Malware Analysis Report

2025-01-23 05:07

Sample ID 240521-zqzbsaab93
Target 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
SHA256 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246

Threat Level: Known bad

The file 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 20:56

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 20:56

Reported

2024-05-21 20:58

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\RIIND.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\RIIND.exe C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
File opened for modification C:\windows\SysWOW64\RIIND.exe C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
File created C:\windows\SysWOW64\RIIND.exe.bat C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
N/A N/A C:\windows\SysWOW64\RIIND.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe

"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\RIIND.exe.bat" "

C:\windows\SysWOW64\RIIND.exe

C:\windows\system32\RIIND.exe

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\RIIND.exe.bat

MD5 bff55cdd2819120c3a49a4fa8d6581a8
SHA1 4e5a2787bae1b515bad285a717cd701da56e9f72
SHA256 96e6f0d0430ef4397a508c208a661494cf2d54cb70c3799f3919d5e622098b04
SHA512 691725ff5a311dd28822f2e3d707dc73939c85e5df45fdbcf09b987242db84428bc0735cccc2977c9693b4ed4005588dd562eb940cfb002f65fb3b936199813b

memory/2192-12-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\RIIND.exe

MD5 d2ffe8c41c62b4d304f9de64cb3ee352
SHA1 7a6adf74addcd5a3151652efc8cb759cf70d58d8
SHA256 b123465ae62c7e1ea36ab7a7f981273e4f8a2b3f2ee97ef11c81c041ad692ca3
SHA512 42a309ffc64ac484e9a26dc48bfb8f45b19832a1ce86100d2a80f3b84dcbf38548602c128b13878167821a83d08ac0029448ba21987d6385af115fbfee2c8b02

memory/1036-17-0x0000000000170000-0x00000000001A9000-memory.dmp

memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1036-18-0x0000000000170000-0x00000000001A9000-memory.dmp

memory/2532-21-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 20:56

Reported

2024-05-21 20:58

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\CWFLDSZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\INUQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\FCMD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\RNZO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\RKTL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\VELEIV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\FOH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\WVZR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\HEFO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UPWM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\GRH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\JNCQGQT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\XJN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\VMHIVDX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\EGE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HVQB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\AWN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\FHXCVL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\UAQP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\KZLZPBS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\KRPPFV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\FPO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\XGL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\JCQN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\TGESJEC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\TDBOV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\RVHAOC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\UTNRMCM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\ZFWYI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\ZFUPCR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\IAP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\IBLL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\PHVUM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\DXRR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\MMHTUGD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\GTSIYPI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\WFEUPLX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ABFRSMZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\AVM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZPG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\YOURJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\XCZTCZO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\UIGZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZVIYMIM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\DRPMZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\QNIEP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\LBVNW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\DFPBJIL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\BVIEW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\JZMR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\QMZUEBW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\CVP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\NOV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\MGQJMK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\RZKDH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\VKONKE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\PNGCRHP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZKONEFV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\JPTHVPQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HXWEAQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\XQWFTPM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\system\IJOMCG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\MZUM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\windows\NHIMZS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\system\IBLL.exe N/A
N/A N/A C:\windows\ZRSOL.exe N/A
N/A N/A C:\windows\MNKWV.exe N/A
N/A N/A C:\windows\SysWOW64\TIHI.exe N/A
N/A N/A C:\windows\SysWOW64\RFBLS.exe N/A
N/A N/A C:\windows\KAS.exe N/A
N/A N/A C:\windows\DTZ.exe N/A
N/A N/A C:\windows\SysWOW64\ZJCPJUR.exe N/A
N/A N/A C:\windows\TCJASVH.exe N/A
N/A N/A C:\windows\SysWOW64\LFNW.exe N/A
N/A N/A C:\windows\DFPBJIL.exe N/A
N/A N/A C:\windows\SysWOW64\BVIEW.exe N/A
N/A N/A C:\windows\system\QLJDDJI.exe N/A
N/A N/A C:\windows\PEMLLP.exe N/A
N/A N/A C:\windows\SysWOW64\CGUKAA.exe N/A
N/A N/A C:\windows\XCZTCZO.exe N/A
N/A N/A C:\windows\KZHFML.exe N/A
N/A N/A C:\windows\SysWOW64\BNSXCIM.exe N/A
N/A N/A C:\windows\KSWEEG.exe N/A
N/A N/A C:\windows\system\CVOPIL.exe N/A
N/A N/A C:\windows\system\NODA.exe N/A
N/A N/A C:\windows\JZMR.exe N/A
N/A N/A C:\windows\SZOESM.exe N/A
N/A N/A C:\windows\system\HPPV.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\GSA.exe N/A
N/A N/A C:\windows\SysWOW64\HVQB.exe N/A
N/A N/A C:\windows\YWSOFGZ.exe N/A
N/A N/A C:\windows\SysWOW64\ATGAU.exe N/A
N/A N/A C:\windows\SysWOW64\GUNODJB.exe N/A
N/A N/A C:\windows\system\VKONKE.exe N/A
N/A N/A C:\windows\SysWOW64\XHU.exe N/A
N/A N/A C:\windows\SysWOW64\IAXA.exe N/A
N/A N/A C:\windows\SYDN.exe N/A
N/A N/A C:\windows\WOJVTV.exe N/A
N/A N/A C:\windows\system\XJN.exe N/A
N/A N/A C:\windows\system\QMZUEBW.exe N/A
N/A N/A C:\windows\system\VMHIVDX.exe N/A
N/A N/A C:\windows\SysWOW64\JPD.exe N/A
N/A N/A C:\windows\UIGZ.exe N/A
N/A N/A C:\windows\HSOYPMD.exe N/A
N/A N/A C:\windows\system\CGGPY.exe N/A
N/A N/A C:\windows\GWN.exe N/A
N/A N/A C:\windows\CEH.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\system\JCQN.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\system\PNGCRHP.exe N/A
N/A N/A C:\windows\system\CYC.exe N/A
N/A N/A C:\windows\SysWOW64\ZVIYMIM.exe N/A
N/A N/A C:\windows\EGE.exe N/A
N/A N/A C:\windows\system\DRPMZ.exe N/A
N/A N/A C:\windows\system\PHVUM.exe N/A
N/A N/A C:\windows\SysWOW64\YHYZPD.exe N/A
N/A N/A C:\windows\SysWOW64\ZKONEFV.exe N/A
N/A N/A C:\windows\DSIDH.exe N/A
N/A N/A C:\windows\ZTKFLI.exe N/A
N/A N/A C:\windows\system\QJRIWB.exe N/A
N/A N/A C:\windows\ZHLJIX.exe N/A
N/A N/A C:\windows\SysWOW64\DXRR.exe N/A
N/A N/A C:\windows\SysWOW64\NUX.exe N/A
N/A N/A C:\windows\system\WVZR.exe N/A
N/A N/A C:\windows\SysWOW64\XYDMST.exe N/A
N/A N/A C:\windows\system\VJOCB.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\SysWOW64\EKBFIXJ.exe C:\windows\SysWOW64\JOWVX.exe N/A
File created C:\windows\SysWOW64\UPWM.exe.bat C:\windows\system\HEFO.exe N/A
File created C:\windows\SysWOW64\NLOA.exe C:\windows\system\FXKLI.exe N/A
File created C:\windows\SysWOW64\ZPG.exe C:\windows\SysWOW64\CWFLDSZ.exe N/A
File created C:\windows\SysWOW64\VLKKHIG.exe.bat C:\windows\SysWOW64\ZTA.exe N/A
File created C:\windows\SysWOW64\RNZO.exe C:\windows\system\JCQN.exe N/A
File opened for modification C:\windows\SysWOW64\NUX.exe C:\windows\SysWOW64\DXRR.exe N/A
File created C:\windows\SysWOW64\DXRR.exe C:\windows\ZHLJIX.exe N/A
File created C:\windows\SysWOW64\CLFLVA.exe C:\windows\system\GBXMHP.exe N/A
File created C:\windows\SysWOW64\TAKMC.exe C:\windows\SysWOW64\WVEPU.exe N/A
File created C:\windows\SysWOW64\HYTGHU.exe.bat C:\windows\system\LPZ.exe N/A
File created C:\windows\SysWOW64\RZKDH.exe.bat C:\windows\system\UTSOR.exe N/A
File created C:\windows\SysWOW64\BNSXCIM.exe C:\windows\KZHFML.exe N/A
File opened for modification C:\windows\SysWOW64\ATGAU.exe C:\windows\YWSOFGZ.exe N/A
File opened for modification C:\windows\SysWOW64\MVOHZ.exe C:\windows\UAQP.exe N/A
File created C:\windows\SysWOW64\KPTXWVF.exe C:\windows\SysWOW64\TGESJEC.exe N/A
File created C:\windows\SysWOW64\PSNUT.exe C:\windows\SysWOW64\JRF.exe N/A
File created C:\windows\SysWOW64\HXWEAQ.exe.bat C:\windows\OUSI.exe N/A
File opened for modification C:\windows\SysWOW64\GUNODJB.exe C:\windows\SysWOW64\ATGAU.exe N/A
File created C:\windows\SysWOW64\JPD.exe.bat C:\windows\system\VMHIVDX.exe N/A
File created C:\windows\SysWOW64\MVOHZ.exe.bat C:\windows\UAQP.exe N/A
File opened for modification C:\windows\SysWOW64\NLOA.exe C:\windows\system\FXKLI.exe N/A
File created C:\windows\SysWOW64\NLOA.exe.bat C:\windows\system\FXKLI.exe N/A
File opened for modification C:\windows\SysWOW64\CNU.exe C:\windows\SysWOW64\UAP.exe N/A
File created C:\windows\SysWOW64\RFBLS.exe C:\windows\SysWOW64\TIHI.exe N/A
File created C:\windows\SysWOW64\LFNW.exe.bat C:\windows\TCJASVH.exe N/A
File created C:\windows\SysWOW64\IAXA.exe.bat C:\windows\SysWOW64\XHU.exe N/A
File opened for modification C:\windows\SysWOW64\XYDMST.exe C:\windows\system\WVZR.exe N/A
File created C:\windows\SysWOW64\UZMR.exe.bat C:\windows\system\UWANDVU.exe N/A
File created C:\windows\SysWOW64\CVP.exe C:\windows\system\QNIEP.exe N/A
File created C:\windows\SysWOW64\JKVQG.exe C:\windows\system\RKTL.exe N/A
File created C:\windows\SysWOW64\KRPPFV.exe C:\windows\system\RQZ.exe N/A
File created C:\windows\SysWOW64\HVQB.exe C:\windows\GSA.exe N/A
File created C:\windows\SysWOW64\XHU.exe.bat C:\windows\system\VKONKE.exe N/A
File created C:\windows\SysWOW64\JKVQG.exe.bat C:\windows\system\RKTL.exe N/A
File created C:\windows\SysWOW64\WVEPU.exe C:\windows\SysWOW64\JKVQG.exe N/A
File created C:\windows\SysWOW64\KPTXWVF.exe.bat C:\windows\SysWOW64\TGESJEC.exe N/A
File created C:\windows\SysWOW64\HYTGHU.exe C:\windows\system\LPZ.exe N/A
File created C:\windows\SysWOW64\UAP.exe C:\windows\UUP.exe N/A
File created C:\windows\SysWOW64\VDQ.exe.bat C:\windows\SysWOW64\HSHHG.exe N/A
File created C:\windows\SysWOW64\ATGAU.exe C:\windows\YWSOFGZ.exe N/A
File created C:\windows\SysWOW64\ZVIYMIM.exe.bat C:\windows\system\CYC.exe N/A
File created C:\windows\SysWOW64\ZKONEFV.exe.bat C:\windows\SysWOW64\YHYZPD.exe N/A
File created C:\windows\SysWOW64\DXRR.exe.bat C:\windows\ZHLJIX.exe N/A
File created C:\windows\SysWOW64\OLYDLQ.exe C:\windows\WDWYHTR.exe N/A
File created C:\windows\SysWOW64\NMKJGJ.exe.bat C:\windows\FHXCVL.exe N/A
File created C:\windows\SysWOW64\INUQ.exe C:\windows\NHIMZS.exe N/A
File created C:\windows\SysWOW64\CNU.exe.bat C:\windows\SysWOW64\UAP.exe N/A
File opened for modification C:\windows\SysWOW64\ZJCPJUR.exe C:\windows\DTZ.exe N/A
File created C:\windows\SysWOW64\HVQB.exe.bat C:\windows\GSA.exe N/A
File created C:\windows\SysWOW64\HSHHG.exe.bat C:\windows\SysWOW64\HXWEAQ.exe N/A
File opened for modification C:\windows\SysWOW64\IAXA.exe C:\windows\SysWOW64\XHU.exe N/A
File opened for modification C:\windows\SysWOW64\KSXDBF.exe C:\windows\system\JPTHVPQ.exe N/A
File created C:\windows\SysWOW64\EKBFIXJ.exe C:\windows\SysWOW64\JOWVX.exe N/A
File created C:\windows\SysWOW64\EKBFIXJ.exe.bat C:\windows\SysWOW64\JOWVX.exe N/A
File created C:\windows\SysWOW64\MVOHZ.exe C:\windows\UAQP.exe N/A
File created C:\windows\SysWOW64\CWFLDSZ.exe C:\windows\SysWOW64\HBABS.exe N/A
File created C:\windows\SysWOW64\ULOWCLK.exe.bat C:\windows\GAGFNIP.exe N/A
File created C:\windows\SysWOW64\BVIEW.exe.bat C:\windows\DFPBJIL.exe N/A
File created C:\windows\SysWOW64\YHYZPD.exe C:\windows\system\PHVUM.exe N/A
File created C:\windows\SysWOW64\MZUM.exe.bat C:\windows\system\IJOMCG.exe N/A
File opened for modification C:\windows\SysWOW64\HBABS.exe C:\windows\NOV.exe N/A
File created C:\windows\SysWOW64\CNU.exe C:\windows\SysWOW64\UAP.exe N/A
File opened for modification C:\windows\SysWOW64\RZKDH.exe C:\windows\system\UTSOR.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\system\VJOCB.exe C:\windows\SysWOW64\XYDMST.exe N/A
File created C:\windows\XHFCD.exe C:\windows\NKAIWS.exe N/A
File created C:\windows\system\FPO.exe.bat C:\windows\SysWOW64\ZPG.exe N/A
File created C:\windows\system\AABTKA.exe C:\windows\LKNJCT.exe N/A
File created C:\windows\UAQP.exe.bat C:\windows\SysWOW64\WKXMDS.exe N/A
File opened for modification C:\windows\XBJA.exe C:\windows\SysWOW64\VDQ.exe N/A
File opened for modification C:\windows\JZMR.exe C:\windows\system\NODA.exe N/A
File created C:\windows\ZHLJIX.exe C:\windows\system\QJRIWB.exe N/A
File created C:\windows\system\GBXMHP.exe.bat C:\windows\system\EDE.exe N/A
File opened for modification C:\windows\ARL.exe C:\windows\SysWOW64\TAKMC.exe N/A
File opened for modification C:\windows\SVR.exe C:\windows\DAZIU.exe N/A
File opened for modification C:\windows\system\UTSOR.exe C:\windows\system\YOURJ.exe N/A
File created C:\windows\DID.exe.bat C:\windows\system\ONYD.exe N/A
File created C:\windows\ZRSOL.exe.bat C:\windows\system\IBLL.exe N/A
File opened for modification C:\windows\system\GBXMHP.exe C:\windows\system\EDE.exe N/A
File created C:\windows\HPQSJ.exe C:\windows\SysWOW64\MMHTUGD.exe N/A
File created C:\windows\system\ZGIHC.exe.bat C:\windows\SysWOW64\ZDE.exe N/A
File created C:\windows\system\QLJDDJI.exe C:\windows\SysWOW64\BVIEW.exe N/A
File created C:\windows\system\NDPNWJF.exe C:\windows\SysWOW64\UZMR.exe N/A
File opened for modification C:\windows\system\FOH.exe C:\windows\CGYEDXU.exe N/A
File created C:\windows\IZZKL.exe C:\windows\system\NMU.exe N/A
File opened for modification C:\windows\system\QLJDDJI.exe C:\windows\SysWOW64\BVIEW.exe N/A
File created C:\windows\system\VJOCB.exe C:\windows\SysWOW64\XYDMST.exe N/A
File opened for modification C:\windows\system\AVM.exe C:\windows\system\TACEO.exe N/A
File opened for modification C:\windows\system\FXKLI.exe C:\windows\MCG.exe N/A
File created C:\windows\system\XJN.exe.bat C:\windows\WOJVTV.exe N/A
File created C:\windows\system\TACEO.exe.bat C:\windows\SysWOW64\EKBFIXJ.exe N/A
File opened for modification C:\windows\LBVNW.exe C:\windows\KYRRQT.exe N/A
File opened for modification C:\windows\NKAIWS.exe C:\windows\SysWOW64\UPWM.exe N/A
File opened for modification C:\windows\XGL.exe C:\windows\SysWOW64\ABFRSMZ.exe N/A
File opened for modification C:\windows\SYDN.exe C:\windows\SysWOW64\IAXA.exe N/A
File created C:\windows\system\XJN.exe C:\windows\WOJVTV.exe N/A
File created C:\windows\MPLT.exe C:\windows\system\JBG.exe N/A
File opened for modification C:\windows\system\TACEO.exe C:\windows\SysWOW64\EKBFIXJ.exe N/A
File created C:\windows\system\UTNRMCM.exe.bat C:\windows\system\ZGIHC.exe N/A
File created C:\windows\system\QPY.exe C:\windows\system\KOQXQV.exe N/A
File created C:\windows\VELEIV.exe C:\windows\ZDJCEZG.exe N/A
File opened for modification C:\windows\system\IJOMCG.exe C:\windows\system\STN.exe N/A
File created C:\windows\system\PHVUM.exe C:\windows\system\DRPMZ.exe N/A
File created C:\windows\ZTKFLI.exe C:\windows\DSIDH.exe N/A
File created C:\windows\system\ZFWYI.exe C:\windows\system\AVM.exe N/A
File opened for modification C:\windows\AWN.exe C:\windows\LBVNW.exe N/A
File opened for modification C:\windows\DTZ.exe C:\windows\KAS.exe N/A
File opened for modification C:\windows\UIGZ.exe C:\windows\SysWOW64\JPD.exe N/A
File created C:\windows\system\CGGPY.exe C:\windows\HSOYPMD.exe N/A
File created C:\windows\system\JCQN.exe C:\windows\WRMGP.exe N/A
File opened for modification C:\windows\ZDJCEZG.exe C:\windows\system\TDBOV.exe N/A
File created C:\windows\system\QLJDDJI.exe.bat C:\windows\SysWOW64\BVIEW.exe N/A
File created C:\windows\system\LPZ.exe C:\windows\SysWOW64\PSNUT.exe N/A
File created C:\windows\system\PYYSX.exe.bat C:\windows\system\XQWFTPM.exe N/A
File opened for modification C:\windows\CGYEDXU.exe C:\windows\SysWOW64\NLOA.exe N/A
File created C:\windows\system\FOH.exe.bat C:\windows\CGYEDXU.exe N/A
File created C:\windows\SVR.exe.bat C:\windows\DAZIU.exe N/A
File created C:\windows\system\NODA.exe C:\windows\system\CVOPIL.exe N/A
File created C:\windows\system\DRPMZ.exe C:\windows\EGE.exe N/A
File opened for modification C:\windows\ZTKFLI.exe C:\windows\DSIDH.exe N/A
File created C:\windows\system\JBG.exe.bat C:\windows\SysWOW64\CLFLVA.exe N/A
File created C:\windows\system\IAP.exe.bat C:\windows\SysWOW64\NMKJGJ.exe N/A
File opened for modification C:\windows\system\FCMD.exe C:\windows\system\CPV.exe N/A
File created C:\windows\OUSI.exe.bat C:\windows\system\PJPSM.exe N/A
File created C:\windows\DFPBJIL.exe.bat C:\windows\SysWOW64\LFNW.exe N/A
File created C:\windows\SYDN.exe C:\windows\SysWOW64\IAXA.exe N/A
File created C:\windows\ZTKFLI.exe.bat C:\windows\DSIDH.exe N/A
File created C:\windows\ZFUPCR.exe C:\windows\SysWOW64\KPTXWVF.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\IBLL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZRSOL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\MNKWV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\TIHI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RFBLS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\KAS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\DTZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ZJCPJUR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\TCJASVH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LFNW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\DFPBJIL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\BVIEW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QLJDDJI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\PEMLLP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\CGUKAA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XCZTCZO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\KZHFML.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\BNSXCIM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\KSWEEG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\CVOPIL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NODA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JZMR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SZOESM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\HPPV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JNCQGQT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GSA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\HVQB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YWSOFGZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ATGAU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\GUNODJB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VKONKE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\XHU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\IAXA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SYDN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\WOJVTV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\XJN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QMZUEBW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VMHIVDX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JPD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\UIGZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\HSOYPMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\CGGPY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GWN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CEH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\WRMGP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\JCQN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RNZO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PNGCRHP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\CYC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ZVIYMIM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\EGE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\DRPMZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PHVUM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\YHYZPD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ZKONEFV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\DSIDH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZTKFLI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QJRIWB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZHLJIX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DXRR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NUX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\WVZR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\XYDMST.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
N/A N/A C:\windows\system\IBLL.exe N/A
N/A N/A C:\windows\system\IBLL.exe N/A
N/A N/A C:\windows\ZRSOL.exe N/A
N/A N/A C:\windows\ZRSOL.exe N/A
N/A N/A C:\windows\MNKWV.exe N/A
N/A N/A C:\windows\MNKWV.exe N/A
N/A N/A C:\windows\SysWOW64\TIHI.exe N/A
N/A N/A C:\windows\SysWOW64\TIHI.exe N/A
N/A N/A C:\windows\SysWOW64\RFBLS.exe N/A
N/A N/A C:\windows\SysWOW64\RFBLS.exe N/A
N/A N/A C:\windows\KAS.exe N/A
N/A N/A C:\windows\KAS.exe N/A
N/A N/A C:\windows\DTZ.exe N/A
N/A N/A C:\windows\DTZ.exe N/A
N/A N/A C:\windows\SysWOW64\ZJCPJUR.exe N/A
N/A N/A C:\windows\SysWOW64\ZJCPJUR.exe N/A
N/A N/A C:\windows\TCJASVH.exe N/A
N/A N/A C:\windows\TCJASVH.exe N/A
N/A N/A C:\windows\SysWOW64\LFNW.exe N/A
N/A N/A C:\windows\SysWOW64\LFNW.exe N/A
N/A N/A C:\windows\DFPBJIL.exe N/A
N/A N/A C:\windows\DFPBJIL.exe N/A
N/A N/A C:\windows\SysWOW64\BVIEW.exe N/A
N/A N/A C:\windows\SysWOW64\BVIEW.exe N/A
N/A N/A C:\windows\system\QLJDDJI.exe N/A
N/A N/A C:\windows\system\QLJDDJI.exe N/A
N/A N/A C:\windows\PEMLLP.exe N/A
N/A N/A C:\windows\PEMLLP.exe N/A
N/A N/A C:\windows\SysWOW64\CGUKAA.exe N/A
N/A N/A C:\windows\SysWOW64\CGUKAA.exe N/A
N/A N/A C:\windows\XCZTCZO.exe N/A
N/A N/A C:\windows\XCZTCZO.exe N/A
N/A N/A C:\windows\KZHFML.exe N/A
N/A N/A C:\windows\KZHFML.exe N/A
N/A N/A C:\windows\SysWOW64\BNSXCIM.exe N/A
N/A N/A C:\windows\SysWOW64\BNSXCIM.exe N/A
N/A N/A C:\windows\KSWEEG.exe N/A
N/A N/A C:\windows\KSWEEG.exe N/A
N/A N/A C:\windows\system\CVOPIL.exe N/A
N/A N/A C:\windows\system\CVOPIL.exe N/A
N/A N/A C:\windows\system\NODA.exe N/A
N/A N/A C:\windows\system\NODA.exe N/A
N/A N/A C:\windows\JZMR.exe N/A
N/A N/A C:\windows\JZMR.exe N/A
N/A N/A C:\windows\SZOESM.exe N/A
N/A N/A C:\windows\SZOESM.exe N/A
N/A N/A C:\windows\system\HPPV.exe N/A
N/A N/A C:\windows\system\HPPV.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\GSA.exe N/A
N/A N/A C:\windows\GSA.exe N/A
N/A N/A C:\windows\SysWOW64\HVQB.exe N/A
N/A N/A C:\windows\SysWOW64\HVQB.exe N/A
N/A N/A C:\windows\YWSOFGZ.exe N/A
N/A N/A C:\windows\YWSOFGZ.exe N/A
N/A N/A C:\windows\SysWOW64\ATGAU.exe N/A
N/A N/A C:\windows\SysWOW64\ATGAU.exe N/A
N/A N/A C:\windows\SysWOW64\GUNODJB.exe N/A
N/A N/A C:\windows\SysWOW64\GUNODJB.exe N/A
N/A N/A C:\windows\system\VKONKE.exe N/A
N/A N/A C:\windows\system\VKONKE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe N/A
N/A N/A C:\windows\system\IBLL.exe N/A
N/A N/A C:\windows\system\IBLL.exe N/A
N/A N/A C:\windows\ZRSOL.exe N/A
N/A N/A C:\windows\ZRSOL.exe N/A
N/A N/A C:\windows\MNKWV.exe N/A
N/A N/A C:\windows\MNKWV.exe N/A
N/A N/A C:\windows\SysWOW64\TIHI.exe N/A
N/A N/A C:\windows\SysWOW64\TIHI.exe N/A
N/A N/A C:\windows\SysWOW64\RFBLS.exe N/A
N/A N/A C:\windows\SysWOW64\RFBLS.exe N/A
N/A N/A C:\windows\KAS.exe N/A
N/A N/A C:\windows\KAS.exe N/A
N/A N/A C:\windows\DTZ.exe N/A
N/A N/A C:\windows\DTZ.exe N/A
N/A N/A C:\windows\SysWOW64\ZJCPJUR.exe N/A
N/A N/A C:\windows\SysWOW64\ZJCPJUR.exe N/A
N/A N/A C:\windows\TCJASVH.exe N/A
N/A N/A C:\windows\TCJASVH.exe N/A
N/A N/A C:\windows\SysWOW64\LFNW.exe N/A
N/A N/A C:\windows\SysWOW64\LFNW.exe N/A
N/A N/A C:\windows\DFPBJIL.exe N/A
N/A N/A C:\windows\DFPBJIL.exe N/A
N/A N/A C:\windows\SysWOW64\BVIEW.exe N/A
N/A N/A C:\windows\SysWOW64\BVIEW.exe N/A
N/A N/A C:\windows\system\QLJDDJI.exe N/A
N/A N/A C:\windows\system\QLJDDJI.exe N/A
N/A N/A C:\windows\PEMLLP.exe N/A
N/A N/A C:\windows\PEMLLP.exe N/A
N/A N/A C:\windows\SysWOW64\CGUKAA.exe N/A
N/A N/A C:\windows\SysWOW64\CGUKAA.exe N/A
N/A N/A C:\windows\XCZTCZO.exe N/A
N/A N/A C:\windows\XCZTCZO.exe N/A
N/A N/A C:\windows\KZHFML.exe N/A
N/A N/A C:\windows\KZHFML.exe N/A
N/A N/A C:\windows\SysWOW64\BNSXCIM.exe N/A
N/A N/A C:\windows\SysWOW64\BNSXCIM.exe N/A
N/A N/A C:\windows\KSWEEG.exe N/A
N/A N/A C:\windows\KSWEEG.exe N/A
N/A N/A C:\windows\system\CVOPIL.exe N/A
N/A N/A C:\windows\system\CVOPIL.exe N/A
N/A N/A C:\windows\system\NODA.exe N/A
N/A N/A C:\windows\system\NODA.exe N/A
N/A N/A C:\windows\JZMR.exe N/A
N/A N/A C:\windows\JZMR.exe N/A
N/A N/A C:\windows\SZOESM.exe N/A
N/A N/A C:\windows\SZOESM.exe N/A
N/A N/A C:\windows\system\HPPV.exe N/A
N/A N/A C:\windows\system\HPPV.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\GSA.exe N/A
N/A N/A C:\windows\GSA.exe N/A
N/A N/A C:\windows\SysWOW64\HVQB.exe N/A
N/A N/A C:\windows\SysWOW64\HVQB.exe N/A
N/A N/A C:\windows\YWSOFGZ.exe N/A
N/A N/A C:\windows\YWSOFGZ.exe N/A
N/A N/A C:\windows\SysWOW64\ATGAU.exe N/A
N/A N/A C:\windows\SysWOW64\ATGAU.exe N/A
N/A N/A C:\windows\SysWOW64\GUNODJB.exe N/A
N/A N/A C:\windows\SysWOW64\GUNODJB.exe N/A
N/A N/A C:\windows\system\VKONKE.exe N/A
N/A N/A C:\windows\system\VKONKE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IBLL.exe
PID 5068 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IBLL.exe
PID 5068 wrote to memory of 3604 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IBLL.exe
PID 3604 wrote to memory of 4716 N/A C:\windows\system\IBLL.exe C:\Windows\SysWOW64\cmd.exe
PID 3604 wrote to memory of 4716 N/A C:\windows\system\IBLL.exe C:\Windows\SysWOW64\cmd.exe
PID 3604 wrote to memory of 4716 N/A C:\windows\system\IBLL.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ZRSOL.exe
PID 4716 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ZRSOL.exe
PID 4716 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ZRSOL.exe
PID 880 wrote to memory of 1240 N/A C:\windows\ZRSOL.exe C:\Windows\System32\Conhost.exe
PID 880 wrote to memory of 1240 N/A C:\windows\ZRSOL.exe C:\Windows\System32\Conhost.exe
PID 880 wrote to memory of 1240 N/A C:\windows\ZRSOL.exe C:\Windows\System32\Conhost.exe
PID 1240 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\MNKWV.exe
PID 1240 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\MNKWV.exe
PID 1240 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\MNKWV.exe
PID 552 wrote to memory of 4044 N/A C:\windows\MNKWV.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 4044 N/A C:\windows\MNKWV.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 4044 N/A C:\windows\MNKWV.exe C:\Windows\SysWOW64\cmd.exe
PID 4044 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\TIHI.exe
PID 4044 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\TIHI.exe
PID 4044 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\TIHI.exe
PID 3636 wrote to memory of 1468 N/A C:\windows\SysWOW64\TIHI.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 1468 N/A C:\windows\SysWOW64\TIHI.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 1468 N/A C:\windows\SysWOW64\TIHI.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RFBLS.exe
PID 1468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RFBLS.exe
PID 1468 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RFBLS.exe
PID 4836 wrote to memory of 4620 N/A C:\windows\SysWOW64\RFBLS.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4620 N/A C:\windows\SysWOW64\RFBLS.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4620 N/A C:\windows\SysWOW64\RFBLS.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KAS.exe
PID 4620 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KAS.exe
PID 4620 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KAS.exe
PID 1116 wrote to memory of 3788 N/A C:\windows\KAS.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 3788 N/A C:\windows\KAS.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 3788 N/A C:\windows\KAS.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\DTZ.exe
PID 3788 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\DTZ.exe
PID 3788 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\DTZ.exe
PID 1124 wrote to memory of 4008 N/A C:\windows\DTZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 4008 N/A C:\windows\DTZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 4008 N/A C:\windows\DTZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ZJCPJUR.exe
PID 4008 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ZJCPJUR.exe
PID 4008 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ZJCPJUR.exe
PID 4500 wrote to memory of 4496 N/A C:\windows\SysWOW64\ZJCPJUR.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 4496 N/A C:\windows\SysWOW64\ZJCPJUR.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 4496 N/A C:\windows\SysWOW64\ZJCPJUR.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\TCJASVH.exe
PID 4496 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\TCJASVH.exe
PID 4496 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\TCJASVH.exe
PID 4808 wrote to memory of 376 N/A C:\windows\TCJASVH.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 376 N/A C:\windows\TCJASVH.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 376 N/A C:\windows\TCJASVH.exe C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\LFNW.exe
PID 376 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\LFNW.exe
PID 376 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\LFNW.exe
PID 2168 wrote to memory of 3612 N/A C:\windows\SysWOW64\LFNW.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3612 N/A C:\windows\SysWOW64\LFNW.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3612 N/A C:\windows\SysWOW64\LFNW.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\DFPBJIL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe

"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBLL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3732 -ip 3732

C:\windows\system\IBLL.exe

C:\windows\system\IBLL.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1292

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZRSOL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 960

C:\windows\ZRSOL.exe

C:\windows\ZRSOL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MNKWV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1304

C:\windows\MNKWV.exe

C:\windows\MNKWV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TIHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 552 -ip 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1328

C:\windows\SysWOW64\TIHI.exe

C:\windows\system32\TIHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFBLS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3636 -ip 3636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1304

C:\windows\SysWOW64\RFBLS.exe

C:\windows\system32\RFBLS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KAS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1304

C:\windows\KAS.exe

C:\windows\KAS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DTZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1324

C:\windows\DTZ.exe

C:\windows\DTZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJCPJUR.exe.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1124 -ip 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1264

C:\windows\SysWOW64\ZJCPJUR.exe

C:\windows\system32\ZJCPJUR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TCJASVH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1296

C:\windows\TCJASVH.exe

C:\windows\TCJASVH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFNW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1272

C:\windows\SysWOW64\LFNW.exe

C:\windows\system32\LFNW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DFPBJIL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 960

C:\windows\DFPBJIL.exe

C:\windows\DFPBJIL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3580 -ip 3580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1300

C:\windows\SysWOW64\BVIEW.exe

C:\windows\system32\BVIEW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLJDDJI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 960

C:\windows\system\QLJDDJI.exe

C:\windows\system\QLJDDJI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PEMLLP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3832 -ip 3832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1324

C:\windows\PEMLLP.exe

C:\windows\PEMLLP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGUKAA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1292

C:\windows\SysWOW64\CGUKAA.exe

C:\windows\system32\CGUKAA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XCZTCZO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1236

C:\windows\XCZTCZO.exe

C:\windows\XCZTCZO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KZHFML.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1316

C:\windows\KZHFML.exe

C:\windows\KZHFML.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNSXCIM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1328

C:\windows\SysWOW64\BNSXCIM.exe

C:\windows\system32\BNSXCIM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KSWEEG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2888 -ip 2888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1260

C:\windows\KSWEEG.exe

C:\windows\KSWEEG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CVOPIL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1008

C:\windows\system\CVOPIL.exe

C:\windows\system\CVOPIL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NODA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1004

C:\windows\system\NODA.exe

C:\windows\system\NODA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JZMR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1000

C:\windows\JZMR.exe

C:\windows\JZMR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SZOESM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3916 -ip 3916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1304

C:\windows\SZOESM.exe

C:\windows\SZOESM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPPV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3612 -ip 3612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1336

C:\windows\system\HPPV.exe

C:\windows\system\HPPV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1324

C:\windows\JNCQGQT.exe

C:\windows\JNCQGQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GSA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1324

C:\windows\GSA.exe

C:\windows\GSA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVQB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 960

C:\windows\SysWOW64\HVQB.exe

C:\windows\system32\HVQB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YWSOFGZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1260

C:\windows\YWSOFGZ.exe

C:\windows\YWSOFGZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATGAU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 988

C:\windows\SysWOW64\ATGAU.exe

C:\windows\system32\ATGAU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GUNODJB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960

C:\windows\SysWOW64\GUNODJB.exe

C:\windows\system32\GUNODJB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKONKE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1316

C:\windows\system\VKONKE.exe

C:\windows\system\VKONKE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328

C:\windows\SysWOW64\XHU.exe

C:\windows\system32\XHU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAXA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4796 -ip 4796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 976

C:\windows\SysWOW64\IAXA.exe

C:\windows\system32\IAXA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SYDN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3376 -ip 3376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1304

C:\windows\SYDN.exe

C:\windows\SYDN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WOJVTV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1296

C:\windows\WOJVTV.exe

C:\windows\WOJVTV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3788 -ip 3788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1336

C:\windows\system\XJN.exe

C:\windows\system\XJN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMZUEBW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1308

C:\windows\system\QMZUEBW.exe

C:\windows\system\QMZUEBW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VMHIVDX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2080 -ip 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1316

C:\windows\system\VMHIVDX.exe

C:\windows\system\VMHIVDX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1328

C:\windows\SysWOW64\JPD.exe

C:\windows\system32\JPD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UIGZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3136 -ip 3136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1236

C:\windows\UIGZ.exe

C:\windows\UIGZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HSOYPMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 968

C:\windows\HSOYPMD.exe

C:\windows\HSOYPMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGGPY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1960 -ip 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 960

C:\windows\system\CGGPY.exe

C:\windows\system\CGGPY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GWN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 960

C:\windows\GWN.exe

C:\windows\GWN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CEH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 408 -ip 408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1296

C:\windows\CEH.exe

C:\windows\CEH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1296

C:\windows\WRMGP.exe

C:\windows\WRMGP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JCQN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1336

C:\windows\system\JCQN.exe

C:\windows\system\JCQN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960

C:\windows\SysWOW64\RNZO.exe

C:\windows\system32\RNZO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1336

C:\windows\system\PNGCRHP.exe

C:\windows\system\PNGCRHP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1304

C:\windows\system\CYC.exe

C:\windows\system\CYC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVIYMIM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1300

C:\windows\SysWOW64\ZVIYMIM.exe

C:\windows\system32\ZVIYMIM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EGE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1252

C:\windows\EGE.exe

C:\windows\EGE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRPMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1336

C:\windows\system\DRPMZ.exe

C:\windows\system\DRPMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVUM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1316

C:\windows\system\PHVUM.exe

C:\windows\system\PHVUM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHYZPD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 960

C:\windows\SysWOW64\YHYZPD.exe

C:\windows\system32\YHYZPD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZKONEFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960

C:\windows\SysWOW64\ZKONEFV.exe

C:\windows\system32\ZKONEFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DSIDH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 960

C:\windows\DSIDH.exe

C:\windows\DSIDH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZTKFLI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1008

C:\windows\ZTKFLI.exe

C:\windows\ZTKFLI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1312

C:\windows\system\QJRIWB.exe

C:\windows\system\QJRIWB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZHLJIX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1324

C:\windows\ZHLJIX.exe

C:\windows\ZHLJIX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DXRR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1328

C:\windows\SysWOW64\DXRR.exe

C:\windows\system32\DXRR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NUX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1328

C:\windows\SysWOW64\NUX.exe

C:\windows\system32\NUX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988

C:\windows\system\WVZR.exe

C:\windows\system\WVZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYDMST.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988

C:\windows\SysWOW64\XYDMST.exe

C:\windows\system32\XYDMST.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJOCB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1308

C:\windows\system\VJOCB.exe

C:\windows\system\VJOCB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KOLZIJW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1304

C:\windows\SysWOW64\KOLZIJW.exe

C:\windows\system32\KOLZIJW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1324

C:\windows\EBQJ.exe

C:\windows\EBQJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UWANDVU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1280

C:\windows\system\UWANDVU.exe

C:\windows\system\UWANDVU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZMR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1300

C:\windows\SysWOW64\UZMR.exe

C:\windows\system32\UZMR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1336

C:\windows\system\NDPNWJF.exe

C:\windows\system\NDPNWJF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1264

C:\windows\system\EDE.exe

C:\windows\system\EDE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1592 -ip 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 976

C:\windows\system\GBXMHP.exe

C:\windows\system\GBXMHP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CLFLVA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1328

C:\windows\SysWOW64\CLFLVA.exe

C:\windows\system32\CLFLVA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 844 -ip 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1316

C:\windows\system\JBG.exe

C:\windows\system\JBG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1256

C:\windows\MPLT.exe

C:\windows\MPLT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3376 -ip 3376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 988

C:\windows\system\JPTHVPQ.exe

C:\windows\system\JPTHVPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSXDBF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1220

C:\windows\SysWOW64\KSXDBF.exe

C:\windows\system32\KSXDBF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNIEP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3220 -ip 3220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1336

C:\windows\system\QNIEP.exe

C:\windows\system\QNIEP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1240

C:\windows\SysWOW64\CVP.exe

C:\windows\system32\CVP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VYBIGCX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960

C:\windows\VYBIGCX.exe

C:\windows\VYBIGCX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1008

C:\windows\system\KOC.exe

C:\windows\system\KOC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMHTUGD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1264

C:\windows\SysWOW64\MMHTUGD.exe

C:\windows\system32\MMHTUGD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HPQSJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 960

C:\windows\HPQSJ.exe

C:\windows\HPQSJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFESV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4452 -ip 4452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 976

C:\windows\SysWOW64\LFESV.exe

C:\windows\system32\LFESV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZDE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1260

C:\windows\SysWOW64\ZDE.exe

C:\windows\system32\ZDE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGIHC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1336

C:\windows\system\ZGIHC.exe

C:\windows\system\ZGIHC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTNRMCM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2500 -ip 2500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1336

C:\windows\system\UTNRMCM.exe

C:\windows\system\UTNRMCM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOWVX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960

C:\windows\SysWOW64\JOWVX.exe

C:\windows\system32\JOWVX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKBFIXJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1308

C:\windows\SysWOW64\EKBFIXJ.exe

C:\windows\system32\EKBFIXJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3720 -ip 3720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1336

C:\windows\system\TACEO.exe

C:\windows\system\TACEO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AVM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4336 -ip 4336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988

C:\windows\system\AVM.exe

C:\windows\system\AVM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFWYI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4652 -ip 4652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1336

C:\windows\system\ZFWYI.exe

C:\windows\system\ZFWYI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KYRRQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 872

C:\windows\KYRRQT.exe

C:\windows\KYRRQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LBVNW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1592 -ip 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1324

C:\windows\LBVNW.exe

C:\windows\LBVNW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AWN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1324

C:\windows\AWN.exe

C:\windows\AWN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICRGRCQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2584 -ip 2584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 872

C:\windows\SysWOW64\ICRGRCQ.exe

C:\windows\system32\ICRGRCQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKTL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 960

C:\windows\system\RKTL.exe

C:\windows\system\RKTL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKVQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1260

C:\windows\SysWOW64\JKVQG.exe

C:\windows\system32\JKVQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVEPU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 524 -ip 524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1256

C:\windows\SysWOW64\WVEPU.exe

C:\windows\system32\WVEPU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAKMC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 988

C:\windows\SysWOW64\TAKMC.exe

C:\windows\system32\TAKMC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ARL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1236

C:\windows\ARL.exe

C:\windows\ARL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOQXQV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1004

C:\windows\system\KOQXQV.exe

C:\windows\system\KOQXQV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336

C:\windows\system\QPY.exe

C:\windows\system\QPY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKXMDS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960

C:\windows\SysWOW64\WKXMDS.exe

C:\windows\system32\WKXMDS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UAQP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1352

C:\windows\UAQP.exe

C:\windows\UAQP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOHZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1260

C:\windows\SysWOW64\MVOHZ.exe

C:\windows\system32\MVOHZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WDWYHTR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1000

C:\windows\WDWYHTR.exe

C:\windows\WDWYHTR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLYDLQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328

C:\windows\SysWOW64\OLYDLQ.exe

C:\windows\system32\OLYDLQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HEFO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2220 -ip 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1004

C:\windows\system\HEFO.exe

C:\windows\system\HEFO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 960

C:\windows\SysWOW64\UPWM.exe

C:\windows\system32\UPWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NKAIWS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1324

C:\windows\NKAIWS.exe

C:\windows\NKAIWS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XHFCD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1324

C:\windows\XHFCD.exe

C:\windows\XHFCD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GQHHHY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 988

C:\windows\GQHHHY.exe

C:\windows\GQHHHY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQWFTPM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 988

C:\windows\system\XQWFTPM.exe

C:\windows\system\XQWFTPM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PYYSX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1308

C:\windows\system\PYYSX.exe

C:\windows\system\PYYSX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGESJEC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296

C:\windows\SysWOW64\TGESJEC.exe

C:\windows\system32\TGESJEC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPTXWVF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1300

C:\windows\SysWOW64\KPTXWVF.exe

C:\windows\system32\KPTXWVF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960

C:\windows\ZFUPCR.exe

C:\windows\ZFUPCR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\USZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1324

C:\windows\USZ.exe

C:\windows\USZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TDBOV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 960

C:\windows\system\TDBOV.exe

C:\windows\system\TDBOV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZDJCEZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 960

C:\windows\ZDJCEZG.exe

C:\windows\ZDJCEZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VELEIV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3736 -ip 3736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324

C:\windows\VELEIV.exe

C:\windows\VELEIV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 988

C:\windows\system\BES.exe

C:\windows\system\BES.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1008

C:\windows\SysWOW64\JRF.exe

C:\windows\system32\JRF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSNUT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1328

C:\windows\SysWOW64\PSNUT.exe

C:\windows\system32\PSNUT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 960

C:\windows\system\LPZ.exe

C:\windows\system\LPZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYTGHU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328

C:\windows\SysWOW64\HYTGHU.exe

C:\windows\system32\HYTGHU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RVHAOC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 960

C:\windows\RVHAOC.exe

C:\windows\RVHAOC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\STN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1316

C:\windows\system\STN.exe

C:\windows\system\STN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IJOMCG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1280

C:\windows\system\IJOMCG.exe

C:\windows\system\IJOMCG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZUM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1328

C:\windows\SysWOW64\MZUM.exe

C:\windows\system32\MZUM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MCG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1304

C:\windows\MCG.exe

C:\windows\MCG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FXKLI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 988

C:\windows\system\FXKLI.exe

C:\windows\system\FXKLI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NLOA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2656 -ip 2656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1328

C:\windows\SysWOW64\NLOA.exe

C:\windows\system32\NLOA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CGYEDXU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1256

C:\windows\CGYEDXU.exe

C:\windows\CGYEDXU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FOH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 440 -ip 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1336

C:\windows\system\FOH.exe

C:\windows\system\FOH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KZLZPBS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3092 -ip 3092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1304

C:\windows\KZLZPBS.exe

C:\windows\KZLZPBS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NMU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1336

C:\windows\system\NMU.exe

C:\windows\system\NMU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IZZKL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 960

C:\windows\IZZKL.exe

C:\windows\IZZKL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKJA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1300

C:\windows\system\GKJA.exe

C:\windows\system\GKJA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGOKEA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 960

C:\windows\system\BGOKEA.exe

C:\windows\system\BGOKEA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NOV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 988

C:\windows\NOV.exe

C:\windows\NOV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HBABS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4048 -ip 4048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 872

C:\windows\SysWOW64\HBABS.exe

C:\windows\system32\HBABS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWFLDSZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1328

C:\windows\SysWOW64\CWFLDSZ.exe

C:\windows\system32\CWFLDSZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1240

C:\windows\SysWOW64\ZPG.exe

C:\windows\system32\ZPG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1248

C:\windows\system\FPO.exe

C:\windows\system\FPO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LKNJCT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4536 -ip 4536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1304

C:\windows\LKNJCT.exe

C:\windows\LKNJCT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AABTKA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 960

C:\windows\system\AABTKA.exe

C:\windows\system\AABTKA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988

C:\windows\system\RQZ.exe

C:\windows\system\RQZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRPPFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1256

C:\windows\SysWOW64\KRPPFV.exe

C:\windows\system32\KRPPFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1496 -ip 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1324

C:\windows\MGQJMK.exe

C:\windows\MGQJMK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960

C:\windows\FHXCVL.exe

C:\windows\FHXCVL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMKJGJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1584 -ip 1584

C:\windows\SysWOW64\NMKJGJ.exe

C:\windows\system32\NMKJGJ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IAP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1336

C:\windows\system\IAP.exe

C:\windows\system\IAP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GTSIYPI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1004

C:\windows\GTSIYPI.exe

C:\windows\GTSIYPI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLZWIRJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1240 -ip 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 988

C:\windows\system\MLZWIRJ.exe

C:\windows\system\MLZWIRJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2732 -ip 2732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1308

C:\windows\system\DECMQX.exe

C:\windows\system\DECMQX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 960

C:\windows\system\GRH.exe

C:\windows\system\GRH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1324

C:\windows\NHIMZS.exe

C:\windows\NHIMZS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1328

C:\windows\SysWOW64\INUQ.exe

C:\windows\system32\INUQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DAZIU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1324

C:\windows\DAZIU.exe

C:\windows\DAZIU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2420 -ip 2420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 960

C:\windows\SVR.exe

C:\windows\SVR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GQU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 960

C:\windows\GQU.exe

C:\windows\GQU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOVH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1260

C:\windows\SysWOW64\IOVH.exe

C:\windows\system32\IOVH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KMB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2976 -ip 2976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 988

C:\windows\KMB.exe

C:\windows\KMB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WFEUPLX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1324

C:\windows\WFEUPLX.exe

C:\windows\WFEUPLX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UUP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1296

C:\windows\UUP.exe

C:\windows\UUP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3092 -ip 3092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1328

C:\windows\SysWOW64\UAP.exe

C:\windows\system32\UAP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CNU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 960

C:\windows\SysWOW64\CNU.exe

C:\windows\system32\CNU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZTA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1328

C:\windows\SysWOW64\ZTA.exe

C:\windows\system32\ZTA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VLKKHIG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1332

C:\windows\SysWOW64\VLKKHIG.exe

C:\windows\system32\VLKKHIG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HCQSLA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1236

C:\windows\HCQSLA.exe

C:\windows\HCQSLA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1336

C:\windows\system\CPV.exe

C:\windows\system\CPV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 960

C:\windows\system\FCMD.exe

C:\windows\system\FCMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GAGFNIP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1268

C:\windows\GAGFNIP.exe

C:\windows\GAGFNIP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ULOWCLK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1292

C:\windows\SysWOW64\ULOWCLK.exe

C:\windows\system32\ULOWCLK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1280

C:\windows\system\YOURJ.exe

C:\windows\system\YOURJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTSOR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1336

C:\windows\system\UTSOR.exe

C:\windows\system\UTSOR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZKDH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 988

C:\windows\SysWOW64\RZKDH.exe

C:\windows\system32\RZKDH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CRNWHYY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1336

C:\windows\system\CRNWHYY.exe

C:\windows\system\CRNWHYY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXFKQDT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1004

C:\windows\SysWOW64\CXFKQDT.exe

C:\windows\system32\CXFKQDT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 960

C:\windows\system\ONYD.exe

C:\windows\system\ONYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DID.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1324

C:\windows\DID.exe

C:\windows\DID.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABFRSMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1328

C:\windows\SysWOW64\ABFRSMZ.exe

C:\windows\system32\ABFRSMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XGL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3760 -ip 3760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 988

C:\windows\XGL.exe

C:\windows\XGL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJPSM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 552 -ip 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 960

C:\windows\system\PJPSM.exe

C:\windows\system\PJPSM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OUSI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1324

C:\windows\OUSI.exe

C:\windows\OUSI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXWEAQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1208 -ip 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1332

C:\windows\SysWOW64\HXWEAQ.exe

C:\windows\system32\HXWEAQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1300

C:\windows\SysWOW64\HSHHG.exe

C:\windows\system32\HSHHG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 960

C:\windows\SysWOW64\VDQ.exe

C:\windows\system32\VDQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XBJA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1184 -ip 1184

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3732-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3604-11-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\IBLL.exe

MD5 027d898f7d07f5732eeba3c92255d8b6
SHA1 e1baecf51b2dd7fffabceb76038fa90228d8f35c
SHA256 a57aa248e241effc35b532154a4ba095175d0dc0c204cde96157142dfea7ce34
SHA512 c739b92dc718843b2513b885ff514e0e36c5fe9bbd5aabfe4a520239c082f07467e09b3eb13521344acb387bafb7e3b7f364f89d6a43561aa08c7a5d0d12ec3e

C:\windows\system\IBLL.exe.bat

MD5 5c3c010d3a2a8f695d748350608cb2b7
SHA1 21624967e3b4857b17204e4dc8862954f32bc581
SHA256 154785748311478640d21803068a7c0d1fa80e91673b50e048e64719271f1f34
SHA512 a4fa3d41410e0e58812fa702f5c78b93a1d4b32527e79b79a4c85c09dd84c2c28d5b4a1c91f0b1d4ebcb190aaea69c4c0de2702421e80ec12e9c7f4525893b27

C:\Windows\ZRSOL.exe

MD5 53d161b63ebbdfbed69ae40a81a37109
SHA1 41a75455f9b519ff6dd517d8183774685f2f7ce1
SHA256 bc08410d6b1655220a8bd0313e89dd4dac55cee11ba0c97848e20d80806e9624
SHA512 aae607f0e633ee853b8bfb7d8ec00fecf6ba7c2ab2f06db9d6366fb3e7256eed5e43c4ab8df5b3288c1cac53665303672235f5602c580e0fdddc2b9e64627e23

C:\windows\ZRSOL.exe.bat

MD5 c4e55d1c98fe97df5f2b464485e6c806
SHA1 ab16054b11752d41cf795e4be301b80424cb91db
SHA256 84dd500ffa93ab601affaec35b6a980d7f2024289f24e4b9835dc2605ca6169a
SHA512 7e331af53fc35995fae75f4595d100a305dde64c7499842cfc996f7374ca79e48545282fcf5f4d07d070ee2993f07c672a33bdbc47bf8613fda5177d89fbc3a1

memory/3732-23-0x0000000000400000-0x0000000000439000-memory.dmp

memory/880-21-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3604-24-0x0000000000400000-0x0000000000439000-memory.dmp

memory/552-35-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\MNKWV.exe

MD5 59553510740d9fcb11bba4c78a68bdac
SHA1 7ba065b8a7da6844dfb2e77e4adfdefc395dbaa3
SHA256 fb9b4b96a0d86fa016836a46f71876813f3dc9633d1262970c9eabbf8a1a288b
SHA512 892e61cd23cde80cbe677dabb99607c8529790cc9beccd86cc94b5ccd6adb49c98b4c6b2517f1381774f093b529fb8ccacc8c9efa33f44bea7bf70450e4dc2ed

C:\windows\MNKWV.exe.bat

MD5 ef771ebf66f62ab2f2760180363bf427
SHA1 5a761f552e6c88d339a18277237ec5605ad8b5a6
SHA256 55231d59520ec32be05995d09c2b1c061bbff7641979a4e4bf9a8803942e952d
SHA512 98f4d0cb8882913c956191473ec8f4aa997208363f7352f5e51493620889abc87d93ab93e87ced8e317f15cc14cb0aaf6b0f2936b81462239dfbb1bb8a546d90

C:\Windows\SysWOW64\TIHI.exe

MD5 b862aa81b3a6ec3a300395dace1c8478
SHA1 ab8c72d6f94bded666aa27cee995148cc545d875
SHA256 94f6e49c7c8afb173a81326c1e4c8a8f89c416aafbfd873643dca4551637140e
SHA512 8ca21290e5e4a3f12dce7ae011ff739de7d61e0497720e28c3466c80837d0c9eb448f87b5b44fee5a9757ef55fc18cc36badeb39e6c2ecaf2d820a86311986b2

memory/3636-46-0x0000000000400000-0x0000000000439000-memory.dmp

memory/880-47-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\TIHI.exe.bat

MD5 e6f1ad8c5d7ad44b3b0e90e2a6e35258
SHA1 c5fbe41b97a3de5c78900d42717b60b5a9647640
SHA256 20f608f2ecb39233e48eadfcc47d78f34310dfc67f394b71f0a8fc0aabf0a53a
SHA512 1619a7bacbaa00f4ed0b91be6216b68b0913710fe657f30e8bddf2bf6c298086ada1aad1f2b7a91c9cce15e46485c1d915821aeecf153b0d885a2d2cd07e3000

memory/552-59-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\RFBLS.exe

MD5 ef7f3917e14f676e965b73ff34c5b9a0
SHA1 70293b6c54afcada727fd3f91a20d3b2567b6a17
SHA256 13724d13034d8f2bbbf168aa77728338a5798f405392f01ca0ec1f0b10add178
SHA512 63b1de084539185c062a2820be43a740d2a8816de32cd172b9589ea44e4c71a61cd554eed6f900231a41e594a04c27014eaf9b938a1c83581a23a1e4d11e1124

memory/4836-58-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\RFBLS.exe.bat

MD5 46a7771b6f61cc21c90634ec67d347e2
SHA1 0d48369aa035215e7e79b0bb1200f865bddcc758
SHA256 48ff637e90c84e7ae23ff789b41096d3f3ed8efc912b99be9e3ff4c5682a42c0
SHA512 ac17a63d9ea81fadb3041e5570847d99fea8d6ab0b980e5da408623105aced36b678fb51fbd5443860537f86e1e170860540c702367293b60451382f7c860ae2

memory/3636-71-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1116-69-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\KAS.exe.bat

MD5 d38bc76c67b8c0068b0bcc87909e17a8
SHA1 9a3025b50534a2ea263f656cb139c3fab2855edc
SHA256 e37402e6b0a7c4527c5e1be632a335e91acfdbdc6494f24973487c34e4b170be
SHA512 aa62bd47d87bff50195fe753fa0f8457219d106d56b1c760dd2d3e3f72fb7f68b388346afb35bf5a3aa7a1b3e6fcfb539964fd50dd96c4817a0bfee86b3dce18

C:\windows\DTZ.exe.bat

MD5 1d56abef9ea06041a780706a18d27bb6
SHA1 e8d984f4e67787fb3fe7afd849be764933b271f3
SHA256 3694760db436b324bff908f087db17414ba8c8f7f27d3d9bc34822abbeed11cb
SHA512 576d5f951098961c84363b871111bb88033fb03d7ff5ea7b228b346391200cbbb10ba05bdaa8402e4e2578cd823b35887ed8fb878794629a114780c8610e7ff4

C:\Windows\DTZ.exe

MD5 6218d2c5b6d48f96e55b65c49df8e00c
SHA1 12989e653bc7702fba132956b371a61d0b690fd2
SHA256 dfd49c4dcc4379ff92af56977706db0419694e82a0ee527e6cc55703f0a5f111
SHA512 8aff20cb01cd5ad66070dd795ddc43545c5697b091647c5f12a14bbc4777e2d856b2a950cd3c10692488e38fc685736e8d6f4ea6dcb28cc32984b7d362cb8acf

memory/1124-83-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4836-78-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\ZJCPJUR.exe.bat

MD5 bf1ca2c8a130f61825a40f4d58e2ea10
SHA1 cbd83b536e02559ee10b94af5c122d165c50a8ee
SHA256 d82a489bb3517f78a9f73f05b95b16b7584b5a249555d84df2f09b2b9f46b034
SHA512 f4f1d3a80b84167e5a8a81fa83604b6905e5f36ba2496b3519a4a8209222f540634da3baa7ee787b0231de9753d423a63791274c1c1012347843635bb555c0d7

C:\windows\SysWOW64\ZJCPJUR.exe

MD5 ff9cd4ae921ec9eecd53a436fbf4a9d1
SHA1 45395d28292e140e6180554bbc3c833694c4c3ff
SHA256 97a513d112128180d1e6c7f908c8fa6d2d98f267ca1808ce9938c45e0b454302
SHA512 842bcc8744bafdfd275e59d69321c181846b5ff31bb7d163a91da4780d1de81becb7498c6d4120dda642e817f14ce65625ac26166f91de9c18f852cc6abee7d6

memory/4500-94-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1116-95-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\TCJASVH.exe.bat

MD5 7dc0704f3766d8f50ffbc8a666932f9e
SHA1 60092e15ba9fb3d8136fa4ba2325f3293a48c699
SHA256 6ce7118d64ad6cdf702c67bed5c9559c6d471d9aaabba8785710939684710075
SHA512 6462f2213fc0440185e64c9f0d956486415a0e6ee650f9ffb9f2f16be0cee958062a6269e6283f606c21cedda39996da4a9d1d8bed0af326fbab94f219300717

C:\windows\TCJASVH.exe

MD5 8a1a7328a500ac9a815829ccec2b137a
SHA1 0bc74be71df02a110a8d834ef157502281a1035e
SHA256 55fa4027d17481ddc75469f61b82eea9a103afdaa8f2961ef6476e1df1d5ed4e
SHA512 c48989ef1d7bb590c690d3e4c078d349f737f22557dede791604c445d360053075f27b17a5938d1e44d7ce5c2f8c3b26f9c5d71279fb2712891527247422c986

memory/4808-106-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1124-107-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\LFNW.exe.bat

MD5 6ae15ec63cec9ccfb6d5b10097f163fe
SHA1 119afbf06c929802bf0c3fcff7b7aedda807f393
SHA256 48c2e5b7fcf1728ae75e277d834829c8f53617ce0ec9c0e13129bd9a1b877b95
SHA512 61f075bce441facbaf54501c26ef8588781eeb6ac731a46b5d97b4ffda5da06abe12cf3a8ea5651c571361a83d92c383048e227f023d6d678af0d33d5a1b3e69

memory/2168-118-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4500-119-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\DFPBJIL.exe.bat

MD5 6f7d0da4f112e3a0f2e794e297c8995f
SHA1 69cff315af8076a40777c9f3b942fc44d51c5061
SHA256 f3ec88724dc8936985a804a2883f6e4eb128a76c8f270fd8d5270e43b1bec074
SHA512 837dabeaece9dfae81ade85c6433e6031cfcea526004d5cfd3aea177778e82e399602b3830d6a898b85649288b067f4b5f117b4e1b6a8d9f4058f159da486cdb

C:\Windows\DFPBJIL.exe

MD5 2ff7d9deadfe9369b3e3288667caa448
SHA1 7a2014f86c8c718a34269f88355ca676fe84cc3e
SHA256 4f145e84f61823ff86586225cb92b36396f3919639ee940fd09c45f36ed95ac1
SHA512 96a8661b0afd29e091cb53a8e8acaa748c3304b3a38680928be7d33da651f24d7e75cdb056f7613d9e57bb33ba02a8e1d6c354dc778374f7cf5507645cd07e9d

memory/4808-127-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3580-131-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\BVIEW.exe.bat

MD5 72a8fa12fe2b74194c3d146c9fe2153d
SHA1 042acd4ff9f0e0eab3e6717efc3ceb2842a6587c
SHA256 9314e2ff5dc8ff00e100ed0de7f5c4b6a7765c46d32ea98b01a5a88c38af2a35
SHA512 118db61e07ea548d6d13cb52f691b2c4f3b121f25c64c6da9f8576904f316380c405d086a875e9261336086254fb4963e9c82a12cdb8b65a956689494b09dcae

C:\Windows\SysWOW64\BVIEW.exe

MD5 6cf2e898dbc0e2fd87721f967b316a37
SHA1 eb57640e95b0eac8ca160d6f7b6a9e29b4457ef8
SHA256 fdc7fe40fb3f459262efd6d13edc776aa06afb0a992cd4ba71b0d642e2a452c1
SHA512 495edbba6431b4d6df12b9f1985bdfb1949088be0bc65dd8e606d069a634eafa8345ec491f734a77853abf58abe19dee9785a8f02bd41eb661796ae8ee0f14e4

memory/3008-142-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2168-143-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\QLJDDJI.exe.bat

MD5 ac193dc4f896809041e4714df10f20de
SHA1 fea507f4d90d45d6886a2e3fd95e9717dff322e5
SHA256 1f204497df237e4e5adfc7c7ec05700b400a7336acbad08ecd149005feb00fdd
SHA512 0f82f2eccbdd5614e2f83cfb1cfc5cfb5531a53d0109922cf771a4b55732c071e31e01b4952e02efbb1463999a665e125d63e7218acff00fac6f0e1493097bf1

C:\Windows\System\QLJDDJI.exe

MD5 a790e9709a97b6433809120301f1dc11
SHA1 e725b081ae12ced2295a3a4403815002a0e53d20
SHA256 8a5f53f2a4889c0a670eb41d7ab599f06526cec6c52d4d5b9411d8d301fde5c7
SHA512 e062197839fbf161007654c63384dff99943db07f2888a42b96d1555341d2c92713faad76c900e9935da73555d3339220579eea51cc4abf05820714498f8ce2d

memory/3832-153-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3580-155-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\PEMLLP.exe.bat

MD5 b8106c3ceba551793df05356f66d2ece
SHA1 44b954a41033f57604383ec5e51ed9e1cb257928
SHA256 7eb080d0dfb87053bf3c6e2fd4d141b43d642efe1a0d3928e8c9d0cce6d8ccac
SHA512 d760936d91aa2bb8bad3a55f1ee051268b3cd1a42879f4ebbdb1ea0c77ee672b0caa0c1f6f74cad37453e87a5aca49f48804872f074b8ad46caf5c3fe154b52d

C:\Windows\PEMLLP.exe

MD5 c661cfe098001d9527f9257cdd00550a
SHA1 c5893b7130c8a2ec1ac92685fb3af5c8fb3883c4
SHA256 a2a7f95a95b66c7c95c8c4c28bc9733284c06aec0085c6abdf89a6d031365e39
SHA512 3868e215da4d770e1d28c5ea1d262af9eb21ffd6c51dde3e0e2db15a545963c5e91c62f868e8f73dbc0b2fb56bb85e9369c16ea68b841d01f17fc8d15129d0d2

memory/1584-165-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3008-167-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\CGUKAA.exe.bat

MD5 1221bfb8095b97880b08b585c75c9caa
SHA1 4430ad871d37bb52d26a012c1116cf0a9e9ea9d3
SHA256 01c9a1740f8e93603420e8b8d6e76d22cbf65a5b9ba68fa5147764a19985bd1b
SHA512 b5ff45c05553f0a63e618c916a6e399ff90faa91640e51083a2f073f57f8dda385bf450a273688d14a72022979c8791d9948d23b1eafa9ea86e727ef48563629

memory/3832-178-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\XCZTCZO.exe.bat

MD5 09ec7ef89c3556f5691c667786a98603
SHA1 919206bde831cf17158f2e6619923dc974ad0155
SHA256 35b325c7e79d38bb460fd3ccf523fe4d3e6f7fb663e5adfaccabfe99fca28c94
SHA512 14d4a0ce4bcfd0b95e11b265e185c2a0668077374973424a93722320599b854b08e9c5ff37cf2a2efceba7626a52e39f3a5cb4847458653227b4b0faf1b8fd73

memory/5104-188-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\XCZTCZO.exe

MD5 9e7f1a57141927ca584e207400152624
SHA1 81a43ff33445b71f580abb5c20f1560c46a95548
SHA256 827c9a9f6c6c8000f510724ddbac4bc6281c612a3d717525c3953b8d0292e567
SHA512 862be1fbba6c5954f39a3e09b27b7dbffb489bd5040311425b13406df1a77585131efece0f4fc120e857857979fab6ce38ccf7deab0422334c2c61385774aed5

memory/1584-190-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\KZHFML.exe.bat

MD5 c2de9f9f9720b18c00f4563818b0e711
SHA1 7de1083774cdf36f60d96be77d5fd580bba45fbe
SHA256 e5cd502ba80b35f7b9b0a617c5d267b50cf08f0e16aeaa1c6c3efa786e17b81b
SHA512 440629ffe94f00d32909ef59a48245586aba6aa75b3bd8a50da177039ed13ae1ae4ec1f203dafa3e914f56d56dc1a868f81bc04310104317df74b8a3f21edf6e

C:\windows\KZHFML.exe

MD5 156f7756d655b53fbe69e703fcdef2c2
SHA1 2f2d22dd16500bde788a8256049d123fa218cda2
SHA256 aa8ce448421182aabaa96858f3f49bede660ca656514d8c6c016254f77deecf6
SHA512 8af535353cc4e6f9a12bdea2feb922d800ff9e11cd814066a34592486c0e2e91eb7a0971fd5a3e4aa29df471c2af39c8aceed85686005f1a70aee1f1223f77d8

memory/376-202-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4968-200-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\BNSXCIM.exe.bat

MD5 1d41af64a3962a7156b2ea9366ea8090
SHA1 852b7398bb2f8cd06f5eb38e2b9917b5d4f0d3f9
SHA256 e7bb91cf45fa93afc103e19bd9825f85d338a8b7877818ea9d379a2c0c03538c
SHA512 134e87248d2bac5799c2cd69dae4e6d165071a41eec553a66577aae27a8b7b2963e2b1169f2786075242c71fb35daeb7b30d53db34016801973f8ada124de435

C:\windows\SysWOW64\BNSXCIM.exe

MD5 39e7dcd7264e81398759ecfc7d2bf11c
SHA1 2fe26d06ec121fb39f051414c09f13e7f145046d
SHA256 1a1bb0a376d1599aceb84f2f4f05ee181938c5d7b430dcd9e7ee7963d253f59e
SHA512 d8a325da6d433619caba0949112813f570d139251ee57f22e7204367c8ca247f37a9e2bb4f7b8fe4da019a0736313c63479b25a0f8a2d24d03853bd68b178570

memory/2888-212-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5104-214-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4968-221-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\KSWEEG.exe.bat

MD5 fd7575e508ce29059e6d166a918f2da9
SHA1 bb79a048192abc491f50522de5f974deb241c208
SHA256 96794bb514a30827c9ed3880277ae751262770df7c110c9f483b408b4460d6ed
SHA512 0422754a054d65d4a5e3b8868261a254f95b14587078fad082898c4b65a1df551e98dcf9f360d1d3f1c9202d7a7649ca7ef92fa0b4c68924c6d9aa17a5fd413d

C:\Windows\KSWEEG.exe

MD5 054c64e6d3413221fb037fe25cd1c2c2
SHA1 1d864d68cf384beee2f8b54e3ac23a6b6ac7623a
SHA256 dd5a9b4ce315dd4ed7115b0573e8b4af841d3a5fbae0f49bbc95155ee6fe29d5
SHA512 64ad8fc8bc8b707b991049fc870542180fd3b167f3ec394b6789355f8ebe4b1ec0b4e221f98b9a028e57fd7ee0bf0d896ddf6c5c7454472ed93365e2a8e5f818

memory/5116-226-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2888-233-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\CVOPIL.exe.bat

MD5 3b107942880ce69704d7b22bc400ba91
SHA1 6fa0009801cf11a794abf8852c4c37b75d370c41
SHA256 ae5e7f9a966f12c941dd0213e0e2ac08edd866e1dab7dbe7f1a6826615db0927
SHA512 35f2633c31f800cc37697fc9a61eb5eb255adc4c3ab37445272b8c5e865a1236d240a57f281fd4971c0040ffe9f0ac56bb1c0b5d3967cf00bab6747744c4f614

memory/4044-238-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5116-245-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\NODA.exe.bat

MD5 dd7e7eba6832922c76f508399d513ed8
SHA1 2dd0c70d6fa1e7e50e3c0deeec0a3f74ddf87e9a
SHA256 b219a02c11d74d4835395d25308e9438948d6898fd0876046387d8e69793cb48
SHA512 459a2ebf6baf0141c62f469c71c5467d07d0d068f4427eaa07a2eab66849b4dc6afbf21a8d97823d52b153ef9c13310d5d1661e848bac915ca3bc03679546e05

C:\Windows\System\NODA.exe

MD5 832b54c8af7f1522a8a4a32f12cc4c18
SHA1 eacae944e1ffe285fc16b0d7db0c1ef5fa381853
SHA256 ddd35632fa1a2c5d38e9de0899989172582f6970cd0d4b0f2835b726997f9bed
SHA512 4c51dbf31e0fc6aee6e6a5355e445b29a0b93b742a75b968a9a0353a80aa43bed19d253c1bf2d4cf4185356fab10a4ef055d359f4bebb5cc560ae53dcb11ad17

memory/1184-250-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4044-257-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\JZMR.exe.bat

MD5 e5ef7f7977ec6e45641a11c12a31ccdf
SHA1 e1bf1f5933d66e651f5d5f6d73eee5cfb95b6607
SHA256 8308453b97aef9fbd9c67efba13e688da93d4a4ce276db861d09da1eccec0103
SHA512 e33de41a2e95bc0fce2d0d7fa1b88b7b65443a0bac9eb7f26d790787ed89614d4d0116a2f31408770a02f550fb2427ead0d5488c42c696ca939c110654f94610

memory/3916-260-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3612-268-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1184-269-0x0000000000400000-0x0000000000439000-memory.dmp

memory/456-277-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3916-278-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4460-286-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3612-287-0x0000000000400000-0x0000000000439000-memory.dmp

memory/456-294-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4788-296-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4460-303-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2040-305-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5088-313-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4788-314-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2040-321-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1184-323-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4368-331-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5088-332-0x0000000000400000-0x0000000000439000-memory.dmp

memory/220-340-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1184-341-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4368-348-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4796-350-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3376-358-0x0000000000400000-0x0000000000439000-memory.dmp

memory/220-359-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4796-367-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4224-368-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3376-375-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3788-377-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4224-384-0x0000000000400000-0x0000000000439000-memory.dmp

memory/400-386-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2080-394-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3788-395-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3008-403-0x0000000000400000-0x0000000000439000-memory.dmp

memory/400-404-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3136-412-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2080-413-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3008-422-0x0000000000400000-0x0000000000439000-memory.dmp

memory/848-421-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3136-431-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1960-430-0x0000000000400000-0x0000000000439000-memory.dmp

memory/848-440-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2008-439-0x0000000000400000-0x0000000000439000-memory.dmp

memory/408-449-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1960-447-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4808-457-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2008-458-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1404-466-0x0000000000400000-0x0000000000439000-memory.dmp

memory/408-467-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4556-475-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4808-476-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1404-485-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2400-484-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4516-493-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4556-494-0x0000000000400000-0x0000000000439000-memory.dmp

memory/812-502-0x0000000000400000-0x0000000000439000-memory.dmp