Malware Analysis Report

2024-10-24 20:04

Sample ID 240531-acj79sgc53
Target 6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
SHA256 cd9fb30ef57e1c6e3b294282f81f5aee65f508f4d63956dc36a6927164d68a8c
Tags: backdoor, dropper, trojan, berbew
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: cd9fb30ef57e1c6e3b294282f81f5aee65f508f4d63956dc36a6927164d68a8c

Threat Level: Known bad

The file 6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-31 00:03

Signatures

Berbew family
Tags: berbew

Malware Dropper & Backdoor - Berbew
Tags: backdoor, trojan, dropper
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Unsigned PE
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 00:03
Reported: 2024-05-31 00:06
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew
Tags: backdoor, trojan, dropper
19 hits recorded, none with indicator details (Description, Indicator, Process and Target all N/A).

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\IBAA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZKLVYEF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SMLFOYR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\BWSWLO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\LIWM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\UVZKUQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\YFFBOQN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\DECMQX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\FPGPB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZHJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\FQBXNA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\FWGC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HTBFT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\ICAP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\JOCCOOO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZOVE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ILSEMYY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\SQQCDI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\FSDAUQG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZXUQQV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ACSVMO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\PAU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\MGQJMK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\OVGT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\HDB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\BJJSCPL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\FJNYEC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\LVZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\FWZFY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UXTWX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\XWMSNF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\GDEL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\EXTK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\KXMJD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\LCFY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\NSIJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\VWI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\AECYJT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\QGCIPB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\VFXR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\JGKXF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZTL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\FHXCVL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\YBU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\EAMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\DPAQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\IIZQF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\WAYMK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\YDGKHI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\BES.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\QRAEM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\SZXSYU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZHVMU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\AWFBTJM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\CBP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NYGXXW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\LPODS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\QVYEZM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\QJRIWB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\QSERSH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\BZJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\OPO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NNFZXAD.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\AKGRMX.exe N/A
N/A N/A C:\windows\system\PQMGB.exe N/A
N/A N/A C:\windows\system\FQH.exe N/A
N/A N/A C:\windows\SysWOW64\SBLZPKE.exe N/A
N/A N/A C:\windows\system\FETQDNA.exe N/A
N/A N/A C:\windows\IUCMKHD.exe N/A
N/A N/A C:\windows\OPO.exe N/A
N/A N/A C:\windows\SysWOW64\RDFP.exe N/A
N/A N/A C:\windows\SysWOW64\KQE.exe N/A
N/A N/A C:\windows\SysWOW64\YBU.exe N/A
N/A N/A C:\windows\YWYH.exe N/A
N/A N/A C:\windows\XPOXARJ.exe N/A
N/A N/A C:\windows\ZFHRYF.exe N/A
N/A N/A C:\windows\SysWOW64\WFRUKKA.exe N/A
N/A N/A C:\windows\SysWOW64\NNFZXAD.exe N/A
N/A N/A C:\windows\system\BJJSCPL.exe N/A
N/A N/A C:\windows\KWTKS.exe N/A
N/A N/A C:\windows\EJMIYHW.exe N/A
N/A N/A C:\windows\system\KXMJD.exe N/A
N/A N/A C:\windows\system\SKQQO.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\SysWOW64\FBN.exe N/A
N/A N/A C:\windows\HWEK.exe N/A
N/A N/A C:\windows\SysWOW64\QWGPNGK.exe N/A
N/A N/A C:\windows\ZKLVYEF.exe N/A
N/A N/A C:\windows\system\IIZQF.exe N/A
N/A N/A C:\windows\SysWOW64\ZSCG.exe N/A
N/A N/A C:\windows\system\AWFBTJM.exe N/A
N/A N/A C:\windows\system\PRP.exe N/A
N/A N/A C:\windows\SysWOW64\COXR.exe N/A
N/A N/A C:\windows\XKCBQP.exe N/A
N/A N/A C:\windows\FPGPB.exe N/A
N/A N/A C:\windows\LPODS.exe N/A
N/A N/A C:\windows\TVAKD.exe N/A
N/A N/A C:\windows\SODA.exe N/A
N/A N/A C:\windows\system\LGTL.exe N/A
N/A N/A C:\windows\SysWOW64\CPHI.exe N/A
N/A N/A C:\windows\ZHJ.exe N/A
N/A N/A C:\windows\SysWOW64\SKNOQYC.exe N/A
N/A N/A C:\windows\system\QVYEZM.exe N/A
N/A N/A C:\windows\system\FQBXNA.exe N/A
N/A N/A C:\windows\system\QJRIWB.exe N/A
N/A N/A C:\windows\VJSSA.exe N/A
N/A N/A C:\windows\system\XHGFQ.exe N/A
N/A N/A C:\windows\SysWOW64\UXTWX.exe N/A
N/A N/A C:\windows\LIWM.exe N/A
N/A N/A C:\windows\EAMX.exe N/A
N/A N/A C:\windows\JBASKRC.exe N/A
N/A N/A C:\windows\SysWOW64\LZB.exe N/A
N/A N/A C:\windows\LCFY.exe N/A
N/A N/A C:\windows\SysWOW64\JCMLFYV.exe N/A
N/A N/A C:\windows\system\VFXR.exe N/A
N/A N/A C:\windows\system\NSIJ.exe N/A
N/A N/A C:\windows\XLR.exe N/A
N/A N/A C:\windows\SysWOW64\IEUBRSJ.exe N/A
N/A N/A C:\windows\JGKXF.exe N/A
N/A N/A C:\windows\SysWOW64\UZFQFI.exe N/A
N/A N/A C:\windows\EXTK.exe N/A
N/A N/A C:\windows\RVTWXUL.exe N/A
N/A N/A C:\windows\SysWOW64\QSERSH.exe N/A
N/A N/A C:\windows\SysWOW64\PDPHS.exe N/A
N/A N/A C:\windows\SysWOW64\CBP.exe N/A
N/A N/A C:\windows\SysWOW64\FWGC.exe N/A
N/A N/A C:\windows\system\VHJ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\SysWOW64\AAZQRNG.exe C:\windows\SysWOW64\GMGADAR.exe N/A
File created C:\windows\SysWOW64\OWPDSQ.exe C:\windows\system\MYOBU.exe N/A
File created C:\windows\SysWOW64\BWSWLO.exe C:\windows\SysWOW64\CYGTYBP.exe N/A
File opened for modification C:\windows\SysWOW64\HSHHG.exe C:\windows\system\SKYIZKU.exe N/A
File opened for modification C:\windows\SysWOW64\YBU.exe C:\windows\SysWOW64\KQE.exe N/A
File created C:\windows\SysWOW64\SMZ.exe C:\windows\SysWOW64\SYM.exe N/A
File created C:\windows\SysWOW64\XWMSNF.exe C:\windows\SysWOW64\NYGXXW.exe N/A
File opened for modification C:\windows\SysWOW64\OXTP.exe C:\windows\SysWOW64\NZMGO.exe N/A
File created C:\windows\SysWOW64\GDEL.exe.bat C:\windows\system\RIUZRR.exe N/A
File opened for modification C:\windows\SysWOW64\UEER.exe C:\windows\system\DECMQX.exe N/A
File opened for modification C:\windows\SysWOW64\QGCIPB.exe C:\windows\MYVICI.exe N/A
File created C:\windows\SysWOW64\HSHHG.exe C:\windows\system\SKYIZKU.exe N/A
File created C:\windows\SysWOW64\XRUWVMJ.exe.bat C:\windows\SysWOW64\LJOW.exe N/A
File created C:\windows\SysWOW64\SYM.exe.bat C:\windows\SysWOW64\MJBO.exe N/A
File created C:\windows\SysWOW64\NYGXXW.exe.bat C:\windows\SysWOW64\PFDH.exe N/A
File created C:\windows\SysWOW64\NZMGO.exe C:\windows\system\VWI.exe N/A
File opened for modification C:\windows\SysWOW64\XRUWVMJ.exe C:\windows\SysWOW64\LJOW.exe N/A
File created C:\windows\SysWOW64\XWMSNF.exe.bat C:\windows\SysWOW64\NYGXXW.exe N/A
File created C:\windows\SysWOW64\BWSWLO.exe.bat C:\windows\SysWOW64\CYGTYBP.exe N/A
File created C:\windows\SysWOW64\ZSCG.exe C:\windows\system\IIZQF.exe N/A
File created C:\windows\SysWOW64\SQQCDI.exe.bat C:\windows\system\FTQQBWB.exe N/A
File created C:\windows\SysWOW64\FJNYEC.exe C:\windows\system\AECIN.exe N/A
File created C:\windows\SysWOW64\UIGYXBA.exe.bat C:\windows\SysWOW64\SKNEZM.exe N/A
File created C:\windows\SysWOW64\QGCIPB.exe C:\windows\MYVICI.exe N/A
File created C:\windows\SysWOW64\AAZQRNG.exe C:\windows\SysWOW64\GMGADAR.exe N/A
File opened for modification C:\windows\SysWOW64\RBCFS.exe C:\windows\IBAA.exe N/A
File opened for modification C:\windows\SysWOW64\SMZ.exe C:\windows\SysWOW64\SYM.exe N/A
File opened for modification C:\windows\SysWOW64\JOCCOOO.exe C:\windows\system\LVZ.exe N/A
File created C:\windows\SysWOW64\OVGT.exe.bat C:\windows\YFFBOQN.exe N/A
File created C:\windows\SysWOW64\EVLDAFK.exe C:\windows\HDB.exe N/A
File created C:\windows\SysWOW64\FBN.exe.bat C:\windows\system\EGJELZR.exe N/A
File created C:\windows\SysWOW64\UXTWX.exe C:\windows\system\XHGFQ.exe N/A
File opened for modification C:\windows\SysWOW64\KKW.exe C:\windows\SysWOW64\GCTXA.exe N/A
File created C:\windows\SysWOW64\QSERSH.exe C:\windows\RVTWXUL.exe N/A
File created C:\windows\SysWOW64\QSERSH.exe.bat C:\windows\RVTWXUL.exe N/A
File opened for modification C:\windows\SysWOW64\IOLJY.exe C:\windows\system\ZRYPQ.exe N/A
File opened for modification C:\windows\SysWOW64\EVLDAFK.exe C:\windows\HDB.exe N/A
File created C:\windows\SysWOW64\QWGPNGK.exe C:\windows\HWEK.exe N/A
File created C:\windows\SysWOW64\SKNOQYC.exe C:\windows\ZHJ.exe N/A
File opened for modification C:\windows\SysWOW64\SKNOQYC.exe C:\windows\ZHJ.exe N/A
File opened for modification C:\windows\SysWOW64\JCMLFYV.exe C:\windows\LCFY.exe N/A
File created C:\windows\SysWOW64\HSHHG.exe.bat C:\windows\system\SKYIZKU.exe N/A
File created C:\windows\SysWOW64\GCTXA.exe C:\windows\system\LWHTPOV.exe N/A
File created C:\windows\SysWOW64\KUJQK.exe.bat C:\windows\SysWOW64\RBCFS.exe N/A
File created C:\windows\SysWOW64\SKNOQYC.exe.bat C:\windows\ZHJ.exe N/A
File opened for modification C:\windows\SysWOW64\LZB.exe C:\windows\JBASKRC.exe N/A
File created C:\windows\SysWOW64\SKNEZM.exe C:\windows\KEAPON.exe N/A
File opened for modification C:\windows\SysWOW64\XWMSNF.exe C:\windows\SysWOW64\NYGXXW.exe N/A
File opened for modification C:\windows\SysWOW64\RDFP.exe C:\windows\OPO.exe N/A
File created C:\windows\SysWOW64\WFRUKKA.exe C:\windows\ZFHRYF.exe N/A
File created C:\windows\SysWOW64\WFRUKKA.exe.bat C:\windows\ZFHRYF.exe N/A
File opened for modification C:\windows\SysWOW64\CPHI.exe C:\windows\system\LGTL.exe N/A
File created C:\windows\SysWOW64\RBCFS.exe.bat C:\windows\IBAA.exe N/A
File created C:\windows\SysWOW64\OXTP.exe C:\windows\SysWOW64\NZMGO.exe N/A
File opened for modification C:\windows\SysWOW64\TBXB.exe C:\windows\JBV.exe N/A
File created C:\windows\SysWOW64\CYGTYBP.exe C:\windows\DOW.exe N/A
File opened for modification C:\windows\SysWOW64\GCTXA.exe C:\windows\system\LWHTPOV.exe N/A
File opened for modification C:\windows\SysWOW64\KUJQK.exe C:\windows\SysWOW64\RBCFS.exe N/A
File opened for modification C:\windows\SysWOW64\QSERSH.exe C:\windows\RVTWXUL.exe N/A
File opened for modification C:\windows\SysWOW64\FWGC.exe C:\windows\SysWOW64\CBP.exe N/A
File created C:\windows\SysWOW64\PFDH.exe C:\windows\SysWOW64\ZXUQQV.exe N/A
File created C:\windows\SysWOW64\EVLDAFK.exe.bat C:\windows\HDB.exe N/A
File created C:\windows\SysWOW64\HXSZ.exe.bat C:\windows\system\ICAP.exe N/A
File created C:\windows\SysWOW64\NZMGO.exe.bat C:\windows\system\VWI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\HWEK.exe.bat C:\windows\SysWOW64\FBN.exe N/A
File created C:\windows\FSDAUQG.exe C:\windows\SysWOW64\DUX.exe N/A
File created C:\windows\system\YCFZYD.exe C:\windows\DPAQ.exe N/A
File opened for modification C:\windows\QUZWSEY.exe C:\windows\NHIMZS.exe N/A
File created C:\windows\system\SKYIZKU.exe.bat C:\windows\ZHVMU.exe N/A
File created C:\windows\system\FQH.exe.bat C:\windows\system\PQMGB.exe N/A
File created C:\windows\YWYH.exe.bat C:\windows\SysWOW64\YBU.exe N/A
File opened for modification C:\windows\system\IYBJ.exe C:\windows\system\UBBXX.exe N/A
File opened for modification C:\windows\JBV.exe C:\windows\system\LQSG.exe N/A
File created C:\windows\system\QIWRN.exe C:\windows\OFMKV.exe N/A
File created C:\windows\system\KXMJD.exe C:\windows\EJMIYHW.exe N/A
File created C:\windows\system\NSIJ.exe.bat C:\windows\system\VFXR.exe N/A
File opened for modification C:\windows\system\AWFBTJM.exe C:\windows\SysWOW64\ZSCG.exe N/A
File created C:\windows\system\QJRIWB.exe.bat C:\windows\system\FQBXNA.exe N/A
File opened for modification C:\windows\VJSSA.exe C:\windows\system\QJRIWB.exe N/A
File created C:\windows\JBASKRC.exe.bat C:\windows\EAMX.exe N/A
File created C:\windows\YFFBOQN.exe.bat C:\windows\system\DUXDAOR.exe N/A
File created C:\windows\GWUU.exe.bat C:\windows\ILSEMYY.exe N/A
File opened for modification C:\windows\OPO.exe C:\windows\IUCMKHD.exe N/A
File opened for modification C:\windows\system\BJJSCPL.exe C:\windows\SysWOW64\NNFZXAD.exe N/A
File created C:\windows\system\WFHMAAL.exe C:\windows\SysWOW64\HPGU.exe N/A
File created C:\windows\OFMKV.exe C:\windows\system\CCB.exe N/A
File created C:\windows\system\FWZFY.exe C:\windows\system\PGMOQ.exe N/A
File opened for modification C:\windows\BZJ.exe C:\windows\KPGX.exe N/A
File opened for modification C:\windows\system\QUDY.exe C:\windows\AECYJT.exe N/A
File created C:\windows\PZFZ.exe.bat C:\windows\SysWOW64\OWPDSQ.exe N/A
File created C:\windows\JGKXF.exe.bat C:\windows\SysWOW64\IEUBRSJ.exe N/A
File created C:\windows\system\DNW.exe.bat C:\windows\system\VHJ.exe N/A
File opened for modification C:\windows\system\LVZ.exe C:\windows\SysWOW64\OXTP.exe N/A
File created C:\windows\QBJX.exe C:\windows\SysWOW64\GDEL.exe N/A
File created C:\windows\CHTUH.exe.bat C:\windows\SysWOW64\IOLJY.exe N/A
File created C:\windows\QUZWSEY.exe C:\windows\NHIMZS.exe N/A
File created C:\windows\HDB.exe.bat C:\windows\QUZWSEY.exe N/A
File created C:\windows\SRO.exe C:\windows\SysWOW64\DBNJ.exe N/A
File created C:\windows\system\AWFBTJM.exe C:\windows\SysWOW64\ZSCG.exe N/A
File opened for modification C:\windows\EAMX.exe C:\windows\LIWM.exe N/A
File created C:\windows\system\PGMOQ.exe C:\windows\SysWOW64\HSHHG.exe N/A
File opened for modification C:\windows\system\UBBXX.exe C:\windows\PAU.exe N/A
File created C:\windows\KWTKS.exe.bat C:\windows\system\BJJSCPL.exe N/A
File created C:\windows\ZTL.exe.bat C:\windows\VLEUR.exe N/A
File created C:\windows\system\VFXR.exe C:\windows\SysWOW64\JCMLFYV.exe N/A
File created C:\windows\SMLFOYR.exe.bat C:\windows\SysWOW64\XRUWVMJ.exe N/A
File opened for modification C:\windows\system\CCB.exe C:\windows\PZFZ.exe N/A
File created C:\windows\ZHVMU.exe C:\windows\SysWOW64\BWSWLO.exe N/A
File created C:\windows\XKCBQP.exe.bat C:\windows\SysWOW64\COXR.exe N/A
File created C:\windows\SODA.exe C:\windows\TVAKD.exe N/A
File created C:\windows\EXTK.exe C:\windows\SysWOW64\UZFQFI.exe N/A
File opened for modification C:\windows\system\FTQQBWB.exe C:\windows\SysWOW64\INXBLTG.exe N/A
File created C:\windows\PAU.exe.bat C:\windows\CPJWXZ.exe N/A
File opened for modification C:\windows\XLR.exe C:\windows\system\NSIJ.exe N/A
File opened for modification C:\windows\JGKXF.exe C:\windows\SysWOW64\IEUBRSJ.exe N/A
File created C:\windows\VJSSA.exe C:\windows\system\QJRIWB.exe N/A
File created C:\windows\system\BES.exe.bat C:\windows\SysWOW64\XWMSNF.exe N/A
File opened for modification C:\windows\system\SZXSYU.exe C:\windows\QBJX.exe N/A
File opened for modification C:\windows\PZFZ.exe C:\windows\SysWOW64\OWPDSQ.exe N/A
File opened for modification C:\windows\ZHVMU.exe C:\windows\SysWOW64\BWSWLO.exe N/A
File created C:\windows\system\EGJELZR.exe C:\windows\AQDW.exe N/A
File created C:\windows\system\PRP.exe.bat C:\windows\system\AWFBTJM.exe N/A
File created C:\windows\VLEUR.exe.bat C:\windows\SysWOW64\AAWVCOW.exe N/A
File created C:\windows\ILSEMYY.exe C:\windows\SysWOW64\EVLDAFK.exe N/A
File created C:\windows\KEAPON.exe C:\windows\system\REL.exe N/A
File opened for modification C:\windows\FHXCVL.exe C:\windows\MGQJMK.exe N/A
File opened for modification C:\windows\system\FWZFY.exe C:\windows\system\PGMOQ.exe N/A
File opened for modification C:\windows\ZFHRYF.exe C:\windows\XPOXARJ.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\AKGRMX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PQMGB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FQH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\SBLZPKE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FETQDNA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IUCMKHD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\OPO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RDFP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\KQE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\YBU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YWYH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XPOXARJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZFHRYF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\WFRUKKA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NNFZXAD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BJJSCPL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\KWTKS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\EJMIYHW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\KXMJD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\SKQQO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\AQDW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EGJELZR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\FBN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\HWEK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\QWGPNGK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZKLVYEF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\IIZQF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ZSCG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\AWFBTJM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PRP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\COXR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XKCBQP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\FPGPB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LPODS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\TVAKD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SODA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\LGTL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\CPHI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ZHJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\SKNOQYC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QVYEZM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FQBXNA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QJRIWB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VJSSA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\XHGFQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UXTWX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LIWM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\EAMX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JBASKRC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LZB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LCFY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JCMLFYV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VFXR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NSIJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XLR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\IEUBRSJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JGKXF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UZFQFI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\EXTK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\RVTWXUL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\QSERSH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\PDPHS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\CBP.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
N/A N/A C:\windows\AKGRMX.exe N/A
N/A N/A C:\windows\AKGRMX.exe N/A
N/A N/A C:\windows\system\PQMGB.exe N/A
N/A N/A C:\windows\system\PQMGB.exe N/A
N/A N/A C:\windows\system\FQH.exe N/A
N/A N/A C:\windows\system\FQH.exe N/A
N/A N/A C:\windows\SysWOW64\SBLZPKE.exe N/A
N/A N/A C:\windows\SysWOW64\SBLZPKE.exe N/A
N/A N/A C:\windows\system\FETQDNA.exe N/A
N/A N/A C:\windows\system\FETQDNA.exe N/A
N/A N/A C:\windows\IUCMKHD.exe N/A
N/A N/A C:\windows\IUCMKHD.exe N/A
N/A N/A C:\windows\OPO.exe N/A
N/A N/A C:\windows\OPO.exe N/A
N/A N/A C:\windows\SysWOW64\RDFP.exe N/A
N/A N/A C:\windows\SysWOW64\RDFP.exe N/A
N/A N/A C:\windows\SysWOW64\KQE.exe N/A
N/A N/A C:\windows\SysWOW64\KQE.exe N/A
N/A N/A C:\windows\SysWOW64\YBU.exe N/A
N/A N/A C:\windows\SysWOW64\YBU.exe N/A
N/A N/A C:\windows\YWYH.exe N/A
N/A N/A C:\windows\YWYH.exe N/A
N/A N/A C:\windows\XPOXARJ.exe N/A
N/A N/A C:\windows\XPOXARJ.exe N/A
N/A N/A C:\windows\ZFHRYF.exe N/A
N/A N/A C:\windows\ZFHRYF.exe N/A
N/A N/A C:\windows\SysWOW64\WFRUKKA.exe N/A
N/A N/A C:\windows\SysWOW64\WFRUKKA.exe N/A
N/A N/A C:\windows\SysWOW64\NNFZXAD.exe N/A
N/A N/A C:\windows\SysWOW64\NNFZXAD.exe N/A
N/A N/A C:\windows\system\BJJSCPL.exe N/A
N/A N/A C:\windows\system\BJJSCPL.exe N/A
N/A N/A C:\windows\KWTKS.exe N/A
N/A N/A C:\windows\KWTKS.exe N/A
N/A N/A C:\windows\EJMIYHW.exe N/A
N/A N/A C:\windows\EJMIYHW.exe N/A
N/A N/A C:\windows\system\KXMJD.exe N/A
N/A N/A C:\windows\system\KXMJD.exe N/A
N/A N/A C:\windows\AQDW.exe N/A
N/A N/A C:\windows\AQDW.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\SysWOW64\FBN.exe N/A
N/A N/A C:\windows\SysWOW64\FBN.exe N/A
N/A N/A C:\windows\HWEK.exe N/A
N/A N/A C:\windows\HWEK.exe N/A
N/A N/A C:\windows\SysWOW64\QWGPNGK.exe N/A
N/A N/A C:\windows\SysWOW64\QWGPNGK.exe N/A
N/A N/A C:\windows\ZKLVYEF.exe N/A
N/A N/A C:\windows\ZKLVYEF.exe N/A
N/A N/A C:\windows\system\IIZQF.exe N/A
N/A N/A C:\windows\system\IIZQF.exe N/A
N/A N/A C:\windows\SysWOW64\ZSCG.exe N/A
N/A N/A C:\windows\SysWOW64\ZSCG.exe N/A
N/A N/A C:\windows\system\AWFBTJM.exe N/A
N/A N/A C:\windows\system\AWFBTJM.exe N/A
N/A N/A C:\windows\system\PRP.exe N/A
N/A N/A C:\windows\system\PRP.exe N/A
N/A N/A C:\windows\SysWOW64\COXR.exe N/A
N/A N/A C:\windows\SysWOW64\COXR.exe N/A
N/A N/A C:\windows\XKCBQP.exe N/A
N/A N/A C:\windows\XKCBQP.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
N/A N/A C:\windows\AKGRMX.exe N/A
N/A N/A C:\windows\AKGRMX.exe N/A
N/A N/A C:\windows\system\PQMGB.exe N/A
N/A N/A C:\windows\system\PQMGB.exe N/A
N/A N/A C:\windows\system\FQH.exe N/A
N/A N/A C:\windows\system\FQH.exe N/A
N/A N/A C:\windows\SysWOW64\SBLZPKE.exe N/A
N/A N/A C:\windows\SysWOW64\SBLZPKE.exe N/A
N/A N/A C:\windows\system\FETQDNA.exe N/A
N/A N/A C:\windows\system\FETQDNA.exe N/A
N/A N/A C:\windows\IUCMKHD.exe N/A
N/A N/A C:\windows\IUCMKHD.exe N/A
N/A N/A C:\windows\OPO.exe N/A
N/A N/A C:\windows\OPO.exe N/A
N/A N/A C:\windows\SysWOW64\RDFP.exe N/A
N/A N/A C:\windows\SysWOW64\RDFP.exe N/A
N/A N/A C:\windows\SysWOW64\KQE.exe N/A
N/A N/A C:\windows\SysWOW64\KQE.exe N/A
N/A N/A C:\windows\SysWOW64\YBU.exe N/A
N/A N/A C:\windows\SysWOW64\YBU.exe N/A
N/A N/A C:\windows\YWYH.exe N/A
N/A N/A C:\windows\YWYH.exe N/A
N/A N/A C:\windows\XPOXARJ.exe N/A
N/A N/A C:\windows\XPOXARJ.exe N/A
N/A N/A C:\windows\ZFHRYF.exe N/A
N/A N/A C:\windows\ZFHRYF.exe N/A
N/A N/A C:\windows\SysWOW64\WFRUKKA.exe N/A
N/A N/A C:\windows\SysWOW64\WFRUKKA.exe N/A
N/A N/A C:\windows\SysWOW64\NNFZXAD.exe N/A
N/A N/A C:\windows\SysWOW64\NNFZXAD.exe N/A
N/A N/A C:\windows\system\BJJSCPL.exe N/A
N/A N/A C:\windows\system\BJJSCPL.exe N/A
N/A N/A C:\windows\KWTKS.exe N/A
N/A N/A C:\windows\KWTKS.exe N/A
N/A N/A C:\windows\EJMIYHW.exe N/A
N/A N/A C:\windows\EJMIYHW.exe N/A
N/A N/A C:\windows\system\KXMJD.exe N/A
N/A N/A C:\windows\system\KXMJD.exe N/A
N/A N/A C:\windows\AQDW.exe N/A
N/A N/A C:\windows\AQDW.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\SysWOW64\FBN.exe N/A
N/A N/A C:\windows\SysWOW64\FBN.exe N/A
N/A N/A C:\windows\HWEK.exe N/A
N/A N/A C:\windows\HWEK.exe N/A
N/A N/A C:\windows\SysWOW64\QWGPNGK.exe N/A
N/A N/A C:\windows\SysWOW64\QWGPNGK.exe N/A
N/A N/A C:\windows\ZKLVYEF.exe N/A
N/A N/A C:\windows\ZKLVYEF.exe N/A
N/A N/A C:\windows\system\IIZQF.exe N/A
N/A N/A C:\windows\system\IIZQF.exe N/A
N/A N/A C:\windows\SysWOW64\ZSCG.exe N/A
N/A N/A C:\windows\SysWOW64\ZSCG.exe N/A
N/A N/A C:\windows\system\AWFBTJM.exe N/A
N/A N/A C:\windows\system\AWFBTJM.exe N/A
N/A N/A C:\windows\system\PRP.exe N/A
N/A N/A C:\windows\system\PRP.exe N/A
N/A N/A C:\windows\SysWOW64\COXR.exe N/A
N/A N/A C:\windows\SysWOW64\COXR.exe N/A
N/A N/A C:\windows\XKCBQP.exe N/A
N/A N/A C:\windows\XKCBQP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\AKGRMX.exe
PID 1204 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\AKGRMX.exe
PID 1204 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\AKGRMX.exe
PID 5092 wrote to memory of 4780 N/A C:\windows\AKGRMX.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 4780 N/A C:\windows\AKGRMX.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 4780 N/A C:\windows\AKGRMX.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\PQMGB.exe
PID 4780 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\PQMGB.exe
PID 4780 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\PQMGB.exe
PID 4092 wrote to memory of 2368 N/A C:\windows\system\PQMGB.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2368 N/A C:\windows\system\PQMGB.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 2368 N/A C:\windows\system\PQMGB.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FQH.exe
PID 2368 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FQH.exe
PID 2368 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FQH.exe
PID 1564 wrote to memory of 2216 N/A C:\windows\system\FQH.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2216 N/A C:\windows\system\FQH.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2216 N/A C:\windows\system\FQH.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\SBLZPKE.exe
PID 2216 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\SBLZPKE.exe
PID 2216 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\SBLZPKE.exe
PID 3592 wrote to memory of 1428 N/A C:\windows\SysWOW64\SBLZPKE.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 1428 N/A C:\windows\SysWOW64\SBLZPKE.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 1428 N/A C:\windows\SysWOW64\SBLZPKE.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FETQDNA.exe
PID 1428 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FETQDNA.exe
PID 1428 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FETQDNA.exe
PID 4380 wrote to memory of 3820 N/A C:\windows\system\FETQDNA.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 3820 N/A C:\windows\system\FETQDNA.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 3820 N/A C:\windows\system\FETQDNA.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\IUCMKHD.exe
PID 3820 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\IUCMKHD.exe
PID 3820 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\IUCMKHD.exe
PID 1680 wrote to memory of 3696 N/A C:\windows\IUCMKHD.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3696 N/A C:\windows\IUCMKHD.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3696 N/A C:\windows\IUCMKHD.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OPO.exe
PID 3696 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OPO.exe
PID 3696 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OPO.exe
PID 688 wrote to memory of 1772 N/A C:\windows\OPO.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 1772 N/A C:\windows\OPO.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 1772 N/A C:\windows\OPO.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RDFP.exe
PID 1772 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RDFP.exe
PID 1772 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RDFP.exe
PID 1088 wrote to memory of 2612 N/A C:\windows\SysWOW64\RDFP.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2612 N/A C:\windows\SysWOW64\RDFP.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2612 N/A C:\windows\SysWOW64\RDFP.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\KQE.exe
PID 2612 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\KQE.exe
PID 2612 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\KQE.exe
PID 4444 wrote to memory of 5092 N/A C:\windows\SysWOW64\KQE.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 5092 N/A C:\windows\SysWOW64\KQE.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 5092 N/A C:\windows\SysWOW64\KQE.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YBU.exe
PID 5092 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YBU.exe
PID 5092 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YBU.exe
PID 2448 wrote to memory of 4960 N/A C:\windows\SysWOW64\YBU.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4960 N/A C:\windows\SysWOW64\YBU.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 4960 N/A C:\windows\SysWOW64\YBU.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YWYH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AKGRMX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 468 -ip 468

C:\windows\AKGRMX.exe

C:\windows\AKGRMX.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 996

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PQMGB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 988

C:\windows\system\PQMGB.exe

C:\windows\system\PQMGB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1336

C:\windows\system\FQH.exe

C:\windows\system\FQH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBLZPKE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1564 -ip 1564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1296

C:\windows\SysWOW64\SBLZPKE.exe

C:\windows\system32\SBLZPKE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 960

C:\windows\system\FETQDNA.exe

C:\windows\system\FETQDNA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IUCMKHD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1324

C:\windows\IUCMKHD.exe

C:\windows\IUCMKHD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OPO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1324

C:\windows\OPO.exe

C:\windows\OPO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RDFP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1004

C:\windows\SysWOW64\RDFP.exe

C:\windows\system32\RDFP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 960

C:\windows\SysWOW64\KQE.exe

C:\windows\system32\KQE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 976

C:\windows\SysWOW64\YBU.exe

C:\windows\system32\YBU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YWYH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1324

C:\windows\YWYH.exe

C:\windows\YWYH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XPOXARJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4916 -ip 4916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 988

C:\windows\XPOXARJ.exe

C:\windows\XPOXARJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZFHRYF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1324

C:\windows\ZFHRYF.exe

C:\windows\ZFHRYF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WFRUKKA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 960

C:\windows\SysWOW64\WFRUKKA.exe

C:\windows\system32\WFRUKKA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNFZXAD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1328

C:\windows\SysWOW64\NNFZXAD.exe

C:\windows\system32\NNFZXAD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BJJSCPL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 964

C:\windows\system\BJJSCPL.exe

C:\windows\system\BJJSCPL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KWTKS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 988

C:\windows\KWTKS.exe

C:\windows\KWTKS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EJMIYHW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1324

C:\windows\EJMIYHW.exe

C:\windows\EJMIYHW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXMJD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1336

C:\windows\system\KXMJD.exe

C:\windows\system\KXMJD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKQQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1272

C:\windows\system\SKQQO.exe

C:\windows\system\SKQQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AQDW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1324

C:\windows\AQDW.exe

C:\windows\AQDW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1008

C:\windows\system\EGJELZR.exe

C:\windows\system\EGJELZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1328

C:\windows\SysWOW64\FBN.exe

C:\windows\system32\FBN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HWEK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1204

C:\windows\HWEK.exe

C:\windows\HWEK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWGPNGK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4144 -ip 4144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1328

C:\windows\SysWOW64\QWGPNGK.exe

C:\windows\system32\QWGPNGK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZKLVYEF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1236

C:\windows\ZKLVYEF.exe

C:\windows\ZKLVYEF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZQF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1248

C:\windows\system\IIZQF.exe

C:\windows\system\IIZQF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSCG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3192 -ip 3192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1260

C:\windows\SysWOW64\ZSCG.exe

C:\windows\system32\ZSCG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AWFBTJM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 988

C:\windows\system\AWFBTJM.exe

C:\windows\system\AWFBTJM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PRP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1304

C:\windows\system\PRP.exe

C:\windows\system\PRP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\COXR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 960

C:\windows\SysWOW64\COXR.exe

C:\windows\system32\COXR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XKCBQP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1324

C:\windows\XKCBQP.exe

C:\windows\XKCBQP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FPGPB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 960

C:\windows\FPGPB.exe

C:\windows\FPGPB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LPODS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1324

C:\windows\LPODS.exe

C:\windows\LPODS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TVAKD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2560 -ip 2560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 988

C:\windows\TVAKD.exe

C:\windows\TVAKD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SODA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1236

C:\windows\SODA.exe

C:\windows\SODA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGTL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 988

C:\windows\system\LGTL.exe

C:\windows\system\LGTL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1308

C:\windows\SysWOW64\CPHI.exe

C:\windows\system32\CPHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZHJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3788 -ip 3788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1236

C:\windows\ZHJ.exe

C:\windows\ZHJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNOQYC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4064 -ip 4064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1328

C:\windows\SysWOW64\SKNOQYC.exe

C:\windows\system32\SKNOQYC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QVYEZM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1276

C:\windows\system\QVYEZM.exe

C:\windows\system\QVYEZM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQBXNA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2420 -ip 2420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1336

C:\windows\system\FQBXNA.exe

C:\windows\system\FQBXNA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 976

C:\windows\system\QJRIWB.exe

C:\windows\system\QJRIWB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VJSSA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1324

C:\windows\VJSSA.exe

C:\windows\VJSSA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XHGFQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1248

C:\windows\system\XHGFQ.exe

C:\windows\system\XHGFQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXTWX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 960

C:\windows\SysWOW64\UXTWX.exe

C:\windows\system32\UXTWX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LIWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 976

C:\windows\LIWM.exe

C:\windows\LIWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EAMX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2672 -ip 2672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 960

C:\windows\EAMX.exe

C:\windows\EAMX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JBASKRC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1324

C:\windows\JBASKRC.exe

C:\windows\JBASKRC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2884 -ip 2884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1328

C:\windows\SysWOW64\LZB.exe

C:\windows\system32\LZB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LCFY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1256

C:\windows\LCFY.exe

C:\windows\LCFY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCMLFYV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1324

C:\windows\SysWOW64\JCMLFYV.exe

C:\windows\system32\JCMLFYV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFXR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4648 -ip 4648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1336

C:\windows\system\VFXR.exe

C:\windows\system\VFXR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSIJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 960

C:\windows\system\NSIJ.exe

C:\windows\system\NSIJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XLR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 912 -ip 912

C:\windows\XLR.exe

C:\windows\XLR.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1292

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEUBRSJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 960

C:\windows\SysWOW64\IEUBRSJ.exe

C:\windows\system32\IEUBRSJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JGKXF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324

C:\windows\JGKXF.exe

C:\windows\JGKXF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZFQFI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2176 -ip 2176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 988

C:\windows\SysWOW64\UZFQFI.exe

C:\windows\system32\UZFQFI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2476 -ip 2476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 988

C:\windows\EXTK.exe

C:\windows\EXTK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4164 -ip 4164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1324

C:\windows\RVTWXUL.exe

C:\windows\RVTWXUL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSERSH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3052 -ip 3052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1328

C:\windows\SysWOW64\QSERSH.exe

C:\windows\system32\QSERSH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDPHS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1328

C:\windows\SysWOW64\PDPHS.exe

C:\windows\system32\PDPHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2228 -ip 2228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1264

C:\windows\SysWOW64\CBP.exe

C:\windows\system32\CBP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWGC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1752 -ip 1752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 960

C:\windows\SysWOW64\FWGC.exe

C:\windows\system32\FWGC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2396 -ip 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1268

C:\windows\system\VHJ.exe

C:\windows\system\VHJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 988

C:\windows\system\DNW.exe

C:\windows\system\DNW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INXBLTG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1304

C:\windows\SysWOW64\INXBLTG.exe

C:\windows\system32\INXBLTG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTQQBWB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 988

C:\windows\system\FTQQBWB.exe

C:\windows\system\FTQQBWB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SQQCDI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1296

C:\windows\SysWOW64\SQQCDI.exe

C:\windows\system32\SQQCDI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AECIN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1316

C:\windows\system\AECIN.exe

C:\windows\system\AECIN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJNYEC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1616 -ip 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 988

C:\windows\SysWOW64\FJNYEC.exe

C:\windows\system32\FJNYEC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1296

C:\windows\SysWOW64\DUX.exe

C:\windows\system32\DUX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FSDAUQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1296

C:\windows\FSDAUQG.exe

C:\windows\FSDAUQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1436 -ip 1436

C:\windows\system\WAYMK.exe

C:\windows\system\WAYMK.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1328

C:\windows\SysWOW64\HTBFT.exe

C:\windows\system32\HTBFT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\REL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1336

C:\windows\system\REL.exe

C:\windows\system\REL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KEAPON.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1304

C:\windows\KEAPON.exe

C:\windows\KEAPON.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNEZM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1328

C:\windows\SysWOW64\SKNEZM.exe

C:\windows\system32\SKNEZM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIGYXBA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1332

C:\windows\SysWOW64\UIGYXBA.exe

C:\windows\system32\UIGYXBA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSVGP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3740 -ip 3740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1008

C:\windows\SysWOW64\BSVGP.exe

C:\windows\system32\BSVGP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UVZKUQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960

C:\windows\UVZKUQ.exe

C:\windows\UVZKUQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGKHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3376 -ip 3376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1004

C:\windows\SysWOW64\YDGKHI.exe

C:\windows\system32\YDGKHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1328

C:\windows\SysWOW64\LJOW.exe

C:\windows\system32\LJOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRUWVMJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308

C:\windows\SysWOW64\XRUWVMJ.exe

C:\windows\system32\XRUWVMJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SMLFOYR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1296

C:\windows\SMLFOYR.exe

C:\windows\SMLFOYR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFNISC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1308

C:\windows\system\XFNISC.exe

C:\windows\system\XFNISC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AVUI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3180 -ip 3180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 960

C:\windows\AVUI.exe

C:\windows\AVUI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJBO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 976

C:\windows\SysWOW64\MJBO.exe

C:\windows\system32\MJBO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1328

C:\windows\SysWOW64\SYM.exe

C:\windows\system32\SYM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3880 -ip 3880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 960

C:\windows\SysWOW64\SMZ.exe

C:\windows\system32\SMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICAP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960

C:\windows\system\ICAP.exe

C:\windows\system\ICAP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXSZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2760 -ip 2760

C:\windows\SysWOW64\HXSZ.exe

C:\windows\system32\HXSZ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1312

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAWVCOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1328

C:\windows\SysWOW64\AAWVCOW.exe

C:\windows\system32\AAWVCOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VLEUR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1324

C:\windows\VLEUR.exe

C:\windows\VLEUR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZTL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3260 -ip 3260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 988

C:\windows\ZTL.exe

C:\windows\ZTL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 960

C:\windows\system\LGS.exe

C:\windows\system\LGS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KPGX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 960

C:\windows\KPGX.exe

C:\windows\KPGX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BZJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1384 -ip 1384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1324

C:\windows\BZJ.exe

C:\windows\BZJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZXUQQV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1256

C:\windows\SysWOW64\ZXUQQV.exe

C:\windows\system32\ZXUQQV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3776 -ip 3776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 960

C:\windows\SysWOW64\PFDH.exe

C:\windows\system32\PFDH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 988

C:\windows\SysWOW64\NYGXXW.exe

C:\windows\system32\NYGXXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWMSNF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 324 -ip 324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1328

C:\windows\SysWOW64\XWMSNF.exe

C:\windows\system32\XWMSNF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 808 -ip 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 960

C:\windows\system\BES.exe

C:\windows\system\BES.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VWI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 988

C:\windows\system\VWI.exe

C:\windows\system\VWI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZMGO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960

C:\windows\SysWOW64\NZMGO.exe

C:\windows\system32\NZMGO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXTP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1328

C:\windows\SysWOW64\OXTP.exe

C:\windows\system32\OXTP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960

C:\windows\system\LVZ.exe

C:\windows\system\LVZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOCCOOO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 960

C:\windows\SysWOW64\JOCCOOO.exe

C:\windows\system32\JOCCOOO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XRTTC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 960

C:\windows\XRTTC.exe

C:\windows\XRTTC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QRAEM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1328

C:\windows\SysWOW64\QRAEM.exe

C:\windows\system32\QRAEM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DPAQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4124 -ip 4124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1324

C:\windows\DPAQ.exe

C:\windows\DPAQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3532 -ip 3532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 960

C:\windows\system\YCFZYD.exe

C:\windows\system\YCFZYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFJD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2940 -ip 2940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 960

C:\windows\SysWOW64\ZFJD.exe

C:\windows\system32\ZFJD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIUZRR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1120 -ip 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1336

C:\windows\system\RIUZRR.exe

C:\windows\system\RIUZRR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDEL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1328

C:\windows\SysWOW64\GDEL.exe

C:\windows\system32\GDEL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QBJX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 988

C:\windows\QBJX.exe

C:\windows\QBJX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZXSYU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1304

C:\windows\system\SZXSYU.exe

C:\windows\system\SZXSYU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AECYJT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1324

C:\windows\AECYJT.exe

C:\windows\AECYJT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUDY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4796 -ip 4796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 960

C:\windows\system\QUDY.exe

C:\windows\system\QUDY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JNSJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 960

C:\windows\JNSJ.exe

C:\windows\JNSJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LLYDHQU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1300

C:\windows\LLYDHQU.exe

C:\windows\LLYDHQU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1336

C:\windows\system\ZRYPQ.exe

C:\windows\system\ZRYPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOLJY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2316 -ip 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1328

C:\windows\SysWOW64\IOLJY.exe

C:\windows\system32\IOLJY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CHTUH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4300 -ip 4300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1324

C:\windows\CHTUH.exe

C:\windows\CHTUH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ACSVMO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1324

C:\windows\ACSVMO.exe

C:\windows\ACSVMO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CPJWXZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960

C:\windows\CPJWXZ.exe

C:\windows\CPJWXZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PAU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456

C:\windows\PAU.exe

C:\windows\PAU.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1324

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UBBXX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960

C:\windows\system\UBBXX.exe

C:\windows\system\UBBXX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYBJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1304

C:\windows\system\IYBJ.exe

C:\windows\system\IYBJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1256

C:\windows\MGQJMK.exe

C:\windows\MGQJMK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 940 -ip 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 960

C:\windows\FHXCVL.exe

C:\windows\FHXCVL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUXDAOR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1312

C:\windows\system\DUXDAOR.exe

C:\windows\system\DUXDAOR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YFFBOQN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1624 -ip 1624

C:\windows\YFFBOQN.exe

C:\windows\YFFBOQN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 988

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVGT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 680 -ip 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 960

C:\windows\SysWOW64\OVGT.exe

C:\windows\system32\OVGT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZOVE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2596 -ip 2596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1324

C:\windows\ZOVE.exe

C:\windows\ZOVE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1336

C:\windows\system\DECMQX.exe

C:\windows\system\DECMQX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEER.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1296

C:\windows\SysWOW64\UEER.exe

C:\windows\system32\UEER.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1016 -ip 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1316

C:\windows\NHIMZS.exe

C:\windows\NHIMZS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QUZWSEY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 988

C:\windows\QUZWSEY.exe

C:\windows\QUZWSEY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HDB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4916 -ip 4916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 960

C:\windows\HDB.exe

C:\windows\HDB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVLDAFK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 988

C:\windows\SysWOW64\EVLDAFK.exe

C:\windows\system32\EVLDAFK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ILSEMYY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1316

C:\windows\ILSEMYY.exe

C:\windows\ILSEMYY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GWUU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1256

C:\windows\GWUU.exe

C:\windows\GWUU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBNJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1328

C:\windows\SysWOW64\DBNJ.exe

C:\windows\system32\DBNJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SRO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 976

C:\windows\SRO.exe

C:\windows\SRO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RCQYA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1324

C:\windows\RCQYA.exe

C:\windows\RCQYA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MYVICI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1256

C:\windows\MYVICI.exe

C:\windows\MYVICI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGCIPB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2980 -ip 2980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1328

C:\windows\SysWOW64\QGCIPB.exe

C:\windows\system32\QGCIPB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQSG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1272

C:\windows\system\LQSG.exe

C:\windows\system\LQSG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JBV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 976

C:\windows\JBV.exe

C:\windows\JBV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TBXB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1328

C:\windows\SysWOW64\TBXB.exe

C:\windows\system32\TBXB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMGADAR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1328

C:\windows\SysWOW64\GMGADAR.exe

C:\windows\system32\GMGADAR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAZQRNG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1156 -ip 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1328

C:\windows\SysWOW64\AAZQRNG.exe

C:\windows\system32\AAZQRNG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WFXNYW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 988

C:\windows\WFXNYW.exe

C:\windows\WFXNYW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJUJV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1992 -ip 1992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1308

C:\windows\system\ELJUJV.exe

C:\windows\system\ELJUJV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYOBU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1228

C:\windows\system\MYOBU.exe

C:\windows\system\MYOBU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OWPDSQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 992

C:\windows\SysWOW64\OWPDSQ.exe

C:\windows\system32\OWPDSQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PZFZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 872

C:\windows\PZFZ.exe

C:\windows\PZFZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3028 -ip 3028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1336

C:\windows\system\CCB.exe

C:\windows\system\CCB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OFMKV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1292

C:\windows\OFMKV.exe

C:\windows\OFMKV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIWRN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1244

C:\windows\system\QIWRN.exe

C:\windows\system\QIWRN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2608 -ip 2608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 988

C:\windows\DOW.exe

C:\windows\DOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYGTYBP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2956 -ip 2956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1304

C:\windows\SysWOW64\CYGTYBP.exe

C:\windows\system32\CYGTYBP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BWSWLO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1300

C:\windows\SysWOW64\BWSWLO.exe

C:\windows\system32\BWSWLO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZHVMU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1324

C:\windows\ZHVMU.exe

C:\windows\ZHVMU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKYIZKU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1004

C:\windows\system\SKYIZKU.exe

C:\windows\system\SKYIZKU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960

C:\windows\SysWOW64\HSHHG.exe

C:\windows\system32\HSHHG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PGMOQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1336

C:\windows\system\PGMOQ.exe

C:\windows\system\PGMOQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FWZFY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960

C:\windows\system\FWZFY.exe

C:\windows\system\FWZFY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWHTPOV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1308

C:\windows\system\LWHTPOV.exe

C:\windows\system\LWHTPOV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GCTXA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1296

C:\windows\SysWOW64\GCTXA.exe

C:\windows\system32\GCTXA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1240

C:\windows\SysWOW64\KKW.exe

C:\windows\system32\KKW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPGU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1004

C:\windows\SysWOW64\HPGU.exe

C:\windows\system32\HPGU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFHMAAL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1336

C:\windows\system\WFHMAAL.exe

C:\windows\system\WFHMAAL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDUGH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2980 -ip 2980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 960

C:\windows\system\YDUGH.exe

C:\windows\system\YDUGH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IBAA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1260

C:\windows\IBAA.exe

C:\windows\IBAA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBCFS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 976

C:\windows\SysWOW64\RBCFS.exe

C:\windows\system32\RBCFS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUJQK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1328

C:\windows\SysWOW64\KUJQK.exe

C:\windows\system32\KUJQK.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 00:03

Reported

2024-05-31 00:06

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\system\JJQLUUH.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\system\JJQLUUH.exe C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
File opened for modification C:\windows\system\JJQLUUH.exe C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
File created C:\windows\system\JJQLUUH.exe.bat C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe N/A
N/A N/A C:\windows\system\JJQLUUH.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\JJQLUUH.exe.bat" "

C:\windows\system\JJQLUUH.exe

C:\windows\system\JJQLUUH.exe

Network

N/A

Files
