Malware Analysis Report

2025-01-23 04:42

Sample ID 240522-1l23jsab25
Target 437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe
SHA256 437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba
Tags
backdoor trojan dropper berbew
score
10/10

Analysis Overview

score
10/10

SHA256

437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba

Threat Level: Known bad

The file 437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:45

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:45

Reported

2024-05-22 21:47

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\JIRRDUO.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\JIRRDUO.exe C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe N/A
File opened for modification C:\windows\SysWOW64\JIRRDUO.exe C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe N/A
File created C:\windows\SysWOW64\JIRRDUO.exe.bat C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe N/A
N/A N/A C:\windows\SysWOW64\JIRRDUO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe

"C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\JIRRDUO.exe.bat" "

C:\windows\SysWOW64\JIRRDUO.exe

C:\windows\system32\JIRRDUO.exe

Network

N/A

Files

memory/2492-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\JIRRDUO.exe.bat

MD5 cd54e4b81d04210064c43011e4f6e09e
SHA1 dc2abd4c1c047c5e2be8091321c8332f8c3c3897
SHA256 df09de02fcb03ff7d008756eeba72008f7f9f618ddeb5d67e598ae5a590f2fb1
SHA512 83cccbfe571919929b7e934774a1d4211611bb5fee813900b07d624071b2f66ff3a36f3a49ecd34937fe7bfaf28a9935250743f1bba92db4e29b585c8de2e5f2

memory/2492-12-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\JIRRDUO.exe

MD5 e899d4788e42036d1a07c6a1d0576744
SHA1 d8665d09c363d6cb145de102ff88c103008e70ae
SHA256 8620526e69e8bf0206c0ee1fc5f8912e0f7c5d5122816ff01883f680292b16a9
SHA512 a1a32c54e8240b4c347e1f4c3d89e12d78a17cfa13da573102da563359aed3b41f2d29fa64e27a5ff41b3d23200f5bfa5fe8ad994e7f67e77e20e252513ca1bc

memory/3020-16-0x0000000000190000-0x00000000001C9000-memory.dmp

memory/3020-18-0x0000000000190000-0x00000000001C9000-memory.dmp

memory/2632-20-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:45

Reported

2024-05-22 21:47

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\437cb914aeb1fca0a714380ac400101e4e594a13fe245cf589b8a8bca3ae46ba.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings


Executes dropped EXE


Drops file in System32 directory


Drops file in Windows directory


Enumerates physical storage devices

Program crash


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target

Suspicious use of SetWindowsHookEx

Description Indicator Process Target

Suspicious use of WriteProcessMemory

Description Indicator Process Target

Processes


C:\windows\SysWOW64\PDPHS.exe

C:\windows\system32\PDPHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTOR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3596 -ip 3596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1328

C:\windows\SysWOW64\FTOR.exe

C:\windows\system32\FTOR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GWS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1308

C:\windows\system\GWS.exe

C:\windows\system\GWS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PWUSV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1320

C:\windows\PWUSV.exe

C:\windows\PWUSV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1248

C:\windows\system\CHK.exe

C:\windows\system\CHK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1324

C:\windows\GKIMJY.exe

C:\windows\GKIMJY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1308

C:\windows\system\LQTBZU.exe

C:\windows\system\LQTBZU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NOUVYRI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 960

C:\windows\NOUVYRI.exe

C:\windows\NOUVYRI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EWIBKIL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3452 -ip 3452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 960

C:\windows\EWIBKIL.exe

C:\windows\EWIBKIL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTGQRJN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 988

C:\windows\system\TTGQRJN.exe

C:\windows\system\TTGQRJN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJHPY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1152 -ip 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1328

C:\windows\SysWOW64\IJHPY.exe

C:\windows\system32\IJHPY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DFMYIFQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 960

C:\windows\SysWOW64\DFMYIFQ.exe

C:\windows\system32\DFMYIFQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKLXC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3712 -ip 3712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 960

C:\windows\SysWOW64\TKLXC.exe

C:\windows\system32\TKLXC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 980

C:\windows\SysWOW64\ZFK.exe

C:\windows\system32\ZFK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNRGL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1308

C:\windows\system\DNRGL.exe

C:\windows\system\DNRGL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRUKQAZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 988

C:\windows\SysWOW64\WRUKQAZ.exe

C:\windows\system32\WRUKQAZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUYGEY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1336

C:\windows\system\WUYGEY.exe

C:\windows\system\WUYGEY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHJYUUP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1864 -ip 1864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 988

C:\windows\SysWOW64\FHJYUUP.exe

C:\windows\system32\FHJYUUP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESLOUA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1336

C:\windows\system\ESLOUA.exe

C:\windows\system\ESLOUA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QAA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1328

C:\windows\SysWOW64\QAA.exe

C:\windows\system32\QAA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIUBK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1328

C:\windows\SysWOW64\ZIUBK.exe

C:\windows\system32\ZIUBK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQJB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 872

C:\windows\system\DQJB.exe

C:\windows\system\DQJB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGKHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 960

C:\windows\SysWOW64\YDGKHI.exe

C:\windows\system32\YDGKHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YGR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 960

C:\windows\YGR.exe

C:\windows\YGR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPTT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1336

C:\windows\system\IPTT.exe

C:\windows\system\IPTT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CCQCAE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 960

C:\windows\CCQCAE.exe

C:\windows\CCQCAE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UAQP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4304 -ip 4304

C:\windows\UAQP.exe

C:\windows\UAQP.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1316

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LKT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1308

C:\windows\SysWOW64\LKT.exe

C:\windows\system32\LKT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBAFLW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1328

C:\windows\SysWOW64\XBAFLW.exe

C:\windows\system32\XBAFLW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYIR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1316

C:\windows\system\KYIR.exe

C:\windows\system\KYIR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BOGB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4652 -ip 4652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1340

C:\windows\system\BOGB.exe

C:\windows\system\BOGB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MHJMH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 960

C:\windows\MHJMH.exe

C:\windows\MHJMH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JMHJOSY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4320 -ip 4320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1316

C:\windows\system\JMHJOSY.exe

C:\windows\system\JMHJOSY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFQLCWN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1328

C:\windows\SysWOW64\JFQLCWN.exe

C:\windows\system32\JFQLCWN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVRFATV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1328

C:\windows\SysWOW64\KVRFATV.exe

C:\windows\system32\KVRFATV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WNMYJBK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 960

C:\windows\system\WNMYJBK.exe

C:\windows\system\WNMYJBK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\STS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1324

C:\windows\STS.exe

C:\windows\STS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YTAIH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1328

C:\windows\SysWOW64\YTAIH.exe

C:\windows\system32\YTAIH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PJYLL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1328

C:\windows\SysWOW64\PJYLL.exe

C:\windows\system32\PJYLL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RHANRN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1336

C:\windows\system\RHANRN.exe

C:\windows\system\RHANRN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESWMW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1336

C:\windows\system\ESWMW.exe

C:\windows\system\ESWMW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\APBJDO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 452 -ip 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1308

C:\windows\system\APBJDO.exe

C:\windows\system\APBJDO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4304 -ip 4304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1328

C:\windows\SysWOW64\MIECLV.exe

C:\windows\system32\MIECLV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGDFXPE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1240

C:\windows\SysWOW64\CGDFXPE.exe

C:\windows\system32\CGDFXPE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 976

C:\windows\SysWOW64\NYGXXW.exe

C:\windows\system32\NYGXXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EOF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1324

C:\windows\EOF.exe

C:\windows\EOF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RRJHOHD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1308

C:\windows\system\RRJHOHD.exe

C:\windows\system\RRJHOHD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CJM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1328

C:\windows\SysWOW64\CJM.exe

C:\windows\system32\CJM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NPPF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 988

C:\windows\NPPF.exe

C:\windows\NPPF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2532 -ip 2532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1300

C:\windows\EAOV.exe

C:\windows\EAOV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DPNG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4312 -ip 4312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1324

C:\windows\DPNG.exe

C:\windows\DPNG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OIQRD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1324

C:\windows\OIQRD.exe

C:\windows\OIQRD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OTYSJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1316

C:\windows\system\OTYSJ.exe

C:\windows\system\OTYSJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQSUPS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1912 -ip 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1328

C:\windows\SysWOW64\QQSUPS.exe

C:\windows\system32\QQSUPS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOYXB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1272

C:\windows\system\OOYXB.exe

C:\windows\system\OOYXB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SWF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1304

C:\windows\SWF.exe

C:\windows\SWF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UULRVEN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1336

C:\windows\system\UULRVEN.exe

C:\windows\system\UULRVEN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RAQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2920 -ip 2920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1364

C:\windows\system\RAQO.exe

C:\windows\system\RAQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GQROI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 960

C:\windows\GQROI.exe

C:\windows\GQROI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3748 -ip 3748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 960

C:\windows\SysWOW64\KYY.exe

C:\windows\system32\KYY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGHK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 988

C:\windows\SysWOW64\NGHK.exe

C:\windows\system32\NGHK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJQPNBE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 792 -ip 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1336

C:\windows\system\CJQPNBE.exe

C:\windows\system\CJQPNBE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LJS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 960

C:\windows\system\LJS.exe

C:\windows\system\LJS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KUVKZMC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1300

C:\windows\KUVKZMC.exe

C:\windows\KUVKZMC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPEOK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1212 -ip 1212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1004

C:\windows\system\ZPEOK.exe

C:\windows\system\ZPEOK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CFNLRT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1304

C:\windows\CFNLRT.exe

C:\windows\CFNLRT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HIRJE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1308

C:\windows\system\HIRJE.exe

C:\windows\system\HIRJE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1336

C:\windows\system\ZRYPQ.exe

C:\windows\system\ZRYPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KJBHRJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 988

C:\windows\KJBHRJ.exe

C:\windows\KJBHRJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UHOUGR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4228 -ip 4228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1324

C:\windows\UHOUGR.exe

C:\windows\UHOUGR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QMZJO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 988

C:\windows\QMZJO.exe

C:\windows\QMZJO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPDPBM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 988

C:\windows\system\EPDPBM.exe

C:\windows\system\EPDPBM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NNI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1324

C:\windows\NNI.exe

C:\windows\NNI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IANTT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1296

C:\windows\IANTT.exe

C:\windows\IANTT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BDRP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1324

C:\windows\BDRP.exe

C:\windows\BDRP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JJRDA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4528 -ip 4528

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1316

C:\windows\system\JJRDA.exe

C:\windows\system\JJRDA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJYOR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1336

C:\windows\system\UJYOR.exe

C:\windows\system\UJYOR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRFWWIP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1320

C:\windows\SysWOW64\YRFWWIP.exe

C:\windows\system32\YRFWWIP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PAH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1288

C:\windows\PAH.exe

C:\windows\PAH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCXSVQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4792 -ip 4792

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1328

C:\windows\SysWOW64\DCXSVQ.exe

C:\windows\system32\DCXSVQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIQHXDI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 960

C:\windows\SysWOW64\DIQHXDI.exe

C:\windows\system32\DIQHXDI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLTKCT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 988

C:\windows\SysWOW64\DLTKCT.exe

C:\windows\system32\DLTKCT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARZHJD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 960

C:\windows\SysWOW64\ARZHJD.exe

C:\windows\system32\ARZHJD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GRH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 960

C:\windows\system\GRH.exe

C:\windows\system\GRH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AEMFD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1236

C:\windows\AEMFD.exe

C:\windows\AEMFD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EUSFPPX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 960

C:\windows\EUSFPPX.exe

C:\windows\EUSFPPX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KISNU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1296

C:\windows\KISNU.exe

C:\windows\KISNU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZBDUO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 960

C:\windows\system\IIZBDUO.exe

C:\windows\system\IIZBDUO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OIHPMPP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4636 -ip 4636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 960

C:\windows\SysWOW64\OIHPMPP.exe

C:\windows\system32\OIHPMPP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZBKA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3504 -ip 3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1008

C:\windows\ZBKA.exe

C:\windows\ZBKA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 964

C:\windows\SysWOW64\LRQ.exe

C:\windows\system32\LRQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CCHXGJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964

C:\windows\SysWOW64\CCHXGJ.exe

C:\windows\system32\CCHXGJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WPM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1152 -ip 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1308

C:\windows\SysWOW64\WPM.exe

C:\windows\system32\WPM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKVTBV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1328

C:\windows\system\MKVTBV.exe

C:\windows\system\MKVTBV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MYVICI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 960

C:\windows\MYVICI.exe

C:\windows\MYVICI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IVB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1292

C:\windows\IVB.exe

C:\windows\IVB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RILXZP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1308

C:\windows\system\RILXZP.exe

C:\windows\system\RILXZP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NOY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 960

C:\windows\NOY.exe

C:\windows\NOY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FJPEPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1308

C:\windows\system\FJPEPQ.exe

C:\windows\system\FJPEPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JZWE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960

C:\windows\SysWOW64\JZWE.exe

C:\windows\system32\JZWE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KUA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3704 -ip 3704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 988

C:\windows\KUA.exe

C:\windows\KUA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2476 -ip 2476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872

C:\windows\system\FQFR.exe

C:\windows\system\FQFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EANTE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4324 -ip 4324

C:\windows\SysWOW64\EANTE.exe

C:\windows\system32\EANTE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1204

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZNSCHC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 960

C:\windows\ZNSCHC.exe

C:\windows\ZNSCHC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBRAMEB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3420 -ip 3420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 988

C:\windows\system\SBRAMEB.exe

C:\windows\system\SBRAMEB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WRGI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1236

C:\windows\WRGI.exe

C:\windows\WRGI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MMPNJJY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1304

C:\windows\MMPNJJY.exe

C:\windows\MMPNJJY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCQE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1328

C:\windows\SysWOW64\BCQE.exe

C:\windows\system32\BCQE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1336

C:\windows\system\FKX.exe

C:\windows\system\FKX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NYJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1324

C:\windows\NYJ.exe

C:\windows\NYJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGDAQU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3320 -ip 3320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1328

C:\windows\SysWOW64\RGDAQU.exe

C:\windows\system32\RGDAQU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IOSGCL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1288

C:\windows\IOSGCL.exe

C:\windows\IOSGCL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZERIOF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1300

C:\windows\SysWOW64\ZERIOF.exe

C:\windows\system32\ZERIOF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XPCYP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2576 -ip 2576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 960

C:\windows\SysWOW64\XPCYP.exe

C:\windows\system32\XPCYP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OMAB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4652 -ip 4652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 960

C:\windows\OMAB.exe

C:\windows\OMAB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCGW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4640 -ip 4640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1328

C:\windows\SysWOW64\YCGW.exe

C:\windows\system32\YCGW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SYLFSM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1324

C:\windows\SYLFSM.exe

C:\windows\SYLFSM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOMEZAZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1336

C:\windows\system\IOMEZAZ.exe

C:\windows\system\IOMEZAZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VQCVNLU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1296

C:\windows\VQCVNLU.exe

C:\windows\VQCVNLU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BMB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1336

C:\windows\system\BMB.exe

C:\windows\system\BMB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OWK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 960

C:\windows\OWK.exe

C:\windows\OWK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GXMI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1316

C:\windows\system\GXMI.exe

C:\windows\system\GXMI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RPPSK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2920 -ip 2920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 960

C:\windows\SysWOW64\RPPSK.exe

C:\windows\system32\RPPSK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EAX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2588 -ip 2588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 960

C:\windows\EAX.exe

C:\windows\EAX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OIZWJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 960

C:\windows\OIZWJ.exe

C:\windows\OIZWJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBHKSOO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1248

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files
