Malware Analysis Report

2025-03-15 09:59

Sample ID 240520-k48eaadd6y
Target 091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe
SHA256 dabafc685f8c2e86167423e7d6d32f1309f51561b713f76cb0eba3b769aab2c3
Tags backdoor trojan dropper berbew
Score 10/10

Analysis Overview

score
10/10

SHA256

dabafc685f8c2e86167423e7d6d32f1309f51561b713f76cb0eba3b769aab2c3

Threat Level: Known bad

The file 091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-05-20 09:10

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 09:10

Reported

2024-05-20 09:13

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\system\ULENJQF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\system\ULENJQF.exe C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A
File created C:\windows\system\ULENJQF.exe.bat C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A
File created C:\windows\system\ULENJQF.exe C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A
N/A N/A C:\windows\system\ULENJQF.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\ULENJQF.exe.bat" "

C:\windows\system\ULENJQF.exe

C:\windows\system\ULENJQF.exe

Network

N/A

Files

memory/856-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\system\ULENJQF.exe.bat

MD5 bd8e585df4299c2a4c2e220180c6487a
SHA1 6137e8f4ad59f9282e42f80c64b48581f4650c9f
SHA256 03f8ffb3d0d8d67200e33b3402b80efeb234badc93466dd6a4f6f58d2f1d474b
SHA512 caa5a0d3a1a121ddd037f40141a7fbef62f7820ee011db83df4735825cb0a77d840858c32e8598b88fd6512b6920886c0fc16e404501499fbfc9fb2a431b566b

memory/856-12-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\system\ULENJQF.exe

MD5 bb155dbf7af096cdc9397ce5d4aef4cf
SHA1 34d077422d1ae5f31d26c6e010ca1b1fc7239c19
SHA256 16dd109dfea91e33393ef1389227b8281a67e96065c781eb41dea692288196a5
SHA512 fe54b7bf29b9a91345a748df588ba74e93e7a68f7baebeed1405f2ef27bb5da5192b0348a1b9d35a239f4aca382dfb7c976b92b40533a42b46c6ab36ccab2724

memory/2980-18-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2980-19-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 09:10

Reported

2024-05-20 09:13

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\VDZRQ.exe N/A
N/A N/A C:\windows\system\FBEMY.exe N/A
N/A N/A C:\windows\SysWOW64\ZZULR.exe N/A
N/A N/A C:\windows\system\MEG.exe N/A
N/A N/A C:\windows\system\PNHE.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\system\ELJB.exe N/A
N/A N/A C:\windows\system\OEB.exe N/A
N/A N/A C:\windows\FEHX.exe N/A
N/A N/A C:\windows\system\NSU.exe N/A
N/A N/A C:\windows\system\SSIHAP.exe N/A
N/A N/A C:\windows\SysWOW64\DKXRJQ.exe N/A
N/A N/A C:\windows\system\XYWPO.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\IUEL.exe N/A
N/A N/A C:\windows\system\CXBQZ.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\system\LAOGMD.exe N/A
N/A N/A C:\windows\system\YGA.exe N/A
N/A N/A C:\windows\system\URQILL.exe N/A
N/A N/A C:\windows\FUIK.exe N/A
N/A N/A C:\windows\EEQEMX.exe N/A
N/A N/A C:\windows\SysWOW64\PXA.exe N/A
N/A N/A C:\windows\system\VXHZZ.exe N/A
N/A N/A C:\windows\system\BTTSN.exe N/A
N/A N/A C:\windows\SysWOW64\FJASZBT.exe N/A
N/A N/A C:\windows\system\CZNKH.exe N/A
N/A N/A C:\windows\SysWOW64\XXAOSNL.exe N/A
N/A N/A C:\windows\HFC.exe N/A
N/A N/A C:\windows\system\EFLD.exe N/A
N/A N/A C:\windows\SysWOW64\EAPZNE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\VDZRQ.exe N/A
N/A N/A C:\windows\system\FBEMY.exe N/A
N/A N/A C:\windows\SysWOW64\ZZULR.exe N/A
N/A N/A C:\windows\system\MEG.exe N/A
N/A N/A C:\windows\system\PNHE.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\system\ELJB.exe N/A
N/A N/A C:\windows\system\OEB.exe N/A
N/A N/A C:\windows\FEHX.exe N/A
N/A N/A C:\windows\system\NSU.exe N/A
N/A N/A C:\windows\system\SSIHAP.exe N/A
N/A N/A C:\windows\SysWOW64\DKXRJQ.exe N/A
N/A N/A C:\windows\system\XYWPO.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\IUEL.exe N/A
N/A N/A C:\windows\system\CXBQZ.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\system\LAOGMD.exe N/A
N/A N/A C:\windows\system\YGA.exe N/A
N/A N/A C:\windows\system\URQILL.exe N/A
N/A N/A C:\windows\FUIK.exe N/A
N/A N/A C:\windows\EEQEMX.exe N/A
N/A N/A C:\windows\SysWOW64\PXA.exe N/A
N/A N/A C:\windows\system\VXHZZ.exe N/A
N/A N/A C:\windows\system\BTTSN.exe N/A
N/A N/A C:\windows\SysWOW64\FJASZBT.exe N/A
N/A N/A C:\windows\system\CZNKH.exe N/A
N/A N/A C:\windows\SysWOW64\XXAOSNL.exe N/A
N/A N/A C:\windows\HFC.exe N/A
N/A N/A C:\windows\system\EFLD.exe N/A
N/A N/A C:\windows\SysWOW64\EAPZNE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VDZRQ.exe
PID 1524 wrote to memory of 5040 N/A C:\windows\SysWOW64\VDZRQ.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FBEMY.exe
PID 1356 wrote to memory of 2600 N/A C:\windows\system\FBEMY.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ZZULR.exe
PID 3408 wrote to memory of 2108 N/A C:\windows\SysWOW64\ZZULR.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\MEG.exe
PID 4636 wrote to memory of 2068 N/A C:\windows\system\MEG.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\PNHE.exe
PID 4520 wrote to memory of 1920 N/A C:\windows\system\PNHE.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\WXEMS.exe
PID 1680 wrote to memory of 4864 N/A C:\windows\system\WXEMS.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\ELJB.exe
PID 588 wrote to memory of 4120 N/A C:\windows\system\ELJB.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\OEB.exe
PID 2448 wrote to memory of 3480 N/A C:\windows\system\OEB.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\FEHX.exe
PID 5016 wrote to memory of 4460 N/A C:\windows\FEHX.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\NSU.exe
PID 2864 wrote to memory of 4260 N/A C:\windows\system\NSU.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\SSIHAP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDZRQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2972 -ip 2972

C:\windows\SysWOW64\VDZRQ.exe

C:\windows\system32\VDZRQ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 948

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBEMY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1008

C:\windows\system\FBEMY.exe

C:\windows\system\FBEMY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZULR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 988

C:\windows\SysWOW64\ZZULR.exe

C:\windows\system32\ZZULR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3408 -ip 3408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1336

C:\windows\system\MEG.exe

C:\windows\system\MEG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNHE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4636 -ip 4636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1304

C:\windows\system\PNHE.exe

C:\windows\system\PNHE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXEMS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 968

C:\windows\system\WXEMS.exe

C:\windows\system\WXEMS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1268

C:\windows\system\ELJB.exe

C:\windows\system\ELJB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 588 -ip 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 964

C:\windows\system\OEB.exe

C:\windows\system\OEB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FEHX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 964

C:\windows\FEHX.exe

C:\windows\FEHX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1228

C:\windows\system\NSU.exe

C:\windows\system\NSU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SSIHAP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1268

C:\windows\system\SSIHAP.exe

C:\windows\system\SSIHAP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKXRJQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1308

C:\windows\SysWOW64\DKXRJQ.exe

C:\windows\system32\DKXRJQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XYWPO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 960

C:\windows\system\XYWPO.exe

C:\windows\system\XYWPO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RMQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 960

C:\windows\RMQO.exe

C:\windows\RMQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IUEL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 988

C:\windows\IUEL.exe

C:\windows\IUEL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CXBQZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 996

C:\windows\system\CXBQZ.exe

C:\windows\system\CXBQZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2432 -ip 2432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 876

C:\windows\JNCQGQT.exe

C:\windows\JNCQGQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LAOGMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1300

C:\windows\system\LAOGMD.exe

C:\windows\system\LAOGMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YGA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2132 -ip 2132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1248

C:\windows\system\YGA.exe

C:\windows\system\YGA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\URQILL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1336

C:\windows\system\URQILL.exe

C:\windows\system\URQILL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FUIK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1296

C:\windows\FUIK.exe

C:\windows\FUIK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EEQEMX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2108 -ip 2108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1324

C:\windows\EEQEMX.exe

C:\windows\EEQEMX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 872 -ip 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 876

C:\windows\SysWOW64\PXA.exe

C:\windows\system32\PXA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VXHZZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1976 -ip 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 960

C:\windows\system\VXHZZ.exe

C:\windows\system\VXHZZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTTSN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 588 -ip 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 964

C:\windows\system\BTTSN.exe

C:\windows\system\BTTSN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJASZBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4768 -ip 4768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1328

C:\windows\SysWOW64\FJASZBT.exe

C:\windows\system32\FJASZBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CZNKH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1336 -ip 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1304

C:\windows\system\CZNKH.exe

C:\windows\system\CZNKH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XXAOSNL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1328

C:\windows\SysWOW64\XXAOSNL.exe

C:\windows\system32\XXAOSNL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HFC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3748 -ip 3748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1216

C:\windows\HFC.exe

C:\windows\HFC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EFLD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1328

C:\windows\system\EFLD.exe

C:\windows\system\EFLD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAPZNE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1328

C:\windows\SysWOW64\EAPZNE.exe

C:\windows\system32\EAPZNE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBXKEF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1296

C:\windows\SysWOW64\XBXKEF.exe

C:\windows\system32\XBXKEF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JTMV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1324

C:\windows\JTMV.exe

C:\windows\JTMV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CHTBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2440 -ip 2440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1288

C:\windows\CHTBT.exe

C:\windows\CHTBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FUCCET.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1304

C:\windows\FUCCET.exe

C:\windows\FUCCET.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1248 -ip 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1264

C:\windows\system\JXN.exe

C:\windows\system\JXN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXUDW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1308

C:\windows\SysWOW64\PXUDW.exe

C:\windows\system32\PXUDW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XLHK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 960

C:\windows\system\XLHK.exe

C:\windows\system\XLHK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 960

C:\windows\QZG.exe

C:\windows\QZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UHVQY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1328

C:\windows\SysWOW64\UHVQY.exe

C:\windows\system32\UHVQY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ACYJEHZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3248 -ip 3248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 960

C:\windows\SysWOW64\ACYJEHZ.exe

C:\windows\system32\ACYJEHZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WNPHS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1324

C:\windows\WNPHS.exe

C:\windows\WNPHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKUCI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 752 -ip 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 960

C:\windows\SysWOW64\YKUCI.exe

C:\windows\system32\YKUCI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VAITP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1248 -ip 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1300

C:\windows\SysWOW64\VAITP.exe

C:\windows\system32\VAITP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GTLMYO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1336

C:\windows\system\GTLMYO.exe

C:\windows\system\GTLMYO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YWVPHA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 684 -ip 684

C:\windows\YWVPHA.exe

C:\windows\YWVPHA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1292

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZMN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1328

C:\windows\SysWOW64\TZMN.exe

C:\windows\system32\TZMN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FMLL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3692 -ip 3692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960

C:\windows\system\FMLL.exe

C:\windows\system\FMLL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1248

C:\windows\system\WVZR.exe

C:\windows\system\WVZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNOC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1328

C:\windows\SysWOW64\PNOC.exe

C:\windows\system32\PNOC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RLUWEEO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 312 -ip 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 960

C:\windows\system\RLUWEEO.exe

C:\windows\system\RLUWEEO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRUIO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1268

C:\windows\system\NRUIO.exe

C:\windows\system\NRUIO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CML.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1328

C:\windows\SysWOW64\CML.exe

C:\windows\system32\CML.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XUMJG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4452 -ip 4452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 872

C:\windows\system\XUMJG.exe

C:\windows\system\XUMJG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TVWL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1316

C:\windows\TVWL.exe

C:\windows\TVWL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDDLWT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1252

C:\windows\SysWOW64\FDDLWT.exe


C:\windows\system32\KTPZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OJVZIH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1316

C:\windows\system\OJVZIH.exe

C:\windows\system\OJVZIH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OFOJRL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 988

C:\windows\SysWOW64\OFOJRL.exe

C:\windows\system32\OFOJRL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QHYQKZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2508 -ip 2508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1328

C:\windows\SysWOW64\QHYQKZ.exe

C:\windows\system32\QHYQKZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CNERQGY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4460 -ip 4460

C:\windows\system\CNERQGY.exe

C:\windows\system\CNERQGY.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1336

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JIJDSH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1300

C:\windows\SysWOW64\JIJDSH.exe

C:\windows\system32\JIJDSH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VQCVNLU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 988

C:\windows\VQCVNLU.exe

C:\windows\VQCVNLU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJFLWR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 960

C:\windows\system\UJFLWR.exe

C:\windows\system\UJFLWR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCPVA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4312 -ip 4312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 964

C:\windows\system\QCPVA.exe

C:\windows\system\QCPVA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
