Malware Analysis Report

2025-01-23 05:23

Sample ID 240523-cgf3hshg4t
Target 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
SHA256 89640cd301e0dfb7431636bd53acc1c8592659cd90f1e96b2ff75d85375b4be6
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89640cd301e0dfb7431636bd53acc1c8592659cd90f1e96b2ff75d85375b4be6

Threat Level: Known bad

The file 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:02

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:02

Reported

2024-05-23 02:05

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\SJXO.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\SJXO.exe.bat C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
File created C:\windows\SysWOW64\SJXO.exe C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
File opened for modification C:\windows\SysWOW64\SJXO.exe C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\SJXO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\SJXO.exe.bat" "

C:\windows\SysWOW64\SJXO.exe

C:\windows\system32\SJXO.exe

Network

N/A

Files

memory/2004-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\SJXO.exe.bat

MD5 819ce0785c98053481ee433d50a2763a
SHA1 f4ccde0bc421d75990b93a4cae275f2539b30c7e
SHA256 53228ffde4f1bacfac4a712d75072a64ea72de9c22c831e8580b7fc6d37bb948
SHA512 588adf201948ac6d7d0a59a8129de81b00e0102fe33c78834b69a3a2150b934a95be6d0e01d875216dbffe60735ba93251d5d309f936a7c124cf258e9696322d

memory/2004-12-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\SJXO.exe

MD5 66caf01ff9edaf99d973672b20b3e90b
SHA1 c9062634d2111bff910e71d7de72eec669436038
SHA256 ee615bfb1243e9621accb2b495b7aff52c0bfed7968c1995e0138c620b5de9f1
SHA512 0d5d1d90fcb8d8be6a83dca9f58b10b66bc3e84091acc6711dad9b3625c590f0e9098c2fea4c1ec0a9fa0ca297f0766e78ea18287b5fc08a256d0e28e3083fe2

memory/2116-15-0x0000000000170000-0x00000000001A9000-memory.dmp

memory/2116-18-0x0000000000170000-0x00000000001A9000-memory.dmp

memory/2632-20-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:02

Reported

2024-05-23 02:05

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\RQV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\AQN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\UNMH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\UJFLWR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\VGGBU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\LSV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\MDEBXL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PQVCQFK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\WHNBUH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\YCFZYD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\YPDBPY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\QLOLKHL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\BER.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\BDNSMHS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\KQFJZS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\KUVKZMC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\OKCK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\HFTWHIA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\IYLRDQX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\EESDJMD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\OCYXQU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\NRXZUYN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZUZMU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LAW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HMJSB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\YHW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SQXYEI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\VANUJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\WISKK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NZMGO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\RIUZRR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\BLD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\EPDPBM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\MICZW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\TRNH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\INKTUN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\SADDT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\FCBH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HLYKE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\GOVOZKF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\XGATNJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\DGHH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\CTA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\VRWYJJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\IPD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\QVH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\OJKFIVS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\DCTVB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\BSXFM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LIRKT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\RIM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\QJIV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\JMHZP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\ZHEMD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\XUYKDZG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\LAKE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\RHD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\NOGA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\UGNBMNH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\QCOU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HOYNK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\TFEHAZG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LWCVIBD.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\QLOLKHL.exe N/A
N/A N/A C:\windows\system\BER.exe N/A
N/A N/A C:\windows\system\HZDX.exe N/A
N/A N/A C:\windows\SysWOW64\EFV.exe N/A
N/A N/A C:\windows\system\KAMNLJ.exe N/A
N/A N/A C:\windows\WQFNGNI.exe N/A
N/A N/A C:\windows\YYOKNH.exe N/A
N/A N/A C:\windows\system\IZQPR.exe N/A
N/A N/A C:\windows\system\ZHEMD.exe N/A
N/A N/A C:\windows\system\AKUISF.exe N/A
N/A N/A C:\windows\SysWOW64\ANYM.exe N/A
N/A N/A C:\windows\system\OLY.exe N/A
N/A N/A C:\windows\SysWOW64\POOM.exe N/A
N/A N/A C:\windows\IGEW.exe N/A
N/A N/A C:\windows\system\QUR.exe N/A
N/A N/A C:\windows\SysWOW64\VHWTZGR.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\SysWOW64\RAHWQO.exe N/A
N/A N/A C:\windows\BQURYW.exe N/A
N/A N/A C:\windows\SysWOW64\HLYKE.exe N/A
N/A N/A C:\windows\SysWOW64\DWOIS.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\PSIXPNS.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\VSL.exe N/A
N/A N/A C:\windows\NQDRVI.exe N/A
N/A N/A C:\windows\HLI.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\SysWOW64\OCYXQU.exe N/A
N/A N/A C:\windows\SysWOW64\LCIZUY.exe N/A
N/A N/A C:\windows\VANUJ.exe N/A
N/A N/A C:\windows\SysWOW64\MICZW.exe N/A
N/A N/A C:\windows\SysWOW64\QQI.exe N/A
N/A N/A C:\windows\system\BJLS.exe N/A
N/A N/A C:\windows\CHTBT.exe N/A
N/A N/A C:\windows\XUYKDZG.exe N/A
N/A N/A C:\windows\FACRGG.exe N/A
N/A N/A C:\windows\LAKE.exe N/A
N/A N/A C:\windows\TOX.exe N/A
N/A N/A C:\windows\system\TRNH.exe N/A
N/A N/A C:\windows\SysWOW64\VGGBU.exe N/A
N/A N/A C:\windows\SysWOW64\OJKFIVS.exe N/A
N/A N/A C:\windows\SysWOW64\JUADOYO.exe N/A
N/A N/A C:\windows\SysWOW64\RKB.exe N/A
N/A N/A C:\windows\SysWOW64\KDJ.exe N/A
N/A N/A C:\windows\system\FJDKX.exe N/A
N/A N/A C:\windows\CGBHEBP.exe N/A
N/A N/A C:\windows\SysWOW64\BUIK.exe N/A
N/A N/A C:\windows\system\LSV.exe N/A
N/A N/A C:\windows\HPGMHFV.exe N/A
N/A N/A C:\windows\system\BDNSMHS.exe N/A
N/A N/A C:\windows\SysWOW64\FTTSY.exe N/A
N/A N/A C:\windows\SysWOW64\YLJDI.exe N/A
N/A N/A C:\windows\system\NRGA.exe N/A
N/A N/A C:\windows\SysWOW64\APO.exe N/A
N/A N/A C:\windows\system\DCTVB.exe N/A
N/A N/A C:\windows\system\PNQAT.exe N/A
N/A N/A C:\windows\system\YVKFWRM.exe N/A
N/A N/A C:\windows\system\GBXMHP.exe N/A
N/A N/A C:\windows\system\OTG.exe N/A
N/A N/A C:\windows\SysWOW64\UGJ.exe N/A
N/A N/A C:\windows\MPLT.exe N/A
N/A N/A C:\windows\MNFVYRX.exe N/A
N/A N/A C:\windows\SysWOW64\UXOWLVM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\APO.exe.bat C:\windows\system\NRGA.exe N/A
File opened for modification C:\windows\SysWOW64\HOYNK.exe C:\windows\SysWOW64\VWVV.exe N/A
File created C:\windows\SysWOW64\MIMJV.exe.bat C:\windows\SQXYEI.exe N/A
File created C:\windows\SysWOW64\POOM.exe.bat C:\windows\system\OLY.exe N/A
File created C:\windows\SysWOW64\GNG.exe.bat C:\windows\system\PSIXPNS.exe N/A
File created C:\windows\SysWOW64\ALB.exe.bat C:\windows\SysWOW64\LIRKT.exe N/A
File created C:\windows\SysWOW64\YGIDTL.exe C:\windows\QADWJMS.exe N/A
File opened for modification C:\windows\SysWOW64\QHYQKZ.exe C:\windows\system\LCFBUET.exe N/A
File created C:\windows\SysWOW64\FTTSY.exe.bat C:\windows\system\BDNSMHS.exe N/A
File opened for modification C:\windows\SysWOW64\RKGT.exe C:\windows\SysWOW64\SADDT.exe N/A
File opened for modification C:\windows\SysWOW64\VGGBU.exe C:\windows\system\TRNH.exe N/A
File opened for modification C:\windows\SysWOW64\MDEBXL.exe C:\windows\SysWOW64\INKTUN.exe N/A
File created C:\windows\SysWOW64\SADDT.exe C:\windows\HHOSK.exe N/A
File created C:\windows\SysWOW64\LIRKT.exe C:\windows\BLD.exe N/A
File created C:\windows\SysWOW64\NZMGO.exe C:\windows\TMH.exe N/A
File created C:\windows\SysWOW64\YGIDTL.exe.bat C:\windows\QADWJMS.exe N/A
File created C:\windows\SysWOW64\LCIZUY.exe C:\windows\SysWOW64\OCYXQU.exe N/A
File created C:\windows\SysWOW64\MICZW.exe.bat C:\windows\VANUJ.exe N/A
File opened for modification C:\windows\SysWOW64\OJKFIVS.exe C:\windows\SysWOW64\VGGBU.exe N/A
File created C:\windows\SysWOW64\BUIK.exe.bat C:\windows\CGBHEBP.exe N/A
File opened for modification C:\windows\SysWOW64\NZMGO.exe C:\windows\TMH.exe N/A
File created C:\windows\SysWOW64\VWVV.exe C:\windows\SysWOW64\YGIDTL.exe N/A
File opened for modification C:\windows\SysWOW64\VHWTZGR.exe C:\windows\system\QUR.exe N/A
File created C:\windows\SysWOW64\MICZW.exe C:\windows\VANUJ.exe N/A
File created C:\windows\SysWOW64\LCIZUY.exe.bat C:\windows\SysWOW64\OCYXQU.exe N/A
File opened for modification C:\windows\SysWOW64\LCWO.exe C:\windows\WHNBUH.exe N/A
File created C:\windows\SysWOW64\UPWM.exe.bat C:\windows\system\DGHH.exe N/A
File opened for modification C:\windows\SysWOW64\LIRKT.exe C:\windows\BLD.exe N/A
File created C:\windows\SysWOW64\LIRKT.exe.bat C:\windows\BLD.exe N/A
File opened for modification C:\windows\SysWOW64\PILP.exe C:\windows\ZKXYQJX.exe N/A
File opened for modification C:\windows\SysWOW64\ANYM.exe C:\windows\system\AKUISF.exe N/A
File opened for modification C:\windows\SysWOW64\POOM.exe C:\windows\system\OLY.exe N/A
File created C:\windows\SysWOW64\LCWO.exe.bat C:\windows\WHNBUH.exe N/A
File created C:\windows\SysWOW64\UPWM.exe C:\windows\system\DGHH.exe N/A
File created C:\windows\SysWOW64\ZUZMU.exe C:\windows\HRWIPXB.exe N/A
File created C:\windows\SysWOW64\VHWTZGR.exe C:\windows\system\QUR.exe N/A
File opened for modification C:\windows\SysWOW64\BUIK.exe C:\windows\CGBHEBP.exe N/A
File created C:\windows\SysWOW64\UGJ.exe.bat C:\windows\system\OTG.exe N/A
File opened for modification C:\windows\SysWOW64\INKTUN.exe C:\windows\SysWOW64\CSYSOY.exe N/A
File created C:\windows\SysWOW64\TFZ.exe C:\windows\system\ACNNN.exe N/A
File created C:\windows\SysWOW64\TFZ.exe.bat C:\windows\system\ACNNN.exe N/A
File created C:\windows\SysWOW64\HMJSB.exe C:\windows\system\UJFLWR.exe N/A
File created C:\windows\SysWOW64\QQI.exe C:\windows\SysWOW64\MICZW.exe N/A
File created C:\windows\SysWOW64\KDJ.exe C:\windows\SysWOW64\RKB.exe N/A
File created C:\windows\SysWOW64\JUADOYO.exe.bat C:\windows\SysWOW64\OJKFIVS.exe N/A
File created C:\windows\SysWOW64\PQVCQFK.exe.bat C:\windows\SysWOW64\MDEBXL.exe N/A
File opened for modification C:\windows\SysWOW64\QVH.exe C:\windows\IPD.exe N/A
File created C:\windows\SysWOW64\MIMJV.exe C:\windows\SQXYEI.exe N/A
File created C:\windows\SysWOW64\ANYM.exe.bat C:\windows\system\AKUISF.exe N/A
File opened for modification C:\windows\SysWOW64\GNG.exe C:\windows\system\PSIXPNS.exe N/A
File opened for modification C:\windows\SysWOW64\CSYSOY.exe C:\windows\WRZE.exe N/A
File created C:\windows\SysWOW64\KZSAYR.exe C:\windows\RHD.exe N/A
File created C:\windows\SysWOW64\YSZPPT.exe.bat C:\windows\BSXFM.exe N/A
File created C:\windows\SysWOW64\WISKK.exe.bat C:\windows\SysWOW64\YSZPPT.exe N/A
File opened for modification C:\windows\SysWOW64\ALB.exe C:\windows\SysWOW64\LIRKT.exe N/A
File created C:\windows\SysWOW64\QVH.exe.bat C:\windows\IPD.exe N/A
File created C:\windows\SysWOW64\POOM.exe C:\windows\system\OLY.exe N/A
File opened for modification C:\windows\SysWOW64\UGJ.exe C:\windows\system\OTG.exe N/A
File created C:\windows\SysWOW64\RZKDH.exe.bat C:\windows\system\LYD.exe N/A
File opened for modification C:\windows\SysWOW64\HMJSB.exe C:\windows\system\UJFLWR.exe N/A
File opened for modification C:\windows\SysWOW64\UPWM.exe C:\windows\system\DGHH.exe N/A
File opened for modification C:\windows\SysWOW64\KDJ.exe C:\windows\SysWOW64\RKB.exe N/A
File created C:\windows\SysWOW64\CSYSOY.exe C:\windows\WRZE.exe N/A
File created C:\windows\SysWOW64\INKTUN.exe.bat C:\windows\SysWOW64\CSYSOY.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\system\YHW.exe.bat C:\windows\SysWOW64\NZPE.exe N/A
File created C:\windows\system\CTA.exe.bat C:\windows\system\SVUODN.exe N/A
File opened for modification C:\windows\VRGF.exe C:\windows\KYD.exe N/A
File opened for modification C:\windows\system\OTG.exe C:\windows\system\GBXMHP.exe N/A
File created C:\windows\system\KUL.exe C:\windows\system\IWFR.exe N/A
File created C:\windows\TMH.exe C:\windows\SysWOW64\ZUZMU.exe N/A
File created C:\windows\system\ACNNN.exe.bat C:\windows\SysWOW64\UPWM.exe N/A
File created C:\windows\system\FKQPY.exe.bat C:\windows\system\OKCK.exe N/A
File created C:\windows\system\QKNT.exe.bat C:\windows\SysWOW64\RZKDH.exe N/A
File created C:\windows\system\UGNBMNH.exe.bat C:\windows\system\UNMH.exe N/A
File created C:\windows\NQDRVI.exe C:\windows\VSL.exe N/A
File created C:\windows\system\SGGJ.exe C:\windows\KQFJZS.exe N/A
File created C:\windows\system\RYAXR.exe C:\windows\system\USCHC.exe N/A
File created C:\windows\NMV.exe C:\windows\SysWOW64\PQVCQFK.exe N/A
File opened for modification C:\windows\system\COAMS.exe C:\windows\system\AQN.exe N/A
File created C:\windows\system\IYLRDQX.exe C:\windows\SysWOW64\QVH.exe N/A
File created C:\windows\XQO.exe.bat C:\windows\IANTT.exe N/A
File created C:\windows\system\QUR.exe.bat C:\windows\IGEW.exe N/A
File opened for modification C:\windows\system\EESDJMD.exe C:\windows\HLI.exe N/A
File created C:\windows\QJIV.exe.bat C:\windows\system\MTCNWS.exe N/A
File created C:\windows\QLOLKHL.exe C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
File created C:\windows\system\QUTRO.exe C:\windows\system\KUL.exe N/A
File created C:\windows\system\MTCNWS.exe.bat C:\windows\system\CTA.exe N/A
File opened for modification C:\windows\system\YCFZYD.exe C:\windows\system\WEMFROA.exe N/A
File created C:\windows\system\YCFZYD.exe.bat C:\windows\system\WEMFROA.exe N/A
File opened for modification C:\windows\IANTT.exe C:\windows\TFEHAZG.exe N/A
File created C:\windows\system\AKUISF.exe C:\windows\system\ZHEMD.exe N/A
File opened for modification C:\windows\system\YVKFWRM.exe C:\windows\system\PNQAT.exe N/A
File created C:\windows\system\YVKFWRM.exe.bat C:\windows\system\PNQAT.exe N/A
File opened for modification C:\windows\IPD.exe C:\windows\system\NEMQZ.exe N/A
File created C:\windows\system\VRWYJJ.exe C:\windows\XQO.exe N/A
File opened for modification C:\windows\MPLT.exe C:\windows\SysWOW64\UGJ.exe N/A
File created C:\windows\system\XGATNJ.exe.bat C:\windows\SysWOW64\WISKK.exe N/A
File opened for modification C:\windows\system\IWFR.exe C:\windows\SysWOW64\TGESJEC.exe N/A
File created C:\windows\system\EPDPBM.exe.bat C:\windows\system\LMZMOWI.exe N/A
File created C:\windows\system\RQV.exe.bat C:\windows\SysWOW64\TPNIG.exe N/A
File created C:\windows\system\UNMH.exe.bat C:\windows\system\SFDLR.exe N/A
File created C:\windows\CHTBT.exe.bat C:\windows\system\BJLS.exe N/A
File created C:\windows\FACRGG.exe.bat C:\windows\XUYKDZG.exe N/A
File created C:\windows\MKOW.exe.bat C:\windows\SysWOW64\NZMGO.exe N/A
File opened for modification C:\windows\QIXEX.exe C:\windows\system\RQV.exe N/A
File created C:\windows\system\KUWGR.exe.bat C:\windows\SysWOW64\HMJSB.exe N/A
File created C:\windows\VVW.exe C:\windows\SysWOW64\UXOWLVM.exe N/A
File opened for modification C:\windows\BLD.exe C:\windows\SysWOW64\TFZ.exe N/A
File opened for modification C:\windows\ZDJCEZG.exe C:\windows\RIM.exe N/A
File opened for modification C:\windows\RHD.exe C:\windows\system\LMEOK.exe N/A
File created C:\windows\system\DGHH.exe.bat C:\windows\system\XGATNJ.exe N/A
File created C:\windows\system\ACNNN.exe C:\windows\SysWOW64\UPWM.exe N/A
File opened for modification C:\windows\system\QUTRO.exe C:\windows\system\KUL.exe N/A
File created C:\windows\ZOZFBP.exe.bat C:\windows\system\RIUZRR.exe N/A
File opened for modification C:\windows\system\ZHEMD.exe C:\windows\system\IZQPR.exe N/A
File created C:\windows\system\QUR.exe C:\windows\IGEW.exe N/A
File opened for modification C:\windows\VSL.exe C:\windows\SysWOW64\GNG.exe N/A
File created C:\windows\KUVKZMC.exe.bat C:\windows\system\YHW.exe N/A
File created C:\windows\system\LMZMOWI.exe C:\windows\QJIV.exe N/A
File created C:\windows\MNFVYRX.exe C:\windows\MPLT.exe N/A
File created C:\windows\system\SVUODN.exe.bat C:\windows\system\FKQPY.exe N/A
File created C:\windows\system\RQV.exe C:\windows\SysWOW64\TPNIG.exe N/A
File created C:\windows\VANUJ.exe.bat C:\windows\SysWOW64\LCIZUY.exe N/A
File opened for modification C:\windows\system\BDNSMHS.exe C:\windows\HPGMHFV.exe N/A
File created C:\windows\system\GBXMHP.exe C:\windows\system\YVKFWRM.exe N/A
File opened for modification C:\windows\VVW.exe C:\windows\SysWOW64\UXOWLVM.exe N/A
File created C:\windows\VJFSK.exe C:\windows\SysWOW64\GOVOZKF.exe N/A
File opened for modification C:\windows\system\DGHH.exe C:\windows\system\XGATNJ.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\QLOLKHL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BER.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\HZDX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\EFV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\KAMNLJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\WQFNGNI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YYOKNH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\IZQPR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\ZHEMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\AKUISF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ANYM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\OLY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\POOM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IGEW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QUR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\VHWTZGR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JNCQGQT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RAHWQO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\BQURYW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\HLYKE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DWOIS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QCOU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PSIXPNS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\GNG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VSL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NQDRVI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\HLI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EESDJMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\OCYXQU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LCIZUY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VANUJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\MICZW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\QQI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BJLS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CHTBT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XUYKDZG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\FACRGG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LAKE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\TOX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\TRNH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\VGGBU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\OJKFIVS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JUADOYO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RKB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\KDJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FJDKX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CGBHEBP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\BUIK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\LSV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\HPGMHFV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BDNSMHS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\FTTSY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\YLJDI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NRGA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\APO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\DCTVB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PNQAT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\YVKFWRM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\GBXMHP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\OTG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UGJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\MPLT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\MNFVYRX.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
N/A N/A C:\windows\QLOLKHL.exe N/A
N/A N/A C:\windows\QLOLKHL.exe N/A
N/A N/A C:\windows\system\BER.exe N/A
N/A N/A C:\windows\system\BER.exe N/A
N/A N/A C:\windows\system\HZDX.exe N/A
N/A N/A C:\windows\system\HZDX.exe N/A
N/A N/A C:\windows\SysWOW64\EFV.exe N/A
N/A N/A C:\windows\SysWOW64\EFV.exe N/A
N/A N/A C:\windows\system\KAMNLJ.exe N/A
N/A N/A C:\windows\system\KAMNLJ.exe N/A
N/A N/A C:\windows\WQFNGNI.exe N/A
N/A N/A C:\windows\WQFNGNI.exe N/A
N/A N/A C:\windows\YYOKNH.exe N/A
N/A N/A C:\windows\YYOKNH.exe N/A
N/A N/A C:\windows\system\IZQPR.exe N/A
N/A N/A C:\windows\system\IZQPR.exe N/A
N/A N/A C:\windows\system\ZHEMD.exe N/A
N/A N/A C:\windows\system\ZHEMD.exe N/A
N/A N/A C:\windows\system\AKUISF.exe N/A
N/A N/A C:\windows\system\AKUISF.exe N/A
N/A N/A C:\windows\SysWOW64\ANYM.exe N/A
N/A N/A C:\windows\SysWOW64\ANYM.exe N/A
N/A N/A C:\windows\system\OLY.exe N/A
N/A N/A C:\windows\system\OLY.exe N/A
N/A N/A C:\windows\SysWOW64\POOM.exe N/A
N/A N/A C:\windows\SysWOW64\POOM.exe N/A
N/A N/A C:\windows\IGEW.exe N/A
N/A N/A C:\windows\IGEW.exe N/A
N/A N/A C:\windows\system\QUR.exe N/A
N/A N/A C:\windows\system\QUR.exe N/A
N/A N/A C:\windows\SysWOW64\VHWTZGR.exe N/A
N/A N/A C:\windows\SysWOW64\VHWTZGR.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\SysWOW64\RAHWQO.exe N/A
N/A N/A C:\windows\SysWOW64\RAHWQO.exe N/A
N/A N/A C:\windows\BQURYW.exe N/A
N/A N/A C:\windows\BQURYW.exe N/A
N/A N/A C:\windows\SysWOW64\HLYKE.exe N/A
N/A N/A C:\windows\SysWOW64\HLYKE.exe N/A
N/A N/A C:\windows\SysWOW64\DWOIS.exe N/A
N/A N/A C:\windows\SysWOW64\DWOIS.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\PSIXPNS.exe N/A
N/A N/A C:\windows\system\PSIXPNS.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\VSL.exe N/A
N/A N/A C:\windows\VSL.exe N/A
N/A N/A C:\windows\NQDRVI.exe N/A
N/A N/A C:\windows\NQDRVI.exe N/A
N/A N/A C:\windows\HLI.exe N/A
N/A N/A C:\windows\HLI.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\SysWOW64\OCYXQU.exe N/A
N/A N/A C:\windows\SysWOW64\OCYXQU.exe N/A
N/A N/A C:\windows\SysWOW64\LCIZUY.exe N/A
N/A N/A C:\windows\SysWOW64\LCIZUY.exe N/A
N/A N/A C:\windows\VANUJ.exe N/A
N/A N/A C:\windows\VANUJ.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe N/A
N/A N/A C:\windows\QLOLKHL.exe N/A
N/A N/A C:\windows\QLOLKHL.exe N/A
N/A N/A C:\windows\system\BER.exe N/A
N/A N/A C:\windows\system\BER.exe N/A
N/A N/A C:\windows\system\HZDX.exe N/A
N/A N/A C:\windows\system\HZDX.exe N/A
N/A N/A C:\windows\SysWOW64\EFV.exe N/A
N/A N/A C:\windows\SysWOW64\EFV.exe N/A
N/A N/A C:\windows\system\KAMNLJ.exe N/A
N/A N/A C:\windows\system\KAMNLJ.exe N/A
N/A N/A C:\windows\WQFNGNI.exe N/A
N/A N/A C:\windows\WQFNGNI.exe N/A
N/A N/A C:\windows\YYOKNH.exe N/A
N/A N/A C:\windows\YYOKNH.exe N/A
N/A N/A C:\windows\system\IZQPR.exe N/A
N/A N/A C:\windows\system\IZQPR.exe N/A
N/A N/A C:\windows\system\ZHEMD.exe N/A
N/A N/A C:\windows\system\ZHEMD.exe N/A
N/A N/A C:\windows\system\AKUISF.exe N/A
N/A N/A C:\windows\system\AKUISF.exe N/A
N/A N/A C:\windows\SysWOW64\ANYM.exe N/A
N/A N/A C:\windows\SysWOW64\ANYM.exe N/A
N/A N/A C:\windows\system\OLY.exe N/A
N/A N/A C:\windows\system\OLY.exe N/A
N/A N/A C:\windows\SysWOW64\POOM.exe N/A
N/A N/A C:\windows\SysWOW64\POOM.exe N/A
N/A N/A C:\windows\IGEW.exe N/A
N/A N/A C:\windows\IGEW.exe N/A
N/A N/A C:\windows\system\QUR.exe N/A
N/A N/A C:\windows\system\QUR.exe N/A
N/A N/A C:\windows\SysWOW64\VHWTZGR.exe N/A
N/A N/A C:\windows\SysWOW64\VHWTZGR.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\JNCQGQT.exe N/A
N/A N/A C:\windows\SysWOW64\RAHWQO.exe N/A
N/A N/A C:\windows\SysWOW64\RAHWQO.exe N/A
N/A N/A C:\windows\BQURYW.exe N/A
N/A N/A C:\windows\BQURYW.exe N/A
N/A N/A C:\windows\SysWOW64\HLYKE.exe N/A
N/A N/A C:\windows\SysWOW64\HLYKE.exe N/A
N/A N/A C:\windows\SysWOW64\DWOIS.exe N/A
N/A N/A C:\windows\SysWOW64\DWOIS.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\PSIXPNS.exe N/A
N/A N/A C:\windows\system\PSIXPNS.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\VSL.exe N/A
N/A N/A C:\windows\VSL.exe N/A
N/A N/A C:\windows\NQDRVI.exe N/A
N/A N/A C:\windows\NQDRVI.exe N/A
N/A N/A C:\windows\HLI.exe N/A
N/A N/A C:\windows\HLI.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\SysWOW64\OCYXQU.exe N/A
N/A N/A C:\windows\SysWOW64\OCYXQU.exe N/A
N/A N/A C:\windows\SysWOW64\LCIZUY.exe N/A
N/A N/A C:\windows\SysWOW64\LCIZUY.exe N/A
N/A N/A C:\windows\VANUJ.exe N/A
N/A N/A C:\windows\VANUJ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\QLOLKHL.exe
PID 1944 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\QLOLKHL.exe
PID 1944 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\QLOLKHL.exe
PID 4828 wrote to memory of 836 N/A C:\windows\QLOLKHL.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 836 N/A C:\windows\QLOLKHL.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 836 N/A C:\windows\QLOLKHL.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\BER.exe
PID 836 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\BER.exe
PID 836 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\BER.exe
PID 2720 wrote to memory of 3076 N/A C:\windows\system\BER.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 3076 N/A C:\windows\system\BER.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 3076 N/A C:\windows\system\BER.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\HZDX.exe
PID 3076 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\HZDX.exe
PID 3076 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\HZDX.exe
PID 4284 wrote to memory of 1000 N/A C:\windows\system\HZDX.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1000 N/A C:\windows\system\HZDX.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1000 N/A C:\windows\system\HZDX.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EFV.exe
PID 1000 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EFV.exe
PID 1000 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EFV.exe
PID 2244 wrote to memory of 1908 N/A C:\windows\SysWOW64\EFV.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1908 N/A C:\windows\SysWOW64\EFV.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1908 N/A C:\windows\SysWOW64\EFV.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\KAMNLJ.exe
PID 1908 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\KAMNLJ.exe
PID 1908 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\KAMNLJ.exe
PID 3392 wrote to memory of 4080 N/A C:\windows\system\KAMNLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4080 N/A C:\windows\system\KAMNLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 4080 N/A C:\windows\system\KAMNLJ.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WQFNGNI.exe
PID 4080 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WQFNGNI.exe
PID 4080 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WQFNGNI.exe
PID 1716 wrote to memory of 4764 N/A C:\windows\WQFNGNI.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 4764 N/A C:\windows\WQFNGNI.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 4764 N/A C:\windows\WQFNGNI.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YYOKNH.exe
PID 4764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YYOKNH.exe
PID 4764 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YYOKNH.exe
PID 1348 wrote to memory of 956 N/A C:\windows\YYOKNH.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 956 N/A C:\windows\YYOKNH.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 956 N/A C:\windows\YYOKNH.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IZQPR.exe
PID 956 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IZQPR.exe
PID 956 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\IZQPR.exe
PID 3516 wrote to memory of 2276 N/A C:\windows\system\IZQPR.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2276 N/A C:\windows\system\IZQPR.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2276 N/A C:\windows\system\IZQPR.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\ZHEMD.exe
PID 2276 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\ZHEMD.exe
PID 2276 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\ZHEMD.exe
PID 2360 wrote to memory of 2756 N/A C:\windows\system\ZHEMD.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2756 N/A C:\windows\system\ZHEMD.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2756 N/A C:\windows\system\ZHEMD.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\AKUISF.exe
PID 2756 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\AKUISF.exe
PID 2756 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\AKUISF.exe
PID 4504 wrote to memory of 1628 N/A C:\windows\system\AKUISF.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1628 N/A C:\windows\system\AKUISF.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1628 N/A C:\windows\system\AKUISF.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ANYM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QLOLKHL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4448 -ip 4448

C:\windows\QLOLKHL.exe

C:\windows\QLOLKHL.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 948

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BER.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 988

C:\windows\system\BER.exe

C:\windows\system\BER.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HZDX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2720 -ip 2720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 960

C:\windows\system\HZDX.exe

C:\windows\system\HZDX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4284 -ip 4284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1328

C:\windows\SysWOW64\EFV.exe

C:\windows\system32\EFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAMNLJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 976

C:\windows\system\KAMNLJ.exe

C:\windows\system\KAMNLJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WQFNGNI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 960

C:\windows\WQFNGNI.exe

C:\windows\WQFNGNI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YYOKNH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1296

C:\windows\YYOKNH.exe

C:\windows\YYOKNH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZQPR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1336

C:\windows\system\IZQPR.exe

C:\windows\system\IZQPR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHEMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1288

C:\windows\system\ZHEMD.exe

C:\windows\system\ZHEMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKUISF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1336

C:\windows\system\AKUISF.exe

C:\windows\system\AKUISF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANYM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 960

C:\windows\SysWOW64\ANYM.exe

C:\windows\system32\ANYM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1336

C:\windows\system\OLY.exe

C:\windows\system\OLY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\POOM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 872

C:\windows\SysWOW64\POOM.exe

C:\windows\system32\POOM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IGEW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1236

C:\windows\IGEW.exe

C:\windows\IGEW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1336

C:\windows\system\QUR.exe

C:\windows\system\QUR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHWTZGR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 960

C:\windows\SysWOW64\VHWTZGR.exe

C:\windows\system32\VHWTZGR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1292

C:\windows\JNCQGQT.exe

C:\windows\JNCQGQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAHWQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2316 -ip 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1328

C:\windows\SysWOW64\RAHWQO.exe

C:\windows\system32\RAHWQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BQURYW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 988

C:\windows\BQURYW.exe

C:\windows\BQURYW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLYKE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 872

C:\windows\SysWOW64\HLYKE.exe

C:\windows\system32\HLYKE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DWOIS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1688 -ip 1688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1328

C:\windows\SysWOW64\DWOIS.exe

C:\windows\system32\DWOIS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCOU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1264

C:\windows\system\QCOU.exe

C:\windows\system\QCOU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PSIXPNS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1260

C:\windows\system\PSIXPNS.exe

C:\windows\system\PSIXPNS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 960

C:\windows\SysWOW64\GNG.exe

C:\windows\system32\GNG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VSL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1292

C:\windows\VSL.exe

C:\windows\VSL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NQDRVI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1300

C:\windows\NQDRVI.exe

C:\windows\NQDRVI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HLI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1296

C:\windows\HLI.exe

C:\windows\HLI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EESDJMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1336

C:\windows\system\EESDJMD.exe

C:\windows\system\EESDJMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCYXQU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1328

C:\windows\SysWOW64\OCYXQU.exe

C:\windows\system32\OCYXQU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCIZUY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1328

C:\windows\SysWOW64\LCIZUY.exe

C:\windows\system32\LCIZUY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VANUJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2684 -ip 2684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1324

C:\windows\VANUJ.exe

C:\windows\VANUJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MICZW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1328

C:\windows\SysWOW64\MICZW.exe

C:\windows\system32\MICZW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1308

C:\windows\SysWOW64\QQI.exe

C:\windows\system32\QQI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BJLS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1336

C:\windows\system\BJLS.exe

C:\windows\system\BJLS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CHTBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 964

C:\windows\CHTBT.exe

C:\windows\CHTBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XUYKDZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2692 -ip 2692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1352

C:\windows\XUYKDZG.exe

C:\windows\XUYKDZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FACRGG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1304

C:\windows\FACRGG.exe

C:\windows\FACRGG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LAKE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1304

C:\windows\LAKE.exe

C:\windows\LAKE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TOX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2416 -ip 2416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1296

C:\windows\TOX.exe

C:\windows\TOX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TRNH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960

C:\windows\system\TRNH.exe

C:\windows\system\TRNH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGGBU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1328

C:\windows\SysWOW64\VGGBU.exe

C:\windows\system32\VGGBU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJKFIVS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2396 -ip 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1328

C:\windows\SysWOW64\OJKFIVS.exe

C:\windows\system32\OJKFIVS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUADOYO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1240

C:\windows\SysWOW64\JUADOYO.exe

C:\windows\system32\JUADOYO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 960

C:\windows\SysWOW64\RKB.exe

C:\windows\system32\RKB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KDJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1268 -ip 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1300

C:\windows\SysWOW64\KDJ.exe

C:\windows\system32\KDJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FJDKX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4608 -ip 4608

C:\windows\system\FJDKX.exe

C:\windows\system\FJDKX.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 960

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 988

C:\windows\CGBHEBP.exe

C:\windows\CGBHEBP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUIK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 976

C:\windows\SysWOW64\BUIK.exe

C:\windows\system32\BUIK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LSV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1308

C:\windows\system\LSV.exe

C:\windows\system\LSV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HPGMHFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 988

C:\windows\HPGMHFV.exe

C:\windows\HPGMHFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 988

C:\windows\system\BDNSMHS.exe

C:\windows\system\BDNSMHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTTSY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2344 -ip 2344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1328

C:\windows\SysWOW64\FTTSY.exe

C:\windows\system32\FTTSY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLJDI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1268 -ip 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1256

C:\windows\SysWOW64\YLJDI.exe

C:\windows\system32\YLJDI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRGA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1004

C:\windows\system\NRGA.exe

C:\windows\system\NRGA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\APO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1328

C:\windows\SysWOW64\APO.exe

C:\windows\system32\APO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DCTVB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 836 -ip 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 976

C:\windows\system\DCTVB.exe

C:\windows\system\DCTVB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNQAT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1272

C:\windows\system\PNQAT.exe

C:\windows\system\PNQAT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YVKFWRM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 612 -ip 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1336

C:\windows\system\YVKFWRM.exe

C:\windows\system\YVKFWRM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1632 -ip 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1316

C:\windows\system\GBXMHP.exe

C:\windows\system\GBXMHP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OTG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 960

C:\windows\system\OTG.exe

C:\windows\system\OTG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 960

C:\windows\SysWOW64\UGJ.exe

C:\windows\system32\UGJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1300

C:\windows\MPLT.exe

C:\windows\MPLT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MNFVYRX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1220 -ip 1220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 996

C:\windows\MNFVYRX.exe

C:\windows\MNFVYRX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXOWLVM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1328

C:\windows\SysWOW64\UXOWLVM.exe

C:\windows\system32\UXOWLVM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VVW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 988

C:\windows\VVW.exe

C:\windows\VVW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KQFJZS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1324

C:\windows\KQFJZS.exe

C:\windows\KQFJZS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGGJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1336

C:\windows\system\SGGJ.exe

C:\windows\system\SGGJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NRXZUYN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2176 -ip 2176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1296

C:\windows\NRXZUYN.exe

C:\windows\NRXZUYN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WRZE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1324

C:\windows\WRZE.exe

C:\windows\WRZE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSYSOY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1308

C:\windows\SysWOW64\CSYSOY.exe

C:\windows\system32\CSYSOY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INKTUN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 988

C:\windows\SysWOW64\INKTUN.exe

C:\windows\system32\INKTUN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDEBXL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1328

C:\windows\SysWOW64\MDEBXL.exe

C:\windows\system32\MDEBXL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PQVCQFK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1328

C:\windows\SysWOW64\PQVCQFK.exe

C:\windows\system32\PQVCQFK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NMV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1000 -ip 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 960

C:\windows\NMV.exe

C:\windows\NMV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GEK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2132 -ip 2132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 960

C:\windows\GEK.exe

C:\windows\GEK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HHOSK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 988

C:\windows\HHOSK.exe

C:\windows\HHOSK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SADDT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1240

C:\windows\SysWOW64\SADDT.exe

C:\windows\system32\SADDT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKGT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1328

C:\windows\SysWOW64\RKGT.exe

C:\windows\system32\RKGT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VTNBOQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3804 -ip 3804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1336

C:\windows\system\VTNBOQ.exe

C:\windows\system\VTNBOQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TLPRX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1316

C:\windows\system\TLPRX.exe

C:\windows\system\TLPRX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LMEOK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 960

C:\windows\system\LMEOK.exe

C:\windows\system\LMEOK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RHD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 872

C:\windows\RHD.exe

C:\windows\RHD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZSAYR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 960

C:\windows\SysWOW64\KZSAYR.exe

C:\windows\system32\KZSAYR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\USCHC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1300

C:\windows\system\USCHC.exe

C:\windows\system\USCHC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYAXR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1336

C:\windows\system\RYAXR.exe

C:\windows\system\RYAXR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GOVOZKF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960

C:\windows\SysWOW64\GOVOZKF.exe

C:\windows\system32\GOVOZKF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VJFSK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3668 -ip 3668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1324

C:\windows\VJFSK.exe

C:\windows\VJFSK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WHNBUH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 872

C:\windows\WHNBUH.exe

C:\windows\WHNBUH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCWO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1308

C:\windows\SysWOW64\LCWO.exe

C:\windows\system32\LCWO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BSXFM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4688 -ip 4688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1324

C:\windows\BSXFM.exe

C:\windows\BSXFM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YSZPPT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1300

C:\windows\SysWOW64\YSZPPT.exe

C:\windows\system32\YSZPPT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WISKK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 960

C:\windows\SysWOW64\WISKK.exe

C:\windows\system32\WISKK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGATNJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1316

C:\windows\system\XGATNJ.exe

C:\windows\system\XGATNJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DGHH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1308

C:\windows\system\DGHH.exe

C:\windows\system\DGHH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1308

C:\windows\SysWOW64\UPWM.exe

C:\windows\system32\UPWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ACNNN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3884 -ip 3884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1336

C:\windows\system\ACNNN.exe

C:\windows\system\ACNNN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TFZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1264

C:\windows\SysWOW64\TFZ.exe

C:\windows\system32\TFZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BLD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 612 -ip 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1304

C:\windows\BLD.exe

C:\windows\BLD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LIRKT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 960

C:\windows\SysWOW64\LIRKT.exe

C:\windows\system32\LIRKT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 988

C:\windows\SysWOW64\ALB.exe

C:\windows\system32\ALB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGESJEC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1328

C:\windows\SysWOW64\TGESJEC.exe

C:\windows\system32\TGESJEC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 988

C:\windows\system\IWFR.exe

C:\windows\system\IWFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KUL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1336

C:\windows\system\KUL.exe

C:\windows\system\KUL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUTRO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1336

C:\windows\system\QUTRO.exe

C:\windows\system\QUTRO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RIM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2188 -ip 2188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 960

C:\windows\RIM.exe

C:\windows\RIM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZDJCEZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1304

C:\windows\ZDJCEZG.exe

C:\windows\ZDJCEZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HRWIPXB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 960

C:\windows\HRWIPXB.exe

C:\windows\HRWIPXB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUZMU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 960

C:\windows\SysWOW64\ZUZMU.exe

C:\windows\system32\ZUZMU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TMH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1004

C:\windows\TMH.exe

C:\windows\TMH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZMGO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3128 -ip 3128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1356

C:\windows\SysWOW64\NZMGO.exe

C:\windows\system32\NZMGO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MKOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 960

C:\windows\MKOW.exe

C:\windows\MKOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QADWJMS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 960

C:\windows\QADWJMS.exe

C:\windows\QADWJMS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGIDTL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4112 -ip 4112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1308

C:\windows\SysWOW64\YGIDTL.exe

C:\windows\system32\YGIDTL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWVV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 960

C:\windows\SysWOW64\VWVV.exe

C:\windows\system32\VWVV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HOYNK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1308

C:\windows\SysWOW64\HOYNK.exe

C:\windows\system32\HOYNK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WEMFROA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3804 -ip 3804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 964

C:\windows\system\WEMFROA.exe

C:\windows\system\WEMFROA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 956 -ip 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 988

C:\windows\system\YCFZYD.exe

C:\windows\system\YCFZYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EXQALAY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1260

C:\windows\EXQALAY.exe

C:\windows\EXQALAY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIUZRR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1336

C:\windows\system\RIUZRR.exe

C:\windows\system\RIUZRR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZOZFBP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1244

C:\windows\ZOZFBP.exe

C:\windows\ZOZFBP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZPE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 960

C:\windows\SysWOW64\NZPE.exe

C:\windows\system32\NZPE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YHW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1316

C:\windows\system\YHW.exe

C:\windows\system\YHW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KUVKZMC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1324

C:\windows\KUVKZMC.exe

C:\windows\KUVKZMC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKCK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 988

C:\windows\system\OKCK.exe

C:\windows\system\OKCK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FKQPY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1336

C:\windows\system\FKQPY.exe

C:\windows\system\FKQPY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SVUODN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2396 -ip 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 988

C:\windows\system\SVUODN.exe

C:\windows\system\SVUODN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CTA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308

C:\windows\system\CTA.exe

C:\windows\system\CTA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTCNWS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1308

C:\windows\system\MTCNWS.exe

C:\windows\system\MTCNWS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QJIV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3164 -ip 3164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 988

C:\windows\QJIV.exe

C:\windows\QJIV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LMZMOWI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2164 -ip 2164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1336

C:\windows\system\LMZMOWI.exe

C:\windows\system\LMZMOWI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EPDPBM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960

C:\windows\system\EPDPBM.exe

C:\windows\system\EPDPBM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TFEHAZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1324

C:\windows\TFEHAZG.exe

C:\windows\TFEHAZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IANTT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 872

C:\windows\IANTT.exe

C:\windows\IANTT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1304

C:\windows\XQO.exe

C:\windows\XQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VRWYJJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 960

C:\windows\system\VRWYJJ.exe

C:\windows\system\VRWYJJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JMHZP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1272

C:\windows\SysWOW64\JMHZP.exe

C:\windows\system32\JMHZP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FCBH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 988

C:\windows\FCBH.exe

C:\windows\FCBH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPNIG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1264

C:\windows\SysWOW64\TPNIG.exe

C:\windows\system32\TPNIG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RQV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1364

C:\windows\system\RQV.exe

C:\windows\system\RQV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QIXEX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1296

C:\windows\QIXEX.exe

C:\windows\QIXEX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWCVIBD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 960

C:\windows\SysWOW64\LWCVIBD.exe

C:\windows\system32\LWCVIBD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZTJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 988

C:\windows\SysWOW64\TZTJ.exe

C:\windows\system32\TZTJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PHN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 960

C:\windows\PHN.exe

C:\windows\PHN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XUZGKIW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1296

C:\windows\XUZGKIW.exe

C:\windows\XUZGKIW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YPDBPY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3492 -ip 3492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1336

C:\windows\system\YPDBPY.exe

C:\windows\system\YPDBPY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANJW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1220

C:\windows\SysWOW64\ANJW.exe

C:\windows\system32\ANJW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1328

C:\windows\system\AQN.exe

C:\windows\system\AQN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\COAMS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 960

C:\windows\system\COAMS.exe

C:\windows\system\COAMS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DREP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 884

C:\windows\SysWOW64\DREP.exe

C:\windows\system32\DREP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JMQI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 988

C:\windows\SysWOW64\JMQI.exe

C:\windows\system32\JMQI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CFXT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 992

C:\windows\CFXT.exe

C:\windows\CFXT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HFTWHIA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1336

C:\windows\system\HFTWHIA.exe

C:\windows\system\HFTWHIA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JVMQOXQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1236

C:\windows\JVMQOXQ.exe

C:\windows\JVMQOXQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1004

C:\windows\KYD.exe

C:\windows\KYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VRGF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1304

C:\windows\VRGF.exe

C:\windows\VRGF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OJVQU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1324

C:\windows\OJVQU.exe

C:\windows\OJVQU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEMQZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1268

C:\windows\system\NEMQZ.exe

C:\windows\system\NEMQZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IPD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 960

C:\windows\IPD.exe

C:\windows\IPD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 960

C:\windows\SysWOW64\QVH.exe

C:\windows\system32\QVH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYLRDQX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1248

C:\windows\system\IYLRDQX.exe

C:\windows\system\IYLRDQX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOURJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3844 -ip 3844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 988

C:\windows\system\YOURJ.exe

C:\windows\system\YOURJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1316

C:\windows\system\LYD.exe

C:\windows\system\LYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZKDH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1328

C:\windows\SysWOW64\RZKDH.exe

C:\windows\system32\RZKDH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QKNT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 960

C:\windows\system\QKNT.exe

C:\windows\system\QKNT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KXSDSX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1328

C:\windows\SysWOW64\KXSDSX.exe

C:\windows\system32\KXSDSX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1256

C:\windows\SysWOW64\LAW.exe

C:\windows\system32\LAW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SQXYEI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 988

C:\windows\SQXYEI.exe

C:\windows\SQXYEI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIMJV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4320 -ip 4320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1328

C:\windows\SysWOW64\MIMJV.exe

C:\windows\system32\MIMJV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AEKCK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 364 -ip 364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1000

C:\windows\SysWOW64\AEKCK.exe

C:\windows\system32\AEKCK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NOGA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1324

C:\windows\NOGA.exe

C:\windows\NOGA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LCFBUET.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1316

C:\windows\system\LCFBUET.exe

C:\windows\system\LCFBUET.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QHYQKZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1240

C:\windows\SysWOW64\QHYQKZ.exe

C:\windows\system32\QHYQKZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SFDLR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1336

C:\windows\system\SFDLR.exe

C:\windows\system\SFDLR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UNMH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3532 -ip 3532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1304

C:\windows\system\UNMH.exe

C:\windows\system\UNMH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGNBMNH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1316

C:\windows\system\UGNBMNH.exe

C:\windows\system\UGNBMNH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJFLWR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4980 -ip 4980

C:\windows\system\UJFLWR.exe

C:\windows\system\UJFLWR.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HMJSB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 960

C:\windows\SysWOW64\HMJSB.exe

C:\windows\system32\HMJSB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KUWGR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1272

C:\windows\system\KUWGR.exe

C:\windows\system\KUWGR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZKXYQJX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1324

C:\windows\ZKXYQJX.exe

C:\windows\ZKXYQJX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PILP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1328

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4448-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\QLOLKHL.exe.bat

MD5 3c99781f9478464953da1b7676ad724c
SHA1 72a1ca3190d2f087708fd3d51c764fbbd6a75587
SHA256 a804e186f827311f2ba4879cf106d436affe86c4f78015a81152a67748603a27
SHA512 8084c92fdf9eccbfb66c595fc75a28e687a1b62fd4997ce3a0732d49cd884bd7d6e606d426d13b7d5f9fc02bdb892221450d74b71e4cd502e96e57437acae394

C:\Windows\QLOLKHL.exe

MD5 c278a6e1932ff97390299898fdebb5ab
SHA1 40954480881de00d9add45d988ce3210112b3e61
SHA256 eb0f5a22679c4175d0a8d31189653480be2134c6d587291a54b503afd10944c7
SHA512 859d35dedb543bc9707394046c2126090473d4affd34d0ffa90b0bf1f9fe9928a907bd51c075f63c2ab1a460abb7735b341d8c3faba6f1935b2ec6205cc752c5

memory/4828-10-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\BER.exe

MD5 067c2e52f0dc90a82adb4871626ba281
SHA1 64b475937655f15fd630c153978884b2d339ede4
SHA256 323083302dc45220701a4475929c2d4be3c1816e0864e0c04087e7c55fe583c5
SHA512 35c12cfcc633fa4813c5432997cd210fa5f4c964ee572043d8f3537a30e54a771414b00e1352d3cbb094731cd34a6329155fc9827d1b0c473f4d49362befe1f1

C:\windows\system\BER.exe.bat

MD5 e1592069a207a74803e86c9cf75e91f9
SHA1 99b119b0352d3773dcf63b93bb392884337a9b2b
SHA256 53a93995e3f978914e067668b0111a31e593b7208e488944fb804258deca92a6
SHA512 a3e4b342f8b7d01e39dd2bd919cdd4a77f1c47de6648b8d193d4304fb20dea37ce94bf3dd1558049e30eccb38a63d1ec0a326730965dfe131c1c7ea7939b9d68

memory/2720-22-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4448-23-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\HZDX.exe.bat

MD5 66d6c2f3aa651beae99846ac95bece02
SHA1 170553b76ff48fcc1da066ed46ff7a29f996f6c1
SHA256 8abe0a04bdf2b4fc0b33a7f1dfd116775891009af7088abcba7706979daf91d7
SHA512 bd6806317ae109042fbb48dc04fc179ab2207f7c105caf6282b9214c3a22007cb548883800db19cf8361bc0b1e7e79214976ef4d9327bd6310a65154484089d6

memory/4284-33-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\HZDX.exe

MD5 2dbe81ac63470be2d5e1ad4a78fd93cf
SHA1 ca0cee8039466e47eaa156241bc9895210c3d83f
SHA256 95a98ac61fe324043e3f5f3bb34204f6c4f4d086ae3254619f0993f96e476af3
SHA512 7da85668a4ae1344d4bcda9a6cd9dafd06c3b5932916ec44fbbc3db863c0197780c5baf56d43e0266c860b254c24917ae7f9ffeb7b50ef7efd79426920a1bd80

memory/4828-35-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\EFV.exe.bat

MD5 d55b2444058f2c2a52bcf9ee29e6e7f1
SHA1 59e5f7ad691e9b43bfa93bd34750fcf6b219b545
SHA256 78ac79cfbe368a0330d27eda0004216e1851a291ca4861b2f9f20e8771be08e1
SHA512 df732b235e13e243021bd89a63c838d8b5cfccca6ba5be9d3f97d13afacf98692c07ae6714670ae9972920c2a462095c5cdf31e702f5f19fb71de95969dd4080

C:\Windows\SysWOW64\EFV.exe

MD5 bf67949c3e5f55f61f28aaf16e0dbaa2
SHA1 946ec5634f7068fdffc8733d4fcac388d3ef5801
SHA256 98f27924b02f9963b772c2c2b56bec1ac11efc757f9f4664209195dc13eccd64
SHA512 f7d111be1583ad199b53fdda3ba3f0086f2aeef572d42393ec2c4a72d489a537ab61aefef628b3b2b39be1209af16ed155585a2e13795f7bdfbec914498eb244

memory/2244-46-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2720-47-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\KAMNLJ.exe.bat

MD5 6b9d584d1731f71a17f5d6fb6bf22412
SHA1 d32d400d96c23dde9e374f3071b6d570241fc011
SHA256 1d3db1018de8e6bf2718f8294737ce598b6750b754d7ac5007c7b5f1675b2bb0
SHA512 d1898cb02c22d320f7f73ff345b1926bae9b7773f8ae25223feec0b8b5ca046b5712de920c172eec98668c064ebd704795e3479164904ad949f7af87c53d7a78

memory/4284-56-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3392-59-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\KAMNLJ.exe

MD5 66caf01ff9edaf99d973672b20b3e90b
SHA1 c9062634d2111bff910e71d7de72eec669436038
SHA256 ee615bfb1243e9621accb2b495b7aff52c0bfed7968c1995e0138c620b5de9f1
SHA512 0d5d1d90fcb8d8be6a83dca9f58b10b66bc3e84091acc6711dad9b3625c590f0e9098c2fea4c1ec0a9fa0ca297f0766e78ea18287b5fc08a256d0e28e3083fe2

C:\windows\WQFNGNI.exe.bat

MD5 d24842857e2891656c56051ed0cfac3a
SHA1 90fd406b69827654949d6eae035801602a373d18
SHA256 c8ea26a65e296d8a26ea174d1f984c196bb7f88ac9c2952e45f0ca8665e34e97
SHA512 a598a7b0eac1bdcc062e7a174f39d3ce3bdabce655288874faa0f6aa5ba4682510e133019b89c0dfaa579e495ef2d3c06c10ce2f9ab470a2bae8b10c2a0f8e4e

memory/1716-70-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2244-71-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\YYOKNH.exe.bat

MD5 a76461a41f9f99aad60aa02da152f653
SHA1 15477717be699f10d1235c7ac62baa4a3fccd272
SHA256 2242379ae8ef22a0ba39c7681eb40066377b57853fd7e6e888e43ad14f7a5800
SHA512 d8c2d350806155f6302f401c5e73a5a9663d673889763d2dc513309b170f6d29727c68329aa2ee27a306cf194bfbf64961e004026f8db76cfc10abf912eac15d

memory/3392-80-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1348-83-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\YYOKNH.exe

MD5 b6517986d3b91541fe7ddc56a746bee2
SHA1 c5b8e60c2688b6040aaa4527faefc5aa51e092ec
SHA256 dc6578bc3fc4799332b143bbee3335e5015c7ccc1c7d8de45ab7960cc17ef75b
SHA512 d543d71bc629666b1b7d49f1dcf951d807c397f1dfef21dc651a2bf0d51c67d852a129d4d0ae4cf907cfd417bf1771f7b745dcf92be64686b99a068de6a146a7

memory/1716-90-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\IZQPR.exe.bat

MD5 43daf3bfd936f56fccf6781d1dce466e
SHA1 c0c8e87c08a8da8b56aae874a9126432fb7244ee
SHA256 5489735f20f90a97640b53ac66fe0ebd2dbc06c9f07f2f8ba39aae2d69344e0c
SHA512 f519ea4415f51467cb29f5aaf2bedc58e4ed2316818fe71057d1245de429ec5baeef76126a103d8ee4befe524185709222465f088893f49cd88588120db05bf8

C:\windows\system\IZQPR.exe

MD5 96c60684ba2a2b4fe776c6f1b271dfe9
SHA1 541976716800aff7ab0d19bc3df68f0a6750373a
SHA256 ddd9005c4b351c40d47f00406624e094a0f14a17141588750dd726e7dc1dc462
SHA512 b92f0be40612c703476335a2066ecd7ace56a9e12315f18128ffdf269ad3572be45be99ac24e44daa21f44441e8c3412fec98a76547d16a4c7e16e32c2791a80

memory/3516-95-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1348-102-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\ZHEMD.exe.bat

MD5 2266d284cad6010f5612ff54c7127f26
SHA1 2857b90a383a386a2300897c044b78cb58834b32
SHA256 0ceda16a1e7c43a5b96d42726f5de2cebf744064332f009c6d3ba2d81dff50c2
SHA512 763838a73dc43acf099553eee3d3463adf1d6feb8de4c965c061fb1e7d5592cec92d98e50432c2d3646a71bf38dd9a669b72fd67826890b0c3c57a26bc8d5bda

C:\Windows\System\ZHEMD.exe

MD5 e642b48dfadb9b58ff06fefb1aaaca0c
SHA1 1b80de49ddf5abf36d05cd5ecffdd84ee0f5a18c
SHA256 df6ccf53f08cd3e4b3e8037c3c21f3d05be575b76028a313e0dc6ccaf4a687a9
SHA512 bc9f8fab6885700b245230a0981605fc500301ab5934f68a78f3dd312dda880f561a86c531c98109afc58e2c0452440dcaf0fbad49cb04007ced0fcc5d888c31

memory/2360-107-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3516-114-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\AKUISF.exe

MD5 7b81d6dcacdea84cecf8c360779e625e
SHA1 24942b6f1848876ad5898c996306dc00d52167c7
SHA256 2dbb81379d26a7b6ccb1f190d287713f965c4f2ec5ed7e5ead39ac5ba0813f00
SHA512 2399d101342aaa5be3f28e4f22e700a6bef86ca89d5fe050b6c80ce23cdd190dbc0b5746fc2ef4433505924eaeea4327a9a105c6a473a9539c2d0d7457a855c1

C:\windows\system\AKUISF.exe.bat

MD5 9ac95ca71f77bdd0ce8f078f7f598a82
SHA1 7a4a94f8779e75a308d5ca0ba205861266cb454e
SHA256 76c157826dbe60d6824bb0f976a3c38e19e2378c138a1207672ce56f24795a39
SHA512 ef3fc171a75e1a77fcd5e9d12e9fd3ddd515d2f89422ab0032c130b3ac9e5b6e79fe5aab3e4f3c514968122a8fe982586e4a84d8793857ab6ccbb6b04177e285

memory/4504-119-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2360-126-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\ANYM.exe.bat

MD5 a5967031359f36d9e94fcc21efa228f4
SHA1 0b56e8bab0bf594c3015a6bcc66b7c3b86a2b89e
SHA256 20c4c83774a01e76d4db0d64173039470cd290115d7fccfdde4015afabef4a75
SHA512 0bfe382181f14e3c022ed8ded25dd5ade18d798fdca3150307a74fdde9ee5d610978897a19dfc545321f369ab39d57ab6b5867d2c63a933f370a86e4bbf860ed

C:\Windows\SysWOW64\ANYM.exe

MD5 ae97ec129f832b4468885f074a83b0cf
SHA1 2b3b56b53456ddebc40a83163f4ae668fafa6ea6
SHA256 96f484471a9504336edeb17ac31eb6ce05a122bfe9155bf97f5c445af332bf10
SHA512 52d23ad9bbc2b25f86972992773a3cc9f517d939485d5debee66eaeb1b7df4259c5256e0b263e81d29a632501e62cb33d7cf617a1723a96bcd00c8a07eee4b08

memory/232-131-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4504-138-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\OLY.exe.bat

MD5 ef554f1e32917900917ac16467cfcafb
SHA1 397b523e846ef62eb491d92956ec9a3b5b53dcbc
SHA256 ee7753f3ac482285602ca08dfb54b82ef0a05baadd2d24f48f72242542681d6f
SHA512 3b77fa5f4f0a6255e24a51a1f7795c6f99ef69eb44afb721ee0e771abb0423c0d8b715d6066069b6c5248a84c97e57f14f49611c6e63e73647ae062be677d751

C:\Windows\System\OLY.exe

MD5 c9f9457d044c097aa006ccea5deac590
SHA1 00b17b16c338f9fa75e30b686015a2448daa4705
SHA256 484db3c68d2cc93c52f8f75495eb95db5a05fa469ee970f7dbc229251668bda4
SHA512 ca89163c54eb13fe321a4f8a3efa021fc8a67d692a26c9f2e341410686a7c6b2338475ca115b60f4b23783957bd3c5a0f82dc0ad58520c4e901bc960fb60443b

memory/4856-143-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\POOM.exe.bat

MD5 63e8c2a1b09d3f4effea15fb030fc7c1
SHA1 93568866e06275c0536397ddeb45b9b72bb77a01
SHA256 fa2f7efaae2cd3e72e4d2daea48c3ca263bea6c9ae63f48e150698e57fb22545
SHA512 a3ace9ce326444d847ef03f9ec4194ea581776585fe387dff0e90c5269011a0bea895de5233c4d68697482874e5bd540d05e28ddf65a561b9ebe4876c12a4d11

memory/2276-153-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\POOM.exe

MD5 60101c6cdd54b9de70004be230976e36
SHA1 f1b90975772a30253cac3b549ee7831a8ffea278
SHA256 345b8a46ae38484dbd00f7b2d4ba6d2223c739b9b70b0f4eb37d1b23be6dc97a
SHA512 0a5a39e3762d5513c0a0e0e8e95798949f8140bd7ac8d9232e5ea1a0acf96e6142e59dada5bf06189f5f50425d931d242c50fa4845c0a79f45f07975d4291d80

memory/232-154-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\IGEW.exe.bat

MD5 2e9e76798045742893dc3eb880e43107
SHA1 3f458b51241d9b53c7760508e4e99578ccff8728
SHA256 058d7605b8828166647f513ab09c809f592d8f24d3ecb46c378d4cb88f26006b
SHA512 37e8cbdf2b7f26999d02c99e2048fe65a2c82e60087585dbe9b8a474949795e06186f7fedde3cc262f59c551b7680d132a494f963021288ec63bc210a54aa4a4

memory/4856-166-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5020-167-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\QUR.exe.bat

MD5 558e9ddfbe7d42c84cca9d7f89bf2fb8
SHA1 1edbcfce95697e024b531402c0bd3d3fb02124b0
SHA256 85dc07f9c24cfb5c937c4965c8070d37aeb0f900ec1f178ca7bd894930e47f57
SHA512 ee54478faf4037e375b74067701e1f9c84f83fd740eda066b1a3ecc79017c1d5104518652da573b5dc8468e367f3fd32811f4895bb65dd7732ed18e23a642e3d

memory/2276-175-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4620-178-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\QUR.exe

MD5 e5fd8f5e1d85d112b0ee3694df45d8b9
SHA1 1aa9f2a2d7fbdc747e0b96678941801bba710891
SHA256 e26db9a7352d342055784ba9c8018eff8adf307e0a5d524c6204b10582929775
SHA512 5cedbc5b555bd2cd24e7241afbddf0e69fa87e5c61a3c5cc5211b9ea7aeb33a1ffe301df11a533728e15a3ac97c9040fc11e721d3b0e13eae3d151b23c2bcb1a

memory/5020-180-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\VHWTZGR.exe.bat

MD5 4c81ad6efedb25a0ddc82aa902afd2bf
SHA1 339d42da20fe2c7641994b0fd4e6e00fec2fafad
SHA256 f3be29a6d2176beef5e1324659a1128a6148ccdbd504823c57ead38d1be87e4c
SHA512 98102843de310c8fe9190026212a1a6f4071825db793f4384e74c28e1aaf062b21a822e54470be6c1a099d19336c8a7e8fabdc2d5dbf1f37434d68f103a3e3e1

C:\Windows\SysWOW64\VHWTZGR.exe

MD5 bc792ddd070a2eecbd341ba2966e11ec
SHA1 615f8176270d6bf71c7f0f0fa017240a066b1b7f
SHA256 2a92dc9f4bd0fa158ff8f5b4a69eff736b423d92f37689d5fa9d474631c5e636
SHA512 ccd395fa3ae1593c6e7cc310bc2ba19d78ab37a0867a0edcb00ab11c931b187a6a4c4b84d2a3df9b797028e443e33a368ee25c01c504b1bf4c8dbfbd6b7a1764

memory/2056-191-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4620-198-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\JNCQGQT.exe.bat

MD5 54242b1ce5a6c535a0929676fda4ad69
SHA1 71076c1a5795195a1a7d7ba4b98c7b2351b6c016
SHA256 140812ebe791339dc11379b633788adeb4bb31d57a70840c155e7288e562564f
SHA512 7bdac734c5a521a06f7fdfcc82e6f06d443feab87319ca59ffb87f2c027a7d1c0afc941f86f7ba91d80f7a972e922700eb1626ab147fff63453b3f8a80d109d6

memory/2316-203-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\JNCQGQT.exe

MD5 947988713a1a4542800a05f9eda06797
SHA1 4b0289d25b263befd726fca51b2679dd902ae754
SHA256 71eb0a219aa526bb120ef69041c39488d53d9e93ec6d48ed8934b2967f67a6bd
SHA512 d2d75dfadf0b10122fa10583716c0a5a1cfdd703af2a30bb1e546bd87f3c0beb72c32484add2c1f8fa82739a4ace9b99b3f1e237eba2d16eff11bf4d056ad56c

C:\windows\SysWOW64\RAHWQO.exe.bat

MD5 2a9ece55cde1a306907d071328b894b3
SHA1 c305e484c3b99c9d9bd345f73579904b08b74403
SHA256 4bf884e0aab596241069d575adce7ab8b2fb6cf05e6239b759d4b3800154404e
SHA512 9824619bbb42515bc0e33a3ec160143f03b16f5034dcc41e475ed946ec8bf753e05aec509193973dda8047c404aca27a238637fded33d76eaf7df2a89dc57248

memory/4980-213-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\RAHWQO.exe

MD5 e9e608cd5a6ba8477a44e4522dc5b914
SHA1 7775a6b43e371dbb13f2ad90133e15abd4a96f21
SHA256 66c156d047c7f880145f7a9298c530e375f38af247bf5bcdce6b66f45c998c3d
SHA512 7fa1bcc55dbe27cdcbb0d54da8c455cfb2c48e6afbc416dd226a8d1ca601a217a305cc1b09628343b71fbcc0c969b9acbd26258f35d439a89767933143a9aaac

memory/2056-215-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2316-222-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\BQURYW.exe.bat

MD5 6eb784536ac9d6c20c571d2a79ed7b92
SHA1 cdaeb64c82cc0ef411dced0de41e9da8ecde1f24
SHA256 be591e589f84aa04bc8acc4d86bb4fc8ea1e4ee0b63c5c8c5e20e555debdcd29
SHA512 bed80d9920a6d11a7b2116db9b59fb5b9692a0c614014bbc026c9721c276b70b442dc41f9378126554ca71652d141ccfde00863a3fad8df587cc26e000cdb773

C:\Windows\BQURYW.exe

MD5 3e430436f78d4fe49f5538df819b24bf
SHA1 5829580a3e9ad6ab9cbf676c3217fd3f3f555e87
SHA256 50815e91b692a2d9551d11b346b1042908d3b5d4003e714ce3eebfe3179406b9
SHA512 bf32de2d0f82659925b60c4ea80b6c2cf72fc82f30d75d97119dd706552126945355ec4cb270b0682839e276296fca6cd11eb0fe73f84d9d8a21870e8cde6e0a

memory/3592-227-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4980-234-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\HLYKE.exe.bat

MD5 6ee932c2a944ece705d17cfa887dbecc
SHA1 a58566bd6a9c672ade6bbd699f62cccb15994ab0
SHA256 65cbe313885a87250c4cf75a8342ac3a84f4fad02b336fc8faf8fa6c22b9cf39
SHA512 6ee47ab1c8c6184033bcc42d7985761f6c7888ad6f5f24cab8e454f69ab8fcc2f8f2ac30aee3e5ae470c511c8b3994efcd40e4d3de18513ccbbcc6d4f65afb9c

C:\Windows\SysWOW64\HLYKE.exe

MD5 9cb2b56fc8b55867611a5f5872329387
SHA1 9852642fe9e5ae0ec318e7d8f659bb116bfff62e
SHA256 d066ea4c21753025702cf3c8c62a06cbfcb01ad353ce735b873b4c27c82daae0
SHA512 e886e5e9f5cc570d94823e90d5b9d03b1d1aee7b822cff0001274d89931bc8a9e10ea72bde179febeee0496be54f9cb2f51acae393911294ea5ee1def5e20cb9

memory/1688-239-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\DWOIS.exe.bat

MD5 64fb519a672a659f5ea97afe7665f210
SHA1 a1f3b4365f993f698f6e68e11fd8c65f8eb68bfe
SHA256 06533e4c5087a27dd05ea6bb3f91fbc3d9740173e32cde35869023ecadfd2e3d
SHA512 745492da7684751b10db3042f1929a784992296339b3fa664c60f5e44a213e70260d4db7e28fb3726189310e909f59a7a5ebd0eceeb616fa23d34183cc0554d8

C:\Windows\SysWOW64\DWOIS.exe

MD5 3d889471a4405234e75d9cb73479eb26
SHA1 18d9dc09d2745028254ec575814049ee4de5b392
SHA256 157bf69068e1f1a10a2329698c87fbeec64389934085b09f5d9b037ced9671c1
SHA512 95425a82d542b7dbb43b77a8e57fd68460c37eabb3ac1851047fba2cb2f2bd13426bb5f15ef4c612408a037ccd3d29fa653002fa219e65d86097c3ca20716fea

memory/3592-251-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3272-250-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\QCOU.exe.bat

MD5 d6a977983d0d3e59efa6ff4dc7ec0360
SHA1 ab13bf51dcd3c144b2b6549beca0dda70b1f51c4
SHA256 5b42fd687066692bf47a2db749ef89406d002c50ae79d408928b7e759969694d
SHA512 a37385b327b9a0b73f794e0a9352601b547984c5b8cbbaabda3a84d23329f30595d2b70241b85e245f12a57e9e9a79409d89e4189b0b940fa251d1b2d22d8694

memory/1216-260-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1688-261-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3080-269-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3272-270-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2748-279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1216-278-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2936-287-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3080-288-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2748-295-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4260-297-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3592-305-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2936-306-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-314-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4260-315-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2244-323-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3592-324-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-333-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2684-332-0x0000000000400000-0x0000000000439000-memory.dmp

memory/820-341-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2244-342-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2684-349-0x0000000000400000-0x0000000000439000-memory.dmp

memory/232-351-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3920-359-0x0000000000400000-0x0000000000439000-memory.dmp

memory/820-360-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3152-368-0x0000000000400000-0x0000000000439000-memory.dmp

memory/232-369-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3920-376-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2692-378-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3600-386-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3152-387-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4856-395-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2692-396-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2416-404-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3600-405-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3972-413-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4856-414-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2416-421-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4472-423-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2396-431-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3972-432-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4472-441-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4568-440-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4984-449-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2396-450-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4568-457-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1268-459-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4984-466-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4608-468-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1268-469-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1948-477-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3400-485-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4608-486-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1948-493-0x0000000000400000-0x0000000000439000-memory.dmp

memory/864-495-0x0000000000400000-0x0000000000439000-memory.dmp