID:2436

C:\windows\SysWOW64\RCIR.exe
C:\windows\system32\RCIR.exe
275⤵
- Drops file in System32 directory
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ENE.exe.bat" "
276⤵
PID:956

C:\windows\SysWOW64\ENE.exe
C:\windows\system32\ENE.exe
277⤵
- Drops file in Windows directory
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MSRELJA.exe.bat" "
278⤵
PID:3316

C:\windows\MSRELJA.exe
C:\windows\MSRELJA.exe
279⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQCHYP.exe.bat" "
280⤵
PID:1172

C:\windows\system\LQCHYP.exe
C:\windows\system\LQCHYP.exe
281⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEJFDQ.exe.bat" "
282⤵
PID:4544

C:\windows\SysWOW64\EEJFDQ.exe
C:\windows\system32\EEJFDQ.exe
283⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KERS.exe.bat" "
284⤵
PID:4440

C:\windows\SysWOW64\KERS.exe
C:\windows\system32\KERS.exe
285⤵
- Checks computer location settings
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HWT.exe.bat" "
286⤵
PID:4748

C:\windows\HWT.exe
C:\windows\HWT.exe
287⤵
- Drops file in Windows directory
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HZJR.exe.bat" "
288⤵
PID:3212

C:\windows\system\HZJR.exe
C:\windows\system\HZJR.exe
289⤵
- Checks computer location settings
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RXW.exe.bat" "
290⤵
PID:2568

C:\windows\SysWOW64\RXW.exe
C:\windows\system32\RXW.exe
291⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAAHH.exe.bat" "
292⤵
PID:4072

C:\windows\system\KAAHH.exe
C:\windows\system\KAAHH.exe
293⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WDLUQJE.exe.bat" "
294⤵
PID:4536

C:\windows\system\WDLUQJE.exe
C:\windows\system\WDLUQJE.exe
295⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CDSI.exe.bat" "
296⤵
PID:916

C:\windows\SysWOW64\CDSI.exe
C:\windows\system32\CDSI.exe
297⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ORR.exe.bat" "
298⤵
PID:4760

C:\windows\ORR.exe
C:\windows\ORR.exe
299⤵
- Checks computer location settings
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SXK.exe.bat" "
300⤵
PID:1552

C:\windows\system\SXK.exe
C:\windows\system\SXK.exe
301⤵
- Checks computer location settings
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BFMIY.exe.bat" "
302⤵
PID:2648

C:\windows\system\BFMIY.exe
C:\windows\system\BFMIY.exe
303⤵
- Checks computer location settings
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IAXBEC.exe.bat" "
304⤵
PID:552

C:\windows\IAXBEC.exe
C:\windows\IAXBEC.exe
305⤵
- Drops file in Windows directory
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDGA.exe.bat" "
306⤵
PID:4848

C:\windows\system\DDGA.exe
C:\windows\system\DDGA.exe
307⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\STTRIMS.exe.bat" "
308⤵
PID:1668

C:\windows\SysWOW64\STTRIMS.exe
C:\windows\system32\STTRIMS.exe
309⤵
- Checks computer location settings
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AGGYTK.exe.bat" "
310⤵
PID:840

C:\windows\AGGYTK.exe
C:\windows\AGGYTK.exe
311⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUTDUHS.exe.bat" "
312⤵
PID:4556

C:\windows\SysWOW64\TUTDUHS.exe
C:\windows\system32\TUTDUHS.exe
313⤵
- Drops file in Windows directory
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PAESKD.exe.bat" "
314⤵
PID:4932

C:\windows\PAESKD.exe
C:\windows\PAESKD.exe
315⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DQTYV.exe.bat" "
316⤵
PID:2768

C:\windows\DQTYV.exe
C:\windows\DQTYV.exe
317⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RTC.exe.bat" "
318⤵
PID:4308

C:\windows\RTC.exe
C:\windows\RTC.exe
319⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BQP.exe.bat" "
320⤵
PID:2972

C:\windows\SysWOW64\BQP.exe
C:\windows\system32\BQP.exe
321⤵
- Checks computer location settings
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HMTK.exe.bat" "
322⤵
PID:2568

C:\windows\HMTK.exe
C:\windows\HMTK.exe
323⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJGELCX.exe.bat" "
324⤵
PID:4596

C:\windows\system\RJGELCX.exe
C:\windows\system\RJGELCX.exe
325⤵
- Drops file in System32 directory
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LXLO.exe.bat" "
326⤵
PID:844

C:\windows\SysWOW64\LXLO.exe
C:\windows\system32\LXLO.exe
327⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONYD.exe.bat" "
328⤵
PID:2308

C:\windows\system\ONYD.exe
C:\windows\system\ONYD.exe
329⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QDAFKEQ.exe.bat" "
330⤵
PID:4896

C:\windows\QDAFKEQ.exe
C:\windows\QDAFKEQ.exe
331⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RGQTZ.exe.bat" "
332⤵
PID:1368

C:\windows\system\RGQTZ.exe
C:\windows\system\RGQTZ.exe
333⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WBW.exe.bat" "
334⤵
PID:4452

C:\windows\system\WBW.exe
C:\windows\system\WBW.exe
335⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOGA.exe.bat" "
336⤵
PID:1932

C:\windows\NOGA.exe
C:\windows\NOGA.exe
337⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YCNYU.exe.bat" "
338⤵
PID:3356

C:\windows\YCNYU.exe
C:\windows\YCNYU.exe
339⤵
- Drops file in System32 directory
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHE.exe.bat" "
340⤵
PID:1488

C:\windows\SysWOW64\OHE.exe
C:\windows\system32\OHE.exe
341⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFL.exe.bat" "
342⤵
PID:2936

C:\windows\system\FFL.exe
C:\windows\system\FFL.exe
343⤵
- Drops file in System32 directory
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYNKEKM.exe.bat" "
344⤵
PID:4756

C:\windows\SysWOW64\CYNKEKM.exe
C:\windows\system32\CYNKEKM.exe
345⤵
- Drops file in Windows directory
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VQCVNLU.exe.bat" "
346⤵
PID:1960

C:\windows\VQCVNLU.exe
C:\windows\VQCVNLU.exe
347⤵
- Drops file in System32 directory
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEHKYJQ.exe.bat" "
348⤵
PID:2480

C:\windows\SysWOW64\DEHKYJQ.exe
C:\windows\system32\DEHKYJQ.exe
349⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HHFXY.exe.bat" "
350⤵
PID:1932

C:\windows\HHFXY.exe
C:\windows\HHFXY.exe
351⤵
- Drops file in System32 directory
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPGU.exe.bat" "
352⤵
PID:1228

C:\windows\SysWOW64\HPGU.exe
C:\windows\system32\HPGU.exe
353⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKD.exe.bat" "
354⤵
PID:4588

C:\windows\system\OKD.exe
C:\windows\system\OKD.exe
355⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 988
354⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1320
352⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1324
350⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1300
348⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1324
346⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1328
344⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1336
342⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1000
340⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1296
338⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 988
336⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 960
334⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1336
332⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1296
330⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1336
328⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1328
326⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1316
324⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1324
322⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1240
320⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1296
318⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 988
316⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1304
314⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1312
312⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 960
310⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1308
308⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 976
306⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1296
304⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1336
302⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 960
300⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1304
298⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1308
296⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1304
294⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1336
292⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 960
290⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 960
288⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1324
286⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1240
284⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1328
282⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1316
280⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1304
278⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1260
276⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1328
274⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 988
272⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1328
270⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1324
268⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1304
266⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1236
264⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1004
262⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1004
260⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1324
258⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 960
256⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1272
254⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1236
252⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1324
250⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1304
248⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1328
246⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1304
244⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1260
242⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1268
240⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1304
238⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1328
236⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1336
234⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 976
232⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1328
230⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1308
228⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 960
226⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1296
224⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1328
222⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 960
220⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1324
218⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1316
216⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960
214⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1316
212⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1324
210⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 960
208⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1336
206⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1004
204⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1328
202⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1336
200⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1308
198⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1328
196⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1336
194⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1296
192⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1264
190⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1304
188⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1248
186⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 960
184⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1336
182⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1324
180⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1316
178⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 960
176⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 988
174⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1336
172⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1336
170⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 960
168⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1308
166⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1324
164⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1324
162⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1328
160⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1316
158⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1324
156⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 960
154⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 960
152⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296
150⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1300
148⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1272
146⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 960
144⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 960
142⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 988
140⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 960
138⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1316
136⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1328
134⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1336
132⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1336
130⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 960
128⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1252
126⤵
- Program crash
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1308
124⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 988
122⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1296
120⤵
- Program crash
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1240
118⤵
- Program crash
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1336
116⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1292
114⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 960
112⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 1336
110⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1308
108⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1316
106⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1300
104⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1324
102⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1296
100⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 960
98⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1232
96⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1296
94⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1004
92⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1292
90⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 960
88⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 960
86⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1304
84⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 960
82⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1336
80⤵
- Program crash
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 960
78⤵
- Program crash
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1336
76⤵
- Program crash
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1004
74⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 960
72⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1336
70⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1336
68⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1324
66⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1324
64⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1248
62⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 960
60⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1000
58⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1004
56⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1268
54⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1328
52⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1300
50⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1344
48⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1328
46⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1324
44⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 988
42⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1256
40⤵
- Program crash
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1336
38⤵
- Program crash
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1328
36⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 968
34⤵
- Program crash
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1300
32⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1304
30⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1004
28⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 960
26⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1316
24⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 960
22⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1324
20⤵
- Program crash
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 960
18⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 960
16⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1304
14⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1004
12⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 960
10⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1308
8⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 960
6⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 844
4⤵
- Program crash
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 948
2⤵
- Program crash
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3336 -ip 3336
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4016 -ip 4016
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4080 -ip 4080
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2976 -ip 2976
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3988 -ip 3988
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2964 -ip 2964
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2124 -ip 2124
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1644 -ip 1644
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4016 -ip 4016
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2956 -ip 2956
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4436 -ip 4436
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1752 -ip 1752
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1632 -ip 1632
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2144 -ip 2144
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4036 -ip 4036
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4880 -ip 4880
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1456 -ip 1456
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 452 -ip 452
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3164 -ip 3164
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4032 -ip 4032
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4996 -ip 4996
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1224 -ip 1224
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4400 -ip 4400
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1400 -ip 1400
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3620 -ip 3620
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1092 -ip 1092
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2440 -ip 2440
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1212 -ip 1212
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3272 -ip 3272
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3240 -ip 3240
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4628 -ip 4628
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1184 -ip 1184
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3692 -ip 3692
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1624 -ip 1624
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3344 -ip 3344
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1228 -ip 1228
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1428 -ip 1428
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2168 -ip 2168
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3208 -ip 3208
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2020 -ip 2020
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2768 -ip 2768
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5024 -ip 5024
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1644 -ip 1644
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1208 -ip 1208
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2308 -ip 2308
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4264 -ip 4264
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2980 -ip 2980
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4884 -ip 4884
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4136 -ip 4136
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2408 -ip 2408
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2040 -ip 2040
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5092 -ip 5092
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 520 -ip 520
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4452 -ip 4452
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3200 -ip 3200
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2044 -ip 2044
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3640 -ip 3640
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1396 -ip 1396
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 720 -ip 720
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2012 -ip 2012
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4272 -ip 4272
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1364 -ip 1364
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4384 -ip 4384
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3808 -ip 3808
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 3904
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1928 -ip 1928
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3748 -ip 3748
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3324 -ip 3324
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4596 -ip 4596
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4728 -ip 4728
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4016 -ip 4016
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1196 -ip 1196
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3996 -ip 3996
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2168 -ip 2168
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1884 -ip 1884
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4712 -ip 4712
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4788 -ip 4788
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 412 -ip 412
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2908 -ip 2908
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 748 -ip 748
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4364 -ip 4364
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4408 -ip 4408
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2816 -ip 2816
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4440 -ip 4440
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 412 -ip 412
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4320 -ip 4320
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1752 -ip 1752
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 748 -ip 748
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2300 -ip 2300
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 908 -ip 908
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1044 -ip 1044
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4296 -ip 4296
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1668 -ip 1668
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2792 -ip 2792
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2684 -ip 2684
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 8 -ip 8
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2468 -ip 2468
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4740 -ip 4740
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4280 -ip 4280
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4288 -ip 4288
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3224 -ip 3224
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1396 -ip 1396
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1844 -ip 1844
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1256 -ip 1256
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2888 -ip 2888
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2020 -ip 2020
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2920 -ip 2920
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2164 -ip 2164
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1196 -ip 1196
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4524 -ip 4524
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1396 -ip 1396
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2724 -ip 2724
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4544 -ip 4544
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4136 -ip 4136
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4588 -ip 4588
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2816 -ip 2816
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2716 -ip 2716
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5064 -ip 5064
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2788 -ip 2788
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1036 -ip 1036
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1400 -ip 1400
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1728 -ip 1728
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4728 -ip 4728
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2880 -ip 2880
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1864 -ip 1864
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 880 -ip 880
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1912 -ip 1912
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5100 -ip 5100
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4880 -ip 4880
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4092 -ip 4092
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4596 -ip 4596
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5040 -ip 5040
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1112 -ip 1112
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4460 -ip 4460
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1368 -ip 1368
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 996 -ip 996
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4580 -ip 4580
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2444 -ip 2444
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3888 -ip 3888
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4868 -ip 4868
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4356 -ip 4356
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1396 -ip 1396
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1384 -ip 1384
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1212 -ip 1212
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2428 -ip 2428
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4748 -ip 4748
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3512 -ip 3512
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3880 -ip 3880
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 960 -ip 960
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1456 -ip 1456
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4356 -ip 4356
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2448 -ip 2448
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4080 -ip 4080
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2968 -ip 2968
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3520 -ip 3520
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2804 -ip 2804
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1428 -ip 1428
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2580 -ip 2580
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3920 -ip 3920
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3740 -ip 3740
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1192 -ip 1192
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1016 -ip 1016
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1676 -ip 1676
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4288 -ip 4288
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1856 -ip 1856
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1256 -ip 1256
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3084 -ip 3084
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4308 -ip 4308
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 660 -ip 660
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3216 -ip 3216
1⤵
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DGQCST.exe
Filesize
384KB

MD5
7026f644ec26115b57d555134c8c812c

SHA1
916334c3446e9aca610c33d1fec626357a91956e

SHA256
08e91290401bbd82b9975bbe96808ce57927c4f1f70d7a2a1c7d4dde63cb0009

SHA512
7f0e9a51a3f537126eccb9e6b51727946f9a52f40cb6de0713237f41d88ca241032dbe0e2537df21fca619ff4d015202cf9a4841b8cf8753ebca53f8bfc433b4

Download Submit
C:\Windows\FGG.exe
Filesize
384KB

MD5
5ab45102599c47de33dea18288d9d22f

SHA1
6efac7112bb33e578879002eae0e0b4f90c9341d

SHA256
26b64e3d8b2660af6f9997a36af7b813a3053b0acb160af80586a534f0a30018

SHA512
4a09ed4ed85e54f3bc2a1ab52920f71b5ab84c52fcf651f4c2d1ac35c96e7f4489b2752e8a78c18b70c16543516b0134c1429a93e651bb2216c25da3b41b722f

Download Submit
C:\Windows\HJGHS.exe
Filesize
384KB

MD5
50c15cef34313e10fef96d308c8c4d70

SHA1
6dd6a9320b82ff96d3bce9b4b9bb031c3388ff10

SHA256
a155b19dc77d58fdf57f898a6b96923e1d649094dbc36767ffe94b297bfd1a3f

SHA512
1e6a120b945c4c133e471cf4913fd35e6f7a8e7cff7378c3f2b1341308fc8a18b48cb03f34b2d2b602d7ac3f14c8cee71893ebd8907ac598cc06d59d4e1f9984

Download Submit
C:\Windows\QWWPC.exe
Filesize
384KB

MD5
b850bab79d319f7443ba9cbc66b07a41

SHA1
9d7c6fb09870fd35597163da782924a430d73b85

SHA256
938ac9b398b9d4be74b05d59840bb0f01af4d656561faa20b8956dd6bc8bea6e

SHA512
ec859c4aa68f5c822208158f7fb6ea7d325abbae8718186f4a97633b0ce4a357d530ffcc8b43030ced415c639b7f050cd36bac8434de11bae83f12bc4068574b

Download Submit
C:\Windows\SysWOW64\ANYM.exe
Filesize
384KB

MD5
6e638f27bc9ae0e34761a7c2c78058b1

SHA1
4c12cdeb848e8c0dafa47926d312f4825829e2c8

SHA256
b54c5d91254d619cca6d400f6f1a7e6a1633cfcc51255c224a6443dd4792316a

SHA512
9bc9d0448e943649f83a0583c9f5c7ab23b8a5226db8d4600705d06ce556215bf61da7e5c8e3f062c472f284ab853459535f7ab5712e0a011e1beff48ae69969

Download Submit
C:\Windows\SysWOW64\CYYCXUA.exe
Filesize
384KB

MD5
011938241fa7058a3bc342ca1dc0ae46

SHA1
95c126e91478e19b2b48ad239427b22c15cd9cc2

SHA256
85181c0240c78ecfc2cc76d058b01f595be702aeaff754d65d7ce7f12776ba37

SHA512
ac97a6544d1e619797b1bfd4edd4f4030d12a75b0832bd1a1090cb00b55d605671f4a7634dbf3698569b5a7a57e0d1935a14dab54cb533065e13d3f361979229

Download Submit
C:\Windows\SysWOW64\HFH.exe
Filesize
384KB

MD5
f4f079cfd428dad18b4d495cd0549d4c

SHA1
23fc6da29690799899cb34cb26a0505083da9953

SHA256
bf8cf7c9773a5922b2ac0a57d561536a82de6d4a3588b2691ddcd20888bbee28

SHA512
ac4c8a776243367140402906be0738c8c5567a548b96fdf9e0fe39de57de05a2af4ab72812fe6b39dd87ada552ecb5873775ca796b8e8d8961df3e6aa1cc3063

Download Submit
C:\Windows\SysWOW64\LQEXQEN.exe
Filesize
384KB

MD5
2adc95ee89b442dfea13f69586a5763a

SHA1
7cdc74365c05f3171e2a5756cba559197042ba75

SHA256
b60e1e3cda34800942fc22ccbfd93d0c80cbd33059ca0c0fbd4246709b937863

SHA512
f155dfc2f806acbfadadeb27361be9c3a80819cb4a7ae8ce1ae94336b5e53c33adeb85f6c5e59e5c90c69d591f2050d26d6647322735ecab2817f2abb0ec3d5e

Download Submit
C:\Windows\SysWOW64\SMF.exe
Filesize
384KB

MD5
d74e0076835fa2316ba29a48d2c2cdbf

SHA1
e94e63474272968b9980949b0d37828e0f337b1c

SHA256
a0d079fd4fbe499b884efbb751cefa6f6215bc4f9644c1751f378b111c357cdd

SHA512
64648482e86b90a214e0a658d0fe24e84120ce606655433404ab0eae8a4583286ea7bcf3dd48c258884109ceb164104b3c890f6c38b95cb6746296eb6e34b739

Download Submit
C:\Windows\System\QDZDER.exe
Filesize
384KB

MD5
3f7af1689d05aab00791ae925fb51e5b

SHA1
1085b7ba782285c5a0c7e9379e4cf197d463eb1d

SHA256
4c1c111e1eac23fc330eb4086e0f88fe2188ea14ebc18eda68c09086c9bd71d3

SHA512
c04a0dc4d284df3f32dddfc482d8ae145cdad7070c8b1ae9aa79f62fab6795203e055a3667cbc926b84eed24c959ed2e1981eb10b13406b22bf176eb74394c23

Download Submit
C:\Windows\System\QHC.exe
Filesize
384KB

MD5
de6f2d9652d1b7c97b23be6dc2c2027c

SHA1
96e60cf4303aa7bf06a065614b2ae300ef27168d

SHA256
56568198b20f09250b85e819e6f498050368fd576f1860f59c33a1577a388780

SHA512
5dcf1f019ec3e03dc77a7ab3f1791f6bb69bd146ee43d1d7af1b086c017c10e6c3a461125ffbae80b064320e8289b8fa2736235c10801f0d9867bff0fb1d54b0

Download Submit
C:\Windows\YWSOFGZ.exe
Filesize
384KB

MD5
d040723770543b25b56224b0ea4fd04f

SHA1
9ea7375eb9bf4432bdaaf34818388c4a00b13da0

SHA256
7c7f777bcd8789d994b3fc6bea1f6e68644b5d4c562111dd122baafe1b8dfd7d

SHA512
83a935b02566e2e7bfac052e91ee1fbc011f0b964d900b985d1fff8f67194f96c6a41b3e7bf75c6feadcdd24e719eee8ebeb4a420c6045c84801ad422ccc572f

Download Submit
C:\windows\DGQCST.exe.bat
Filesize
58B

MD5
e85219bcb83bbab87ae808f5bf056b10

SHA1
fb8c377079eda65da4679efae0de059999532fd9

SHA256
8a5a42af6d6bd36ad6f4914f44a6cfe1ab72afaee36ebb7b17060a60046c94fc

SHA512
3b3f2e0e7e3838f3b03b993df60c3cfc97a3dfaf2f8ee741d63f62eb5927baf8cf3d272d4d3498d87a1ac45378a5eae2b63142dfc795b2f037ebfb3d19c4cc62

Download Submit
C:\windows\EWSURMD.exe
Filesize
384KB

MD5
367167f38b681c930ac8b7608c9bd901

SHA1
3ec4a7088c9d82c9fc0a27378a48dd92c8dffdaf

SHA256
533ba3995675e140e7d58cfa99a7890b60bc3a773538084837fb8deab632868c

SHA512
b3a57d833bf151f6dec2ae7caa672515ea9d01fec091f309fec294a22f9d63cf1f37370fdddcb27b762da38e9c9e215ac0211e19b2e99f49784192e7738cc76f

Download Submit
C:\windows\EWSURMD.exe.bat
Filesize
60B

MD5
969fa1ab47d03a3096d7942178b1e808

SHA1
98cf227946ed10f9754e4447ccbe6ef1638f3cef

SHA256
e4a89c3ea312c788b59ad0a41e5b81b9fe0a446242d15776972beacc9b0b5892

SHA512
5480bf943c7e4202f85f7b3d322020cbf0aa0dfa837fbe7d50417f23835c9da3351124da6900a363c2f8e1e087ab7b5d632b77ee4a83efd148f2a4b05b05141a

Download Submit
C:\windows\FGG.exe.bat
Filesize
52B

MD5
697882aa1b96887adeebefa706ae2e1f

SHA1
ee4a3ee21f35e65464a42cd7d81b34af644469fa

SHA256
f3e070ac9d974715f13e9b60a33b490ff7e8085a322c11250aca5f23c162fce6

SHA512
83a38179b0d2e60dc7d3b4f96dab788a2847c698ed431069f4064e634b8ac1ee4b5e840838e064a690e085d6637fafed31577fc551412bba2e9cdb0556c56966

Download Submit
C:\windows\HJGHS.exe.bat
Filesize
56B

MD5
3427be941757f534bc2476646e9e3ca8

SHA1
4b012959d5ec1a24797d04f1f5b22c3e5213003d

SHA256
2decf56bfadc7953f25097419d38b5027e49377f26e515609b8152305336cddb

SHA512
c9644091571fe2c2c86008e1c5a3e2443d7d7b2240ea4f00e9348f5caa0e0df1ca68de7b43c689693eafc321210f574892764c84386201c98f4c70bc17fc9d53

Download Submit
C:\windows\OPJBADQ.exe.bat
Filesize
60B

MD5
dad601724ec455ed5505ce0eae341d12

SHA1
9241eb916dd1686ad8ba74583fc5614704a08f9f

SHA256
00bd9968edf591023b405a335c42ad710c6adeeb3d33a82065c81210912329c1

SHA512
12b82fdd58e68ac0bbbefd0080a8921f93fc09ea0ea5f0352902d6412127b2a18ade4ab23ccc9858af37ffb52d1f331d3dae84b4d70791b8a72e97a67dd9e288

Download Submit
C:\windows\QWWPC.exe.bat
Filesize
56B

MD5
71d3f91941ee8d23cbbfdef303c6f74a

SHA1
9ec6c6ac11aab540152f0f8d4d5907a5de1c2d07

SHA256
98597f4b028240f591a93c86cb019d11c87aa6b66a74938cf2169bb924bedb10

SHA512
640e481a8c2e3a9de4c15c8a3cc0ffa9671fd1b5af923787b92d942f57d8250dbd626c184d7fa0a496ccd708f89f337babd757c44f5d57f84f23134eae7e7e1e

Download Submit
C:\windows\SysWOW64\ANYM.exe.bat
Filesize
72B

MD5
a5967031359f36d9e94fcc21efa228f4

SHA1
0b56e8bab0bf594c3015a6bcc66b7c3b86a2b89e

SHA256
20c4c83774a01e76d4db0d64173039470cd290115d7fccfdde4015afabef4a75

SHA512
0bfe382181f14e3c022ed8ded25dd5ade18d798fdca3150307a74fdde9ee5d610978897a19dfc545321f369ab39d57ab6b5867d2c63a933f370a86e4bbf860ed

Download Submit
C:\windows\SysWOW64\CYYCXUA.exe.bat
Filesize
78B

MD5
21db5834dbd93dca5e484b1a050a6485

SHA1
64d4de4f5d5492655fa32ba4a52867f052de406e

SHA256
83ea6eb169d2ea3873187737d4a8e167654f8b19129db2a19c3471e4df30f486

SHA512
d041e3c621b3d5e3ed4a6e1326be620d141002910e0c85dba08b27672859a01f8d06bf079fcb6cfb0451b19e1b117a738075148395808bc4457e14210136c083

Download Submit
C:\windows\SysWOW64\HFH.exe.bat
Filesize
70B

MD5
9acb98949d2a37ee72dc4294c44bfc97

SHA1
f4a6407846a7028a0eca9781d17eb17fa4dbff88

SHA256
58d83d4eb540fac520eec77d7723d7aacd22d8cfa71988232e34dd4960960f51

SHA512
619a174b2947256128eddfc38d5955e26c2385f93037b55b2478aa5bd1e17feda7fbf5eda0b6645b154706e3de704713156137ea52251ac8d9ea1339acc4fec3

Download Submit
C:\windows\SysWOW64\LQEXQEN.exe.bat
Filesize
78B

MD5
ae077b85756ce23d4cec6eb38e487161

SHA1
344e1d7f874f34dc45d5f72b0a264605ee51562e

SHA256
40cabfa2bc58bb3ede352aa63b00309d50f54b45c4e0cfce762f2a0e549405d5

SHA512
bda1f3edb0cb5f313acb08d342f52981fd9f65ace75b483f45939a17926d0fd61e985fbae759ab359d3c6f2b20fcd1f3674b9021a1eee472d31cefe1b4fe14cc

Download Submit
C:\windows\SysWOW64\NAKLH.exe
Filesize
384KB

MD5
62332aa9b34356bea78d49e3e2c66de9

SHA1
d78645f56bb81c20a83ddbe01dd988cb34a9c871

SHA256
dc1d1d8c9330f92c8188268ecbfa2bf40be50f217b4a935d3b181ea4ea35c116

SHA512
6a62b1446785613a95d57fbf89b369f525f9db89156f3e86e60492c92b49cc0cbaf8e92e60eb88dcdde57533cb9be7248537db971791ba39ad19959a626ab9ee

Download Submit
C:\windows\SysWOW64\NAKLH.exe.bat
Filesize
74B

MD5
553e014ff3f555420932f72786d606c8

SHA1
e67fec116195b76e42e508eb0053c8884f9df6a0

SHA256
af3d49d1376197cd1e6bc2f302003f4b7fa7a029f6bd41849921f32261592a07

SHA512
82c9d1a5ce1264f7b975b0be2c241441223d73488c408c981dcc1519da9264103e197cbb1286b65ab934b3b31d17a978a9bb7489c98c8a490437c76b609fda91

Download Submit
C:\windows\SysWOW64\SMF.exe.bat
Filesize
70B

MD5
b8bc5647d1314517705cb588b0232654

SHA1
b23a530eb8985dbff9d6bbc0b8cf456ff8ecb946

SHA256
c5ca3ca0b54c2c5f44ac049fa9730d522b95f92e3998be5438a17679d15160ed

SHA512
37c6fb679d96738449d2a894abcbd8c9055070c1822082faa02abb0cf709bb060af4387fef46ad9c9fc8d0c162af88436a836b11f633c386188398d14d7baf02

Download Submit
C:\windows\UUJWOWX.exe
Filesize
384KB

MD5
e549b802433ec00d6a08ec26e0b66b86

SHA1
244969376ab79882c2a95916b8f5398cfb948e31

SHA256
1e667a1d20d06fe12592d1a87461ac51c501307a06bc733af3b8985107e3d9fb

SHA512
c7c7308868a4402f1cf1440a7a0054c0f8e707777f8313d0663fbf16c25c0655da94b9c7f8e32c999df191770a176f57cbf30e1c3e4674e2aa68758694cd66d6

Download Submit
C:\windows\UUJWOWX.exe.bat
Filesize
60B

MD5
eadc9a77001593bc090646457ba81f51

SHA1
7b2e191a58d5a240ff1f02f99cfcb89f33515147

SHA256
a1d8d33f99c7a20d5a1f21a239ae8631fb3d4200c644b3b77e13a6b472af33e8

SHA512
3e917278d0b58d05d25a837d3214b7538ddb4233a87aa81cb43082ecb731c610587f6479f107cdb575c3418078e9fed385be4932116ab1b1b144477a41e918b0

Download Submit
C:\windows\VJG.exe.bat
Filesize
52B

MD5
8ffbb155643ba6ac873a1c36a0536097

SHA1
95c1386d7d370daf4b865096654d5543fe0c08b5

SHA256
47ce2da93c7a990b8908d1e6218e07079dfcdabb832117ce7df76b61863cda48

SHA512
39ac634a937f51d5faacd24e68ed32a957c313692a65aacb65f8c2d239b4e00abd3609bd8fb8ef07b63b4a5c3b886cafb2bbbd6d395dde46897041989ed8c07e

Download Submit
C:\windows\VMEIHVH.exe
Filesize
384KB

MD5
95f0ee57761e315249b53f7407cb1889

SHA1
836cf58045fe9bf370e6c60a4ed5a9adfb319aef

SHA256
fb3655a509922fec795d19ef9fed557f07a81a1da01ef5d38029fe22aa4f2e68

SHA512
b13b893ffc3880d3e4f71a41e87e279253116b77c22fbe8a14e0d7d06cbacb79494a7d6a430c4bbcaec1e4fe039743f0e5fabd9d0e9069e5193c5a57aa73d794

Download Submit
C:\windows\VMEIHVH.exe.bat
Filesize
60B

MD5
dd123ef9218ba056594d57b5aea736b9

SHA1
83baa0f30d1f1e6d8800a4eb7d1628c35fed9ec0

SHA256
fae2ea52fecbc51fa0899a4a45daa662b159a9fd6065c21054373c88e4ae8b85

SHA512
c3005fa37f57435f920d2dea6a6832cea0ac4e1ff33afa5808fc3ee9f32ba638eb048eaa7c5e5ffbb27be077af40bd23af7a3e8eb94f31f91e64d267683524f1

Download Submit
C:\windows\VWCQRC.exe
Filesize
384KB

MD5
634f32a3e1d4669df96a5d9cf4911aaa

SHA1
eeb9519e503952c3a152c051e6a42b5612eff7b2

SHA256
773d50d7905c13514427c979ef696a448438f862372ef3b00325e94435ff2e02

SHA512
1d386a77dd8d00224dd02cf1d39cf764e11106493f38fe3544e85fadfb7bed89127aa473d0ac48b061beb0e01dbbaca98bba9481283721926ef11f1ac5d8ad9d

Download Submit
C:\windows\VWCQRC.exe.bat
Filesize
58B

MD5
b7736f3c90a71fad2dc123482642235b

SHA1
eb4b8cb2aef2b7785065006befaf1cd3d1514013

SHA256
96e1de381eba12f8d75fc87f71faba04c6b4eaf2ef3c0974e8c57bfd90740d3c

SHA512
665b453b0184dc507085f8279ddfcfb51338c375f1f158e27906e076c4fe2b42ba400e87c9181bf192c2bb274c599c5774eeb9ea433ae92dd6dd1a9af12ef114

Download Submit
C:\windows\YWSOFGZ.exe.bat
Filesize
60B

MD5
1ea05af1ede3d6184f51a66c1f1186a5

SHA1
2d36dac4c9ac4bd52dd3ab3a367bc025c9210fc9

SHA256
7efe226e60e80defea8839fce697c60597a3787e28fb720bc5e3d10e9749845e

SHA512
82201d3a9e3aa06d639876d26af83f86b8246f884825ff670397d92a240d6def364519288ded9db6b57dc4e96d8096acb62d5f3ee704db2a4b7d5ece80ec8078

Download Submit
C:\windows\system\HVMJS.exe
Filesize
384KB

MD5
a35c17f4506d03d116f9f63577069398

SHA1
ead64d26dbbe4cc2a5cbee02910e0de3a4729c1f

SHA256
875fdaa4519dccb00d5bff08eab2b6e2250df4fad51af7bbdce6edb35ebe2b7e

SHA512
6f6f6681a37745dcf726851b1f2b20ee5bf0bcdac2cdbaa3acaae6b5de8e7b311f8e041fa625f6ce60c5d083d08899f66f974e10c6642bddb02545c22a073404

Download Submit
C:\windows\system\HVMJS.exe.bat
Filesize
70B

MD5
22e887b230862099ca1e66d0b772c716

SHA1
96007cfa49567c34255d06c448cd2cc3e1ba19d9

SHA256
6bcc5137c3f1785dd3a02d7ca2135fbc253fe9bf3aa2833b46243d908b65e83c

SHA512
b7596b892e084b4c2b8282d81e04319138613a714f21d6d78da5e4ca5816270cc7ef5c22eb64d53a1c8f2c622e2fc1dbd81ec0469fc12ef29481e1d400b2b8b5

Download Submit
C:\windows\system\JBTVY.exe
Filesize
384KB

MD5
e3fe5761eb87b2b9158b0eda1f1ac7fc

SHA1
b63481c83a29a674a7374d093da08f4fec52b181

SHA256
a6482aa023b207915e1d3203f69a5e3e52b529289ba4e7d25e0c554392662d8d

SHA512
222f616f29232bc12ec6d407360067a84e387f539437c756e4f088fa0eb8fc1238040e6440eb4d825bddbc0a952a6b0f3d210efb4e8909730d45e8328af5f734

Download Submit
C:\windows\system\JBTVY.exe.bat
Filesize
70B

MD5
9d1f103573762ed3bcd07f1b6652c4e8

SHA1
14d036b7fc1b80d09276438123ab4f8315d3dc99

SHA256
41597d272bea1cf670685d2379ec18a4c8e3b1a80179815a2756782324810f55

SHA512
e32a125e9ef93587b06c6d16b213114146ab891c01a2bbe2d427ddd1cddea82b92faa520bd52cc0ae8a695e816f674bb4dbfa48aa18b811db3fd94e72dc07e7b

Download Submit
C:\windows\system\QDZDER.exe.bat
Filesize
72B

MD5
8d359b62667fa7b4721307c419efda93

SHA1
087a0da614a9152a7de066442f180fa8e37b2464

SHA256
cb73678f839efe8052f27a95c4d640959ecec78a74b0c55463fb5e2c8d895407

SHA512
080f3eab3311bfb0e2a5ed1774b33341a93f2f0ee2dc4401a844768db74b35517d49371c97d94b6cffec30a2ecd14410e038dd9e27bfc50952009be72f94e7cc

Download Submit
C:\windows\system\QHC.exe.bat
Filesize
66B

MD5
2eff59851e2f9a332d851f274a217c08

SHA1
8507ecdefa94dc52698e5b5615e027d70405b46e

SHA256
9ac8752a6ce24c6bd356515abc70195baf34460872cfa9026f96dd911bca97ea

SHA512
a3e8e4d9b2e1de032c6cbafd45713cc7aaa2152cf69922457df92ca378547d54507626f46de75fb59c1526befffc5638c3a0418dadc24fba3f8d4800dd9d7ff6

Download Submit
C:\windows\system\RCZNG.exe.bat
Filesize
70B

MD5
a1d59a366632ff8326732e571e4ba9bc

SHA1
ccc475f240fa59238460affd4a457213ba027236

SHA256
b031070f8bbd2af4b36777ab29661b3c022782c87eff4393eb4832d063afe8a4

SHA512
937a5cb037a1a60b11dde20502e831666b3c945ddd298355fa0d25b9de41f6774173b7d738546eb1156b573fc4f15d24062f4a795ee85945e725a524921af00d

Download Submit
memory/212-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/212-91-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/452-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1184-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1212-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1212-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1228-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1456-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1456-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2124-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2124-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2168-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2440-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2440-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-78-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-34-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2980-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3272-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3272-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3620-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3620-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3692-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3692-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4032-238-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4032-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4036-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4036-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4264-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4264-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4436-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4436-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4880-190-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4880-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download