Analysis Overview
SHA256
dabafc685f8c2e86167423e7d6d32f1309f51561b713f76cb0eba3b769aab2c3
Threat Level: Known bad
The file 091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 09:10
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 09:10
Reported
2024-05-20 09:13
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\system\ULENJQF.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\system\ULENJQF.exe | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
| File created | C:\windows\system\ULENJQF.exe.bat | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
| File created | C:\windows\system\ULENJQF.exe | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\system\ULENJQF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\system\ULENJQF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\ULENJQF.exe.bat" "
C:\windows\system\ULENJQF.exe
C:\windows\system\ULENJQF.exe
Network
Files
memory/856-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\ULENJQF.exe.bat
| MD5 | bd8e585df4299c2a4c2e220180c6487a |
| SHA1 | 6137e8f4ad59f9282e42f80c64b48581f4650c9f |
| SHA256 | 03f8ffb3d0d8d67200e33b3402b80efeb234badc93466dd6a4f6f58d2f1d474b |
| SHA512 | caa5a0d3a1a121ddd037f40141a7fbef62f7820ee011db83df4735825cb0a77d840858c32e8598b88fd6512b6920886c0fc16e404501499fbfc9fb2a431b566b |
memory/856-12-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\ULENJQF.exe
| MD5 | bb155dbf7af096cdc9397ce5d4aef4cf |
| SHA1 | 34d077422d1ae5f31d26c6e010ca1b1fc7239c19 |
| SHA256 | 16dd109dfea91e33393ef1389227b8281a67e96065c781eb41dea692288196a5 |
| SHA512 | fe54b7bf29b9a91345a748df588ba74e93e7a68f7baebeed1405f2ef27bb5da5192b0348a1b9d35a239f4aca382dfb7c976b92b40533a42b46c6ab36ccab2724 |
memory/2980-18-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2980-19-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 09:10
Reported
2024-05-20 09:13
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\PNHE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\LAOGMD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PXA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\JTMV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\NQPRGS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\VLKCLR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QMCTMXU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\FJPEPQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\OFMKV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\CHTBT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\GTLMYO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PSP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\EVMILO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\FWEAFH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\HFC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\ZUY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\QJWF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\QZG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UPXEWNR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\GDIIAX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XRRTUJP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\THMZTK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QHYQKZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\SSIHAP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\CZNKH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JNQUX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\QAREA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\XCVN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\JLB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\GNAIH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DKXRJQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\CQZO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZOMVAO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\VHUFI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\RJMNXBH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\FEHX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\LUEXBNZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\JIBMEOL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\CXBQZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\BTTSN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\EFLD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\TZMN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\NRUIO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\SLYNB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\VEZJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\BAKJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\NSU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\TVWL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\MVOHZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\FOKCAU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\NAYOV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\FBEMY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\RMQO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XBXKEF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\FMLL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\TXWBE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SQWZPJA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\TCNDN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PMJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\RWFAOMG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\system\XUMJG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\XGCSJYY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\DCUU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\OVGT.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\AACA.exe.bat | C:\windows\SysWOW64\SUQL.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PMJ.exe | C:\windows\JLB.exe | N/A |
| File created | C:\windows\SysWOW64\VDZRQ.exe.bat | C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe | N/A |
| File created | C:\windows\SysWOW64\EAPZNE.exe.bat | C:\windows\system\EFLD.exe | N/A |
| File created | C:\windows\SysWOW64\XBXKEF.exe.bat | C:\windows\SysWOW64\EAPZNE.exe | N/A |
| File created | C:\windows\SysWOW64\TZMN.exe.bat | C:\windows\YWVPHA.exe | N/A |
| File created | C:\windows\SysWOW64\ESFXXS.exe | C:\windows\SysWOW64\CKWAQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\QMCTMXU.exe | C:\windows\DCUU.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JFQLCWN.exe | C:\windows\system\ICAP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ZPQTIA.exe | C:\windows\RJMNXBH.exe | N/A |
| File created | C:\windows\SysWOW64\ZZULR.exe | C:\windows\system\FBEMY.exe | N/A |
| File created | C:\windows\SysWOW64\PXUDW.exe.bat | C:\windows\system\JXN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ACYJEHZ.exe | C:\windows\SysWOW64\UHVQY.exe | N/A |
| File created | C:\windows\SysWOW64\YKUCI.exe | C:\windows\WNPHS.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CML.exe | C:\windows\system\NRUIO.exe | N/A |
| File created | C:\windows\SysWOW64\UNPBINO.exe.bat | C:\windows\SysWOW64\ESFXXS.exe | N/A |
| File created | C:\windows\SysWOW64\QHYQKZ.exe | C:\windows\SysWOW64\OFOJRL.exe | N/A |
| File created | C:\windows\SysWOW64\PXA.exe | C:\windows\EEQEMX.exe | N/A |
| File created | C:\windows\SysWOW64\FDDLWT.exe.bat | C:\windows\TVWL.exe | N/A |
| File created | C:\windows\SysWOW64\KSXDBF.exe | C:\windows\SysWOW64\LZUNSZV.exe | N/A |
| File created | C:\windows\SysWOW64\MVOHZ.exe.bat | C:\windows\system\NKLRQJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FQOU.exe | C:\windows\SysWOW64\QANDKQM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\AACA.exe | C:\windows\SysWOW64\SUQL.exe | N/A |
| File created | C:\windows\SysWOW64\PSP.exe.bat | C:\windows\SysWOW64\JFQLCWN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\GDEL.exe | C:\windows\SysWOW64\MQZBREN.exe | N/A |
| File created | C:\windows\SysWOW64\UFNB.exe.bat | C:\windows\SysWOW64\UKJYUZR.exe | N/A |
| File created | C:\windows\SysWOW64\TEDYTBL.exe | C:\windows\LYY.exe | N/A |
| File created | C:\windows\SysWOW64\ZOEDJCH.exe.bat | C:\windows\system\LTAKV.exe | N/A |
| File created | C:\windows\SysWOW64\THMZTK.exe | C:\windows\FWEAFH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PNOC.exe | C:\windows\system\WVZR.exe | N/A |
| File created | C:\windows\SysWOW64\FQOU.exe | C:\windows\SysWOW64\QANDKQM.exe | N/A |
| File created | C:\windows\SysWOW64\THMZTK.exe.bat | C:\windows\FWEAFH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ZZULR.exe | C:\windows\system\FBEMY.exe | N/A |
| File created | C:\windows\SysWOW64\ZZULR.exe.bat | C:\windows\system\FBEMY.exe | N/A |
| File created | C:\windows\SysWOW64\CKWAQ.exe | C:\windows\SysWOW64\DRUKHS.exe | N/A |
| File created | C:\windows\SysWOW64\ESFXXS.exe.bat | C:\windows\SysWOW64\CKWAQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SYB.exe | C:\windows\SysWOW64\MYTJGT.exe | N/A |
| File created | C:\windows\SysWOW64\UHVQY.exe | C:\windows\QZG.exe | N/A |
| File created | C:\windows\SysWOW64\YUKSJOM.exe | C:\windows\ECVHAVE.exe | N/A |
| File created | C:\windows\SysWOW64\JFQLCWN.exe.bat | C:\windows\system\ICAP.exe | N/A |
| File created | C:\windows\SysWOW64\DNNEK.exe | C:\windows\system\BPI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PXA.exe | C:\windows\EEQEMX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FJASZBT.exe | C:\windows\system\BTTSN.exe | N/A |
| File created | C:\windows\SysWOW64\PXUDW.exe | C:\windows\system\JXN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KSXDBF.exe | C:\windows\SysWOW64\LZUNSZV.exe | N/A |
| File created | C:\windows\SysWOW64\UKJYUZR.exe | C:\windows\system\GABH.exe | N/A |
| File created | C:\windows\SysWOW64\QANDKQM.exe.bat | C:\windows\SysWOW64\UPXEWNR.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JNQUX.exe | C:\windows\VLAWJNH.exe | N/A |
| File created | C:\windows\SysWOW64\LRFNUB.exe.bat | C:\windows\system\YGPOGY.exe | N/A |
| File created | C:\windows\SysWOW64\QMCTMXU.exe | C:\windows\DCUU.exe | N/A |
| File created | C:\windows\SysWOW64\KTPZ.exe | C:\windows\system\YQELVDT.exe | N/A |
| File created | C:\windows\SysWOW64\OFOJRL.exe | C:\windows\system\OJVZIH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OFOJRL.exe | C:\windows\system\OJVZIH.exe | N/A |
| File created | C:\windows\SysWOW64\EAPZNE.exe | C:\windows\system\EFLD.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PXUDW.exe | C:\windows\system\JXN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PWGXLV.exe | C:\windows\KTH.exe | N/A |
| File created | C:\windows\SysWOW64\SUQL.exe | C:\windows\system\TCNDN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OVGT.exe | C:\windows\SysWOW64\AACA.exe | N/A |
| File created | C:\windows\SysWOW64\MYTJGT.exe.bat | C:\windows\SysWOW64\GDIIAX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\UHVQY.exe | C:\windows\QZG.exe | N/A |
| File created | C:\windows\SysWOW64\ACYJEHZ.exe | C:\windows\SysWOW64\UHVQY.exe | N/A |
| File created | C:\windows\SysWOW64\CML.exe.bat | C:\windows\system\NRUIO.exe | N/A |
| File created | C:\windows\SysWOW64\VEZJ.exe.bat | C:\windows\system\FJPEPQ.exe | N/A |
| File created | C:\windows\SysWOW64\PXA.exe.bat | C:\windows\EEQEMX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\BAKJ.exe | C:\windows\SysWOW64\VEZJ.exe | N/A |
| File opened for modification | C:\windows\FWEAFH.exe | C:\windows\SysWOW64\XRRTUJP.exe | N/A |
| File created | C:\windows\system\ELJB.exe | C:\windows\system\WXEMS.exe | N/A |
| File created | C:\windows\system\ELJB.exe.bat | C:\windows\system\WXEMS.exe | N/A |
| File created | C:\windows\system\YGA.exe.bat | C:\windows\system\LAOGMD.exe | N/A |
| File opened for modification | C:\windows\JTMV.exe | C:\windows\SysWOW64\XBXKEF.exe | N/A |
| File opened for modification | C:\windows\system\PBIMQLN.exe | C:\windows\system\CQZO.exe | N/A |
| File created | C:\windows\FUCCET.exe | C:\windows\CHTBT.exe | N/A |
| File created | C:\windows\LAAFSVT.exe | C:\windows\TXWBE.exe | N/A |
| File created | C:\windows\system\OVX.exe | C:\windows\SysWOW64\UNPBINO.exe | N/A |
| File created | C:\windows\system\ZSPZWV.exe.bat | C:\windows\SysWOW64\QMCTMXU.exe | N/A |
| File created | C:\windows\system\UJFLWR.exe | C:\windows\VQCVNLU.exe | N/A |
| File created | C:\windows\EEQEMX.exe.bat | C:\windows\FUIK.exe | N/A |
| File created | C:\windows\SQWZPJA.exe | C:\windows\QAREA.exe | N/A |
| File opened for modification | C:\windows\EFU.exe | C:\windows\DCQSIJT.exe | N/A |
| File created | C:\windows\RJMNXBH.exe.bat | C:\windows\SysWOW64\SYB.exe | N/A |
| File created | C:\windows\system\EFLD.exe.bat | C:\windows\HFC.exe | N/A |
| File created | C:\windows\JTMV.exe | C:\windows\SysWOW64\XBXKEF.exe | N/A |
| File opened for modification | C:\windows\NQPRGS.exe | C:\windows\SysWOW64\FDDLWT.exe | N/A |
| File created | C:\windows\system\FBEMY.exe | C:\windows\SysWOW64\VDZRQ.exe | N/A |
| File created | C:\windows\system\MEG.exe.bat | C:\windows\SysWOW64\ZZULR.exe | N/A |
| File created | C:\windows\system\NSU.exe | C:\windows\FEHX.exe | N/A |
| File opened for modification | C:\windows\system\CXBQZ.exe | C:\windows\IUEL.exe | N/A |
| File opened for modification | C:\windows\system\CZNKH.exe | C:\windows\SysWOW64\FJASZBT.exe | N/A |
| File created | C:\windows\DCQSIJT.exe | C:\windows\SysWOW64\TEDYTBL.exe | N/A |
| File created | C:\windows\RJMNXBH.exe | C:\windows\SysWOW64\SYB.exe | N/A |
| File created | C:\windows\JNCQGQT.exe.bat | C:\windows\system\CXBQZ.exe | N/A |
| File opened for modification | C:\windows\system\BPI.exe | C:\windows\MZHK.exe | N/A |
| File created | C:\windows\HFC.exe | C:\windows\SysWOW64\XXAOSNL.exe | N/A |
| File created | C:\windows\GNAIH.exe.bat | C:\windows\OFMKV.exe | N/A |
| File created | C:\windows\system\WVZR.exe | C:\windows\system\FMLL.exe | N/A |
| File opened for modification | C:\windows\LAAFSVT.exe | C:\windows\TXWBE.exe | N/A |
| File created | C:\windows\system\PBIMQLN.exe.bat | C:\windows\system\CQZO.exe | N/A |
| File opened for modification | C:\windows\WGDZT.exe | C:\windows\SQWZPJA.exe | N/A |
| File created | C:\windows\RMQO.exe.bat | C:\windows\system\XYWPO.exe | N/A |
| File opened for modification | C:\windows\system\CQZO.exe | C:\windows\system\NAYOV.exe | N/A |
| File created | C:\windows\VHUFI.exe | C:\windows\SysWOW64\PMJ.exe | N/A |
| File opened for modification | C:\windows\system\TPKJIDF.exe | C:\windows\UFH.exe | N/A |
| File opened for modification | C:\windows\system\GABH.exe | C:\windows\system\XCVN.exe | N/A |
| File created | C:\windows\system\BPI.exe.bat | C:\windows\MZHK.exe | N/A |
| File opened for modification | C:\windows\system\BDO.exe | C:\windows\BAKJ.exe | N/A |
| File created | C:\windows\QXASNF.exe.bat | C:\windows\system\ZOMVAO.exe | N/A |
| File opened for modification | C:\windows\system\OJVZIH.exe | C:\windows\SysWOW64\KTPZ.exe | N/A |
| File created | C:\windows\system\SSIHAP.exe.bat | C:\windows\system\NSU.exe | N/A |
| File created | C:\windows\EEQEMX.exe | C:\windows\FUIK.exe | N/A |
| File created | C:\windows\VLAWJNH.exe.bat | C:\windows\SysWOW64\KSXDBF.exe | N/A |
| File created | C:\windows\system\ZGHI.exe.bat | C:\windows\VYBIGCX.exe | N/A |
| File created | C:\windows\system\DQJB.exe.bat | C:\windows\VLKCLR.exe | N/A |
| File opened for modification | C:\windows\system\WVZR.exe | C:\windows\system\FMLL.exe | N/A |
| File created | C:\windows\LUEXBNZ.exe.bat | C:\windows\system\TZBB.exe | N/A |
| File opened for modification | C:\windows\MZHK.exe | C:\windows\SysWOW64\ZPQTIA.exe | N/A |
| File created | C:\windows\LUEXBNZ.exe | C:\windows\system\TZBB.exe | N/A |
| File opened for modification | C:\windows\LUEXBNZ.exe | C:\windows\system\TZBB.exe | N/A |
| File opened for modification | C:\windows\system\AHJ.exe | C:\windows\QJWF.exe | N/A |
| File opened for modification | C:\windows\RWFAOMG.exe | C:\windows\JIBMEOL.exe | N/A |
| File opened for modification | C:\windows\system\UJFLWR.exe | C:\windows\VQCVNLU.exe | N/A |
| File created | C:\windows\ZTL.exe | C:\windows\XGCSJYY.exe | N/A |
| File created | C:\windows\system\FOKCAU.exe | C:\windows\ZTL.exe | N/A |
| File created | C:\windows\system\NAYOV.exe | C:\windows\EVMILO.exe | N/A |
| File opened for modification | C:\windows\system\ELJB.exe | C:\windows\system\WXEMS.exe | N/A |
| File created | C:\windows\system\GTLMYO.exe.bat | C:\windows\SysWOW64\VAITP.exe | N/A |
| File created | C:\windows\YWVPHA.exe | C:\windows\system\GTLMYO.exe | N/A |
| File created | C:\windows\system\QBR.exe.bat | C:\windows\system\IOF.exe | N/A |
| File created | C:\windows\QBF.exe.bat | C:\windows\system\DQJB.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\091d2c87a9e6e4a49a23b7549fa27b73_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDZRQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2972 -ip 2972
C:\windows\SysWOW64\VDZRQ.exe
C:\windows\system32\VDZRQ.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 948
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBEMY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1008
C:\windows\system\FBEMY.exe
C:\windows\system\FBEMY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZULR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1356 -ip 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 988
C:\windows\SysWOW64\ZZULR.exe
C:\windows\system32\ZZULR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3408 -ip 3408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1336
C:\windows\system\MEG.exe
C:\windows\system\MEG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNHE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1304
C:\windows\system\PNHE.exe
C:\windows\system\PNHE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXEMS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4520 -ip 4520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 968
C:\windows\system\WXEMS.exe
C:\windows\system\WXEMS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1268
C:\windows\system\ELJB.exe
C:\windows\system\ELJB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 588 -ip 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 964
C:\windows\system\OEB.exe
C:\windows\system\OEB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FEHX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 964
C:\windows\FEHX.exe
C:\windows\FEHX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GABH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2612 -ip 2612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1304
C:\windows\system\GABH.exe
C:\windows\system\GABH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKJYUZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1328
C:\windows\SysWOW64\UKJYUZR.exe
C:\windows\system32\UKJYUZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFNB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 64 -ip 64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1328
C:\windows\SysWOW64\UFNB.exe
C:\windows\system32\UFNB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LYY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1292
C:\windows\LYY.exe
C:\windows\LYY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TEDYTBL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1308
C:\windows\SysWOW64\TEDYTBL.exe
C:\windows\system32\TEDYTBL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DCQSIJT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 960
C:\windows\DCQSIJT.exe
C:\windows\DCQSIJT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EFU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 508 -ip 508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1292
C:\windows\EFU.exe
C:\windows\EFU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPXEWNR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1096 -ip 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1328
C:\windows\SysWOW64\UPXEWNR.exe
C:\windows\system32\UPXEWNR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QANDKQM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1308
C:\windows\SysWOW64\QANDKQM.exe
C:\windows\system32\QANDKQM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQOU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2672 -ip 2672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1300
C:\windows\SysWOW64\FQOU.exe
C:\windows\system32\FQOU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QJWF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1324
C:\windows\QJWF.exe
C:\windows\QJWF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 960
C:\windows\system\AHJ.exe
C:\windows\system\AHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TCNDN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 988
C:\windows\system\TCNDN.exe
C:\windows\system\TCNDN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUQL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 960
C:\windows\SysWOW64\SUQL.exe
C:\windows\system32\SUQL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AACA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4356 -ip 4356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 976
C:\windows\SysWOW64\AACA.exe
C:\windows\system32\AACA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVGT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4880 -ip 4880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1328
C:\windows\SysWOW64\OVGT.exe
C:\windows\system32\OVGT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VQXXGZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1328
C:\windows\SysWOW64\VQXXGZ.exe
C:\windows\system32\VQXXGZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JLB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 960
C:\windows\JLB.exe
C:\windows\JLB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2600 -ip 2600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1328
C:\windows\SysWOW64\PMJ.exe
C:\windows\system32\PMJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VHUFI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1324
C:\windows\VHUFI.exe
C:\windows\VHUFI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DUHTT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4832 -ip 4832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1004
C:\windows\DUHTT.exe
C:\windows\DUHTT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDIIAX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1040 -ip 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1308
C:\windows\SysWOW64\GDIIAX.exe
C:\windows\system32\GDIIAX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYTJGT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3464 -ip 3464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 960
C:\windows\SysWOW64\MYTJGT.exe
C:\windows\system32\MYTJGT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1328
C:\windows\SysWOW64\SYB.exe
C:\windows\system32\SYB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RJMNXBH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 988
C:\windows\RJMNXBH.exe
C:\windows\RJMNXBH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPQTIA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 960
C:\windows\SysWOW64\ZPQTIA.exe
C:\windows\system32\ZPQTIA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MZHK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2316 -ip 2316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 976
C:\windows\MZHK.exe
C:\windows\MZHK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2724 -ip 2724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 988
C:\windows\system\BPI.exe
C:\windows\system\BPI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNNEK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1264
C:\windows\SysWOW64\DNNEK.exe
C:\windows\system32\DNNEK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LTAKV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1512 -ip 1512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1336
C:\windows\system\LTAKV.exe
C:\windows\system\LTAKV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZOEDJCH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3100 -ip 3100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 960
C:\windows\SysWOW64\ZOEDJCH.exe
C:\windows\system32\ZOEDJCH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FJPEPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1304
C:\windows\system\FJPEPQ.exe
C:\windows\system\FJPEPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEZJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1328
C:\windows\SysWOW64\VEZJ.exe
C:\windows\system32\VEZJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BAKJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1016
C:\windows\BAKJ.exe
C:\windows\BAKJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3212 -ip 3212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1336
C:\windows\system\BDO.exe
C:\windows\system\BDO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JIBMEOL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1324
C:\windows\JIBMEOL.exe
C:\windows\JIBMEOL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RWFAOMG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4044 -ip 4044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1012
C:\windows\RWFAOMG.exe
C:\windows\RWFAOMG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRRTUJP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1256
C:\windows\SysWOW64\XRRTUJP.exe
C:\windows\system32\XRRTUJP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FWEAFH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 776 -ip 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1304
C:\windows\FWEAFH.exe
C:\windows\FWEAFH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THMZTK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 524 -ip 524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 960
C:\windows\SysWOW64\THMZTK.exe
C:\windows\system32\THMZTK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OFMKV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2492 -ip 2492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1256
C:\windows\OFMKV.exe
C:\windows\OFMKV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GNAIH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1988 -ip 1988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1324
C:\windows\GNAIH.exe
C:\windows\GNAIH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YQELVDT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1984 -ip 1984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1336
C:\windows\system\YQELVDT.exe
C:\windows\system\YQELVDT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KTPZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3800 -ip 3800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1260
C:\windows\SysWOW64\KTPZ.exe
C:\windows\system32\KTPZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OJVZIH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1316
C:\windows\system\OJVZIH.exe
C:\windows\system\OJVZIH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OFOJRL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 988
C:\windows\SysWOW64\OFOJRL.exe
C:\windows\system32\OFOJRL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QHYQKZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2508 -ip 2508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1328
C:\windows\SysWOW64\QHYQKZ.exe
C:\windows\system32\QHYQKZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CNERQGY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4460 -ip 4460
C:\windows\system\CNERQGY.exe
C:\windows\system\CNERQGY.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1336
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JIJDSH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1036 -ip 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1300
C:\windows\SysWOW64\JIJDSH.exe
C:\windows\system32\JIJDSH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VQCVNLU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1568 -ip 1568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 988
C:\windows\VQCVNLU.exe
C:\windows\VQCVNLU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJFLWR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 960
C:\windows\system\UJFLWR.exe
C:\windows\system\UJFLWR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCPVA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 964
C:\windows\system\QCPVA.exe
C:\windows\system\QCPVA.exe
Network
Files
memory/2972-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\VDZRQ.exe.bat
| MD5 | 9e72f8199b9bf45662cf16d5f1955d64 |
| SHA1 | 4ce5dfaf8aa9cc992d76c715c3872cdd513df553 |
| SHA256 | 3e9ce561af39e4eceec5d39b784d0b7133a23c7639c462cc31a2cc0039eb97b8 |
| SHA512 | 292a134a5d11eaa4b649153d05d3a1d960bf8b32e374463ab182bab34492f5c9e02b6522f2a2b507f1349156d8147c9628cd3e5fde6567db505b1d57cc0cf106 |
C:\Windows\SysWOW64\VDZRQ.exe
| MD5 | bb155dbf7af096cdc9397ce5d4aef4cf |
| SHA1 | 34d077422d1ae5f31d26c6e010ca1b1fc7239c19 |
| SHA256 | 16dd109dfea91e33393ef1389227b8281a67e96065c781eb41dea692288196a5 |
| SHA512 | fe54b7bf29b9a91345a748df588ba74e93e7a68f7baebeed1405f2ef27bb5da5192b0348a1b9d35a239f4aca382dfb7c976b92b40533a42b46c6ab36ccab2724 |
memory/1524-11-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\System\FBEMY.exe
| MD5 | 124a592bcfafd743b7a0a65bb467e895 |
| SHA1 | b4301e537841716e22e88ef04547a18c91eb654d |
| SHA256 | 2aedd5f469ed00b01c676283d1a70d0b399bc273f957457a3bd9af1ae204e07e |
| SHA512 | 8621876952ec8298c467ec2d4949d4fe2050dbee183ecd75300f42bc248794333a0941a1d5a6af6ade6a80e0b3e4e669ee3f1c7228f5ef7a134b9cc1e1d2f62b |
C:\windows\system\FBEMY.exe.bat
| MD5 | 445c0c190c9158325dd172b4a52fb6ba |
| SHA1 | c2f24b95b2d9bb2b308204c72f50a1a024f78782 |
| SHA256 | fb6eec2542786149ef668b5ec5be4a50f2fe0b566e68d58f83912f1c40c59484 |
| SHA512 | bc507ed2b0b172898cc2cd00179df25162210d9719cbd9294d869dba4a167d9e17c07d9b747c59b3aa20782e0f27948e134bd3542312eb65265994fc400d92d1 |
memory/1356-21-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2972-23-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1524-26-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\ZZULR.exe.bat
| MD5 | a701f97d9dd7a7a0bfc617f0739812d7 |
| SHA1 | 959a3da11b05aee40a02ff3ad06214839f5a47fb |
| SHA256 | 58ca2c69c4d795dc786b2d7b50645bf05f4da3916d43acaa203cc9713be316b1 |
| SHA512 | 37aa729405867c206a2ce5d9a74ca92a2dc309c8fd906281d59a2f7b3bb7af7ea4f73dd84364218f130447a275edbc54dd4e0e8aed9c84b617b219951bdc428c |
C:\Windows\SysWOW64\ZZULR.exe
| MD5 | c5f66bd14c8e7ebff7a4e9aaa6798e31 |
| SHA1 | 973360aa514a6a174dffd113fd880d14eb42f615 |
| SHA256 | dd32cb6d5377288e149be695e57162482b3b777ca8be8ea4229249be7dffca0c |
| SHA512 | 3fb197ac9659cb05dc7741e4a85cfe973a8a7b2c82e27aefad19571b210ec4eabb364983b4d8bff4cb1926205df86b5dc3d685220f2cdd17a6a2f0f2122a30f9 |
memory/3408-34-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\MEG.exe.bat
| MD5 | fc265a581085c546c48dd26c359713e8 |
| SHA1 | 83610f42aea951cab8fc6bdd5c1472e94ed53935 |
| SHA256 | 19bfcb019ffc0d4211d4976007efffe8377d6034d57d8fb718cad429fe069ee8 |
| SHA512 | f13200fbe83542283d86478c4bb2dcc70c1c0735a822b115aa3def3289470457a5e4392d7dff806f2b644512e13dc34e3281775de7c3f75e1196d31f5eb05a4c |
memory/4636-46-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\MEG.exe
| MD5 | ac90685173ec3bb2d82826c301f0a670 |
| SHA1 | 13712479ebea5c7bf8ce813749a98f416ad9e084 |
| SHA256 | 66ede377b3522dfd8e10ee7a28902b552c8df41eaf7deab57294d9fdac49983c |
| SHA512 | 75fc366a8c595cae050afd951dac972b312843df81035d3b40662b437e88c5be27dc95405ebe3bd50a92489bbf69cb4921ea36170ffc9fb86e1ee09d0fc46ff6 |
memory/1356-47-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\PNHE.exe.bat
| MD5 | d99d3e8fd0c439e8a9f035eb7053ffd2 |
| SHA1 | 3f088652a2ee634a30e92f57a233a4bb4cdfe9ed |
| SHA256 | 9e3bfef94ab929e5a583ed981ce8bf31acb2c3fa24b9e8208d73bf1111ee7fa4 |
| SHA512 | f92db7e76399f6c03977193644836f97d9f2375401759c09cfe03afe941cafd10ab719a4a346d9dbc708cd6783de093361df2d5b523d161d98a9f340bdecd244 |
memory/4520-58-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\PNHE.exe
| MD5 | 57e4d37c09e001023b013977a112c66f |
| SHA1 | edb842f5078376dd81351359fa4b34d5a5871f1c |
| SHA256 | d6264e628ee716ac324b13ffb192d8e8cab182725bd6b0bd2cc5bd83cc5299ff |
| SHA512 | 47441b3d334f54b745f429556f3eb2e7699e8a30113f5d68e8429c5c3f33243288d573711438d476e51eb1d3d23ead1a9bf75b67ae53e15d44b28237d337a016 |
memory/3408-59-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\WXEMS.exe.bat
| MD5 | 5abd00c4e3c301118ef9812fe3ed474f |
| SHA1 | 8dacee611e60d8ce874c7e955ad8af8494a18989 |
| SHA256 | 36c926c8454477b3e87e001390fccfa664877d1c974ab71ed05bd89f39583fed |
| SHA512 | be1cce14ca5cdab0ebdba735efd52a7e6a3f7a1a9188329f8650a73529a261e0bcd688ae13c9f201f3337278642c5b780d24407dcdecfadd03e16e54e03b1786 |
C:\windows\system\WXEMS.exe
| MD5 | 76ae68310d43eefa84bc6ddfaca54ac8 |
| SHA1 | 797489feb3e3e9192e46b7ed0267de042eedb91d |
| SHA256 | 3d919f201ceac69c20f9a6a0bb2c67cb851e7acd11b1f9ea53588efcafa871d5 |
| SHA512 | b24d43cdead05ac023eb7fc6a804917c1a22452775c69c95e7ca1dcb3285412cd4791cee8d8853d897eecb947ede5bc08f31a803bf5175218704b4fe0cf38a84 |
memory/1680-70-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4636-71-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\ELJB.exe.bat
| MD5 | 42c1dc92c8eafb447bb2534ddbcba96a |
| SHA1 | 52d923bf152c3a951d0723359add87eb6ccd866a |
| SHA256 | cd0222513c18debef1e1e964cd9a45037cd88fcc4e61fdcda73cc9b265e203d1 |
| SHA512 | 7efe2bdeebd5f0efe36af18fd01d36436431329f1e5f68b70da213c83389c4b55e73ce80c4baf62f13793c5ff28226ef2c196424e8547018283ac4216172900b |
memory/588-82-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\ELJB.exe
| MD5 | 50b9fbbbc2dd8ea3372259c81df7120b |
| SHA1 | daf7dff0a81310fbb9f8dc31e3e9699b7bad7725 |
| SHA256 | f7724c1e471eca4a4575c8ccf6bf67c48ce5792e12cf1a60433d293bed953bea |
| SHA512 | 4fc1623835800249d468055db9846ecb77834084b5c72e1c7d25cac0a2e795073fc912c43ac628a71d89f0ece9a578d47a9cde65d489624bb599acfd5317542b |
memory/4520-83-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\OEB.exe.bat
| MD5 | 74c98b1d080c2f035d56e33f56d2b9b6 |
| SHA1 | 3f80690cd6d254e1d721b286a311eba063d12f26 |
| SHA256 | 2516263139dc8233b903fe9915611ec314719dcb4ee132f61e26e7d2101fb70f |
| SHA512 | 23b1fcf7e9ddfb5a4e09aa42b03c8da67ea7d1429edbce65143852a58dbc9fb7fd719a93c35c1cf5fff13c3d5c25141e619c1bb1e8baad857c618cf1383b4b8a |
C:\Windows\System\OEB.exe
| MD5 | e8958f9f63547be5959113c17c9a523f |
| SHA1 | 8f11ef1645b613723f58cf8e97a9cd3bbcda1270 |
| SHA256 | 7be01a4fbb029338a1efaf782fb428e0d355d6a082a87c795b990ab23a7a7a20 |
| SHA512 | f0ecd78e6841be1cea74a27d4f7cac70c93716b77405cc8658b39214a6765f661ede411d985d4f0f51d0ef9565bde353fb0a205a4b077b6bab6b43051af114fa |
memory/2448-94-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1680-95-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\FEHX.exe.bat
| MD5 | f409c526080730cbfdfd5591a3d1fe8f |
| SHA1 | d8782be2a929d91b60784d5eacddcff11c1f16c9 |
| SHA256 | 844fcf03f8c0d38e02781676aafc8a4a49e812914fd4fcd5df8e232a06db411d |
| SHA512 | faa68287f63d8c8821c3042f8fe1397d402237ff45eccc4136a8b5f71b0a106365388c9cc93fa637a4af3cb3d3e2faaa9d8d52e675d32e2b9598c3ad17069540 |
C:\Windows\FEHX.exe
| MD5 | 70cc9417bf91509da10647b5eb9452f8 |
| SHA1 | 3fab65ddf6b9d5bc9277495f00c707697085a400 |
| SHA256 | b35ec7c53b77b680fc0716c47d78fa6632bdfa0bc16364efbfcb1c6ebe53f2f4 |
| SHA512 | 45d99cf8784fae0d9278b3af5f43530857c450720b33e2e02d46810bcf8065225c81d3ad153ccb1fee0f5cc21b92cf03245b178cf42619e506ce7be811ce7cd6 |
memory/588-106-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5016-107-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\NSU.exe.bat
| MD5 | be129890db38b2510af97a60defc6162 |
| SHA1 | 8b92958ad4673cf089761f815416f3c91938373c |
| SHA256 | e8ed512190b80aa3a3d92078fe42dee970cd8df1e57dfd6e7751998cd3aa6e94 |
| SHA512 | 6958d44aac3c914679952943f3214509e8df68ad450e62ae2a3a8a7621ed4f22915789ebf77cdc0e6d2cc6d7c7f05424c0fb23d1f1b4f08f578f35a52164cfb7 |
memory/2864-118-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2448-119-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\SSIHAP.exe.bat
| MD5 | 92c7fb239c7127db7c89d5318f5c70ae |
| SHA1 | 82c8b1dbab6217226c50bcef012b2441a355b1eb |
| SHA256 | c597185644b74ab5e746199d8b8c4ecfb5548d4859bb8ed822ed2516f698b44b |
| SHA512 | 550f8ddb12da84a68ba0d398d530082c26d3c56ec89cb0ffef433a29a40e65b65c008494182c024e2119636fccb982c8b9dc07038d1d658c4f44d85df88efabc |
C:\Windows\System\SSIHAP.exe
| MD5 | ca9c56d10e0347ed9439181d84889f97 |
| SHA1 | 7baadbf6deb5841c91f9a2f509be65e3ed79194b |
| SHA256 | 75d136581f0cc1c6d6c13bda0b06503dff6a79fc61a13358ce9140d348bea124 |
| SHA512 | b498698dd3012d1db8a793b2089320c041bd85af2e298afb0a4bf4dc71bcebcc91c880d84ac0f2a74c92f0b42fdca4bd0358aa0e75fcbd22aa6f6bb936e8a095 |
memory/4820-130-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5016-131-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\DKXRJQ.exe.bat
| MD5 | 994aa9038bd31120eb0e98f91f5d7318 |
| SHA1 | 2ca402899a029572bce8751789670429a633f579 |
| SHA256 | 7d0075a0d3571ded32b1933fb2104a1bffbb231741b7fd6834eee47cde13b288 |
| SHA512 | 65081711064024e64bb74642e25ca8ff5f52e28f51c61157c6d713238b2e7581f6fc74afef51753f64cfa543136dc6f35254b758581dee8338a2a8f430a3aba7 |
memory/4448-142-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2864-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\XYWPO.exe.bat
| MD5 | 8b342c73fbd519d7f1f8a095a720aaf3 |
| SHA1 | ce615c87e4bebb73972ff1c0fa84e571816dfb0f |
| SHA256 | 401adbf3f3f278b4c29de55868a61d305e2f9fb1295975124b80909de2957186 |
| SHA512 | 3348957a1f63e7a1db9fec2aa5388e34d0128b30d6abdc7872f5f43fd11558d4d6676b162f7b7b0391b2629886995893efcd53e6dd406a0eed34614215e0e11e |
memory/4820-150-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\XYWPO.exe
| MD5 | 5ee92136b0116aae05b74075d012fc4d |
| SHA1 | 596901f2ccb9f0d745ad472532d4e04075978701 |
| SHA256 | a8d8ded13b42553375fde276076be3ff859f5bb10cd052f3b0e3ccfce8bc89da |
| SHA512 | 4875cda09cd29fdb578d668eb29043b73baf7c43a1749f14b2d3a3619ee240393d7157b00da7326d2cd69e7c57d214c81ea5477733e2581420ca765274c253dc |
memory/4908-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\RMQO.exe.bat
| MD5 | b89973179199adde9cda321fa6cbde32 |
| SHA1 | eb074de042543ac30b5d3bb5c9e373e39b108269 |
| SHA256 | 55adefc16a9977ed3d6424b42b2becaee454825a83c32fbcffebf81a6af5a9e8 |
| SHA512 | 30d5784530b7185b68f64c6b02626911097d8f1a13c38f8aeca9b0cc1fe7289a85f770dcb4112eb3ea8d22a5bc1a8bbf5b157a38816a1ddb114d1eb33a113898 |
memory/4448-164-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\RMQO.exe
| MD5 | 5b7c1ff8318079cad979490fcccdc610 |
| SHA1 | 186c1581cc552831c2e5df3099b1a4b0d1cf8971 |
| SHA256 | 136c8fb93753250bef471d20b4a1e3966beb0b7b27f337877756dc0646d4d64b |
| SHA512 | 018f4113200ffe88e5c6e8b47fdd6213c634b1a9a94a50f9471aae747cf2465d72b02ba7c84f2511122f481fb107064c924c53046fbbdeba68d83bb38210b63d |
memory/4792-167-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\IUEL.exe.bat
| MD5 | 90a2349d0eab38dc49ed39586b7484da |
| SHA1 | 009613d458ea091b9ee971db153bb845bbd60c35 |
| SHA256 | 469f8a4745b32a015d8f9cd2bb00b71cb7387366fc078db7b5fe8fb368eef13b |
| SHA512 | 9a97f5737236da0a0c2b56e28ff72e13657f5166793170493fe859ebddd303de40267cd1eb853bbf347fa68653de0c5d25ef7f9c90edf45195d83126e6ab1f8b |
C:\windows\IUEL.exe
| MD5 | 55cc3a655671bac3b0b2d7b758df4b16 |
| SHA1 | 4e8d20e46c6c51e7587453520baf5bfab99adf9d |
| SHA256 | 35f646aeb49e64146c9e75ad530ef0edd2bc4fe9b98fdb59efa9044c1ba04e83 |
| SHA512 | 895bf0ebd43a080bb6640aa8419ecf11244967849bd7b3b870eadfeba81780b6955e199e8fa754244f1822fd138e73ddfcb2037c5628311288783ed62037f700 |
memory/1856-178-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4908-179-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\CXBQZ.exe.bat
| MD5 | 6ccb08242b0fe0c4cc9453317e7aa648 |
| SHA1 | d0355f31613c85033fda918ce6e97190c422f044 |
| SHA256 | df1849cd752f8590ee3526b85d45c906bdea6222488f8526e49f7781849abc41 |
| SHA512 | fa6925e6a65ece6c39c5cefa43e34958297887b2e2ecb843b201d8d4bb8881d146d853c8af3e71c223241fbbb9dfde3b7bea6dd4de22fc1b8b8950d7f1077dbc |
C:\Windows\System\CXBQZ.exe
C:\windows\JNCQGQT.exe.bat
C:\windows\JNCQGQT.exe
C:\windows\system\LAOGMD.exe.bat
C:\windows\system\LAOGMD.exe
C:\windows\system\YGA.exe.bat
C:\Windows\System\YGA.exe
C:\windows\system\URQILL.exe.bat
C:\Windows\System\URQILL.exe
C:\windows\FUIK.exe.bat
C:\windows\FUIK.exe
C:\windows\EEQEMX.exe.bat