Analysis Overview
SHA256
437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba
Threat Level: Known bad
The file 437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:45
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:45
Reported
2024-05-22 21:47
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\JIRRDUO.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\JIRRDUO.exe | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JIRRDUO.exe | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| File created | C:\windows\SysWOW64\JIRRDUO.exe.bat | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\JIRRDUO.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\JIRRDUO.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\JIRRDUO.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe
"C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\JIRRDUO.exe.bat" "
C:\windows\SysWOW64\JIRRDUO.exe
C:\windows\system32\JIRRDUO.exe
Network
Files
memory/2492-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\JIRRDUO.exe.bat
| MD5 | cd54e4b81d04210064c43011e4f6e09e |
| SHA1 | dc2abd4c1c047c5e2be8091321c8332f8c3c3897 |
| SHA256 | df09de02fcb03ff7d008756eeba72008f7f9f618ddeb5d67e598ae5a590f2fb1 |
| SHA512 | 83cccbfe571919929b7e934774a1d4211611bb5fee813900b07d624071b2f66ff3a36f3a49ecd34937fe7bfaf28a9935250743f1bba92db4e29b585c8de2e5f2 |
memory/2492-12-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\SysWOW64\JIRRDUO.exe
| MD5 | e899d4788e42036d1a07c6a1d0576744 |
| SHA1 | d8665d09c363d6cb145de102ff88c103008e70ae |
| SHA256 | 8620526e69e8bf0206c0ee1fc5f8912e0f7c5d5122816ff01883f680292b16a9 |
| SHA512 | a1a32c54e8240b4c347e1f4c3d89e12d78a17cfa13da573102da563359aed3b41f2d29fa64e27a5ff41b3d23200f5bfa5fe8ad994e7f67e77e20e252513ca1bc |
memory/3020-16-0x0000000000190000-0x00000000001C9000-memory.dmp
memory/3020-18-0x0000000000190000-0x00000000001C9000-memory.dmp
memory/2632-20-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:45
Reported
2024-05-22 21:47
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QGPZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\FQOPGC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\GRH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\EUSFPPX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JZWE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\SBRAMEB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CIODI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\BHRIS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\IPTT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\MHJMH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YTAIH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\LJS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CCHXGJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NPYIEYR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\CGBHEBP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZZTLWJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\BTW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JFQLCWN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\OOYXB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\KISNU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\OBRWQV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UJXTLPE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\LQTBZU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RQZSY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\WFIKKP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XBAFLW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CJM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\EPMFZPU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PDPHS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SWF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\KUVKZMC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\VZYKNO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\TTGQRJN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\UAQP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\OIQRD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZRYPQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SFWCQG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\PWPUOI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\MBFA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\GKIMJY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\WUYGEY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\FHJYUUP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\MKVTBV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\AKGRMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CGDFXPE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\GQROI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\OIHPMPP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\OMAB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\FMLL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\KCYWBL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\BICPQCB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\NOUVYRI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YDGKHI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DCXSVQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\AEMFD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\IIZBDUO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\system\OAFOJW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DFMYIFQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\TKLXC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\KVRFATV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\STS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\MIECLV.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\XVRDMT.exe.bat | C:\windows\GVCGAC.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DFMYIFQ.exe | C:\windows\SysWOW64\IJHPY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\YDGKHI.exe | C:\windows\system\DQJB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\MIECLV.exe | C:\windows\system\APBJDO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CGDFXPE.exe | C:\windows\SysWOW64\MIECLV.exe | N/A |
| File created | C:\windows\SysWOW64\NYGXXW.exe | C:\windows\SysWOW64\CGDFXPE.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\YRFWWIP.exe | C:\windows\system\UJYOR.exe | N/A |
| File created | C:\windows\SysWOW64\BCQE.exe.bat | C:\windows\MMPNJJY.exe | N/A |
| File created | C:\windows\SysWOW64\OESQYI.exe.bat | C:\windows\system\RYZBINV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FTOR.exe | C:\windows\SysWOW64\PDPHS.exe | N/A |
| File created | C:\windows\SysWOW64\WRUKQAZ.exe | C:\windows\system\DNRGL.exe | N/A |
| File created | C:\windows\SysWOW64\LKT.exe.bat | C:\windows\UAQP.exe | N/A |
| File created | C:\windows\SysWOW64\WPM.exe.bat | C:\windows\SysWOW64\CCHXGJ.exe | N/A |
| File created | C:\windows\SysWOW64\RGDAQU.exe | C:\windows\NYJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\QGPZ.exe | C:\windows\SysWOW64\ISLT.exe | N/A |
| File created | C:\windows\SysWOW64\DFMYIFQ.exe.bat | C:\windows\SysWOW64\IJHPY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\WRUKQAZ.exe | C:\windows\system\DNRGL.exe | N/A |
| File created | C:\windows\SysWOW64\ZIUBK.exe | C:\windows\SysWOW64\QAA.exe | N/A |
| File created | C:\windows\SysWOW64\PJYLL.exe | C:\windows\SysWOW64\YTAIH.exe | N/A |
| File created | C:\windows\SysWOW64\NTMVCPM.exe.bat | C:\windows\system\HTEHT.exe | N/A |
| File created | C:\windows\SysWOW64\XLVSGN.exe | C:\windows\PYILVO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\BICPQCB.exe | C:\windows\ZLWVA.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PCOYL.exe | C:\windows\system\AZFLAVS.exe | N/A |
| File created | C:\windows\SysWOW64\FTOR.exe | C:\windows\SysWOW64\PDPHS.exe | N/A |
| File created | C:\windows\SysWOW64\ZIUBK.exe.bat | C:\windows\SysWOW64\QAA.exe | N/A |
| File created | C:\windows\SysWOW64\YTAIH.exe.bat | C:\windows\STS.exe | N/A |
| File created | C:\windows\SysWOW64\CGDFXPE.exe.bat | C:\windows\SysWOW64\MIECLV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RGDAQU.exe | C:\windows\NYJ.exe | N/A |
| File created | C:\windows\SysWOW64\NTMVCPM.exe | C:\windows\system\HTEHT.exe | N/A |
| File created | C:\windows\SysWOW64\QGPZ.exe.bat | C:\windows\SysWOW64\ISLT.exe | N/A |
| File created | C:\windows\SysWOW64\DLTKCT.exe | C:\windows\SysWOW64\DIQHXDI.exe | N/A |
| File created | C:\windows\SysWOW64\ARZHJD.exe | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| File created | C:\windows\SysWOW64\LRQ.exe.bat | C:\windows\ZBKA.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\IJHPY.exe | C:\windows\system\TTGQRJN.exe | N/A |
| File created | C:\windows\SysWOW64\NYGXXW.exe.bat | C:\windows\SysWOW64\CGDFXPE.exe | N/A |
| File created | C:\windows\SysWOW64\QQSUPS.exe.bat | C:\windows\system\OTYSJ.exe | N/A |
| File created | C:\windows\SysWOW64\WPM.exe | C:\windows\SysWOW64\CCHXGJ.exe | N/A |
| File created | C:\windows\SysWOW64\RPPSK.exe.bat | C:\windows\system\GXMI.exe | N/A |
| File created | C:\windows\SysWOW64\ISLT.exe | C:\windows\DSDFZZG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DKJPHJ.exe | C:\windows\MCVRVS.exe | N/A |
| File created | C:\windows\SysWOW64\XEMVKNS.exe | C:\windows\SysWOW64\OESQYI.exe | N/A |
| File created | C:\windows\SysWOW64\ESP.exe | C:\windows\SysWOW64\PCOYL.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FHJYUUP.exe | C:\windows\system\WUYGEY.exe | N/A |
| File created | C:\windows\SysWOW64\XBAFLW.exe | C:\windows\SysWOW64\LKT.exe | N/A |
| File created | C:\windows\SysWOW64\NGHK.exe | C:\windows\SysWOW64\KYY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LRQ.exe | C:\windows\ZBKA.exe | N/A |
| File created | C:\windows\SysWOW64\DKJPHJ.exe.bat | C:\windows\MCVRVS.exe | N/A |
| File created | C:\windows\SysWOW64\MBFA.exe | C:\windows\SysWOW64\BICPQCB.exe | N/A |
| File created | C:\windows\SysWOW64\MBFA.exe.bat | C:\windows\SysWOW64\BICPQCB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ESP.exe | C:\windows\SysWOW64\PCOYL.exe | N/A |
| File created | C:\windows\SysWOW64\PDPHS.exe.bat | C:\windows\VLAWJNH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KVRFATV.exe | C:\windows\SysWOW64\JFQLCWN.exe | N/A |
| File created | C:\windows\SysWOW64\DCXSVQ.exe | C:\windows\PAH.exe | N/A |
| File created | C:\windows\SysWOW64\EANTE.exe.bat | C:\windows\system\FQFR.exe | N/A |
| File created | C:\windows\SysWOW64\RPPSK.exe | C:\windows\system\GXMI.exe | N/A |
| File created | C:\windows\SysWOW64\QAA.exe | C:\windows\system\ESLOUA.exe | N/A |
| File created | C:\windows\SysWOW64\MIECLV.exe | C:\windows\system\APBJDO.exe | N/A |
| File created | C:\windows\SysWOW64\JZWE.exe | C:\windows\system\FJPEPQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CVHEWXY.exe | C:\windows\FQOPGC.exe | N/A |
| File created | C:\windows\SysWOW64\TKLXC.exe.bat | C:\windows\SysWOW64\DFMYIFQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ZFK.exe | C:\windows\SysWOW64\TKLXC.exe | N/A |
| File created | C:\windows\SysWOW64\LDJKUMU.exe.bat | C:\windows\AKGRMX.exe | N/A |
| File created | C:\windows\SysWOW64\CIODI.exe | C:\windows\SysWOW64\RQZSY.exe | N/A |
| File created | C:\windows\SysWOW64\TKLXC.exe | C:\windows\SysWOW64\DFMYIFQ.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\DPNG.exe.bat | C:\windows\EAOV.exe | N/A |
| File created | C:\windows\GQROI.exe | C:\windows\system\RAQO.exe | N/A |
| File created | C:\windows\JBDB.exe | C:\windows\WDDQYI.exe | N/A |
| File opened for modification | C:\windows\system\WNMYJBK.exe | C:\windows\SysWOW64\KVRFATV.exe | N/A |
| File created | C:\windows\DPNG.exe | C:\windows\EAOV.exe | N/A |
| File opened for modification | C:\windows\KISNU.exe | C:\windows\EUSFPPX.exe | N/A |
| File opened for modification | C:\windows\system\IIZBDUO.exe | C:\windows\KISNU.exe | N/A |
| File created | C:\windows\system\EWYEIQB.exe.bat | C:\windows\AGREW.exe | N/A |
| File created | C:\windows\system\BTW.exe | C:\windows\system\ORNTK.exe | N/A |
| File opened for modification | C:\windows\system\NDPNWJF.exe | C:\windows\WFIKKP.exe | N/A |
| File opened for modification | C:\windows\system\EPDPBM.exe | C:\windows\QMZJO.exe | N/A |
| File created | C:\windows\PAH.exe.bat | C:\windows\SysWOW64\YRFWWIP.exe | N/A |
| File opened for modification | C:\windows\ERCI.exe | C:\windows\system\EWYEIQB.exe | N/A |
| File created | C:\windows\system\UJYOR.exe.bat | C:\windows\system\JJRDA.exe | N/A |
| File created | C:\windows\system\GXMI.exe.bat | C:\windows\OWK.exe | N/A |
| File opened for modification | C:\windows\PWUSV.exe | C:\windows\system\GWS.exe | N/A |
| File created | C:\windows\SWF.exe.bat | C:\windows\system\OOYXB.exe | N/A |
| File created | C:\windows\system\RILXZP.exe.bat | C:\windows\IVB.exe | N/A |
| File created | C:\windows\WRGI.exe.bat | C:\windows\system\SBRAMEB.exe | N/A |
| File created | C:\windows\MMPNJJY.exe.bat | C:\windows\WRGI.exe | N/A |
| File created | C:\windows\system\LQTBZU.exe | C:\windows\GKIMJY.exe | N/A |
| File created | C:\windows\system\ZRYPQ.exe | C:\windows\system\HIRJE.exe | N/A |
| File created | C:\windows\DSDFZZG.exe.bat | C:\windows\NCC.exe | N/A |
| File opened for modification | C:\windows\system\KCYWBL.exe | C:\windows\system\BTW.exe | N/A |
| File created | C:\windows\system\WNMYJBK.exe | C:\windows\SysWOW64\KVRFATV.exe | N/A |
| File created | C:\windows\FQOPGC.exe | C:\windows\system\FMLL.exe | N/A |
| File created | C:\windows\AGREW.exe.bat | C:\windows\SysWOW64\QGPZ.exe | N/A |
| File created | C:\windows\JKR.exe | C:\windows\SysWOW64\DKJPHJ.exe | N/A |
| File created | C:\windows\ZNSCHC.exe | C:\windows\SysWOW64\EANTE.exe | N/A |
| File created | C:\windows\system\ESLOUA.exe.bat | C:\windows\SysWOW64\FHJYUUP.exe | N/A |
| File created | C:\windows\NOY.exe | C:\windows\system\RILXZP.exe | N/A |
| File created | C:\windows\system\GXMI.exe | C:\windows\OWK.exe | N/A |
| File created | C:\windows\system\EPMFZPU.exe.bat | C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe | N/A |
| File opened for modification | C:\windows\IANTT.exe | C:\windows\NNI.exe | N/A |
| File created | C:\windows\NNI.exe | C:\windows\system\EPDPBM.exe | N/A |
| File created | C:\windows\PWUSV.exe.bat | C:\windows\system\GWS.exe | N/A |
| File opened for modification | C:\windows\system\DQJB.exe | C:\windows\SysWOW64\ZIUBK.exe | N/A |
| File opened for modification | C:\windows\QMZJO.exe | C:\windows\UHOUGR.exe | N/A |
| File opened for modification | C:\windows\system\RILXZP.exe | C:\windows\IVB.exe | N/A |
| File created | C:\windows\system\FJPEPQ.exe | C:\windows\NOY.exe | N/A |
| File created | C:\windows\system\TBHKSOO.exe | C:\windows\OIZWJ.exe | N/A |
| File opened for modification | C:\windows\SWF.exe | C:\windows\system\OOYXB.exe | N/A |
| File opened for modification | C:\windows\system\RAQO.exe | C:\windows\system\UULRVEN.exe | N/A |
| File created | C:\windows\ERCI.exe.bat | C:\windows\system\EWYEIQB.exe | N/A |
| File created | C:\windows\system\RYZBINV.exe | C:\windows\SysWOW64\XLVSGN.exe | N/A |
| File opened for modification | C:\windows\WFIKKP.exe | C:\windows\system\KCYWBL.exe | N/A |
| File created | C:\windows\system\JMHJOSY.exe | C:\windows\MHJMH.exe | N/A |
| File created | C:\windows\system\IPTT.exe.bat | C:\windows\YGR.exe | N/A |
| File opened for modification | C:\windows\PAH.exe | C:\windows\SysWOW64\YRFWWIP.exe | N/A |
| File created | C:\windows\system\HTEHT.exe | C:\windows\IIBZLH.exe | N/A |
| File opened for modification | C:\windows\GVCGAC.exe | C:\windows\system\CFV.exe | N/A |
| File opened for modification | C:\windows\system\LJS.exe | C:\windows\system\CJQPNBE.exe | N/A |
| File opened for modification | C:\windows\system\EUM.exe | C:\windows\system\EPMFZPU.exe | N/A |
| File created | C:\windows\system\KYIR.exe.bat | C:\windows\SysWOW64\XBAFLW.exe | N/A |
| File opened for modification | C:\windows\system\RWCG.exe | C:\windows\CGBHEBP.exe | N/A |
| File opened for modification | C:\windows\SYLFSM.exe | C:\windows\SysWOW64\YCGW.exe | N/A |
| File opened for modification | C:\windows\system\TBHKSOO.exe | C:\windows\OIZWJ.exe | N/A |
| File opened for modification | C:\windows\VZYKNO.exe | C:\windows\SysWOW64\NTMVCPM.exe | N/A |
| File created | C:\windows\SFWCQG.exe.bat | C:\windows\system\SCSH.exe | N/A |
| File opened for modification | C:\windows\KUVKZMC.exe | C:\windows\system\LJS.exe | N/A |
| File opened for modification | C:\windows\system\GWS.exe | C:\windows\SysWOW64\FTOR.exe | N/A |
| File created | C:\windows\CGBHEBP.exe | C:\windows\system\XBRROYU.exe | N/A |
| File created | C:\windows\NOUVYRI.exe | C:\windows\system\LQTBZU.exe | N/A |
| File created | C:\windows\PYILVO.exe | C:\windows\JKR.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe
"C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPMFZPU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1996 -ip 1996
C:\windows\system\EPMFZPU.exe
C:\windows\system\EPMFZPU.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EUM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1308
C:\windows\system\EUM.exe
C:\windows\system\EUM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AKGRMX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 976
C:\windows\AKGRMX.exe
C:\windows\AKGRMX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDJKUMU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3620 -ip 3620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1328
C:\windows\SysWOW64\LDJKUMU.exe
C:\windows\system32\LDJKUMU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IIBZLH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 960
C:\windows\IIBZLH.exe
C:\windows\IIBZLH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HTEHT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 396 -ip 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1336
C:\windows\system\HTEHT.exe
C:\windows\system\HTEHT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTMVCPM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1300
C:\windows\SysWOW64\NTMVCPM.exe
C:\windows\system32\NTMVCPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VZYKNO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3000 -ip 3000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1304
C:\windows\VZYKNO.exe
C:\windows\VZYKNO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NCC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1324
C:\windows\NCC.exe
C:\windows\NCC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DSDFZZG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4284 -ip 4284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1292
C:\windows\DSDFZZG.exe
C:\windows\DSDFZZG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ISLT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3352 -ip 3352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1328
C:\windows\SysWOW64\ISLT.exe
C:\windows\system32\ISLT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGPZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3904 -ip 3904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1328
C:\windows\SysWOW64\QGPZ.exe
C:\windows\system32\QGPZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AGREW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2988 -ip 2988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1324
C:\windows\AGREW.exe
C:\windows\AGREW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EWYEIQB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1336
C:\windows\system\EWYEIQB.exe
C:\windows\system\EWYEIQB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ERCI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4308 -ip 4308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1316
C:\windows\ERCI.exe
C:\windows\ERCI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SCSH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 976
C:\windows\system\SCSH.exe
C:\windows\system\SCSH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SFWCQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3312 -ip 3312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1324
C:\windows\SFWCQG.exe
C:\windows\SFWCQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RQZSY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1304
C:\windows\SysWOW64\RQZSY.exe
C:\windows\system32\RQZSY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CIODI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1236 -ip 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1328
C:\windows\SysWOW64\CIODI.exe
C:\windows\system32\CIODI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OBRWQV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 960
C:\windows\OBRWQV.exe
C:\windows\OBRWQV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BHRIS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1236
C:\windows\BHRIS.exe
C:\windows\BHRIS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NPYIEYR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1064 -ip 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 988
C:\windows\SysWOW64\NPYIEYR.exe
C:\windows\system32\NPYIEYR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSJV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1292
C:\windows\SysWOW64\RSJV.exe
C:\windows\system32\RSJV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQPG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 384 -ip 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1340
C:\windows\system\QQPG.exe
C:\windows\system\QQPG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OAFOJW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1540 -ip 1540
C:\windows\system\OAFOJW.exe
C:\windows\system\OAFOJW.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1336
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NQDRVI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4152 -ip 4152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1324
C:\windows\NQDRVI.exe
C:\windows\NQDRVI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KMRGV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 668 -ip 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 960
C:\windows\KMRGV.exe
C:\windows\KMRGV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJXTLPE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3872 -ip 3872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 960
C:\windows\SysWOW64\UJXTLPE.exe
C:\windows\system32\UJXTLPE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JEGFW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1076 -ip 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1336
C:\windows\system\JEGFW.exe
C:\windows\system\JEGFW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UXJYEJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2568 -ip 2568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1272
C:\windows\system\UXJYEJ.exe
C:\windows\system\UXJYEJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQTXI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1012
C:\windows\system\EQTXI.exe
C:\windows\system\EQTXI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WDDQYI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1324
C:\windows\WDDQYI.exe
C:\windows\WDDQYI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JBDB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2376 -ip 2376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1236
C:\windows\JBDB.exe
C:\windows\JBDB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PWPUOI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2324 -ip 2324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1324
C:\windows\PWPUOI.exe
C:\windows\PWPUOI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MCVRVS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1328
C:\windows\MCVRVS.exe
C:\windows\MCVRVS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKJPHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2548 -ip 2548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1292
C:\windows\SysWOW64\DKJPHJ.exe
C:\windows\system32\DKJPHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JKR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 988
C:\windows\JKR.exe
C:\windows\JKR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PYILVO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1320
C:\windows\PYILVO.exe
C:\windows\PYILVO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLVSGN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3452 -ip 3452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1328
C:\windows\SysWOW64\XLVSGN.exe
C:\windows\system32\XLVSGN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYZBINV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 988
C:\windows\system\RYZBINV.exe
C:\windows\system\RYZBINV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OESQYI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1208
C:\windows\SysWOW64\OESQYI.exe
C:\windows\system32\OESQYI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XEMVKNS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4188 -ip 4188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1328
C:\windows\SysWOW64\XEMVKNS.exe
C:\windows\system32\XEMVKNS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CFV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 988
C:\windows\system\CFV.exe
C:\windows\system\CFV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GVCGAC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 988
C:\windows\GVCGAC.exe
C:\windows\GVCGAC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XVRDMT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1328
C:\windows\SysWOW64\XVRDMT.exe
C:\windows\system32\XVRDMT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XBRROYU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 988
C:\windows\system\XBRROYU.exe
C:\windows\system\XBRROYU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1296
C:\windows\CGBHEBP.exe
C:\windows\CGBHEBP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1264
C:\windows\system\RWCG.exe
C:\windows\system\RWCG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZTLWJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3740 -ip 3740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1332
C:\windows\SysWOW64\ZZTLWJ.exe
C:\windows\system32\ZZTLWJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FMLL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1096 -ip 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1264
C:\windows\system\FMLL.exe
C:\windows\system\FMLL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FQOPGC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3032 -ip 3032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 976
C:\windows\FQOPGC.exe
C:\windows\FQOPGC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVHEWXY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 964
C:\windows\SysWOW64\CVHEWXY.exe
C:\windows\system32\CVHEWXY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CBHTXKB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 960
C:\windows\system\CBHTXKB.exe
C:\windows\system\CBHTXKB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 972
C:\windows\system\ORNTK.exe
C:\windows\system\ORNTK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1312
C:\windows\system\BTW.exe
C:\windows\system\BTW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KCYWBL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1076 -ip 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 960
C:\windows\system\KCYWBL.exe
C:\windows\system\KCYWBL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WFIKKP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3312 -ip 3312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1260
C:\windows\WFIKKP.exe
C:\windows\WFIKKP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1012
C:\windows\system\NDPNWJF.exe
C:\windows\system\NDPNWJF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZLWVA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1004
C:\windows\ZLWVA.exe
C:\windows\ZLWVA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2576 -ip 2576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 976
C:\windows\SysWOW64\BICPQCB.exe
C:\windows\system32\BICPQCB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBFA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1328
C:\windows\SysWOW64\MBFA.exe
C:\windows\system32\MBFA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AZFLAVS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 872
C:\windows\system\AZFLAVS.exe
C:\windows\system\AZFLAVS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PCOYL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 960
C:\windows\SysWOW64\PCOYL.exe
C:\windows\system32\PCOYL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1928 -ip 1928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1304
C:\windows\SysWOW64\ESP.exe
C:\windows\system32\ESP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RVFOGO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3112 -ip 3112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1336
C:\windows\system\RVFOGO.exe
C:\windows\system\RVFOGO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VLAWJNH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1004
C:\windows\VLAWJNH.exe
C:\windows\VLAWJNH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDPHS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1008 -ip 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 996
C:\windows\SysWOW64\PDPHS.exe
C:\windows\system32\PDPHS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTOR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3596 -ip 3596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1328
C:\windows\SysWOW64\FTOR.exe
C:\windows\system32\FTOR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GWS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1308
C:\windows\system\GWS.exe
C:\windows\system\GWS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PWUSV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1320
C:\windows\PWUSV.exe
C:\windows\PWUSV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1248
C:\windows\system\CHK.exe
C:\windows\system\CHK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2740 -ip 2740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1324
C:\windows\GKIMJY.exe
C:\windows\GKIMJY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1308
C:\windows\system\LQTBZU.exe
C:\windows\system\LQTBZU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOUVYRI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 744 -ip 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 960
C:\windows\NOUVYRI.exe
C:\windows\NOUVYRI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EWIBKIL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3452 -ip 3452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 960
C:\windows\EWIBKIL.exe
C:\windows\EWIBKIL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTGQRJN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 988
C:\windows\system\TTGQRJN.exe
C:\windows\system\TTGQRJN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJHPY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1152 -ip 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1328
C:\windows\SysWOW64\IJHPY.exe
C:\windows\system32\IJHPY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DFMYIFQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 960
C:\windows\SysWOW64\DFMYIFQ.exe
C:\windows\system32\DFMYIFQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKLXC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3712 -ip 3712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 960
C:\windows\SysWOW64\TKLXC.exe
C:\windows\system32\TKLXC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 980
C:\windows\SysWOW64\ZFK.exe
C:\windows\system32\ZFK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNRGL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1308
C:\windows\system\DNRGL.exe
C:\windows\system\DNRGL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRUKQAZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1460 -ip 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 988
C:\windows\SysWOW64\WRUKQAZ.exe
C:\windows\system32\WRUKQAZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUYGEY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1336
C:\windows\system\WUYGEY.exe
C:\windows\system\WUYGEY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHJYUUP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1864 -ip 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 988
C:\windows\SysWOW64\FHJYUUP.exe
C:\windows\system32\FHJYUUP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESLOUA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2748 -ip 2748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1336
C:\windows\system\ESLOUA.exe
C:\windows\system\ESLOUA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QAA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1328
C:\windows\SysWOW64\QAA.exe
C:\windows\system32\QAA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIUBK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1328
C:\windows\SysWOW64\ZIUBK.exe
C:\windows\system32\ZIUBK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQJB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 872
C:\windows\system\DQJB.exe
C:\windows\system\DQJB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGKHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 960
C:\windows\SysWOW64\YDGKHI.exe
C:\windows\system32\YDGKHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YGR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 960
C:\windows\YGR.exe
C:\windows\YGR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPTT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1336
C:\windows\system\IPTT.exe
C:\windows\system\IPTT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CCQCAE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 960
C:\windows\CCQCAE.exe
C:\windows\CCQCAE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UAQP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4304 -ip 4304
C:\windows\UAQP.exe
C:\windows\UAQP.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1316
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LKT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1308
C:\windows\SysWOW64\LKT.exe
C:\windows\system32\LKT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBAFLW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1328
C:\windows\SysWOW64\XBAFLW.exe
C:\windows\system32\XBAFLW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYIR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1316
C:\windows\system\KYIR.exe
C:\windows\system\KYIR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOGB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1340
C:\windows\system\BOGB.exe
C:\windows\system\BOGB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MHJMH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 960
C:\windows\MHJMH.exe
C:\windows\MHJMH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JMHJOSY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4320 -ip 4320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1316
C:\windows\system\JMHJOSY.exe
C:\windows\system\JMHJOSY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFQLCWN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1328
C:\windows\SysWOW64\JFQLCWN.exe
C:\windows\system32\JFQLCWN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVRFATV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1236 -ip 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1328
C:\windows\SysWOW64\KVRFATV.exe
C:\windows\system32\KVRFATV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WNMYJBK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 628 -ip 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 960
C:\windows\system\WNMYJBK.exe
C:\windows\system\WNMYJBK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\STS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1324
C:\windows\STS.exe
C:\windows\STS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YTAIH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1328
C:\windows\SysWOW64\YTAIH.exe
C:\windows\system32\YTAIH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PJYLL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1328
C:\windows\SysWOW64\PJYLL.exe
C:\windows\system32\PJYLL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RHANRN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1336
C:\windows\system\RHANRN.exe
C:\windows\system\RHANRN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESWMW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1336
C:\windows\system\ESWMW.exe
C:\windows\system\ESWMW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\APBJDO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 452 -ip 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1308
C:\windows\system\APBJDO.exe
C:\windows\system\APBJDO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1328
C:\windows\SysWOW64\MIECLV.exe
C:\windows\system32\MIECLV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGDFXPE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3592 -ip 3592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1240
C:\windows\SysWOW64\CGDFXPE.exe
C:\windows\system32\CGDFXPE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 976
C:\windows\SysWOW64\NYGXXW.exe
C:\windows\system32\NYGXXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EOF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1324
C:\windows\EOF.exe
C:\windows\EOF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RRJHOHD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3384 -ip 3384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1308
C:\windows\system\RRJHOHD.exe
C:\windows\system\RRJHOHD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CJM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3352 -ip 3352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1328
C:\windows\SysWOW64\CJM.exe
C:\windows\system32\CJM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NPPF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 988
C:\windows\NPPF.exe
C:\windows\NPPF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1300
C:\windows\EAOV.exe
C:\windows\EAOV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DPNG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1324
C:\windows\DPNG.exe
C:\windows\DPNG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OIQRD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1324
C:\windows\OIQRD.exe
C:\windows\OIQRD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OTYSJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1316
C:\windows\system\OTYSJ.exe
C:\windows\system\OTYSJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQSUPS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1912 -ip 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1328
C:\windows\SysWOW64\QQSUPS.exe
C:\windows\system32\QQSUPS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOYXB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4620 -ip 4620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1272
C:\windows\system\OOYXB.exe
C:\windows\system\OOYXB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SWF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1304
C:\windows\SWF.exe
C:\windows\SWF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UULRVEN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1336
C:\windows\system\UULRVEN.exe
C:\windows\system\UULRVEN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RAQO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2920 -ip 2920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1364
C:\windows\system\RAQO.exe
C:\windows\system\RAQO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GQROI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 668 -ip 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 960
C:\windows\GQROI.exe
C:\windows\GQROI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3748 -ip 3748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 960
C:\windows\SysWOW64\KYY.exe
C:\windows\system32\KYY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGHK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 988
C:\windows\SysWOW64\NGHK.exe
C:\windows\system32\NGHK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJQPNBE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 792 -ip 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1336
C:\windows\system\CJQPNBE.exe
C:\windows\system\CJQPNBE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LJS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 960
C:\windows\system\LJS.exe
C:\windows\system\LJS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KUVKZMC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1300
C:\windows\KUVKZMC.exe
C:\windows\KUVKZMC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPEOK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1004
C:\windows\system\ZPEOK.exe
C:\windows\system\ZPEOK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CFNLRT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2876 -ip 2876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1304
C:\windows\CFNLRT.exe
C:\windows\CFNLRT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HIRJE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1308
C:\windows\system\HIRJE.exe
C:\windows\system\HIRJE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1336
C:\windows\system\ZRYPQ.exe
C:\windows\system\ZRYPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KJBHRJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 988
C:\windows\KJBHRJ.exe
C:\windows\KJBHRJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UHOUGR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1324
C:\windows\UHOUGR.exe
C:\windows\UHOUGR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QMZJO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1244 -ip 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 988
C:\windows\QMZJO.exe
C:\windows\QMZJO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPDPBM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 988
C:\windows\system\EPDPBM.exe
C:\windows\system\EPDPBM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NNI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1324
C:\windows\NNI.exe
C:\windows\NNI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IANTT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1296
C:\windows\IANTT.exe
C:\windows\IANTT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BDRP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1324
C:\windows\BDRP.exe
C:\windows\BDRP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JJRDA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4528 -ip 4528
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1316
C:\windows\system\JJRDA.exe
C:\windows\system\JJRDA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJYOR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1336
C:\windows\system\UJYOR.exe
C:\windows\system\UJYOR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRFWWIP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1320
C:\windows\SysWOW64\YRFWWIP.exe
C:\windows\system32\YRFWWIP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PAH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1288
C:\windows\PAH.exe
C:\windows\PAH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCXSVQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4792 -ip 4792
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1328
C:\windows\SysWOW64\DCXSVQ.exe
C:\windows\system32\DCXSVQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIQHXDI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2748 -ip 2748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 960
C:\windows\SysWOW64\DIQHXDI.exe
C:\windows\system32\DIQHXDI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLTKCT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 988
C:\windows\SysWOW64\DLTKCT.exe
C:\windows\system32\DLTKCT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARZHJD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 960
C:\windows\SysWOW64\ARZHJD.exe
C:\windows\system32\ARZHJD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 960
C:\windows\system\GRH.exe
C:\windows\system\GRH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AEMFD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4240 -ip 4240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1236
C:\windows\AEMFD.exe
C:\windows\AEMFD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EUSFPPX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 960
C:\windows\EUSFPPX.exe
C:\windows\EUSFPPX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KISNU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1296
C:\windows\KISNU.exe
C:\windows\KISNU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZBDUO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2740 -ip 2740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 960
C:\windows\system\IIZBDUO.exe
C:\windows\system\IIZBDUO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OIHPMPP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 960
C:\windows\SysWOW64\OIHPMPP.exe
C:\windows\system32\OIHPMPP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZBKA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3504 -ip 3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1008
C:\windows\ZBKA.exe
C:\windows\ZBKA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 964
C:\windows\SysWOW64\LRQ.exe
C:\windows\system32\LRQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CCHXGJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964
C:\windows\SysWOW64\CCHXGJ.exe
C:\windows\system32\CCHXGJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WPM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1152 -ip 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1308
C:\windows\SysWOW64\WPM.exe
C:\windows\system32\WPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKVTBV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3896 -ip 3896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1328
C:\windows\system\MKVTBV.exe
C:\windows\system\MKVTBV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MYVICI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 960
C:\windows\MYVICI.exe
C:\windows\MYVICI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IVB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1292
C:\windows\IVB.exe
C:\windows\IVB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RILXZP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 636 -ip 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1308
C:\windows\system\RILXZP.exe
C:\windows\system\RILXZP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 960
C:\windows\NOY.exe
C:\windows\NOY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FJPEPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1308
C:\windows\system\FJPEPQ.exe
C:\windows\system\FJPEPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JZWE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960
C:\windows\SysWOW64\JZWE.exe
C:\windows\system32\JZWE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KUA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3704 -ip 3704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 988
C:\windows\KUA.exe
C:\windows\KUA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQFR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2476 -ip 2476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872
C:\windows\system\FQFR.exe
C:\windows\system\FQFR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EANTE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4324 -ip 4324
C:\windows\SysWOW64\EANTE.exe
C:\windows\system32\EANTE.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1204
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZNSCHC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4936 -ip 4936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960
C:\windows\ZNSCHC.exe
C:\windows\ZNSCHC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBRAMEB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3420 -ip 3420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 988
C:\windows\system\SBRAMEB.exe
C:\windows\system\SBRAMEB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WRGI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1236
C:\windows\WRGI.exe
C:\windows\WRGI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MMPNJJY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1304
C:\windows\MMPNJJY.exe
C:\windows\MMPNJJY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCQE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 320 -ip 320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1328
C:\windows\SysWOW64\BCQE.exe
C:\windows\system32\BCQE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1336
C:\windows\system\FKX.exe
C:\windows\system\FKX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NYJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1324
C:\windows\NYJ.exe
C:\windows\NYJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGDAQU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1328
C:\windows\SysWOW64\RGDAQU.exe
C:\windows\system32\RGDAQU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IOSGCL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2284 -ip 2284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1288
C:\windows\IOSGCL.exe
C:\windows\IOSGCL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZERIOF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3172 -ip 3172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1300
C:\windows\SysWOW64\ZERIOF.exe
C:\windows\system32\ZERIOF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XPCYP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2576 -ip 2576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 960
C:\windows\SysWOW64\XPCYP.exe
C:\windows\system32\XPCYP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OMAB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 960
C:\windows\OMAB.exe
C:\windows\OMAB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCGW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4640 -ip 4640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1328
C:\windows\SysWOW64\YCGW.exe
C:\windows\system32\YCGW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SYLFSM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1324
C:\windows\SYLFSM.exe
C:\windows\SYLFSM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOMEZAZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2604 -ip 2604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1336
C:\windows\system\IOMEZAZ.exe
C:\windows\system\IOMEZAZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VQCVNLU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1296
C:\windows\VQCVNLU.exe
C:\windows\VQCVNLU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3032 -ip 3032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1336
C:\windows\system\BMB.exe
C:\windows\system\BMB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OWK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 960
C:\windows\OWK.exe
C:\windows\OWK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GXMI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1316
C:\windows\system\GXMI.exe
C:\windows\system\GXMI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RPPSK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2920 -ip 2920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 960
C:\windows\SysWOW64\RPPSK.exe
C:\windows\system32\RPPSK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EAX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2588 -ip 2588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 960
C:\windows\EAX.exe
C:\windows\EAX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OIZWJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 960
C:\windows\OIZWJ.exe
C:\windows\OIZWJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBHKSOO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1248
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 193.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
memory/1996-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EPMFZPU.exe.bat
| MD5 | e7dea36e83534c273dcb36effd8bd73e |
| SHA1 | af9298ffc868961dba36b61d479b740a5e9da988 |
| SHA256 | be3091d53b5277454e49323b8344a8de5e22a3f3e09c5de22bd382c00f6b24f4 |
| SHA512 | f82b1a17601ee66ad812581536e5e46f9a635e46d1d476a0f23da6d40b9096b04cc4f4ab32bbea6476e76b92e0c1245a72d20253ba1a4ce505f83a2b1416f1f0 |
C:\Windows\System\EPMFZPU.exe
| MD5 | 946399285501a6e0284a2db3e96a9f68 |
| SHA1 | 45de53fbc9e986bf7e15a8435fd8d50f9c6cf7bf |
| SHA256 | 8a5fccb25f0cb352936d5991d658be274ac056083fc56ad8a51ba2fdaa218cbb |
| SHA512 | 167ac7269cf2d9b371805359c31bb239842efa256b62aa22c8e903cc833664821beef24cf76d8a44ba499ac5c66e0c1b5169950b3c161d943a8f1c3e7e8d8054 |
memory/3672-10-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\System\EUM.exe
| MD5 | 3defc3151c1bed816337e01fa4af2c92 |
| SHA1 | 81ebfe4bc581956cfa7234cac77cdeb0f2801b8b |
| SHA256 | fe6901f8d699f6e1fb91cb32861a68d88c6c036bed63d7ff64e67b31a07c009a |
| SHA512 | fb02978782f49011ae4b9afb1379041b1a14196604ec8d4dd75d89d197b3a7fa4f50347240bc6b8847381488cf3796b6b6faea95958af4eaa2fbc703f5f7dd4b |
C:\windows\system\EUM.exe.bat
| MD5 | ba8a31164e396724fab1f8ffd4e77dee |
| SHA1 | ce6c3c437211cdb348ba714f07ef906fcef37200 |
| SHA256 | b80082eefbf180df63eb505cd575428e639b758a470df45790bcc0623bebc780 |
| SHA512 | bb1949d0934e3c7991fe732efa539767616f71176939ce815a2a589d4003e6b8a3a1a9edbf5159a1be9e7668ca832f6f82d450bb3100ce37b8485c6b5386b34c |
memory/3568-21-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1996-23-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3672-28-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\AKGRMX.exe.bat
| MD5 | f061741ee67766c9704980b4aab1d931 |
| SHA1 | 7e4e5be8806b878b908b341f18e8ce3e412d08f8 |
| SHA256 | 6aebe995cde0785794e8e9d82c11e4d1915054608707eaa647d3902b9218e2cf |
| SHA512 | 6d78158ba4a6ac5ec1100be6f6f2ea70be62f30630404a7ad4da8e96913f766b090a19f69e704d9cefe1826171e4e3d9ac54a950fa3e180ab91aea75c662aeca |
C:\Windows\AKGRMX.exe
| MD5 | 4a13c219719616dd3b21f44cf9f891b1 |
| SHA1 | 66967d18448a352f85f5fe665d4faea42a648ad1 |
| SHA256 | 6a1daa9b2346b64998fc914bd9bcff0083ce8adf2ef8aee6eb23273fd5649069 |
| SHA512 | 725aa9cd3a4032dedf400851ce821ead0c18f569bc3aa3c291a1a4cad72e5804df97ef751bc47547f26e8c3eea7e00e55746bfc4bee1b4ff0455b5a2b2e5b763 |
memory/3620-34-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\LDJKUMU.exe.bat
| MD5 | 413cc89e72807f162aa9d4dc1cc9fb79 |
| SHA1 | 1fe768757240dc99c43fa0a5d778ee7d4ae72a30 |
| SHA256 | 9f8261fb438172f83f32b9eadbfc6c12615a26362e3ea626355600e666834b5d |
| SHA512 | ecf3d9169a2c6fc07aab96f320e8d4b89cdeaf92c3cc5db48a0f14ae512e74093f1082d14961dabd2fc1bba40561dda8279939621222032fa2def2683a63dd3b |
C:\windows\SysWOW64\LDJKUMU.exe
| MD5 | 5e6c4084a821fed70146f1798922ace8 |
| SHA1 | 2f8745755a27cd2a68234f5095ac3ed627a4e5cd |
| SHA256 | aad16376308835b5548745a89bcc5449ecf329c28f5cefbb7d3d7d60e6de9784 |
| SHA512 | c098c97c84043a407ae763d9d0d2aeb728b9378d7ded44e24964ed3edc0efa6cb688ebb0da7b299c60b3a0ce0931f0973341193fd33ed2538599577f818d2478 |
memory/5112-46-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3568-47-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\IIBZLH.exe.bat
| MD5 | def80c87bd94bc2890479262b1961a47 |
| SHA1 | ebe85824f9d9c7bbec23b63821bb7b8796be7e45 |
| SHA256 | 5a5b0d8ed9e31bc8156f69f8c2e1eb95c104cdc32d1c0fd026ac33a434fa7ae2 |
| SHA512 | 766dcb1eef81484883102d9a251b2c137927adb17b301b8a9bd188d1a4ee1f68e99ac880a589ff3a7bdaeaeaf96ae0d986a8ee77458748de2be5584f90ebbca3 |
memory/396-58-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\IIBZLH.exe
| MD5 | e899d4788e42036d1a07c6a1d0576744 |
| SHA1 | d8665d09c363d6cb145de102ff88c103008e70ae |
| SHA256 | 8620526e69e8bf0206c0ee1fc5f8912e0f7c5d5122816ff01883f680292b16a9 |
| SHA512 | a1a32c54e8240b4c347e1f4c3d89e12d78a17cfa13da573102da563359aed3b41f2d29fa64e27a5ff41b3d23200f5bfa5fe8ad994e7f67e77e20e252513ca1bc |
memory/3620-59-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5112-66-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\HTEHT.exe.bat
| MD5 | 21d365bb040a4d98ba07798d15fd656b |
| SHA1 | 28449a8cee224d537166735d186ccc9601523bd9 |
| SHA256 | 371d3c3a15e6570cd54f0c293a1cdacf7397c31b7c9a1102ec00a433c14e0532 |
| SHA512 | c8e590cb589f3f2342a7f0052bda6a074e29b05f4e24fac95d26bdf2ce2b952c3a7c2b00728cf1ef61f5d9a8fddc5355f46941c5e40bbbef89f0bbd08da227c9 |
C:\Windows\System\HTEHT.exe
| MD5 | 995eb65ff8353eff88fa0877bad4b281 |
| SHA1 | b5ad60bff2f0a31646b57b6e1655fb0b8e481cff |
| SHA256 | f49a11044e05ae89f4768682346f5f1699c793cf31635079c744794b97501453 |
| SHA512 | 21e4a068952664bd8c4caa68cdd5b823eb984af902c4ffbcd70e9c0df8ec73c3c872d72f24c3e5632d38b8530c3f2c0826380f16e62f4aabf0757e4439ec1bda |
memory/3924-71-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NTMVCPM.exe.bat
| MD5 | 405727e544cef76189babccb49fa80c4 |
| SHA1 | a64312b3522302be37e31f26d09892ccb0da02b7 |
| SHA256 | fb8d21c427ece42f08fb8cadc0dcf369e19ffd27d796dd1d6e4ec11c229cf859 |
| SHA512 | 8458851fdd8d8a4b429cf28ba846d7562582cdaec3602ac07c89e4d58933fef6ee50730cf21b1fb98b4560b5717b141e2860c3fa78f2421528138621e2b8927e |
memory/3000-82-0x0000000000400000-0x0000000000439000-memory.dmp
memory/396-83-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\VZYKNO.exe.bat
| MD5 | 5220e0c13439d45e991a3b476b2a2bb8 |
| SHA1 | 36a9b677c9dcb9160c7a1fda55c86cce775f12b6 |
| SHA256 | c4653aa9360608f84293b02b4c5606cd264eb7a1e708cfb2284106881c6ea2da |
| SHA512 | 095485773f8c6820fa92a92e688baf9a8901bfa75acc59446f5fb874df76b1ba1e0181785c201333dae9c90d1b36ae5773d5db8f703783beb9f3ff10324920ab |
memory/3924-90-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\VZYKNO.exe
| MD5 | 3b2cb1962ae8619f291f60c9a32719ed |
| SHA1 | fbd08022cd1b42379ef77f88ffb9060995434cad |
| SHA256 | b9d43ab0677a9ade870fabfe6eaf039ca12defc74393cd285e84ac9732142a31 |
| SHA512 | 7484fddb1513d6a31a9b2756152cd80a31704c5a957e80ce16cd16e73485f47644d769c6d5356311c73b72984e6ce528c9bf72980151c0061cb3d235164cf3f9 |
memory/4464-95-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\NCC.exe.bat
| MD5 | e1d2f5cae1f7f57f5ac24a745d673ecc |
| SHA1 | ccbd56cf89b97cec1afbcce452995ba74a22eba9 |
| SHA256 | 39fb2f886fde0a8ab02163a199c6b4b85ceb1ce274b4347894f964d200357677 |
| SHA512 | 0b79c299ecd4361592faf0e4c36cae1752baf1be937109ea5004c466c595c16779091cafe6e2ad89e5f8ef162805df23f43eb059c2890f55c096f64feb33cd96 |
C:\windows\NCC.exe
| MD5 | 6369a3d5f7050b0bb4a238a0d38abfb0 |
| SHA1 | dd487122e7d7618e102cec932d0315c85d7ec30e |
| SHA256 | 6af5e98b16653893cb8aac59d23e6bb24d4af714f042290d050713c9b28a38e8 |
| SHA512 | 04cb10943f3d34b3f1236d406f0666cf2489d43fbc4f673fb9e46f3a4c7ccdac1a4133f65dbda47eefd4d9b8a578370f83ce8e570e45a2470b5c42e84ca34f25 |
memory/4284-106-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3000-107-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4464-114-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\DSDFZZG.exe.bat
| MD5 | 2134b505e5b309f4d2526cf7f48ecfcf |
| SHA1 | ee09eb981e20eeae3ef0337cda257d5cf55a86c4 |
| SHA256 | 9beea90570f223dd0e75842045c332aa6a47cf18ee61dcc46b5fc142a4229b70 |
| SHA512 | aad9b2688a4d517e20f07788468b723be36ceec5ae907a418aafd5e2ed650985850b52ef42f69b88e005815c716140a290e2b58b49a89f075c28b80ca69bc754 |
C:\Windows\DSDFZZG.exe
| MD5 | 44d7b9dd791b642457c6c734706af2a7 |
| SHA1 | 851b9e497774d82609c104b06be7d6705a02fadd |
| SHA256 | c3db4dc5787b8c1264206a716667bd2c45ab1ef0eb7e4e85211d81c296234ba4 |
| SHA512 | 83019b68638632407eb8f96bd4b87075f185ef11921bd78f419ccf3091148e9dede56dc0f11cf68c5465256d078916d8527c82835457f4ce628ee4edfee932f6 |
memory/3352-119-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\ISLT.exe.bat
| MD5 | 8def13c4959fcbaf79faaa940d9f5374 |
| SHA1 | e770f2f848796168cd7600b739adb9ba0ed0e439 |
| SHA256 | 563ffeec3c195359da970569463e4ddd1190910d993a9c7880752f03abe81150 |
| SHA512 | 601ed4d7da2daf7632532e48ef397010f1e21a1dcfd6c440598ed43ef44b89f788d6920b973f1e08704f0b85641cae91459dc0c293c100bd428b23fb39c0fa8c |
C:\Windows\SysWOW64\ISLT.exe
| MD5 | 8f55709aa22648ef89405c92908a30ea |
| SHA1 | 6c7772752be64cab90578b4871947529cc87807a |
| SHA256 | ae733d0bb0438cf7c198e98d1e04e0f33fcbeaebeff8e758d3da2d386992e698 |
| SHA512 | 627c019ef9813aaa7e8cec7dba8ccfe8a8657480f43b1f260f63e2e7340d5b8e5e162f1ccd1d3f38bc0168d07c45bec3f3c47e49862703fe299ad7b8f5840e7a |
memory/3904-130-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4284-131-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3352-138-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\QGPZ.exe.bat
| MD5 | 1ce83e2272806e1cebd3f4946e4f3508 |
| SHA1 | cca1d6ec806a99637dfddc442bb1f0666ef59f1d |
| SHA256 | fc4efc673745c81217947ca1a703b872cfc88d12ce93abf2e1603d038a3e6832 |
| SHA512 | a25c41f3fbd34b00206273fb78ba83c25b5688cf9063c138751c79977e9f146f6350be81377b0fa1647d11654e986766194c775927672b35ece82d70497c0848 |
C:\Windows\SysWOW64\QGPZ.exe
| MD5 | 678dc562ec9a8df1aaff778cbcbf34ab |
| SHA1 | f38cf7425be9aa55487c568da58b22486f767225 |
| SHA256 | 546c45bbb5da34540770791ce85512b8e5757054c54ea44c7a717333e98ba90a |
| SHA512 | 349749dbc239000432584dccc990ed47f7353cd165dea7ea5b3dd6e3d6a9b422ede1179b62e210139713eec4c41c612dace8fd146e3bdebc14e71e32d54a8194 |
memory/2988-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\AGREW.exe.bat
| MD5 | e9e5fa6680d93eb6bf100c5edb06d3e6 |
| SHA1 | f3103b93e24732caf45579fca35b255955d02898 |
| SHA256 | 5b0e55994f850ccd271d0d4924e5f6a533ee32afaa9ef5480fa2df9868914e3e |
| SHA512 | 42f7393d3e21e2708bc427d98f2e040012f014be672e8535a7eb2ec4a3791bb2618313687b4505a7e3cfc9c7f343a3600e3e0b31b0d804a43835926947d8b5c9 |
memory/4324-154-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3904-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EWYEIQB.exe.bat
| MD5 | 78090cfd814593a6bec33fc1b1fcf8f7 |
| SHA1 | dc91b59fe8db672b8776b9d6619de92a8a6f5626 |
| SHA256 | 9091ec264a7fc702a52d8e1b4b3bb49a63d26bc20293c39c8735531df8c4c970 |
| SHA512 | 6314a9ce113d6f4858cf06d0b60a697d3f6228098b22f5e734bdcab3e1be2364b4ed22102a9d04ad2d171e3edc4531e672c542485b0b3a8fab890a04a3355af7 |
C:\Windows\System\EWYEIQB.exe
| MD5 | 7919e63b36aff29f39c7041a6acfbc70 |
| SHA1 | 7d0b01cdd4a59f43320a6eda5d8773af2d0a44af |
| SHA256 | a41045c3cf09e03ef2ded70256bb6af9d496b8f778dc7173626001abc217ef45 |
| SHA512 | 23f442d03eaa439dd27492955fadeed94c242c1f0e41e0815604bae071746ffc34704eee0657880de3a734299f85cb5aa368c24444a9ee2e611a8dad2b0b9404 |
memory/4308-166-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2988-167-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4324-174-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\ERCI.exe.bat
| MD5 | 726978057fb743663319749e7a65571f |
| SHA1 | 4be751ea7afce932d70f49ece896c811b4f26c76 |
| SHA256 | bb2e0c6c9c2d8f9e6adccdfa16ee6e186c1bc5054da3af7e6b97163a693dd4b4 |
| SHA512 | 9b9f83350726214f62920bf18e97769acd9a678975a1ad0305f1d31b29ec49b787aa7988f7753958bd7e35213d5bac47294d082cb3207fcb2088ea662452021c |
C:\windows\ERCI.exe
| MD5 | fd28ed7fb76e3bee59bc8fb66daaebfb |
| SHA1 | 99bcd6e4b502a34cf4a07e2fcecef0d65cd792ec |
| SHA256 | 79f0d0a2fe276518e27ee1eefb24dd0ee3c7bb046efc558d2c0b6aea20a217d7 |
| SHA512 | c5e3e32facba4fde648a2334ea340750ed285b2f9cbcd4b0b8c49876c0782ff9f95a6afd5cd171ee373f51d120b825c20fd652954015279b8a1910f20bd0434a |
memory/4448-178-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\SCSH.exe.bat
| MD5 | 13857420f2bc76a0bc08fbb886fd38e4 |
| SHA1 | 649aa92d24f0157bac607d1c64b8a59f0381f469 |
| SHA256 | 7265903a13bb24ff1b5f8519ad0b59570a6741591b47b00be03a885d36f3e4ff |
| SHA512 | c163ca478d98e87e0c4535f1a98ef2758ea24b4c24c0cfb3b6886280c2dee76466fb766affaf018f05647290114895715bc29139ccaf25aa34533c155658ca4f |
C:\windows\system\SCSH.exe
| MD5 | 598b27e1df10a7b5b4c2abc24dbcf92b |
| SHA1 | 91e89b86fbe2deca74cd05ed1e41ee08ca93cec6 |
| SHA256 | d3a8989cc62cdd173dc52774fba112ba4946ab5f443dd5f905f6e858ad9a9dc1 |
| SHA512 | 3b5b0f0b6a653e44fc274f1fdac9b0c5bf5e2494ffbbef1f9184c55e1c52181f8bf6ef7a4e8a29c52b0e4702bd0d69400588d31df8e4f6e2baf3c46c25d84a04 |
memory/3312-190-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4308-191-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SFWCQG.exe.bat
| MD5 | 665669de21022f87701db796a71af37d |
| SHA1 | 1e2a10ebc841dce028cde8e1b5ffd8b9972bb66c |
| SHA256 | 53f024bd18340d693b0c8430ec55895d572e5aefc551438e3fba6efc96e90032 |
| SHA512 | b67dc4a48c35ad06cb7839d241cd4b1303004b5fe5e4ed12e355b5771917d94d1cd794ed6fdbcaef879603e4984810cbe479f1d41468a2e2a1f047e5155652eb |
C:\windows\SFWCQG.exe
| MD5 | 99011faeda3e96ae5c5623e2bea52c3a |
| SHA1 | bfc0c1607570fc517d3f54f2bebf511862ad0f3f |
| SHA256 | c16a415c359114883ab93ddba42c5f2974a5824e17161b55ccb4afbad824ad35 |
| SHA512 | 87300412a359031c8d93ed141c5c1d24a6c2f8455243d81c0e32d30010e4776ba283b509b0ef6143b0ba242e1c929d3c3872816c5a6e1cf4acac53d3512a243b |
memory/4448-202-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1760-203-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RQZSY.exe.bat
| MD5 | 261784823c505393240abe4b4e7f9930 |
| SHA1 | 42b340130652f5c20b3e4501214c18cd65f8ae9c |
| SHA256 | 4060341e5a1b85b3eb32e0ba60d040a0c2edc86c6833e2f761a27dca9c057588 |
| SHA512 | 8213e4ad36411cf5252512755032b95f00bed2f43af17124dc401bafbbb262e7db0929b5bf9c41ac966a01db921b4fe41a320790dbfe6d3689700b8f27495286 |
memory/1236-214-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3312-215-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1760-222-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\CIODI.exe.bat
| MD5 | a3014011c43e5e5e3bbdba4a54d209aa |
| SHA1 | e4f510a8f7c7aed3af9986903f15f0063a55612a |
| SHA256 | 213c7a4ed6d7264d72d15fd4b5ad865a792531f8b3ad57e877e7030ad3f71d14 |
| SHA512 | e2289e75155e4044f024bb860d927dbbb9e90777010bd587ca76ef9f5ac495ba4e36aeb42999211523231e886c324845e15cd77fc16d8375f8e45a9d3874b931 |
memory/3624-227-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\CIODI.exe
| MD5 | e98d0e7cf2402e58950868d10d1f9eaf |
| SHA1 | f20a577778ae8743d58a8d06b0ea6e46c916fd30 |
| SHA256 | 59a6c15b4af7729eb2a6f54ed0a5b8d917e7f17e837cc971909eff05ab4d67be |
| SHA512 | 8be5f9c413c29d42a958f1b1303ea388f21410142eea9ab15d4b8f4ddce52bff738d618c42b476e2e13eca8c0bd6cbe5128fc8976e175763bdd3ec61a9b7d006 |
memory/1236-234-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\OBRWQV.exe.bat
| MD5 | 653b559728b87d96f4b11b565009cafc |
| SHA1 | fa5a4c07a0e561f58c185aa39214bbaa9dac3b9c |
| SHA256 | e7fe4358ecd95bd5929587460f7b7360da9545e5205761015602e65427fd4bee |
| SHA512 | 2aa97af0c736f468adb17a0ae8ef627b6ac3e90604d17f6be4adf0fee8f851cc8366f2ff2f82f839801907fdb12b802806ecf2def6c685077093da1dd449fa92 |
C:\Windows\OBRWQV.exe
| MD5 | 4d87da48bd44a98b67d442d916cfe256 |
| SHA1 | 68bf600049154f20f6aa05693876231450235074 |
| SHA256 | 8d031adea432996a94d766dd0492aee73f9cc7d80ac7001109399188df8640b7 |
| SHA512 | f5e8481a7b837f1ddac9b18ae5ab27aa9e75c04748dda35942b7217e0baea0ee03d1272eaf79b1b8d352cf299724a2730cadeda2ed2a15610b93cb657cc3b0fd |
memory/2916-239-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\BHRIS.exe.bat
| MD5 | 1f234c0c3efa23a898153c6df7a69c26 |
| SHA1 | 30e7c89f6ea121f49fb8895bce39d6e7660d0ad4 |
| SHA256 | 07f97524cdd16f549e4af36b4ed7f486ee228fc8f37cc751f21e27466d7c7cc4 |
| SHA512 | 5b9cf5cb3884139847fa2ac6c6d63f9a10d8bea4d3e956a86bc6a02463cbb44f95c1e3340449d62daff758089c0b63449b24376f398b49b2d41421a4a2b8186b |
memory/3624-248-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\BHRIS.exe
| MD5 | 15663efd0229de8d88cdac29f7f5bd35 |
| SHA1 | 37dcf9b1e4cfeeefb547052b8d029b6f41581418 |
| SHA256 | 8c8097eaafa3fa162df14bfadd75cd13e1fff5cd1853b97e2a04af4c6287aba7 |
| SHA512 | 971967c68686ca432626225d6e055ed03187a98a8b3104557f301d8888fa2b82e2e7fe264adcdd200410ff4c02ae3fe3abcd589ca7ea47364b4732cd54bf806c |
memory/1064-251-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NPYIEYR.exe.bat
| MD5 | 6618f918fef1ce366d28546d60376c07 |
| SHA1 | a2d8ace29d617c12c3222e8c80ef6ef71ec61635 |
| SHA256 | 43313ee6c525ab8b643387316a11a15ea356d0b60d720837ef0de942a5310d2e |
| SHA512 | d22cd904d805cd03e55831c44089712a8cc6b2348372d82ad32ea5cc8a21d5a978092369f6f96b01351627e90c30e425a8942f7628a4f6cf29bc3b5f1903d207 |
memory/2916-261-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1980-260-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1064-268-0x0000000000400000-0x0000000000439000-memory.dmp
memory/384-270-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1540-278-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1980-279-0x0000000000400000-0x0000000000439000-memory.dmp
memory/384-285-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4152-288-0x0000000000400000-0x0000000000439000-memory.dmp
memory/668-296-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1540-297-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4152-298-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3872-306-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1076-314-0x0000000000400000-0x0000000000439000-memory.dmp
memory/668-315-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2568-323-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3872-324-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1076-331-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4456-333-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2568-340-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4628-342-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2376-350-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4456-351-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2324-359-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4628-360-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2376-367-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1564-369-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2548-377-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2324-378-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1564-383-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2212-387-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3900-395-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2548-396-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3452-404-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2212-405-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4464-413-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3900-414-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3452-422-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4312-423-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4464-430-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4188-432-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1212-440-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4312-441-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4188-448-0x0000000000400000-0x0000000000439000-memory.dmp
memory/804-450-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3644-458-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1212-459-0x0000000000400000-0x0000000000439000-memory.dmp
memory/804-466-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3104-468-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3644-475-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1980-477-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3104-484-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4772-486-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3740-494-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1980-495-0x0000000000400000-0x0000000000439000-memory.dmp