Analysis Overview
SHA256
0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246
Threat Level: Known bad
The file 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 20:56
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 20:56
Reported
2024-05-21 20:58
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\RIIND.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\RIIND.exe | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RIIND.exe | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
| File created | C:\windows\SysWOW64\RIIND.exe.bat | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\RIIND.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\RIIND.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\RIIND.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\RIIND.exe.bat" "
C:\windows\SysWOW64\RIIND.exe
C:\windows\system32\RIIND.exe
Network
Files
memory/2192-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\RIIND.exe.bat
| MD5 | bff55cdd2819120c3a49a4fa8d6581a8 |
| SHA1 | 4e5a2787bae1b515bad285a717cd701da56e9f72 |
| SHA256 | 96e6f0d0430ef4397a508c208a661494cf2d54cb70c3799f3919d5e622098b04 |
| SHA512 | 691725ff5a311dd28822f2e3d707dc73939c85e5df45fdbcf09b987242db84428bc0735cccc2977c9693b4ed4005588dd562eb940cfb002f65fb3b936199813b |
memory/2192-12-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\SysWOW64\RIIND.exe
| MD5 | d2ffe8c41c62b4d304f9de64cb3ee352 |
| SHA1 | 7a6adf74addcd5a3151652efc8cb759cf70d58d8 |
| SHA256 | b123465ae62c7e1ea36ab7a7f981273e4f8a2b3f2ee97ef11c81c041ad692ca3 |
| SHA512 | 42a309ffc64ac484e9a26dc48bfb8f45b19832a1ce86100d2a80f3b84dcbf38548602c128b13878167821a83d08ac0029448ba21987d6385af115fbfee2c8b02 |
memory/1036-17-0x0000000000170000-0x00000000001A9000-memory.dmp
memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1036-18-0x0000000000170000-0x00000000001A9000-memory.dmp
memory/2532-21-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 20:56
Reported
2024-05-21 20:58
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
110s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CWFLDSZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\INUQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\FCMD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RNZO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\RKTL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\VELEIV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\FOH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\WVZR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\HEFO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UPWM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\GRH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\JNCQGQT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\XJN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\VMHIVDX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\EGE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HVQB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\AWN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\FHXCVL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\UAQP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\KZLZPBS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\KRPPFV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\FPO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\XGL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\JCQN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\TGESJEC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\TDBOV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\RVHAOC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\UTNRMCM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZFWYI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\ZFUPCR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\IAP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\IBLL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\PHVUM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DXRR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\MMHTUGD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\GTSIYPI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\WFEUPLX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ABFRSMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\AVM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZPG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\YOURJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\XCZTCZO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\UIGZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZVIYMIM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\DRPMZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\QNIEP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\LBVNW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\DFPBJIL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\BVIEW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\JZMR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\QMZUEBW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CVP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\NOV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\MGQJMK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RZKDH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\VKONKE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\PNGCRHP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZKONEFV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\JPTHVPQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HXWEAQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\XQWFTPM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\system\IJOMCG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\MZUM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\windows\NHIMZS.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\SysWOW64\EKBFIXJ.exe | C:\windows\SysWOW64\JOWVX.exe | N/A |
| File created | C:\windows\SysWOW64\UPWM.exe.bat | C:\windows\system\HEFO.exe | N/A |
| File created | C:\windows\SysWOW64\NLOA.exe | C:\windows\system\FXKLI.exe | N/A |
| File created | C:\windows\SysWOW64\ZPG.exe | C:\windows\SysWOW64\CWFLDSZ.exe | N/A |
| File created | C:\windows\SysWOW64\VLKKHIG.exe.bat | C:\windows\SysWOW64\ZTA.exe | N/A |
| File created | C:\windows\SysWOW64\RNZO.exe | C:\windows\system\JCQN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NUX.exe | C:\windows\SysWOW64\DXRR.exe | N/A |
| File created | C:\windows\SysWOW64\DXRR.exe | C:\windows\ZHLJIX.exe | N/A |
| File created | C:\windows\SysWOW64\CLFLVA.exe | C:\windows\system\GBXMHP.exe | N/A |
| File created | C:\windows\SysWOW64\TAKMC.exe | C:\windows\SysWOW64\WVEPU.exe | N/A |
| File created | C:\windows\SysWOW64\HYTGHU.exe.bat | C:\windows\system\LPZ.exe | N/A |
| File created | C:\windows\SysWOW64\RZKDH.exe.bat | C:\windows\system\UTSOR.exe | N/A |
| File created | C:\windows\SysWOW64\BNSXCIM.exe | C:\windows\KZHFML.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ATGAU.exe | C:\windows\YWSOFGZ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\MVOHZ.exe | C:\windows\UAQP.exe | N/A |
| File created | C:\windows\SysWOW64\KPTXWVF.exe | C:\windows\SysWOW64\TGESJEC.exe | N/A |
| File created | C:\windows\SysWOW64\PSNUT.exe | C:\windows\SysWOW64\JRF.exe | N/A |
| File created | C:\windows\SysWOW64\HXWEAQ.exe.bat | C:\windows\OUSI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\GUNODJB.exe | C:\windows\SysWOW64\ATGAU.exe | N/A |
| File created | C:\windows\SysWOW64\JPD.exe.bat | C:\windows\system\VMHIVDX.exe | N/A |
| File created | C:\windows\SysWOW64\MVOHZ.exe.bat | C:\windows\UAQP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NLOA.exe | C:\windows\system\FXKLI.exe | N/A |
| File created | C:\windows\SysWOW64\NLOA.exe.bat | C:\windows\system\FXKLI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CNU.exe | C:\windows\SysWOW64\UAP.exe | N/A |
| File created | C:\windows\SysWOW64\RFBLS.exe | C:\windows\SysWOW64\TIHI.exe | N/A |
| File created | C:\windows\SysWOW64\LFNW.exe.bat | C:\windows\TCJASVH.exe | N/A |
| File created | C:\windows\SysWOW64\IAXA.exe.bat | C:\windows\SysWOW64\XHU.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XYDMST.exe | C:\windows\system\WVZR.exe | N/A |
| File created | C:\windows\SysWOW64\UZMR.exe.bat | C:\windows\system\UWANDVU.exe | N/A |
| File created | C:\windows\SysWOW64\CVP.exe | C:\windows\system\QNIEP.exe | N/A |
| File created | C:\windows\SysWOW64\JKVQG.exe | C:\windows\system\RKTL.exe | N/A |
| File created | C:\windows\SysWOW64\KRPPFV.exe | C:\windows\system\RQZ.exe | N/A |
| File created | C:\windows\SysWOW64\HVQB.exe | C:\windows\GSA.exe | N/A |
| File created | C:\windows\SysWOW64\XHU.exe.bat | C:\windows\system\VKONKE.exe | N/A |
| File created | C:\windows\SysWOW64\JKVQG.exe.bat | C:\windows\system\RKTL.exe | N/A |
| File created | C:\windows\SysWOW64\WVEPU.exe | C:\windows\SysWOW64\JKVQG.exe | N/A |
| File created | C:\windows\SysWOW64\KPTXWVF.exe.bat | C:\windows\SysWOW64\TGESJEC.exe | N/A |
| File created | C:\windows\SysWOW64\HYTGHU.exe | C:\windows\system\LPZ.exe | N/A |
| File created | C:\windows\SysWOW64\UAP.exe | C:\windows\UUP.exe | N/A |
| File created | C:\windows\SysWOW64\VDQ.exe.bat | C:\windows\SysWOW64\HSHHG.exe | N/A |
| File created | C:\windows\SysWOW64\ATGAU.exe | C:\windows\YWSOFGZ.exe | N/A |
| File created | C:\windows\SysWOW64\ZVIYMIM.exe.bat | C:\windows\system\CYC.exe | N/A |
| File created | C:\windows\SysWOW64\ZKONEFV.exe.bat | C:\windows\SysWOW64\YHYZPD.exe | N/A |
| File created | C:\windows\SysWOW64\DXRR.exe.bat | C:\windows\ZHLJIX.exe | N/A |
| File created | C:\windows\SysWOW64\OLYDLQ.exe | C:\windows\WDWYHTR.exe | N/A |
| File created | C:\windows\SysWOW64\NMKJGJ.exe.bat | C:\windows\FHXCVL.exe | N/A |
| File created | C:\windows\SysWOW64\INUQ.exe | C:\windows\NHIMZS.exe | N/A |
| File created | C:\windows\SysWOW64\CNU.exe.bat | C:\windows\SysWOW64\UAP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ZJCPJUR.exe | C:\windows\DTZ.exe | N/A |
| File created | C:\windows\SysWOW64\HVQB.exe.bat | C:\windows\GSA.exe | N/A |
| File created | C:\windows\SysWOW64\HSHHG.exe.bat | C:\windows\SysWOW64\HXWEAQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\IAXA.exe | C:\windows\SysWOW64\XHU.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KSXDBF.exe | C:\windows\system\JPTHVPQ.exe | N/A |
| File created | C:\windows\SysWOW64\EKBFIXJ.exe | C:\windows\SysWOW64\JOWVX.exe | N/A |
| File created | C:\windows\SysWOW64\EKBFIXJ.exe.bat | C:\windows\SysWOW64\JOWVX.exe | N/A |
| File created | C:\windows\SysWOW64\MVOHZ.exe | C:\windows\UAQP.exe | N/A |
| File created | C:\windows\SysWOW64\CWFLDSZ.exe | C:\windows\SysWOW64\HBABS.exe | N/A |
| File created | C:\windows\SysWOW64\ULOWCLK.exe.bat | C:\windows\GAGFNIP.exe | N/A |
| File created | C:\windows\SysWOW64\BVIEW.exe.bat | C:\windows\DFPBJIL.exe | N/A |
| File created | C:\windows\SysWOW64\YHYZPD.exe | C:\windows\system\PHVUM.exe | N/A |
| File created | C:\windows\SysWOW64\MZUM.exe.bat | C:\windows\system\IJOMCG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HBABS.exe | C:\windows\NOV.exe | N/A |
| File created | C:\windows\SysWOW64\CNU.exe | C:\windows\SysWOW64\UAP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RZKDH.exe | C:\windows\system\UTSOR.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\system\VJOCB.exe | C:\windows\SysWOW64\XYDMST.exe | N/A |
| File created | C:\windows\XHFCD.exe | C:\windows\NKAIWS.exe | N/A |
| File created | C:\windows\system\FPO.exe.bat | C:\windows\SysWOW64\ZPG.exe | N/A |
| File created | C:\windows\system\AABTKA.exe | C:\windows\LKNJCT.exe | N/A |
| File created | C:\windows\UAQP.exe.bat | C:\windows\SysWOW64\WKXMDS.exe | N/A |
| File opened for modification | C:\windows\XBJA.exe | C:\windows\SysWOW64\VDQ.exe | N/A |
| File opened for modification | C:\windows\JZMR.exe | C:\windows\system\NODA.exe | N/A |
| File created | C:\windows\ZHLJIX.exe | C:\windows\system\QJRIWB.exe | N/A |
| File created | C:\windows\system\GBXMHP.exe.bat | C:\windows\system\EDE.exe | N/A |
| File opened for modification | C:\windows\ARL.exe | C:\windows\SysWOW64\TAKMC.exe | N/A |
| File opened for modification | C:\windows\SVR.exe | C:\windows\DAZIU.exe | N/A |
| File opened for modification | C:\windows\system\UTSOR.exe | C:\windows\system\YOURJ.exe | N/A |
| File created | C:\windows\DID.exe.bat | C:\windows\system\ONYD.exe | N/A |
| File created | C:\windows\ZRSOL.exe.bat | C:\windows\system\IBLL.exe | N/A |
| File opened for modification | C:\windows\system\GBXMHP.exe | C:\windows\system\EDE.exe | N/A |
| File created | C:\windows\HPQSJ.exe | C:\windows\SysWOW64\MMHTUGD.exe | N/A |
| File created | C:\windows\system\ZGIHC.exe.bat | C:\windows\SysWOW64\ZDE.exe | N/A |
| File created | C:\windows\system\QLJDDJI.exe | C:\windows\SysWOW64\BVIEW.exe | N/A |
| File created | C:\windows\system\NDPNWJF.exe | C:\windows\SysWOW64\UZMR.exe | N/A |
| File opened for modification | C:\windows\system\FOH.exe | C:\windows\CGYEDXU.exe | N/A |
| File created | C:\windows\IZZKL.exe | C:\windows\system\NMU.exe | N/A |
| File opened for modification | C:\windows\system\QLJDDJI.exe | C:\windows\SysWOW64\BVIEW.exe | N/A |
| File created | C:\windows\system\VJOCB.exe | C:\windows\SysWOW64\XYDMST.exe | N/A |
| File opened for modification | C:\windows\system\AVM.exe | C:\windows\system\TACEO.exe | N/A |
| File opened for modification | C:\windows\system\FXKLI.exe | C:\windows\MCG.exe | N/A |
| File created | C:\windows\system\XJN.exe.bat | C:\windows\WOJVTV.exe | N/A |
| File created | C:\windows\system\TACEO.exe.bat | C:\windows\SysWOW64\EKBFIXJ.exe | N/A |
| File opened for modification | C:\windows\LBVNW.exe | C:\windows\KYRRQT.exe | N/A |
| File opened for modification | C:\windows\NKAIWS.exe | C:\windows\SysWOW64\UPWM.exe | N/A |
| File opened for modification | C:\windows\XGL.exe | C:\windows\SysWOW64\ABFRSMZ.exe | N/A |
| File opened for modification | C:\windows\SYDN.exe | C:\windows\SysWOW64\IAXA.exe | N/A |
| File created | C:\windows\system\XJN.exe | C:\windows\WOJVTV.exe | N/A |
| File created | C:\windows\MPLT.exe | C:\windows\system\JBG.exe | N/A |
| File opened for modification | C:\windows\system\TACEO.exe | C:\windows\SysWOW64\EKBFIXJ.exe | N/A |
| File created | C:\windows\system\UTNRMCM.exe.bat | C:\windows\system\ZGIHC.exe | N/A |
| File created | C:\windows\system\QPY.exe | C:\windows\system\KOQXQV.exe | N/A |
| File created | C:\windows\VELEIV.exe | C:\windows\ZDJCEZG.exe | N/A |
| File opened for modification | C:\windows\system\IJOMCG.exe | C:\windows\system\STN.exe | N/A |
| File created | C:\windows\system\PHVUM.exe | C:\windows\system\DRPMZ.exe | N/A |
| File created | C:\windows\ZTKFLI.exe | C:\windows\DSIDH.exe | N/A |
| File created | C:\windows\system\ZFWYI.exe | C:\windows\system\AVM.exe | N/A |
| File opened for modification | C:\windows\AWN.exe | C:\windows\LBVNW.exe | N/A |
| File opened for modification | C:\windows\DTZ.exe | C:\windows\KAS.exe | N/A |
| File opened for modification | C:\windows\UIGZ.exe | C:\windows\SysWOW64\JPD.exe | N/A |
| File created | C:\windows\system\CGGPY.exe | C:\windows\HSOYPMD.exe | N/A |
| File created | C:\windows\system\JCQN.exe | C:\windows\WRMGP.exe | N/A |
| File opened for modification | C:\windows\ZDJCEZG.exe | C:\windows\system\TDBOV.exe | N/A |
| File created | C:\windows\system\QLJDDJI.exe.bat | C:\windows\SysWOW64\BVIEW.exe | N/A |
| File created | C:\windows\system\LPZ.exe | C:\windows\SysWOW64\PSNUT.exe | N/A |
| File created | C:\windows\system\PYYSX.exe.bat | C:\windows\system\XQWFTPM.exe | N/A |
| File opened for modification | C:\windows\CGYEDXU.exe | C:\windows\SysWOW64\NLOA.exe | N/A |
| File created | C:\windows\system\FOH.exe.bat | C:\windows\CGYEDXU.exe | N/A |
| File created | C:\windows\SVR.exe.bat | C:\windows\DAZIU.exe | N/A |
| File created | C:\windows\system\NODA.exe | C:\windows\system\CVOPIL.exe | N/A |
| File created | C:\windows\system\DRPMZ.exe | C:\windows\EGE.exe | N/A |
| File opened for modification | C:\windows\ZTKFLI.exe | C:\windows\DSIDH.exe | N/A |
| File created | C:\windows\system\JBG.exe.bat | C:\windows\SysWOW64\CLFLVA.exe | N/A |
| File created | C:\windows\system\IAP.exe.bat | C:\windows\SysWOW64\NMKJGJ.exe | N/A |
| File opened for modification | C:\windows\system\FCMD.exe | C:\windows\system\CPV.exe | N/A |
| File created | C:\windows\OUSI.exe.bat | C:\windows\system\PJPSM.exe | N/A |
| File created | C:\windows\DFPBJIL.exe.bat | C:\windows\SysWOW64\LFNW.exe | N/A |
| File created | C:\windows\SYDN.exe | C:\windows\SysWOW64\IAXA.exe | N/A |
| File created | C:\windows\ZTKFLI.exe.bat | C:\windows\DSIDH.exe | N/A |
| File created | C:\windows\ZFUPCR.exe | C:\windows\SysWOW64\KPTXWVF.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBLL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3732 -ip 3732
C:\windows\system\IBLL.exe
C:\windows\system\IBLL.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1292
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZRSOL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 960
C:\windows\ZRSOL.exe
C:\windows\ZRSOL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MNKWV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 880 -ip 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1304
C:\windows\MNKWV.exe
C:\windows\MNKWV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TIHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1328
C:\windows\SysWOW64\TIHI.exe
C:\windows\system32\TIHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFBLS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1304
C:\windows\SysWOW64\RFBLS.exe
C:\windows\system32\RFBLS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KAS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1304
C:\windows\KAS.exe
C:\windows\KAS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DTZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1116 -ip 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1324
C:\windows\DTZ.exe
C:\windows\DTZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJCPJUR.exe.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1124 -ip 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1264
C:\windows\SysWOW64\ZJCPJUR.exe
C:\windows\system32\ZJCPJUR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TCJASVH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1296
C:\windows\TCJASVH.exe
C:\windows\TCJASVH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFNW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1272
C:\windows\SysWOW64\LFNW.exe
C:\windows\system32\LFNW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DFPBJIL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 960
C:\windows\DFPBJIL.exe
C:\windows\DFPBJIL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3580 -ip 3580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1300
C:\windows\SysWOW64\BVIEW.exe
C:\windows\system32\BVIEW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLJDDJI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3008 -ip 3008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 960
C:\windows\system\QLJDDJI.exe
C:\windows\system\QLJDDJI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PEMLLP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3832 -ip 3832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1324
C:\windows\PEMLLP.exe
C:\windows\PEMLLP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGUKAA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1584 -ip 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1292
C:\windows\SysWOW64\CGUKAA.exe
C:\windows\system32\CGUKAA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XCZTCZO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 376 -ip 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1236
C:\windows\XCZTCZO.exe
C:\windows\XCZTCZO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZHFML.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5104 -ip 5104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1316
C:\windows\KZHFML.exe
C:\windows\KZHFML.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BNSXCIM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4968 -ip 4968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1328
C:\windows\SysWOW64\BNSXCIM.exe
C:\windows\system32\BNSXCIM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KSWEEG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1260
C:\windows\KSWEEG.exe
C:\windows\KSWEEG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CVOPIL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1008
C:\windows\system\CVOPIL.exe
C:\windows\system\CVOPIL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NODA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4044 -ip 4044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1004
C:\windows\system\NODA.exe
C:\windows\system\NODA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JZMR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1000
C:\windows\JZMR.exe
C:\windows\JZMR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SZOESM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3916 -ip 3916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1304
C:\windows\SZOESM.exe
C:\windows\SZOESM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HPPV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3612 -ip 3612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1336
C:\windows\system\HPPV.exe
C:\windows\system\HPPV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 456 -ip 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1324
C:\windows\JNCQGQT.exe
C:\windows\JNCQGQT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GSA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1324
C:\windows\GSA.exe
C:\windows\GSA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HVQB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 960
C:\windows\SysWOW64\HVQB.exe
C:\windows\system32\HVQB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YWSOFGZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2040 -ip 2040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1260
C:\windows\YWSOFGZ.exe
C:\windows\YWSOFGZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATGAU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 988
C:\windows\SysWOW64\ATGAU.exe
C:\windows\system32\ATGAU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GUNODJB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
C:\windows\SysWOW64\GUNODJB.exe
C:\windows\system32\GUNODJB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKONKE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1316
C:\windows\system\VKONKE.exe
C:\windows\system\VKONKE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328
C:\windows\SysWOW64\XHU.exe
C:\windows\system32\XHU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAXA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 976
C:\windows\SysWOW64\IAXA.exe
C:\windows\system32\IAXA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SYDN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3376 -ip 3376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1304
C:\windows\SYDN.exe
C:\windows\SYDN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WOJVTV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1296
C:\windows\WOJVTV.exe
C:\windows\WOJVTV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3788 -ip 3788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1336
C:\windows\system\XJN.exe
C:\windows\system\XJN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QMZUEBW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1308
C:\windows\system\QMZUEBW.exe
C:\windows\system\QMZUEBW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VMHIVDX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2080 -ip 2080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1316
C:\windows\system\VMHIVDX.exe
C:\windows\system\VMHIVDX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3008 -ip 3008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1328
C:\windows\SysWOW64\JPD.exe
C:\windows\system32\JPD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UIGZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3136 -ip 3136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1236
C:\windows\UIGZ.exe
C:\windows\UIGZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HSOYPMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 848 -ip 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 968
C:\windows\HSOYPMD.exe
C:\windows\HSOYPMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGGPY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 960
C:\windows\system\CGGPY.exe
C:\windows\system\CGGPY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GWN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 960
C:\windows\GWN.exe
C:\windows\GWN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CEH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1296
C:\windows\CEH.exe
C:\windows\CEH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1296
C:\windows\WRMGP.exe
C:\windows\WRMGP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JCQN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1404 -ip 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1336
C:\windows\system\JCQN.exe
C:\windows\system\JCQN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
C:\windows\SysWOW64\RNZO.exe
C:\windows\system32\RNZO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1336
C:\windows\system\PNGCRHP.exe
C:\windows\system\PNGCRHP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1304
C:\windows\system\CYC.exe
C:\windows\system\CYC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVIYMIM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 812 -ip 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1300
C:\windows\SysWOW64\ZVIYMIM.exe
C:\windows\system32\ZVIYMIM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EGE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1440 -ip 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1252
C:\windows\EGE.exe
C:\windows\EGE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRPMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2936 -ip 2936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1336
C:\windows\system\DRPMZ.exe
C:\windows\system\DRPMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVUM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1612 -ip 1612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1316
C:\windows\system\PHVUM.exe
C:\windows\system\PHVUM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHYZPD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 960
C:\windows\SysWOW64\YHYZPD.exe
C:\windows\system32\YHYZPD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZKONEFV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1844 -ip 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960
C:\windows\SysWOW64\ZKONEFV.exe
C:\windows\system32\ZKONEFV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DSIDH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2928 -ip 2928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 960
C:\windows\DSIDH.exe
C:\windows\DSIDH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZTKFLI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1008
C:\windows\ZTKFLI.exe
C:\windows\ZTKFLI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2912 -ip 2912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1312
C:\windows\system\QJRIWB.exe
C:\windows\system\QJRIWB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZHLJIX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4560 -ip 4560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1324
C:\windows\ZHLJIX.exe
C:\windows\ZHLJIX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DXRR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1328
C:\windows\SysWOW64\DXRR.exe
C:\windows\system32\DXRR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NUX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1328
C:\windows\SysWOW64\NUX.exe
C:\windows\system32\NUX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 988
C:\windows\system\WVZR.exe
C:\windows\system\WVZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYDMST.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988
C:\windows\SysWOW64\XYDMST.exe
C:\windows\system32\XYDMST.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VJOCB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1308
C:\windows\system\VJOCB.exe
C:\windows\system\VJOCB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KOLZIJW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1304
C:\windows\SysWOW64\KOLZIJW.exe
C:\windows\system32\KOLZIJW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2536 -ip 2536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1324
C:\windows\EBQJ.exe
C:\windows\EBQJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UWANDVU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3756 -ip 3756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1280
C:\windows\system\UWANDVU.exe
C:\windows\system\UWANDVU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZMR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3188 -ip 3188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1300
C:\windows\SysWOW64\UZMR.exe
C:\windows\system32\UZMR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4804 -ip 4804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1336
C:\windows\system\NDPNWJF.exe
C:\windows\system\NDPNWJF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1264
C:\windows\system\EDE.exe
C:\windows\system\EDE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1592 -ip 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 976
C:\windows\system\GBXMHP.exe
C:\windows\system\GBXMHP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CLFLVA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1328
C:\windows\SysWOW64\CLFLVA.exe
C:\windows\system32\CLFLVA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 844 -ip 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1316
C:\windows\system\JBG.exe
C:\windows\system\JBG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1256
C:\windows\MPLT.exe
C:\windows\MPLT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3376 -ip 3376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 988
C:\windows\system\JPTHVPQ.exe
C:\windows\system\JPTHVPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSXDBF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1220
C:\windows\SysWOW64\KSXDBF.exe
C:\windows\system32\KSXDBF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QNIEP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3220 -ip 3220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1336
C:\windows\system\QNIEP.exe
C:\windows\system\QNIEP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1240
C:\windows\SysWOW64\CVP.exe
C:\windows\system32\CVP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VYBIGCX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960
C:\windows\VYBIGCX.exe
C:\windows\VYBIGCX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1068 -ip 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1008
C:\windows\system\KOC.exe
C:\windows\system\KOC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMHTUGD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1264
C:\windows\SysWOW64\MMHTUGD.exe
C:\windows\system32\MMHTUGD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HPQSJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3756 -ip 3756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 960
C:\windows\HPQSJ.exe
C:\windows\HPQSJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFESV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 976
C:\windows\SysWOW64\LFESV.exe
C:\windows\system32\LFESV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZDE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1260
C:\windows\SysWOW64\ZDE.exe
C:\windows\system32\ZDE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGIHC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1336
C:\windows\system\ZGIHC.exe
C:\windows\system\ZGIHC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTNRMCM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2500 -ip 2500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1336
C:\windows\system\UTNRMCM.exe
C:\windows\system\UTNRMCM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOWVX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
C:\windows\SysWOW64\JOWVX.exe
C:\windows\system32\JOWVX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKBFIXJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1308
C:\windows\SysWOW64\EKBFIXJ.exe
C:\windows\system32\EKBFIXJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1336
C:\windows\system\TACEO.exe
C:\windows\system\TACEO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AVM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4336 -ip 4336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 988
C:\windows\system\AVM.exe
C:\windows\system\AVM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFWYI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1336
C:\windows\system\ZFWYI.exe
C:\windows\system\ZFWYI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KYRRQT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 872
C:\windows\KYRRQT.exe
C:\windows\KYRRQT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LBVNW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1592 -ip 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1324
C:\windows\LBVNW.exe
C:\windows\LBVNW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AWN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3328 -ip 3328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1324
C:\windows\AWN.exe
C:\windows\AWN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICRGRCQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2584 -ip 2584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 872
C:\windows\SysWOW64\ICRGRCQ.exe
C:\windows\system32\ICRGRCQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKTL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 960
C:\windows\system\RKTL.exe
C:\windows\system\RKTL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JKVQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 3372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1260
C:\windows\SysWOW64\JKVQG.exe
C:\windows\system32\JKVQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVEPU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 524 -ip 524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1256
C:\windows\SysWOW64\WVEPU.exe
C:\windows\system32\WVEPU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAKMC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 988
C:\windows\SysWOW64\TAKMC.exe
C:\windows\system32\TAKMC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ARL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1236
C:\windows\ARL.exe
C:\windows\ARL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOQXQV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1004
C:\windows\system\KOQXQV.exe
C:\windows\system\KOQXQV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1336
C:\windows\system\QPY.exe
C:\windows\system\QPY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKXMDS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 960
C:\windows\SysWOW64\WKXMDS.exe
C:\windows\system32\WKXMDS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UAQP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1352
C:\windows\UAQP.exe
C:\windows\UAQP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOHZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1260
C:\windows\SysWOW64\MVOHZ.exe
C:\windows\system32\MVOHZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WDWYHTR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1000
C:\windows\WDWYHTR.exe
C:\windows\WDWYHTR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLYDLQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1328
C:\windows\SysWOW64\OLYDLQ.exe
C:\windows\system32\OLYDLQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HEFO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1004
C:\windows\system\HEFO.exe
C:\windows\system\HEFO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3308 -ip 3308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 960
C:\windows\SysWOW64\UPWM.exe
C:\windows\system32\UPWM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NKAIWS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4176 -ip 4176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1324
C:\windows\NKAIWS.exe
C:\windows\NKAIWS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XHFCD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1324
C:\windows\XHFCD.exe
C:\windows\XHFCD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GQHHHY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 988
C:\windows\GQHHHY.exe
C:\windows\GQHHHY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XQWFTPM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 988
C:\windows\system\XQWFTPM.exe
C:\windows\system\XQWFTPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PYYSX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3756 -ip 3756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1308
C:\windows\system\PYYSX.exe
C:\windows\system\PYYSX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGESJEC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3996 -ip 3996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1296
C:\windows\SysWOW64\TGESJEC.exe
C:\windows\system32\TGESJEC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPTXWVF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 416 -ip 416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1300
C:\windows\SysWOW64\KPTXWVF.exe
C:\windows\system32\KPTXWVF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960
C:\windows\ZFUPCR.exe
C:\windows\ZFUPCR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\USZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1324
C:\windows\USZ.exe
C:\windows\USZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TDBOV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4892 -ip 4892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 960
C:\windows\system\TDBOV.exe
C:\windows\system\TDBOV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZDJCEZG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4620 -ip 4620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 960
C:\windows\ZDJCEZG.exe
C:\windows\ZDJCEZG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VELEIV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3736 -ip 3736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324
C:\windows\VELEIV.exe
C:\windows\VELEIV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 988
C:\windows\system\BES.exe
C:\windows\system\BES.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 848 -ip 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1008
C:\windows\SysWOW64\JRF.exe
C:\windows\system32\JRF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSNUT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4776 -ip 4776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1328
C:\windows\SysWOW64\PSNUT.exe
C:\windows\system32\PSNUT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 960
C:\windows\system\LPZ.exe
C:\windows\system\LPZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYTGHU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328
C:\windows\SysWOW64\HYTGHU.exe
C:\windows\system32\HYTGHU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RVHAOC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 456 -ip 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 960
C:\windows\RVHAOC.exe
C:\windows\RVHAOC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\STN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2900 -ip 2900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1316
C:\windows\system\STN.exe
C:\windows\system\STN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IJOMCG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2936 -ip 2936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1280
C:\windows\system\IJOMCG.exe
C:\windows\system\IJOMCG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZUM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1116 -ip 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1328
C:\windows\SysWOW64\MZUM.exe
C:\windows\system32\MZUM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MCG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1304
C:\windows\MCG.exe
C:\windows\MCG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FXKLI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 988
C:\windows\system\FXKLI.exe
C:\windows\system\FXKLI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NLOA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2656 -ip 2656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1328
C:\windows\SysWOW64\NLOA.exe
C:\windows\system32\NLOA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGYEDXU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1256
C:\windows\CGYEDXU.exe
C:\windows\CGYEDXU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FOH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 440 -ip 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1336
C:\windows\system\FOH.exe
C:\windows\system\FOH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KZLZPBS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3092 -ip 3092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1304
C:\windows\KZLZPBS.exe
C:\windows\KZLZPBS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NMU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1336
C:\windows\system\NMU.exe
C:\windows\system\NMU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IZZKL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 960
C:\windows\IZZKL.exe
C:\windows\IZZKL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GKJA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2908 -ip 2908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1300
C:\windows\system\GKJA.exe
C:\windows\system\GKJA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGOKEA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4480 -ip 4480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 960
C:\windows\system\BGOKEA.exe
C:\windows\system\BGOKEA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 988
C:\windows\NOV.exe
C:\windows\NOV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HBABS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4048 -ip 4048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 872
C:\windows\SysWOW64\HBABS.exe
C:\windows\system32\HBABS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWFLDSZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1328
C:\windows\SysWOW64\CWFLDSZ.exe
C:\windows\system32\CWFLDSZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1240
C:\windows\SysWOW64\ZPG.exe
C:\windows\system32\ZPG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1248
C:\windows\system\FPO.exe
C:\windows\system\FPO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LKNJCT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1304
C:\windows\LKNJCT.exe
C:\windows\LKNJCT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AABTKA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 960
C:\windows\system\AABTKA.exe
C:\windows\system\AABTKA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 988
C:\windows\system\RQZ.exe
C:\windows\system\RQZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRPPFV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2120 -ip 2120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1256
C:\windows\SysWOW64\KRPPFV.exe
C:\windows\system32\KRPPFV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1496 -ip 1496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1324
C:\windows\MGQJMK.exe
C:\windows\MGQJMK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 960
C:\windows\FHXCVL.exe
C:\windows\FHXCVL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NMKJGJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1584 -ip 1584
C:\windows\SysWOW64\NMKJGJ.exe
C:\windows\system32\NMKJGJ.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 960
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IAP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1336
C:\windows\system\IAP.exe
C:\windows\system\IAP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GTSIYPI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3708 -ip 3708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1004
C:\windows\GTSIYPI.exe
C:\windows\GTSIYPI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLZWIRJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1240 -ip 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 988
C:\windows\system\MLZWIRJ.exe
C:\windows\system\MLZWIRJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2732 -ip 2732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1308
C:\windows\system\DECMQX.exe
C:\windows\system\DECMQX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2912 -ip 2912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 960
C:\windows\system\GRH.exe
C:\windows\system\GRH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 636 -ip 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1324
C:\windows\NHIMZS.exe
C:\windows\NHIMZS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1328
C:\windows\SysWOW64\INUQ.exe
C:\windows\system32\INUQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DAZIU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3272 -ip 3272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1324
C:\windows\DAZIU.exe
C:\windows\DAZIU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SVR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2420 -ip 2420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 960
C:\windows\SVR.exe
C:\windows\SVR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GQU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 960
C:\windows\GQU.exe
C:\windows\GQU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOVH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3252 -ip 3252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1260
C:\windows\SysWOW64\IOVH.exe
C:\windows\system32\IOVH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KMB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2976 -ip 2976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 988
C:\windows\KMB.exe
C:\windows\KMB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WFEUPLX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2256 -ip 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1324
C:\windows\WFEUPLX.exe
C:\windows\WFEUPLX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UUP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3424 -ip 3424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1296
C:\windows\UUP.exe
C:\windows\UUP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3092 -ip 3092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1328
C:\windows\SysWOW64\UAP.exe
C:\windows\system32\UAP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CNU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 960
C:\windows\SysWOW64\CNU.exe
C:\windows\system32\CNU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZTA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1328
C:\windows\SysWOW64\ZTA.exe
C:\windows\system32\ZTA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VLKKHIG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1332
C:\windows\SysWOW64\VLKKHIG.exe
C:\windows\system32\VLKKHIG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HCQSLA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1236
C:\windows\HCQSLA.exe
C:\windows\HCQSLA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2284 -ip 2284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1336
C:\windows\system\CPV.exe
C:\windows\system\CPV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 960
C:\windows\system\FCMD.exe
C:\windows\system\FCMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GAGFNIP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1268
C:\windows\GAGFNIP.exe
C:\windows\GAGFNIP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ULOWCLK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1468 -ip 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1292
C:\windows\SysWOW64\ULOWCLK.exe
C:\windows\system32\ULOWCLK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1280
C:\windows\system\YOURJ.exe
C:\windows\system\YOURJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UTSOR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1336
C:\windows\system\UTSOR.exe
C:\windows\system\UTSOR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZKDH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 988
C:\windows\SysWOW64\RZKDH.exe
C:\windows\system32\RZKDH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CRNWHYY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1336
C:\windows\system\CRNWHYY.exe
C:\windows\system\CRNWHYY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXFKQDT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3968 -ip 3968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1004
C:\windows\SysWOW64\CXFKQDT.exe
C:\windows\system32\CXFKQDT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONYD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 960
C:\windows\system\ONYD.exe
C:\windows\system\ONYD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DID.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4676 -ip 4676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1324
C:\windows\DID.exe
C:\windows\DID.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ABFRSMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1328
C:\windows\SysWOW64\ABFRSMZ.exe
C:\windows\system32\ABFRSMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XGL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3760 -ip 3760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 988
C:\windows\XGL.exe
C:\windows\XGL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJPSM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 960
C:\windows\system\PJPSM.exe
C:\windows\system\PJPSM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OUSI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1324
C:\windows\OUSI.exe
C:\windows\OUSI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXWEAQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1208 -ip 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1332
C:\windows\SysWOW64\HXWEAQ.exe
C:\windows\system32\HXWEAQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3548 -ip 3548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1300
C:\windows\SysWOW64\HSHHG.exe
C:\windows\system32\HSHHG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VDQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4920 -ip 4920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 960
C:\windows\SysWOW64\VDQ.exe
C:\windows\system32\VDQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XBJA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1184 -ip 1184
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3732-0-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3604-11-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\IBLL.exe
| MD5 | 027d898f7d07f5732eeba3c92255d8b6 |
| SHA1 | e1baecf51b2dd7fffabceb76038fa90228d8f35c |
| SHA256 | a57aa248e241effc35b532154a4ba095175d0dc0c204cde96157142dfea7ce34 |
| SHA512 | c739b92dc718843b2513b885ff514e0e36c5fe9bbd5aabfe4a520239c082f07467e09b3eb13521344acb387bafb7e3b7f364f89d6a43561aa08c7a5d0d12ec3e |
C:\windows\system\IBLL.exe.bat
| MD5 | 5c3c010d3a2a8f695d748350608cb2b7 |
| SHA1 | 21624967e3b4857b17204e4dc8862954f32bc581 |
| SHA256 | 154785748311478640d21803068a7c0d1fa80e91673b50e048e64719271f1f34 |
| SHA512 | a4fa3d41410e0e58812fa702f5c78b93a1d4b32527e79b79a4c85c09dd84c2c28d5b4a1c91f0b1d4ebcb190aaea69c4c0de2702421e80ec12e9c7f4525893b27 |
C:\Windows\ZRSOL.exe
| MD5 | 53d161b63ebbdfbed69ae40a81a37109 |
| SHA1 | 41a75455f9b519ff6dd517d8183774685f2f7ce1 |
| SHA256 | bc08410d6b1655220a8bd0313e89dd4dac55cee11ba0c97848e20d80806e9624 |
| SHA512 | aae607f0e633ee853b8bfb7d8ec00fecf6ba7c2ab2f06db9d6366fb3e7256eed5e43c4ab8df5b3288c1cac53665303672235f5602c580e0fdddc2b9e64627e23 |
C:\windows\ZRSOL.exe.bat
| MD5 | c4e55d1c98fe97df5f2b464485e6c806 |
| SHA1 | ab16054b11752d41cf795e4be301b80424cb91db |
| SHA256 | 84dd500ffa93ab601affaec35b6a980d7f2024289f24e4b9835dc2605ca6169a |
| SHA512 | 7e331af53fc35995fae75f4595d100a305dde64c7499842cfc996f7374ca79e48545282fcf5f4d07d070ee2993f07c672a33bdbc47bf8613fda5177d89fbc3a1 |
memory/3732-23-0x0000000000400000-0x0000000000439000-memory.dmp
memory/880-21-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3604-24-0x0000000000400000-0x0000000000439000-memory.dmp
memory/552-35-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\MNKWV.exe
| MD5 | 59553510740d9fcb11bba4c78a68bdac |
| SHA1 | 7ba065b8a7da6844dfb2e77e4adfdefc395dbaa3 |
| SHA256 | fb9b4b96a0d86fa016836a46f71876813f3dc9633d1262970c9eabbf8a1a288b |
| SHA512 | 892e61cd23cde80cbe677dabb99607c8529790cc9beccd86cc94b5ccd6adb49c98b4c6b2517f1381774f093b529fb8ccacc8c9efa33f44bea7bf70450e4dc2ed |
C:\windows\MNKWV.exe.bat
| MD5 | ef771ebf66f62ab2f2760180363bf427 |
| SHA1 | 5a761f552e6c88d339a18277237ec5605ad8b5a6 |
| SHA256 | 55231d59520ec32be05995d09c2b1c061bbff7641979a4e4bf9a8803942e952d |
| SHA512 | 98f4d0cb8882913c956191473ec8f4aa997208363f7352f5e51493620889abc87d93ab93e87ced8e317f15cc14cb0aaf6b0f2936b81462239dfbb1bb8a546d90 |
C:\Windows\SysWOW64\TIHI.exe
| MD5 | b862aa81b3a6ec3a300395dace1c8478 |
| SHA1 | ab8c72d6f94bded666aa27cee995148cc545d875 |
| SHA256 | 94f6e49c7c8afb173a81326c1e4c8a8f89c416aafbfd873643dca4551637140e |
| SHA512 | 8ca21290e5e4a3f12dce7ae011ff739de7d61e0497720e28c3466c80837d0c9eb448f87b5b44fee5a9757ef55fc18cc36badeb39e6c2ecaf2d820a86311986b2 |
memory/3636-46-0x0000000000400000-0x0000000000439000-memory.dmp
memory/880-47-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\TIHI.exe.bat
| MD5 | e6f1ad8c5d7ad44b3b0e90e2a6e35258 |
| SHA1 | c5fbe41b97a3de5c78900d42717b60b5a9647640 |
| SHA256 | 20f608f2ecb39233e48eadfcc47d78f34310dfc67f394b71f0a8fc0aabf0a53a |
| SHA512 | 1619a7bacbaa00f4ed0b91be6216b68b0913710fe657f30e8bddf2bf6c298086ada1aad1f2b7a91c9cce15e46485c1d915821aeecf153b0d885a2d2cd07e3000 |
memory/552-59-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RFBLS.exe
| MD5 | ef7f3917e14f676e965b73ff34c5b9a0 |
| SHA1 | 70293b6c54afcada727fd3f91a20d3b2567b6a17 |
| SHA256 | 13724d13034d8f2bbbf168aa77728338a5798f405392f01ca0ec1f0b10add178 |
| SHA512 | 63b1de084539185c062a2820be43a740d2a8816de32cd172b9589ea44e4c71a61cd554eed6f900231a41e594a04c27014eaf9b938a1c83581a23a1e4d11e1124 |
memory/4836-58-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RFBLS.exe.bat
| MD5 | 46a7771b6f61cc21c90634ec67d347e2 |
| SHA1 | 0d48369aa035215e7e79b0bb1200f865bddcc758 |
| SHA256 | 48ff637e90c84e7ae23ff789b41096d3f3ed8efc912b99be9e3ff4c5682a42c0 |
| SHA512 | ac17a63d9ea81fadb3041e5570847d99fea8d6ab0b980e5da408623105aced36b678fb51fbd5443860537f86e1e170860540c702367293b60451382f7c860ae2 |
memory/3636-71-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1116-69-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\KAS.exe.bat
| MD5 | d38bc76c67b8c0068b0bcc87909e17a8 |
| SHA1 | 9a3025b50534a2ea263f656cb139c3fab2855edc |
| SHA256 | e37402e6b0a7c4527c5e1be632a335e91acfdbdc6494f24973487c34e4b170be |
| SHA512 | aa62bd47d87bff50195fe753fa0f8457219d106d56b1c760dd2d3e3f72fb7f68b388346afb35bf5a3aa7a1b3e6fcfb539964fd50dd96c4817a0bfee86b3dce18 |
C:\windows\DTZ.exe.bat
| MD5 | 1d56abef9ea06041a780706a18d27bb6 |
| SHA1 | e8d984f4e67787fb3fe7afd849be764933b271f3 |
| SHA256 | 3694760db436b324bff908f087db17414ba8c8f7f27d3d9bc34822abbeed11cb |
| SHA512 | 576d5f951098961c84363b871111bb88033fb03d7ff5ea7b228b346391200cbbb10ba05bdaa8402e4e2578cd823b35887ed8fb878794629a114780c8610e7ff4 |
C:\Windows\DTZ.exe
| MD5 | 6218d2c5b6d48f96e55b65c49df8e00c |
| SHA1 | 12989e653bc7702fba132956b371a61d0b690fd2 |
| SHA256 | dfd49c4dcc4379ff92af56977706db0419694e82a0ee527e6cc55703f0a5f111 |
| SHA512 | 8aff20cb01cd5ad66070dd795ddc43545c5697b091647c5f12a14bbc4777e2d856b2a950cd3c10692488e38fc685736e8d6f4ea6dcb28cc32984b7d362cb8acf |
memory/1124-83-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4836-78-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\ZJCPJUR.exe.bat
| MD5 | bf1ca2c8a130f61825a40f4d58e2ea10 |
| SHA1 | cbd83b536e02559ee10b94af5c122d165c50a8ee |
| SHA256 | d82a489bb3517f78a9f73f05b95b16b7584b5a249555d84df2f09b2b9f46b034 |
| SHA512 | f4f1d3a80b84167e5a8a81fa83604b6905e5f36ba2496b3519a4a8209222f540634da3baa7ee787b0231de9753d423a63791274c1c1012347843635bb555c0d7 |
C:\windows\SysWOW64\ZJCPJUR.exe
| MD5 | ff9cd4ae921ec9eecd53a436fbf4a9d1 |
| SHA1 | 45395d28292e140e6180554bbc3c833694c4c3ff |
| SHA256 | 97a513d112128180d1e6c7f908c8fa6d2d98f267ca1808ce9938c45e0b454302 |
| SHA512 | 842bcc8744bafdfd275e59d69321c181846b5ff31bb7d163a91da4780d1de81becb7498c6d4120dda642e817f14ce65625ac26166f91de9c18f852cc6abee7d6 |
memory/4500-94-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1116-95-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\TCJASVH.exe.bat
| MD5 | 7dc0704f3766d8f50ffbc8a666932f9e |
| SHA1 | 60092e15ba9fb3d8136fa4ba2325f3293a48c699 |
| SHA256 | 6ce7118d64ad6cdf702c67bed5c9559c6d471d9aaabba8785710939684710075 |
| SHA512 | 6462f2213fc0440185e64c9f0d956486415a0e6ee650f9ffb9f2f16be0cee958062a6269e6283f606c21cedda39996da4a9d1d8bed0af326fbab94f219300717 |
C:\windows\TCJASVH.exe
| MD5 | 8a1a7328a500ac9a815829ccec2b137a |
| SHA1 | 0bc74be71df02a110a8d834ef157502281a1035e |
| SHA256 | 55fa4027d17481ddc75469f61b82eea9a103afdaa8f2961ef6476e1df1d5ed4e |
| SHA512 | c48989ef1d7bb590c690d3e4c078d349f737f22557dede791604c445d360053075f27b17a5938d1e44d7ce5c2f8c3b26f9c5d71279fb2712891527247422c986 |
memory/4808-106-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1124-107-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\LFNW.exe.bat
| MD5 | 6ae15ec63cec9ccfb6d5b10097f163fe |
| SHA1 | 119afbf06c929802bf0c3fcff7b7aedda807f393 |
| SHA256 | 48c2e5b7fcf1728ae75e277d834829c8f53617ce0ec9c0e13129bd9a1b877b95 |
| SHA512 | 61f075bce441facbaf54501c26ef8588781eeb6ac731a46b5d97b4ffda5da06abe12cf3a8ea5651c571361a83d92c383048e227f023d6d678af0d33d5a1b3e69 |
memory/2168-118-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4500-119-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\DFPBJIL.exe.bat
| MD5 | 6f7d0da4f112e3a0f2e794e297c8995f |
| SHA1 | 69cff315af8076a40777c9f3b942fc44d51c5061 |
| SHA256 | f3ec88724dc8936985a804a2883f6e4eb128a76c8f270fd8d5270e43b1bec074 |
| SHA512 | 837dabeaece9dfae81ade85c6433e6031cfcea526004d5cfd3aea177778e82e399602b3830d6a898b85649288b067f4b5f117b4e1b6a8d9f4058f159da486cdb |
C:\Windows\DFPBJIL.exe
| MD5 | 2ff7d9deadfe9369b3e3288667caa448 |
| SHA1 | 7a2014f86c8c718a34269f88355ca676fe84cc3e |
| SHA256 | 4f145e84f61823ff86586225cb92b36396f3919639ee940fd09c45f36ed95ac1 |
| SHA512 | 96a8661b0afd29e091cb53a8e8acaa748c3304b3a38680928be7d33da651f24d7e75cdb056f7613d9e57bb33ba02a8e1d6c354dc778374f7cf5507645cd07e9d |
memory/4808-127-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3580-131-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\BVIEW.exe.bat
| MD5 | 72a8fa12fe2b74194c3d146c9fe2153d |
| SHA1 | 042acd4ff9f0e0eab3e6717efc3ceb2842a6587c |
| SHA256 | 9314e2ff5dc8ff00e100ed0de7f5c4b6a7765c46d32ea98b01a5a88c38af2a35 |
| SHA512 | 118db61e07ea548d6d13cb52f691b2c4f3b121f25c64c6da9f8576904f316380c405d086a875e9261336086254fb4963e9c82a12cdb8b65a956689494b09dcae |
C:\Windows\SysWOW64\BVIEW.exe
| MD5 | 6cf2e898dbc0e2fd87721f967b316a37 |
| SHA1 | eb57640e95b0eac8ca160d6f7b6a9e29b4457ef8 |
| SHA256 | fdc7fe40fb3f459262efd6d13edc776aa06afb0a992cd4ba71b0d642e2a452c1 |
| SHA512 | 495edbba6431b4d6df12b9f1985bdfb1949088be0bc65dd8e606d069a634eafa8345ec491f734a77853abf58abe19dee9785a8f02bd41eb661796ae8ee0f14e4 |
memory/3008-142-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2168-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\QLJDDJI.exe.bat
| MD5 | ac193dc4f896809041e4714df10f20de |
| SHA1 | fea507f4d90d45d6886a2e3fd95e9717dff322e5 |
| SHA256 | 1f204497df237e4e5adfc7c7ec05700b400a7336acbad08ecd149005feb00fdd |
| SHA512 | 0f82f2eccbdd5614e2f83cfb1cfc5cfb5531a53d0109922cf771a4b55732c071e31e01b4952e02efbb1463999a665e125d63e7218acff00fac6f0e1493097bf1 |
C:\Windows\System\QLJDDJI.exe
| MD5 | a790e9709a97b6433809120301f1dc11 |
| SHA1 | e725b081ae12ced2295a3a4403815002a0e53d20 |
| SHA256 | 8a5f53f2a4889c0a670eb41d7ab599f06526cec6c52d4d5b9411d8d301fde5c7 |
| SHA512 | e062197839fbf161007654c63384dff99943db07f2888a42b96d1555341d2c92713faad76c900e9935da73555d3339220579eea51cc4abf05820714498f8ce2d |
memory/3832-153-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3580-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\PEMLLP.exe.bat
| MD5 | b8106c3ceba551793df05356f66d2ece |
| SHA1 | 44b954a41033f57604383ec5e51ed9e1cb257928 |
| SHA256 | 7eb080d0dfb87053bf3c6e2fd4d141b43d642efe1a0d3928e8c9d0cce6d8ccac |
| SHA512 | d760936d91aa2bb8bad3a55f1ee051268b3cd1a42879f4ebbdb1ea0c77ee672b0caa0c1f6f74cad37453e87a5aca49f48804872f074b8ad46caf5c3fe154b52d |
C:\Windows\PEMLLP.exe
| MD5 | c661cfe098001d9527f9257cdd00550a |
| SHA1 | c5893b7130c8a2ec1ac92685fb3af5c8fb3883c4 |
| SHA256 | a2a7f95a95b66c7c95c8c4c28bc9733284c06aec0085c6abdf89a6d031365e39 |
| SHA512 | 3868e215da4d770e1d28c5ea1d262af9eb21ffd6c51dde3e0e2db15a545963c5e91c62f868e8f73dbc0b2fb56bb85e9369c16ea68b841d01f17fc8d15129d0d2 |
memory/1584-165-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3008-167-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\CGUKAA.exe.bat
| MD5 | 1221bfb8095b97880b08b585c75c9caa |
| SHA1 | 4430ad871d37bb52d26a012c1116cf0a9e9ea9d3 |
| SHA256 | 01c9a1740f8e93603420e8b8d6e76d22cbf65a5b9ba68fa5147764a19985bd1b |
| SHA512 | b5ff45c05553f0a63e618c916a6e399ff90faa91640e51083a2f073f57f8dda385bf450a273688d14a72022979c8791d9948d23b1eafa9ea86e727ef48563629 |
memory/3832-178-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\XCZTCZO.exe.bat
| MD5 | 09ec7ef89c3556f5691c667786a98603 |
| SHA1 | 919206bde831cf17158f2e6619923dc974ad0155 |
| SHA256 | 35b325c7e79d38bb460fd3ccf523fe4d3e6f7fb663e5adfaccabfe99fca28c94 |
| SHA512 | 14d4a0ce4bcfd0b95e11b265e185c2a0668077374973424a93722320599b854b08e9c5ff37cf2a2efceba7626a52e39f3a5cb4847458653227b4b0faf1b8fd73 |
memory/5104-188-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\XCZTCZO.exe
| MD5 | 9e7f1a57141927ca584e207400152624 |
| SHA1 | 81a43ff33445b71f580abb5c20f1560c46a95548 |
| SHA256 | 827c9a9f6c6c8000f510724ddbac4bc6281c612a3d717525c3953b8d0292e567 |
| SHA512 | 862be1fbba6c5954f39a3e09b27b7dbffb489bd5040311425b13406df1a77585131efece0f4fc120e857857979fab6ce38ccf7deab0422334c2c61385774aed5 |
memory/1584-190-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\KZHFML.exe.bat
| MD5 | c2de9f9f9720b18c00f4563818b0e711 |
| SHA1 | 7de1083774cdf36f60d96be77d5fd580bba45fbe |
| SHA256 | e5cd502ba80b35f7b9b0a617c5d267b50cf08f0e16aeaa1c6c3efa786e17b81b |
| SHA512 | 440629ffe94f00d32909ef59a48245586aba6aa75b3bd8a50da177039ed13ae1ae4ec1f203dafa3e914f56d56dc1a868f81bc04310104317df74b8a3f21edf6e |
C:\windows\KZHFML.exe
| MD5 | 156f7756d655b53fbe69e703fcdef2c2 |
| SHA1 | 2f2d22dd16500bde788a8256049d123fa218cda2 |
| SHA256 | aa8ce448421182aabaa96858f3f49bede660ca656514d8c6c016254f77deecf6 |
| SHA512 | 8af535353cc4e6f9a12bdea2feb922d800ff9e11cd814066a34592486c0e2e91eb7a0971fd5a3e4aa29df471c2af39c8aceed85686005f1a70aee1f1223f77d8 |
memory/376-202-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4968-200-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\BNSXCIM.exe.bat
| MD5 | 1d41af64a3962a7156b2ea9366ea8090 |
| SHA1 | 852b7398bb2f8cd06f5eb38e2b9917b5d4f0d3f9 |
| SHA256 | e7bb91cf45fa93afc103e19bd9825f85d338a8b7877818ea9d379a2c0c03538c |
| SHA512 | 134e87248d2bac5799c2cd69dae4e6d165071a41eec553a66577aae27a8b7b2963e2b1169f2786075242c71fb35daeb7b30d53db34016801973f8ada124de435 |
C:\windows\SysWOW64\BNSXCIM.exe
| MD5 | 39e7dcd7264e81398759ecfc7d2bf11c |
| SHA1 | 2fe26d06ec121fb39f051414c09f13e7f145046d |
| SHA256 | 1a1bb0a376d1599aceb84f2f4f05ee181938c5d7b430dcd9e7ee7963d253f59e |
| SHA512 | d8a325da6d433619caba0949112813f570d139251ee57f22e7204367c8ca247f37a9e2bb4f7b8fe4da019a0736313c63479b25a0f8a2d24d03853bd68b178570 |
memory/2888-212-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5104-214-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4968-221-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\KSWEEG.exe.bat
| MD5 | fd7575e508ce29059e6d166a918f2da9 |
| SHA1 | bb79a048192abc491f50522de5f974deb241c208 |
| SHA256 | 96794bb514a30827c9ed3880277ae751262770df7c110c9f483b408b4460d6ed |
| SHA512 | 0422754a054d65d4a5e3b8868261a254f95b14587078fad082898c4b65a1df551e98dcf9f360d1d3f1c9202d7a7649ca7ef92fa0b4c68924c6d9aa17a5fd413d |
C:\Windows\KSWEEG.exe
| MD5 | 054c64e6d3413221fb037fe25cd1c2c2 |
| SHA1 | 1d864d68cf384beee2f8b54e3ac23a6b6ac7623a |
| SHA256 | dd5a9b4ce315dd4ed7115b0573e8b4af841d3a5fbae0f49bbc95155ee6fe29d5 |
| SHA512 | 64ad8fc8bc8b707b991049fc870542180fd3b167f3ec394b6789355f8ebe4b1ec0b4e221f98b9a028e57fd7ee0bf0d896ddf6c5c7454472ed93365e2a8e5f818 |
memory/5116-226-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2888-233-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\CVOPIL.exe.bat
| MD5 | 3b107942880ce69704d7b22bc400ba91 |
| SHA1 | 6fa0009801cf11a794abf8852c4c37b75d370c41 |
| SHA256 | ae5e7f9a966f12c941dd0213e0e2ac08edd866e1dab7dbe7f1a6826615db0927 |
| SHA512 | 35f2633c31f800cc37697fc9a61eb5eb255adc4c3ab37445272b8c5e865a1236d240a57f281fd4971c0040ffe9f0ac56bb1c0b5d3967cf00bab6747744c4f614 |
memory/4044-238-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5116-245-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\NODA.exe.bat
| MD5 | dd7e7eba6832922c76f508399d513ed8 |
| SHA1 | 2dd0c70d6fa1e7e50e3c0deeec0a3f74ddf87e9a |
| SHA256 | b219a02c11d74d4835395d25308e9438948d6898fd0876046387d8e69793cb48 |
| SHA512 | 459a2ebf6baf0141c62f469c71c5467d07d0d068f4427eaa07a2eab66849b4dc6afbf21a8d97823d52b153ef9c13310d5d1661e848bac915ca3bc03679546e05 |
C:\Windows\System\NODA.exe
| MD5 | 832b54c8af7f1522a8a4a32f12cc4c18 |
| SHA1 | eacae944e1ffe285fc16b0d7db0c1ef5fa381853 |
| SHA256 | ddd35632fa1a2c5d38e9de0899989172582f6970cd0d4b0f2835b726997f9bed |
| SHA512 | 4c51dbf31e0fc6aee6e6a5355e445b29a0b93b742a75b968a9a0353a80aa43bed19d253c1bf2d4cf4185356fab10a4ef055d359f4bebb5cc560ae53dcb11ad17 |
memory/1184-250-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4044-257-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\JZMR.exe.bat
| MD5 | e5ef7f7977ec6e45641a11c12a31ccdf |
| SHA1 | e1bf1f5933d66e651f5d5f6d73eee5cfb95b6607 |
| SHA256 | 8308453b97aef9fbd9c67efba13e688da93d4a4ce276db861d09da1eccec0103 |
| SHA512 | e33de41a2e95bc0fce2d0d7fa1b88b7b65443a0bac9eb7f26d790787ed89614d4d0116a2f31408770a02f550fb2427ead0d5488c42c696ca939c110654f94610 |
memory/3916-260-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3612-268-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1184-269-0x0000000000400000-0x0000000000439000-memory.dmp
memory/456-277-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3916-278-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4460-286-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3612-287-0x0000000000400000-0x0000000000439000-memory.dmp
memory/456-294-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4788-296-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4460-303-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2040-305-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5088-313-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4788-314-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2040-321-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1184-323-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4368-331-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5088-332-0x0000000000400000-0x0000000000439000-memory.dmp
memory/220-340-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1184-341-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4368-348-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4796-350-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3376-358-0x0000000000400000-0x0000000000439000-memory.dmp
memory/220-359-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4796-367-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4224-368-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3376-375-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3788-377-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4224-384-0x0000000000400000-0x0000000000439000-memory.dmp
memory/400-386-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2080-394-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3788-395-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3008-403-0x0000000000400000-0x0000000000439000-memory.dmp
memory/400-404-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3136-412-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2080-413-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3008-422-0x0000000000400000-0x0000000000439000-memory.dmp
memory/848-421-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3136-431-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1960-430-0x0000000000400000-0x0000000000439000-memory.dmp
memory/848-440-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2008-439-0x0000000000400000-0x0000000000439000-memory.dmp
memory/408-449-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1960-447-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4808-457-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2008-458-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1404-466-0x0000000000400000-0x0000000000439000-memory.dmp
memory/408-467-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4556-475-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4808-476-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1404-485-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2400-484-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4516-493-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4556-494-0x0000000000400000-0x0000000000439000-memory.dmp
memory/812-502-0x0000000000400000-0x0000000000439000-memory.dmp