Analysis Overview
SHA256
cd9fb30ef57e1c6e3b294282f81f5aee65f508f4d63956dc36a6927164d68a8c
Threat Level: Known bad
The file 6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 00:03
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 00:03
Reported
2024-05-31 00:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\IBAA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZKLVYEF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SMLFOYR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\BWSWLO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\LIWM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\UVZKUQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\YFFBOQN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\DECMQX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\FPGPB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZHJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\FQBXNA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\FWGC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HTBFT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\ICAP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JOCCOOO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZOVE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ILSEMYY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\SQQCDI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\FSDAUQG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZXUQQV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ACSVMO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\PAU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\MGQJMK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\OVGT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\HDB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\BJJSCPL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\FJNYEC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\LVZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\FWZFY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UXTWX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XWMSNF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\GDEL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\EXTK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\KXMJD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\LCFY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\NSIJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\VWI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\AECYJT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QGCIPB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\VFXR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\JGKXF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZTL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\FHXCVL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YBU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\EAMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\DPAQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\IIZQF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\WAYMK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YDGKHI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\BES.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QRAEM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\SZXSYU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZHVMU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\AWFBTJM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CBP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\LPODS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\QVYEZM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\QJRIWB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\QSERSH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\BZJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\OPO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NNFZXAD.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\SysWOW64\AAZQRNG.exe | C:\windows\SysWOW64\GMGADAR.exe | N/A |
| File created | C:\windows\SysWOW64\OWPDSQ.exe | C:\windows\system\MYOBU.exe | N/A |
| File created | C:\windows\SysWOW64\BWSWLO.exe | C:\windows\SysWOW64\CYGTYBP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HSHHG.exe | C:\windows\system\SKYIZKU.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\YBU.exe | C:\windows\SysWOW64\KQE.exe | N/A |
| File created | C:\windows\SysWOW64\SMZ.exe | C:\windows\SysWOW64\SYM.exe | N/A |
| File created | C:\windows\SysWOW64\XWMSNF.exe | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OXTP.exe | C:\windows\SysWOW64\NZMGO.exe | N/A |
| File created | C:\windows\SysWOW64\GDEL.exe.bat | C:\windows\system\RIUZRR.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\UEER.exe | C:\windows\system\DECMQX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\QGCIPB.exe | C:\windows\MYVICI.exe | N/A |
| File created | C:\windows\SysWOW64\HSHHG.exe | C:\windows\system\SKYIZKU.exe | N/A |
| File created | C:\windows\SysWOW64\XRUWVMJ.exe.bat | C:\windows\SysWOW64\LJOW.exe | N/A |
| File created | C:\windows\SysWOW64\SYM.exe.bat | C:\windows\SysWOW64\MJBO.exe | N/A |
| File created | C:\windows\SysWOW64\NYGXXW.exe.bat | C:\windows\SysWOW64\PFDH.exe | N/A |
| File created | C:\windows\SysWOW64\NZMGO.exe | C:\windows\system\VWI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XRUWVMJ.exe | C:\windows\SysWOW64\LJOW.exe | N/A |
| File created | C:\windows\SysWOW64\XWMSNF.exe.bat | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| File created | C:\windows\SysWOW64\BWSWLO.exe.bat | C:\windows\SysWOW64\CYGTYBP.exe | N/A |
| File created | C:\windows\SysWOW64\ZSCG.exe | C:\windows\system\IIZQF.exe | N/A |
| File created | C:\windows\SysWOW64\SQQCDI.exe.bat | C:\windows\system\FTQQBWB.exe | N/A |
| File created | C:\windows\SysWOW64\FJNYEC.exe | C:\windows\system\AECIN.exe | N/A |
| File created | C:\windows\SysWOW64\UIGYXBA.exe.bat | C:\windows\SysWOW64\SKNEZM.exe | N/A |
| File created | C:\windows\SysWOW64\QGCIPB.exe | C:\windows\MYVICI.exe | N/A |
| File created | C:\windows\SysWOW64\AAZQRNG.exe | C:\windows\SysWOW64\GMGADAR.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RBCFS.exe | C:\windows\IBAA.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SMZ.exe | C:\windows\SysWOW64\SYM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JOCCOOO.exe | C:\windows\system\LVZ.exe | N/A |
| File created | C:\windows\SysWOW64\OVGT.exe.bat | C:\windows\YFFBOQN.exe | N/A |
| File created | C:\windows\SysWOW64\EVLDAFK.exe | C:\windows\HDB.exe | N/A |
| File created | C:\windows\SysWOW64\FBN.exe.bat | C:\windows\system\EGJELZR.exe | N/A |
| File created | C:\windows\SysWOW64\UXTWX.exe | C:\windows\system\XHGFQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KKW.exe | C:\windows\SysWOW64\GCTXA.exe | N/A |
| File created | C:\windows\SysWOW64\QSERSH.exe | C:\windows\RVTWXUL.exe | N/A |
| File created | C:\windows\SysWOW64\QSERSH.exe.bat | C:\windows\RVTWXUL.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\IOLJY.exe | C:\windows\system\ZRYPQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\EVLDAFK.exe | C:\windows\HDB.exe | N/A |
| File created | C:\windows\SysWOW64\QWGPNGK.exe | C:\windows\HWEK.exe | N/A |
| File created | C:\windows\SysWOW64\SKNOQYC.exe | C:\windows\ZHJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SKNOQYC.exe | C:\windows\ZHJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JCMLFYV.exe | C:\windows\LCFY.exe | N/A |
| File created | C:\windows\SysWOW64\HSHHG.exe.bat | C:\windows\system\SKYIZKU.exe | N/A |
| File created | C:\windows\SysWOW64\GCTXA.exe | C:\windows\system\LWHTPOV.exe | N/A |
| File created | C:\windows\SysWOW64\KUJQK.exe.bat | C:\windows\SysWOW64\RBCFS.exe | N/A |
| File created | C:\windows\SysWOW64\SKNOQYC.exe.bat | C:\windows\ZHJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LZB.exe | C:\windows\JBASKRC.exe | N/A |
| File created | C:\windows\SysWOW64\SKNEZM.exe | C:\windows\KEAPON.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XWMSNF.exe | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RDFP.exe | C:\windows\OPO.exe | N/A |
| File created | C:\windows\SysWOW64\WFRUKKA.exe | C:\windows\ZFHRYF.exe | N/A |
| File created | C:\windows\SysWOW64\WFRUKKA.exe.bat | C:\windows\ZFHRYF.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CPHI.exe | C:\windows\system\LGTL.exe | N/A |
| File created | C:\windows\SysWOW64\RBCFS.exe.bat | C:\windows\IBAA.exe | N/A |
| File created | C:\windows\SysWOW64\OXTP.exe | C:\windows\SysWOW64\NZMGO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\TBXB.exe | C:\windows\JBV.exe | N/A |
| File created | C:\windows\SysWOW64\CYGTYBP.exe | C:\windows\DOW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\GCTXA.exe | C:\windows\system\LWHTPOV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KUJQK.exe | C:\windows\SysWOW64\RBCFS.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\QSERSH.exe | C:\windows\RVTWXUL.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FWGC.exe | C:\windows\SysWOW64\CBP.exe | N/A |
| File created | C:\windows\SysWOW64\PFDH.exe | C:\windows\SysWOW64\ZXUQQV.exe | N/A |
| File created | C:\windows\SysWOW64\EVLDAFK.exe.bat | C:\windows\HDB.exe | N/A |
| File created | C:\windows\SysWOW64\HXSZ.exe.bat | C:\windows\system\ICAP.exe | N/A |
| File created | C:\windows\SysWOW64\NZMGO.exe.bat | C:\windows\system\VWI.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\HWEK.exe.bat | C:\windows\SysWOW64\FBN.exe | N/A |
| File created | C:\windows\FSDAUQG.exe | C:\windows\SysWOW64\DUX.exe | N/A |
| File created | C:\windows\system\YCFZYD.exe | C:\windows\DPAQ.exe | N/A |
| File opened for modification | C:\windows\QUZWSEY.exe | C:\windows\NHIMZS.exe | N/A |
| File created | C:\windows\system\SKYIZKU.exe.bat | C:\windows\ZHVMU.exe | N/A |
| File created | C:\windows\system\FQH.exe.bat | C:\windows\system\PQMGB.exe | N/A |
| File created | C:\windows\YWYH.exe.bat | C:\windows\SysWOW64\YBU.exe | N/A |
| File opened for modification | C:\windows\system\IYBJ.exe | C:\windows\system\UBBXX.exe | N/A |
| File opened for modification | C:\windows\JBV.exe | C:\windows\system\LQSG.exe | N/A |
| File created | C:\windows\system\QIWRN.exe | C:\windows\OFMKV.exe | N/A |
| File created | C:\windows\system\KXMJD.exe | C:\windows\EJMIYHW.exe | N/A |
| File created | C:\windows\system\NSIJ.exe.bat | C:\windows\system\VFXR.exe | N/A |
| File opened for modification | C:\windows\system\AWFBTJM.exe | C:\windows\SysWOW64\ZSCG.exe | N/A |
| File created | C:\windows\system\QJRIWB.exe.bat | C:\windows\system\FQBXNA.exe | N/A |
| File opened for modification | C:\windows\VJSSA.exe | C:\windows\system\QJRIWB.exe | N/A |
| File created | C:\windows\JBASKRC.exe.bat | C:\windows\EAMX.exe | N/A |
| File created | C:\windows\YFFBOQN.exe.bat | C:\windows\system\DUXDAOR.exe | N/A |
| File created | C:\windows\GWUU.exe.bat | C:\windows\ILSEMYY.exe | N/A |
| File opened for modification | C:\windows\OPO.exe | C:\windows\IUCMKHD.exe | N/A |
| File opened for modification | C:\windows\system\BJJSCPL.exe | C:\windows\SysWOW64\NNFZXAD.exe | N/A |
| File created | C:\windows\system\WFHMAAL.exe | C:\windows\SysWOW64\HPGU.exe | N/A |
| File created | C:\windows\OFMKV.exe | C:\windows\system\CCB.exe | N/A |
| File created | C:\windows\system\FWZFY.exe | C:\windows\system\PGMOQ.exe | N/A |
| File opened for modification | C:\windows\BZJ.exe | C:\windows\KPGX.exe | N/A |
| File opened for modification | C:\windows\system\QUDY.exe | C:\windows\AECYJT.exe | N/A |
| File created | C:\windows\PZFZ.exe.bat | C:\windows\SysWOW64\OWPDSQ.exe | N/A |
| File created | C:\windows\JGKXF.exe.bat | C:\windows\SysWOW64\IEUBRSJ.exe | N/A |
| File created | C:\windows\system\DNW.exe.bat | C:\windows\system\VHJ.exe | N/A |
| File opened for modification | C:\windows\system\LVZ.exe | C:\windows\SysWOW64\OXTP.exe | N/A |
| File created | C:\windows\QBJX.exe | C:\windows\SysWOW64\GDEL.exe | N/A |
| File created | C:\windows\CHTUH.exe.bat | C:\windows\SysWOW64\IOLJY.exe | N/A |
| File created | C:\windows\QUZWSEY.exe | C:\windows\NHIMZS.exe | N/A |
| File created | C:\windows\HDB.exe.bat | C:\windows\QUZWSEY.exe | N/A |
| File created | C:\windows\SRO.exe | C:\windows\SysWOW64\DBNJ.exe | N/A |
| File created | C:\windows\system\AWFBTJM.exe | C:\windows\SysWOW64\ZSCG.exe | N/A |
| File opened for modification | C:\windows\EAMX.exe | C:\windows\LIWM.exe | N/A |
| File created | C:\windows\system\PGMOQ.exe | C:\windows\SysWOW64\HSHHG.exe | N/A |
| File opened for modification | C:\windows\system\UBBXX.exe | C:\windows\PAU.exe | N/A |
| File created | C:\windows\KWTKS.exe.bat | C:\windows\system\BJJSCPL.exe | N/A |
| File created | C:\windows\ZTL.exe.bat | C:\windows\VLEUR.exe | N/A |
| File created | C:\windows\system\VFXR.exe | C:\windows\SysWOW64\JCMLFYV.exe | N/A |
| File created | C:\windows\SMLFOYR.exe.bat | C:\windows\SysWOW64\XRUWVMJ.exe | N/A |
| File opened for modification | C:\windows\system\CCB.exe | C:\windows\PZFZ.exe | N/A |
| File created | C:\windows\ZHVMU.exe | C:\windows\SysWOW64\BWSWLO.exe | N/A |
| File created | C:\windows\XKCBQP.exe.bat | C:\windows\SysWOW64\COXR.exe | N/A |
| File created | C:\windows\SODA.exe | C:\windows\TVAKD.exe | N/A |
| File created | C:\windows\EXTK.exe | C:\windows\SysWOW64\UZFQFI.exe | N/A |
| File opened for modification | C:\windows\system\FTQQBWB.exe | C:\windows\SysWOW64\INXBLTG.exe | N/A |
| File created | C:\windows\PAU.exe.bat | C:\windows\CPJWXZ.exe | N/A |
| File opened for modification | C:\windows\XLR.exe | C:\windows\system\NSIJ.exe | N/A |
| File opened for modification | C:\windows\JGKXF.exe | C:\windows\SysWOW64\IEUBRSJ.exe | N/A |
| File created | C:\windows\VJSSA.exe | C:\windows\system\QJRIWB.exe | N/A |
| File created | C:\windows\system\BES.exe.bat | C:\windows\SysWOW64\XWMSNF.exe | N/A |
| File opened for modification | C:\windows\system\SZXSYU.exe | C:\windows\QBJX.exe | N/A |
| File opened for modification | C:\windows\PZFZ.exe | C:\windows\SysWOW64\OWPDSQ.exe | N/A |
| File opened for modification | C:\windows\ZHVMU.exe | C:\windows\SysWOW64\BWSWLO.exe | N/A |
| File created | C:\windows\system\EGJELZR.exe | C:\windows\AQDW.exe | N/A |
| File created | C:\windows\system\PRP.exe.bat | C:\windows\system\AWFBTJM.exe | N/A |
| File created | C:\windows\VLEUR.exe.bat | C:\windows\SysWOW64\AAWVCOW.exe | N/A |
| File created | C:\windows\ILSEMYY.exe | C:\windows\SysWOW64\EVLDAFK.exe | N/A |
| File created | C:\windows\KEAPON.exe | C:\windows\system\REL.exe | N/A |
| File opened for modification | C:\windows\FHXCVL.exe | C:\windows\MGQJMK.exe | N/A |
| File opened for modification | C:\windows\system\FWZFY.exe | C:\windows\system\PGMOQ.exe | N/A |
| File opened for modification | C:\windows\ZFHRYF.exe | C:\windows\XPOXARJ.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AKGRMX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 468 -ip 468
C:\windows\AKGRMX.exe
C:\windows\AKGRMX.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 996
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PQMGB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 988
C:\windows\system\PQMGB.exe
C:\windows\system\PQMGB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1336
C:\windows\system\FQH.exe
C:\windows\system\FQH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBLZPKE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1296
C:\windows\SysWOW64\SBLZPKE.exe
C:\windows\system32\SBLZPKE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3592 -ip 3592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 960
C:\windows\system\FETQDNA.exe
C:\windows\system\FETQDNA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IUCMKHD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1324
C:\windows\IUCMKHD.exe
C:\windows\IUCMKHD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OPO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1324
C:\windows\OPO.exe
C:\windows\OPO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RDFP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1004
C:\windows\SysWOW64\RDFP.exe
C:\windows\system32\RDFP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 960
C:\windows\SysWOW64\KQE.exe
C:\windows\system32\KQE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 976
C:\windows\SysWOW64\YBU.exe
C:\windows\system32\YBU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YWYH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1324
C:\windows\YWYH.exe
C:\windows\YWYH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XPOXARJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 988
C:\windows\XPOXARJ.exe
C:\windows\XPOXARJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZFHRYF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 516 -ip 516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1324
C:\windows\ZFHRYF.exe
C:\windows\ZFHRYF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WFRUKKA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4360 -ip 4360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 960
C:\windows\SysWOW64\WFRUKKA.exe
C:\windows\system32\WFRUKKA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNFZXAD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1328
C:\windows\SysWOW64\NNFZXAD.exe
C:\windows\system32\NNFZXAD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BJJSCPL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1596 -ip 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 964
C:\windows\system\BJJSCPL.exe
C:\windows\system\BJJSCPL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KWTKS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 988
C:\windows\KWTKS.exe
C:\windows\KWTKS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EJMIYHW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1324
C:\windows\EJMIYHW.exe
C:\windows\EJMIYHW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXMJD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1560 -ip 1560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1336
C:\windows\system\KXMJD.exe
C:\windows\system\KXMJD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKQQO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3820 -ip 3820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1272
C:\windows\system\SKQQO.exe
C:\windows\system\SKQQO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AQDW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1324
C:\windows\AQDW.exe
C:\windows\AQDW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1008
C:\windows\system\EGJELZR.exe
C:\windows\system\EGJELZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2944 -ip 2944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1328
C:\windows\SysWOW64\FBN.exe
C:\windows\system32\FBN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HWEK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3516 -ip 3516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1204
C:\windows\HWEK.exe
C:\windows\HWEK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWGPNGK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4144 -ip 4144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1328
C:\windows\SysWOW64\QWGPNGK.exe
C:\windows\system32\QWGPNGK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZKLVYEF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1236
C:\windows\ZKLVYEF.exe
C:\windows\ZKLVYEF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZQF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1248
C:\windows\system\IIZQF.exe
C:\windows\system\IIZQF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSCG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3192 -ip 3192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1260
C:\windows\SysWOW64\ZSCG.exe
C:\windows\system32\ZSCG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AWFBTJM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4084 -ip 4084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 988
C:\windows\system\AWFBTJM.exe
C:\windows\system\AWFBTJM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PRP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3264 -ip 3264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1304
C:\windows\system\PRP.exe
C:\windows\system\PRP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\COXR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4008 -ip 4008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 960
C:\windows\SysWOW64\COXR.exe
C:\windows\system32\COXR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XKCBQP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4360 -ip 4360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1324
C:\windows\XKCBQP.exe
C:\windows\XKCBQP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FPGPB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 960
C:\windows\FPGPB.exe
C:\windows\FPGPB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LPODS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1324
C:\windows\LPODS.exe
C:\windows\LPODS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TVAKD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2560 -ip 2560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 988
C:\windows\TVAKD.exe
C:\windows\TVAKD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SODA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 892 -ip 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1236
C:\windows\SODA.exe
C:\windows\SODA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGTL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2552 -ip 2552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 988
C:\windows\system\LGTL.exe
C:\windows\system\LGTL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1308
C:\windows\SysWOW64\CPHI.exe
C:\windows\system32\CPHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3788 -ip 3788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1236
C:\windows\ZHJ.exe
C:\windows\ZHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNOQYC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4064 -ip 4064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1328
C:\windows\SysWOW64\SKNOQYC.exe
C:\windows\system32\SKNOQYC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QVYEZM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1276
C:\windows\system\QVYEZM.exe
C:\windows\system\QVYEZM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQBXNA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2420 -ip 2420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1336
C:\windows\system\FQBXNA.exe
C:\windows\system\FQBXNA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2296 -ip 2296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 976
C:\windows\system\QJRIWB.exe
C:\windows\system\QJRIWB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VJSSA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1324
C:\windows\VJSSA.exe
C:\windows\VJSSA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XHGFQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1248
C:\windows\system\XHGFQ.exe
C:\windows\system\XHGFQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXTWX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 960
C:\windows\SysWOW64\UXTWX.exe
C:\windows\system32\UXTWX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LIWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1460 -ip 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 976
C:\windows\LIWM.exe
C:\windows\LIWM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EAMX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2672 -ip 2672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 960
C:\windows\EAMX.exe
C:\windows\EAMX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JBASKRC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4616 -ip 4616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1324
C:\windows\JBASKRC.exe
C:\windows\JBASKRC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1328
C:\windows\SysWOW64\LZB.exe
C:\windows\system32\LZB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LCFY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1256
C:\windows\LCFY.exe
C:\windows\LCFY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCMLFYV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4760 -ip 4760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1324
C:\windows\SysWOW64\JCMLFYV.exe
C:\windows\system32\JCMLFYV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFXR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4648 -ip 4648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1336
C:\windows\system\VFXR.exe
C:\windows\system\VFXR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSIJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2624 -ip 2624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 960
C:\windows\system\NSIJ.exe
C:\windows\system\NSIJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XLR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 912 -ip 912
C:\windows\XLR.exe
C:\windows\XLR.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1292
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEUBRSJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1604 -ip 1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 960
C:\windows\SysWOW64\IEUBRSJ.exe
C:\windows\system32\IEUBRSJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JGKXF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1324
C:\windows\JGKXF.exe
C:\windows\JGKXF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZFQFI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2176 -ip 2176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 988
C:\windows\SysWOW64\UZFQFI.exe
C:\windows\system32\UZFQFI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2476 -ip 2476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 988
C:\windows\EXTK.exe
C:\windows\EXTK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4164 -ip 4164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1324
C:\windows\RVTWXUL.exe
C:\windows\RVTWXUL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSERSH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3052 -ip 3052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1328
C:\windows\SysWOW64\QSERSH.exe
C:\windows\system32\QSERSH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDPHS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4744 -ip 4744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1328
C:\windows\SysWOW64\PDPHS.exe
C:\windows\system32\PDPHS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1264
C:\windows\SysWOW64\CBP.exe
C:\windows\system32\CBP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWGC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1752 -ip 1752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 960
C:\windows\SysWOW64\FWGC.exe
C:\windows\system32\FWGC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2396 -ip 2396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1268
C:\windows\system\VHJ.exe
C:\windows\system\VHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DNW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 988
C:\windows\system\DNW.exe
C:\windows\system\DNW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INXBLTG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2944 -ip 2944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1304
C:\windows\SysWOW64\INXBLTG.exe
C:\windows\system32\INXBLTG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTQQBWB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 988
C:\windows\system\FTQQBWB.exe
C:\windows\system\FTQQBWB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SQQCDI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1296
C:\windows\SysWOW64\SQQCDI.exe
C:\windows\system32\SQQCDI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AECIN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4244 -ip 4244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1316
C:\windows\system\AECIN.exe
C:\windows\system\AECIN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJNYEC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1616 -ip 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 988
C:\windows\SysWOW64\FJNYEC.exe
C:\windows\system32\FJNYEC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1296
C:\windows\SysWOW64\DUX.exe
C:\windows\system32\DUX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FSDAUQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1296
C:\windows\FSDAUQG.exe
C:\windows\FSDAUQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1436 -ip 1436
C:\windows\system\WAYMK.exe
C:\windows\system\WAYMK.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1000
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1328
C:\windows\SysWOW64\HTBFT.exe
C:\windows\system32\HTBFT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\REL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1336
C:\windows\system\REL.exe
C:\windows\system\REL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KEAPON.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1304
C:\windows\KEAPON.exe
C:\windows\KEAPON.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNEZM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1328
C:\windows\SysWOW64\SKNEZM.exe
C:\windows\system32\SKNEZM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIGYXBA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1332
C:\windows\SysWOW64\UIGYXBA.exe
C:\windows\system32\UIGYXBA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSVGP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3740 -ip 3740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1008
C:\windows\SysWOW64\BSVGP.exe
C:\windows\system32\BSVGP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UVZKUQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
C:\windows\UVZKUQ.exe
C:\windows\UVZKUQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGKHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3376 -ip 3376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1004
C:\windows\SysWOW64\YDGKHI.exe
C:\windows\system32\YDGKHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4012 -ip 4012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1328
C:\windows\SysWOW64\LJOW.exe
C:\windows\system32\LJOW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRUWVMJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
C:\windows\SysWOW64\XRUWVMJ.exe
C:\windows\system32\XRUWVMJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SMLFOYR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1716 -ip 1716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1296
C:\windows\SMLFOYR.exe
C:\windows\SMLFOYR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFNISC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1308
C:\windows\system\XFNISC.exe
C:\windows\system\XFNISC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AVUI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3180 -ip 3180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 960
C:\windows\AVUI.exe
C:\windows\AVUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJBO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 976
C:\windows\SysWOW64\MJBO.exe
C:\windows\system32\MJBO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2944 -ip 2944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1328
C:\windows\SysWOW64\SYM.exe
C:\windows\system32\SYM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3880 -ip 3880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 960
C:\windows\SysWOW64\SMZ.exe
C:\windows\system32\SMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ICAP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
C:\windows\system\ICAP.exe
C:\windows\system\ICAP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXSZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2760 -ip 2760
C:\windows\SysWOW64\HXSZ.exe
C:\windows\system32\HXSZ.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1312
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAWVCOW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1328
C:\windows\SysWOW64\AAWVCOW.exe
C:\windows\system32\AAWVCOW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VLEUR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1116 -ip 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1324
C:\windows\VLEUR.exe
C:\windows\VLEUR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZTL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 988
C:\windows\ZTL.exe
C:\windows\ZTL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 968 -ip 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 960
C:\windows\system\LGS.exe
C:\windows\system\LGS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KPGX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 960
C:\windows\KPGX.exe
C:\windows\KPGX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BZJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1384 -ip 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1324
C:\windows\BZJ.exe
C:\windows\BZJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZXUQQV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1256
C:\windows\SysWOW64\ZXUQQV.exe
C:\windows\system32\ZXUQQV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3776 -ip 3776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 960
C:\windows\SysWOW64\PFDH.exe
C:\windows\system32\PFDH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1604 -ip 1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 988
C:\windows\SysWOW64\NYGXXW.exe
C:\windows\system32\NYGXXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWMSNF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 324 -ip 324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1328
C:\windows\SysWOW64\XWMSNF.exe
C:\windows\system32\XWMSNF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 808 -ip 808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 960
C:\windows\system\BES.exe
C:\windows\system\BES.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VWI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1012 -ip 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 988
C:\windows\system\VWI.exe
C:\windows\system\VWI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZMGO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960
C:\windows\SysWOW64\NZMGO.exe
C:\windows\system32\NZMGO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXTP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1328
C:\windows\SysWOW64\OXTP.exe
C:\windows\system32\OXTP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 960
C:\windows\system\LVZ.exe
C:\windows\system\LVZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOCCOOO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5052 -ip 5052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 960
C:\windows\SysWOW64\JOCCOOO.exe
C:\windows\system32\JOCCOOO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XRTTC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 960
C:\windows\XRTTC.exe
C:\windows\XRTTC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QRAEM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1328
C:\windows\SysWOW64\QRAEM.exe
C:\windows\system32\QRAEM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DPAQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4124 -ip 4124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1324
C:\windows\DPAQ.exe
C:\windows\DPAQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 960
C:\windows\system\YCFZYD.exe
C:\windows\system\YCFZYD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFJD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2940 -ip 2940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 960
C:\windows\SysWOW64\ZFJD.exe
C:\windows\system32\ZFJD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIUZRR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1120 -ip 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1336
C:\windows\system\RIUZRR.exe
C:\windows\system\RIUZRR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDEL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1600 -ip 1600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1328
C:\windows\SysWOW64\GDEL.exe
C:\windows\system32\GDEL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QBJX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 988
C:\windows\QBJX.exe
C:\windows\QBJX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZXSYU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1304
C:\windows\system\SZXSYU.exe
C:\windows\system\SZXSYU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AECYJT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1388 -ip 1388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1324
C:\windows\AECYJT.exe
C:\windows\AECYJT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUDY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 960
C:\windows\system\QUDY.exe
C:\windows\system\QUDY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JNSJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 960
C:\windows\JNSJ.exe
C:\windows\JNSJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LLYDHQU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1300
C:\windows\LLYDHQU.exe
C:\windows\LLYDHQU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1336
C:\windows\system\ZRYPQ.exe
C:\windows\system\ZRYPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOLJY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2316 -ip 2316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1328
C:\windows\SysWOW64\IOLJY.exe
C:\windows\system32\IOLJY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CHTUH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4300 -ip 4300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1324
C:\windows\CHTUH.exe
C:\windows\CHTUH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ACSVMO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2216 -ip 2216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1324
C:\windows\ACSVMO.exe
C:\windows\ACSVMO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CPJWXZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 960
C:\windows\CPJWXZ.exe
C:\windows\CPJWXZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PAU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456
C:\windows\PAU.exe
C:\windows\PAU.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1324
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UBBXX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960
C:\windows\system\UBBXX.exe
C:\windows\system\UBBXX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IYBJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1304
C:\windows\system\IYBJ.exe
C:\windows\system\IYBJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4904 -ip 4904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1256
C:\windows\MGQJMK.exe
C:\windows\MGQJMK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FHXCVL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 940 -ip 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 960
C:\windows\FHXCVL.exe
C:\windows\FHXCVL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUXDAOR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1312
C:\windows\system\DUXDAOR.exe
C:\windows\system\DUXDAOR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YFFBOQN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1624 -ip 1624
C:\windows\YFFBOQN.exe
C:\windows\YFFBOQN.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 988
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVGT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 960
C:\windows\SysWOW64\OVGT.exe
C:\windows\system32\OVGT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZOVE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2596 -ip 2596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1324
C:\windows\ZOVE.exe
C:\windows\ZOVE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1336
C:\windows\system\DECMQX.exe
C:\windows\system\DECMQX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEER.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3484 -ip 3484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1296
C:\windows\SysWOW64\UEER.exe
C:\windows\system32\UEER.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NHIMZS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1316
C:\windows\NHIMZS.exe
C:\windows\NHIMZS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QUZWSEY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4008 -ip 4008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 988
C:\windows\QUZWSEY.exe
C:\windows\QUZWSEY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HDB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 960
C:\windows\HDB.exe
C:\windows\HDB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVLDAFK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1720 -ip 1720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 988
C:\windows\SysWOW64\EVLDAFK.exe
C:\windows\system32\EVLDAFK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ILSEMYY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1908 -ip 1908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1316
C:\windows\ILSEMYY.exe
C:\windows\ILSEMYY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GWUU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1256
C:\windows\GWUU.exe
C:\windows\GWUU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBNJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1328
C:\windows\SysWOW64\DBNJ.exe
C:\windows\system32\DBNJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SRO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 976
C:\windows\SRO.exe
C:\windows\SRO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RCQYA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1324
C:\windows\RCQYA.exe
C:\windows\RCQYA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MYVICI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1256
C:\windows\MYVICI.exe
C:\windows\MYVICI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGCIPB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1328
C:\windows\SysWOW64\QGCIPB.exe
C:\windows\system32\QGCIPB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQSG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 760 -ip 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1272
C:\windows\system\LQSG.exe
C:\windows\system\LQSG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JBV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4924 -ip 4924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 976
C:\windows\JBV.exe
C:\windows\JBV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TBXB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4572 -ip 4572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1328
C:\windows\SysWOW64\TBXB.exe
C:\windows\system32\TBXB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMGADAR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1908 -ip 1908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1328
C:\windows\SysWOW64\GMGADAR.exe
C:\windows\system32\GMGADAR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAZQRNG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1328
C:\windows\SysWOW64\AAZQRNG.exe
C:\windows\system32\AAZQRNG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WFXNYW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 988
C:\windows\WFXNYW.exe
C:\windows\WFXNYW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJUJV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1992 -ip 1992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1308
C:\windows\system\ELJUJV.exe
C:\windows\system\ELJUJV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYOBU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1228
C:\windows\system\MYOBU.exe
C:\windows\system\MYOBU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OWPDSQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 992
C:\windows\SysWOW64\OWPDSQ.exe
C:\windows\system32\OWPDSQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PZFZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 880 -ip 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 872
C:\windows\PZFZ.exe
C:\windows\PZFZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CCB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1336
C:\windows\system\CCB.exe
C:\windows\system\CCB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OFMKV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2928 -ip 2928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1292
C:\windows\OFMKV.exe
C:\windows\OFMKV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIWRN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1244
C:\windows\system\QIWRN.exe
C:\windows\system\QIWRN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DOW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2608 -ip 2608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 988
C:\windows\DOW.exe
C:\windows\DOW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYGTYBP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2956 -ip 2956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1304
C:\windows\SysWOW64\CYGTYBP.exe
C:\windows\system32\CYGTYBP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BWSWLO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1300
C:\windows\SysWOW64\BWSWLO.exe
C:\windows\system32\BWSWLO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZHVMU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1324
C:\windows\ZHVMU.exe
C:\windows\ZHVMU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKYIZKU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1032 -ip 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1004
C:\windows\system\SKYIZKU.exe
C:\windows\system\SKYIZKU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSHHG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3752 -ip 3752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 960
C:\windows\SysWOW64\HSHHG.exe
C:\windows\system32\HSHHG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PGMOQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4008 -ip 4008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1336
C:\windows\system\PGMOQ.exe
C:\windows\system\PGMOQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FWZFY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 960
C:\windows\system\FWZFY.exe
C:\windows\system\FWZFY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWHTPOV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2184 -ip 2184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1308
C:\windows\system\LWHTPOV.exe
C:\windows\system\LWHTPOV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GCTXA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1296
C:\windows\SysWOW64\GCTXA.exe
C:\windows\system32\GCTXA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3724 -ip 3724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1240
C:\windows\SysWOW64\KKW.exe
C:\windows\system32\KKW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPGU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2536 -ip 2536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1004
C:\windows\SysWOW64\HPGU.exe
C:\windows\system32\HPGU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFHMAAL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1336
C:\windows\system\WFHMAAL.exe
C:\windows\system\WFHMAAL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YDUGH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 960
C:\windows\system\YDUGH.exe
C:\windows\system\YDUGH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IBAA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1260
C:\windows\IBAA.exe
C:\windows\IBAA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBCFS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 976
C:\windows\SysWOW64\RBCFS.exe
C:\windows\system32\RBCFS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUJQK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1328
C:\windows\SysWOW64\KUJQK.exe
C:\windows\system32\KUJQK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/468-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\AKGRMX.exe.bat
| MD5 | f061741ee67766c9704980b4aab1d931 |
| SHA1 | 7e4e5be8806b878b908b341f18e8ce3e412d08f8 |
| SHA256 | 6aebe995cde0785794e8e9d82c11e4d1915054608707eaa647d3902b9218e2cf |
| SHA512 | 6d78158ba4a6ac5ec1100be6f6f2ea70be62f30630404a7ad4da8e96913f766b090a19f69e704d9cefe1826171e4e3d9ac54a950fa3e180ab91aea75c662aeca |
C:\windows\AKGRMX.exe
| MD5 | b259376fd5c7f6c8a7229a8d380fa321 |
| SHA1 | 22615eb3f8a14ca367488dbb93e9551666c361e6 |
| SHA256 | ff864510eb7aab74f5dde7c69e24543fc01dac69cb767db7f16aa287d3ba8fa1 |
| SHA512 | 45110d14fa183293a7bd90e249e3360f38ed97643e014461f468fc9dd81119353f5eeb29f2fa9605ab6b788134038962da6be77cc71d23f54d899cb15807c78d |
memory/5092-11-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\System\PQMGB.exe
| MD5 | af6287c8bdf5d56f195a2d0737bc3eaf |
| SHA1 | 4e435f017803424be06d1c2b240cc364fa46f159 |
| SHA256 | 4aabcea6b8dff74148e559d42c7579a0391919b3ff9f8967407be85cba11646a |
| SHA512 | ffc036ef8387af4ddc70557cc717687073c05e244604c76d89f112d217b7091cff934d5328b93268ddf0b1fbcec455f69525cb534bfee040e055a9c3a9647647 |
C:\windows\system\PQMGB.exe.bat
| MD5 | ab63ecb4c40c8c0b21c0b69106e0b9ad |
| SHA1 | e0973d36f7a65651c7558eec7b86bc9c9e157acc |
| SHA256 | 8f922d55d76df32f54e79e8a985bd4a7800efa6a709dde98c31cb187a4288211 |
| SHA512 | e7860a02d58173c1df679055f6f399684a1270eb8030904968d46f9d0a1260be9326cb5a612d49ff1e8eaf8bb5de9638891309ddcd10eda6102249c852a96006 |
memory/4092-22-0x0000000000400000-0x0000000000439000-memory.dmp
memory/468-23-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\FQH.exe.bat
| MD5 | 792626b07dfbe1ab574f2e03506a2d55 |
| SHA1 | 3de3438785dd77cbd30d4d85feef01238f4a04ae |
| SHA256 | 2c2c342fdc683908956ddbd49a2c97b57f1de7e35e4a70779cbc4879dea2fe06 |
| SHA512 | af21736045c8b6627bcea28cb6ec188b8007816ec557e87a0bfa734022c07c212270a19000e36646cc859d25e02dc41c7cc9ec663fca250cb9a884b32a9cb366 |
memory/5092-31-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\System\FQH.exe
| MD5 | 1b7439fba2f7d791fd63b6284646835e |
| SHA1 | d916c1002c740d4bfab7174d43566c6df3e04140 |
| SHA256 | 7bdc21ab2a8548e2e060a2c19e1cb0de39b1a0da8f050efabfe4a1c56e4a23fa |
| SHA512 | 6c5235d1c59978e1fe6fe92db2995d08e26db471b8efc30c2587be9061a7e0a3e816d7d9c0bde28ad0a0e0d3b7a50eaa9fba655345126bfb5aafc1122448103c |
memory/1564-35-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\SBLZPKE.exe.bat
| MD5 | 541d91588b24bd4813dedff8d26f2cb9 |
| SHA1 | 7c9e1c911846474fe69f9deba6127667b17ed5f0 |
| SHA256 | 2032a4adb9b41a84a07787369364916b729c757109512574dcb7ab8fa0df7598 |
| SHA512 | a6a31894a9d63e3f777b73a1cf478eaf8563a34d4ab3625584c504319d3d17b88a10d80e7f3487298050fb145383967ddaad8a15219185e6e0231f9471f9ede6 |
C:\Windows\SysWOW64\SBLZPKE.exe
| MD5 | 59fe8d521fce03463f9a5d09880b5f0a |
| SHA1 | cce37b36c5d232200d20dc00c7accb5ca2798f8d |
| SHA256 | 33f42cb6a8245c2b4532f292ff18691fe31ab997f8974e5ce350d71ca213a602 |
| SHA512 | 620b95353acec1e33c9467daed4d13d5b7711a3dd665c24e904dd796e956dca681f6c6bf7b741cf0400b8ac4fc9a2aaee624692ca83949749abf8bc67c0f2d84 |
memory/3592-46-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4092-47-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1564-54-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\FETQDNA.exe.bat
| MD5 | a52c270b7605740372723138dcf1a2b2 |
| SHA1 | a08848757972ea70e4f78c445057b4f7250dec31 |
| SHA256 | 347f7718abfa0912088918c64934477ea6f2312d0b2bff6ff83ecec06fc14079 |
| SHA512 | 09bc239495d08a41dda51fe0fd199c2b2c7f17e6548122a69564983706953edf1ddce7407ff6d69c55b02b6f27c627770679931875d9c15adeb0716c918fcaaa |
memory/4380-59-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\FETQDNA.exe
| MD5 | 8dbdfc65a3f9dafe18e413b3bab2b67d |
| SHA1 | cde0cdb198538ca75658d899a2944c9b180a49cc |
| SHA256 | 5ffd02a6b16a078a6e51bab1d8f042fff6957eb7fcaa073a3b0fd359f9fb8607 |
| SHA512 | 986d7ff404167b8821e1dceb9b2b7cf3d5ca37481440f117236f40394ffc4271d6d5712803016dfed92d7e974da0d7f1165a2fc1aab73b0c5b36e1556435af3b |
C:\windows\IUCMKHD.exe.bat
| MD5 | ed83a811b3ca939ea6f3f626e2a46e73 |
| SHA1 | 02260b95e288bf2922bd634ab26dce85b0796ae6 |
| SHA256 | 2f4dc45c05602400713051fa7544d9cff815529fca3ad4179933c6d67c46bf04 |
| SHA512 | 213d6a92274f4bdbc0439b798b9e2daf1d35678db8defaf2e0fac8639b66edf8b0fe221d46a28d752a129987fdd2117de8c76516a5b183338133e724405a3463 |
C:\Windows\IUCMKHD.exe
| MD5 | bf27076b4c5c1047569a9218689dd6d4 |
| SHA1 | 6ffb0a7da29ed08f2091ca3dd3c68f022236838c |
| SHA256 | 4554afbc8c6732505de9e82eb2c7015d0ea22893b3d34733d8227ae94f4fc0b4 |
| SHA512 | f3db1a29f0273fb5ead5fec39cd631c28cc1e3874e34366b4ba528ed925cd5fab3697f92598c2967f7c62e8af1c187b0b1aff78916afea918ed47aeee4c9d2b0 |
memory/1680-70-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3592-71-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\OPO.exe.bat
| MD5 | 24e539331ebfefceaa2b1b01049a5a5d |
| SHA1 | 0eff4c2be99293ef0104ded7b5b3c35048a6051b |
| SHA256 | 2ee69853862f8bdb680c6ce920cedc26e3e7e6f4ba70fa7cd430ccac3a8cec27 |
| SHA512 | 6167569618566baf23de21eb386d3694956695043426057f73f7e185ea3a366c7f3a3b08f8de9a7c79186cc1747d0bae80e120c211fb4cb30e5e8e078a6e75ae |
memory/688-82-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\OPO.exe
| MD5 | a671a2496fd21d6c29cfdb35f257975d |
| SHA1 | 0c39a229a8e8e54dc5d8d179682918b2e6af10a9 |
| SHA256 | 9b993c3042aa7d76716a12b4dd559cec3db39f8aa716a3004fd20effc8e84802 |
| SHA512 | e3532191fafa9d505d02af22ef8aa7bb0b5edf206ef82cc3eb0aa5b7e221ceb95046f497bdfbf2fe9eee3e9f744efb3fa142a6a7474f54f5c816c505174e8bf0 |
memory/4380-83-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RDFP.exe.bat
| MD5 | a9804b03d3604d981016fb435fa62883 |
| SHA1 | 3e8ddeeab5093d0727b6b51818bc590f5fc2f32d |
| SHA256 | c2b28869ae7d34a946857cf046dcae9930baeba69a83620886cd76725cacccd7 |
| SHA512 | f6f33ae40fc0114bd95e5f5522881ebe35996499a3159ed231c629cf67b161033fa45bc263cca48a3665924acb1645163fba45794156b46dd174b3a3054388d3 |
C:\windows\SysWOW64\RDFP.exe
| MD5 | 0aa3de23ceed357abf4b19e148baf8d1 |
| SHA1 | a9407fa943d85ed56ba193f92677906eba8d9174 |
| SHA256 | c99654729efe307d1694dfdf1b054f4773e3396720a1ff544b74de5e2292e0cc |
| SHA512 | f341e68f5b36f0a99eb5f15d60687fe72d648bc813cce1694bbbd0ff13303a866bb79f0f6887d06fac63d646290d31b3c8615466b4d99849f6c85365c04b8f40 |
memory/1680-95-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1088-94-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\KQE.exe.bat
| MD5 | b0f3e1d813e900bef8f7fd7ad7159ab8 |
| SHA1 | a182e08a1a76ad34a3429132e5b0fef02f318669 |
| SHA256 | d5ab8fb48d44eeec97bdaa1d38986575b042324fa31fd0e074391ee0d4037463 |
| SHA512 | be8249637778908182d143a8b3921715cb15edbd915c81690db29ec810f39c22f7600e0fa7629dd0c46d5fb38791708377e448972683511082fbda6adad8d63b |
memory/688-106-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4444-107-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\YBU.exe.bat
| MD5 | 536ae8dea4b9b05ef5a8ecb444973c47 |
| SHA1 | 72a4192edde99c5c02ab8112dfe06ee9b8f3c497 |
| SHA256 | 31686b5c013a5c10c2dc8d9736e37177058c962f1e9658fb3e1d2cbac002cb16 |
| SHA512 | 0267f599efbc396053f89c8c1cf962b877843a80784807aadef43368b3bfa1dc71b85b9705e088b8050b2fa2d0fc23283a54ab7ddb4d10f5c9740b1a6d6571c0 |
memory/1088-119-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2448-118-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\YBU.exe
| MD5 | d823355c6867b129a486e36f0ab1575b |
| SHA1 | 03650ab4e93c58b21df9d9723f36ebb61a9830b2 |
| SHA256 | 924620a5e9848015a6942209fa55731b72501193665c3aa382cce659f43d4d83 |
| SHA512 | 6375f2efc0f88b5383241f35d761878b654fb72735ff59dde0c36d0241d7151310fc48b01ad92922aac08e6034b8f64954f40377704664e99296b5284ef202cb |
memory/4444-126-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\YWYH.exe.bat
| MD5 | 9917daa797f6195f31c9d98e08971b5d |
| SHA1 | b249b2f28c7a7a34e3f5383b8398c2f1c64ed17f |
| SHA256 | 68aeee2b67f45f9691350a69d96f3c28abd50bfc254302d1ed4b4a2486e8c55c |
| SHA512 | 013a18033da5df09d30aa4027be21db8395671facd25919793518d998516bf889b33e42b3dfadb65b80f02cee7e5ee771772edf207435562131c05e5e3940258 |
C:\windows\YWYH.exe
| MD5 | 196e87b66d5dcd3145fec77faa50eb5c |
| SHA1 | 1042f3f38e38b237339883eee5bc4aad9cd711b4 |
| SHA256 | 7edf0a007cb2a17d9b012bec7a1e26e0e4b45f8bbcf98f7b8a78d5dba4110938 |
| SHA512 | c44ee3935d020f6acfef7cf0d244929a461933a5ff27c9cc693267dce4c78450ba0fc96c75ca23addccc6be14881fd03f0e7412e69ef15ce1df3522ae0cdcc71 |
memory/4916-131-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2448-138-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\XPOXARJ.exe.bat
| MD5 | cda7b37425421590a5d591368fd06da1 |
| SHA1 | 17d26c9329394bf017755cc372cb81757d88f336 |
| SHA256 | d3ec91ab2cc01bf60256bad065182d14dea9677130681da7d6a8837d708e6567 |
| SHA512 | 3808d7d2dff5aa803aa4050ab80ae04a99c46df7616ad2f30076626ac4f1d94b409675300e9f35cbddc668e9fb4b698def50791ce2f0dd563d6f02bd99d44b98 |
C:\windows\XPOXARJ.exe
| MD5 | 88f914f571f81d6e46fc7d1dc099d871 |
| SHA1 | 54c34106f2c125daac99f132ea422757e9107ee0 |
| SHA256 | 48f19a17757543fb58821b934ef104721eee64b0a4ebaeb8a2858fd9ece1915e |
| SHA512 | 2c03bd00bf0ff5f8fa158880ee78bcc5d02b713fe625fa14619f28bcfc146ffbda1be18d4d7ae88f3d5ab1eedc84cb3833e9e72532ad9e6da5db1f7abfe8ff22 |
memory/516-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\ZFHRYF.exe.bat
| MD5 | c5b7a6e4323cea9986aebfc417a8ae42 |
| SHA1 | f870078c21445c4d5edededa64435c55059f5272 |
| SHA256 | f15dd8d762cd7a1fadf86bb5ea52dbb1c76333a6fda12e0ddebf0b9976f9d3e5 |
| SHA512 | 719fc4bfbe7f12aae70ba224df4c34e18ce2d2d2f6d35c09865adcfafa693aef71dd321f3fa156505f0ab4efccee2dac4e6dafae0f4f7ab8294aab88d599581e |
C:\Windows\ZFHRYF.exe
| MD5 | 6efa5678a993de3495aaf63082dab6ca |
| SHA1 | 6b108da33be1a7187aabcc6bd1c1dab29eeb131a |
| SHA256 | d465f770a32571659bd2a7c8761c1a3d41e04c997c41231447a0acfb4c4fdf7a |
| SHA512 | f00f458345259f0b306c095c23307525873043fc89571ca60af1ea1672c33d39c28ab809d6c93df4296606055d7a54a75db57cb83664ef76107118947810847f |
memory/4360-153-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4916-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\WFRUKKA.exe.bat
| MD5 | 830e2411f4e2622e50b5bac6f711a333 |
| SHA1 | c00ea86c9c59346ee4446bb766d728ec6f7f6276 |
| SHA256 | 0056b7515f854bb5b8737bc81b4c42ab75843c633fff2068d9732657b2eb529a |
| SHA512 | 2df0e8799fa52184fc566fca2025e25a2ea9ccc34d53a1a3f1aed48f6280de7a26bb9ddb130c18cbd8727965b3024228d52016386e05bce9f4c0f868988e0506 |
C:\Windows\SysWOW64\WFRUKKA.exe
| MD5 | 9478a0c3dbb13ed8a5bb3a544068e8ce |
| SHA1 | 2f923ac7137e5fa5815bba0e6d860c7778fac5e5 |
| SHA256 | 487a123cf552db328b4cd9927e14e7bab301d82e288baa5e53e6fc953f763d82 |
| SHA512 | 44603d9277da0ddeeccee0fab35aec7be42bb07769217efc5130dd326264a6fc184009a0e5a7773c5894b1b2b1687e488ac87ddc8f7b182bfd3bbd35c648b242 |
memory/316-165-0x0000000000400000-0x0000000000439000-memory.dmp
memory/516-167-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NNFZXAD.exe.bat
| MD5 | 9433fd7539bfc51fbc965e2d629fa60d |
| SHA1 | 97028f64a043f477dffdccd3b9f4a26007973e1f |
| SHA256 | ff663e4b8273a03410218a30bf384858904fae6af19db763828d461f567d508f |
| SHA512 | f58659e597d0237bc399b048877111638307f1d0e63a96d8e1d2a173935d6de0f6fc2eeb3eb1b43f8a3d874a80afefb08eff7961884b698606ec4b98449ebb03 |
memory/1596-178-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4360-179-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\BJJSCPL.exe.bat
| MD5 | 8208bf34e875225a0538388322880f64 |
| SHA1 | b9aa6c918e465d7b3e2c343ba57a112890fe1c9b |
| SHA256 | 45d6da0519b6d7a78357a8c72c0788b50c982623ca621827c7c763b165c90c9f |
| SHA512 | e7d1016cc66e638703c8ed47f773edd7668e854730a049f72c59306afcc687516c584ddaeebb3be757532ecd218b9e7bf36dd842b694796c61349a18665f7866 |
memory/316-187-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4864-191-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\BJJSCPL.exe
| MD5 | 6f65a889cad9272c4511d645b1b04dd0 |
| SHA1 | 609fe5f4c11f4ec5d4e9433a096301dba10ff5b0 |
| SHA256 | 646b12be81643ccde64d011a5d70d16b28d5e197c23161f048bd4192c7d25df2 |
| SHA512 | 5005a757a8e85d0341c6e6622b65de7cb443c26906e6b90e7b5fb84601b2e502d117165d70630323dcfad59e5603a6fd065ae1907798f1e9d97540fca88d3f61 |
memory/1596-199-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\KWTKS.exe.bat
| MD5 | fac526a7a050b1ae3b4e04cda73f134f |
| SHA1 | 5e168f3f74de1c693a5090e21ab6b2d7e1517cf1 |
| SHA256 | 0b890717b87c239f6cd91a753199c5f62e3e004c572a0e6ee5ad1fd44316b1b6 |
| SHA512 | 36a34b8380e0ffd2470a7e12ac64b04878a086ab0126ec68e481bf0b8399f09acdf077a4b78dc20d1fb570e3f185c034ec62495198e11f4453b51cbebdc53ffc |
C:\Windows\KWTKS.exe
| MD5 | 61d3a28556215c43c6677bfad5960f7e |
| SHA1 | d25c56e2a944a0545a4d21ed450ac434770c8ea8 |
| SHA256 | 24127f1a3045edb3c2c49c9354935703c92625b178553a5887e609c3d653fcc3 |
| SHA512 | 2263673d3eec9154c3fcd766cc65b401c578aa37fa36323239495d42b4b666deef37dbc62ebb8a15657102174f13274bd36e1c6d581932a409da0098a54361fb |
memory/4808-203-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4864-210-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\EJMIYHW.exe.bat
| MD5 | ace0af73f73669b978be49dd33b706dd |
| SHA1 | b2de8afae8a5db1a8aec7b7659f91b8361e6dabb |
| SHA256 | 46d2995c733dcd5788d730bebb37aeff996dcd8139bc1f2aa493f31fb91b86fa |
| SHA512 | 36d11c016a8b01316904b569931770cac81439e9810faa6cfeac4f12698dcfeb47c22e4fa7edf4de73f328b29d25bc71d3d37f6de26cb09f43546b39299349a4 |
C:\Windows\EJMIYHW.exe
| MD5 | 0a23c159d52c56027f915a6c6ee52b2a |
| SHA1 | 3020760825b032203c81027464e9b070bf35ab92 |
| SHA256 | 0a9f85a324395db744502e78e6f3bf091f8328e80c46a91e9a5364ba226f5ef4 |
| SHA512 | df91cbdf6eccd6f9fab55a2f5674166e77d585f19ea9c393f6efc0a1010c1febe46244902e96c6cef294dcf0794ce32309c2a10e441f4abb99844105c64ff661 |
memory/1560-215-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\KXMJD.exe.bat
| MD5 | 20765a3d38a5fc65631a6e3de09bd467 |
| SHA1 | 2bf5c856a0465a11d7973ded03105392c1d0ff86 |
| SHA256 | 1f7729c29bdd111931591acd5cd759c304fd29a4d5e0faa96257b887370c82eb |
| SHA512 | 0e9b7698f4a020fecec17ac0fd7e3488a11fd1aab2802a0e847d199c0c3c506071706bc8b24752270789760cf8fd57432eb3e455ee60eb9e1918b599c8862dd9 |
C:\Windows\System\KXMJD.exe
| MD5 | ad492378ed0813f187fca7f972f73a9b |
| SHA1 | f7e3ea2cb6dcc23db79ee520048e5ee1e1b2e906 |
| SHA256 | ad9d06cd8dd40eb0931709264338c55c679cba7a99923e2271b0da8f47aa2177 |
| SHA512 | 2805da67c5e17a5d6e2a4b63a962b6d025db667bf887033ac99ce9b0271dfdb2977f730aa37ad122bd9870f8d29ea9dbf266cc59f65e57721694726de2da48f9 |
memory/3820-226-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4808-227-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1560-234-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\SKQQO.exe.bat
| MD5 | b3d94b0190196744d5c71692697452bf |
| SHA1 | 8459e9e218ece1fb14e79291104ed2ac559199fc |
| SHA256 | bca3839d60662b403129d21f435dc59be952cbf9bb4aee34ea4b05f83197ab4a |
| SHA512 | 4bb0b8856c99c1a82f6709f09b8a277ae0804e0686348786fe8cc46ef24d91c2306988a3f9646e8c689d9d1b8cf364b91d3398ca96e579a58781db45617a5b69 |
C:\Windows\System\SKQQO.exe
| MD5 | ff2203818c45f5b472a9cd60a0651442 |
| SHA1 | 2f825cf730dab1d06b32dfcea7b951cc668d82e3 |
| SHA256 | dade9f8766b5c5c6750646ed25da996ae77bed5408a8a370542b6e1668d6e871 |
| SHA512 | 96ae4fb67f311f62f72cd301029819335628dbccbb23b898b57e766b9545af8f71001be11af92b14f7e2d6bce06792f6f3764e25831f6b5d015cae8744f3e139 |
memory/1704-238-0x0000000000400000-0x0000000000439000-memory.dmp
memory/316-239-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3820-240-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EGJELZR.exe.bat
| MD5 | 4f2ec565b589aa6ba29fb189b00377d0 |
| SHA1 | 0aef55638e1fd4b346e0a3dfc4a3c2344570a394 |
| SHA256 | 3e198b9768108ade6f3dcd9ebf828af54e6943e57740826188d3fb02f0b569ae |
| SHA512 | 0ee7fa00f612021bff74bb6d0db3963d71112b03c57f442cc9a99d152db08f8006a432908922477268d601fae55f2d9d3780583869c59536c1b4a33d420a8d8b |
C:\windows\system\EGJELZR.exe
| MD5 | d192b6a520453f06b58067a8bed7ca7d |
| SHA1 | 90182996fef2189855272a9b94bbbcba2b10d468 |
| SHA256 | 72fbc8f9b568152b901b6621aa92df60aa14e2f3eb410ff8bc3cea3cd0075ef4 |
| SHA512 | a0556a287587c4d0722d7e76e6935118b39b71d24f77dc0e788c844c1799b97ddfbca43b0ea378aa00ad866548d256cb449027ddf67396d92ca980cbfcdf1e50 |
memory/2944-251-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1704-252-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\FBN.exe.bat
| MD5 | 37abb6d8368a6e8e40e8380c3df4afe0 |
| SHA1 | 86cb5b6fb87f30759f5e850624ea6b490c059471 |
| SHA256 | 60787317703df6c93547f39a69c97ab61be9047b4a20c181fb53a78863d473e1 |
| SHA512 | 63602f3deb0fec4af0fca1ed983af018ae7d1886e36f460ca3b8bd1fde065819b18736d656ccdf2f53133be93d6e6e4b21af39090b9533f682a25300df8d03c1 |
memory/3516-263-0x0000000000400000-0x0000000000439000-memory.dmp
memory/316-260-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2944-270-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4144-272-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3516-279-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1044-281-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4144-288-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2496-290-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1044-297-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3192-299-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4084-307-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2496-308-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3264-316-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3192-317-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4008-325-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4084-326-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4360-334-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3264-335-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1500-343-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4008-344-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4360-351-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3388-353-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1500-360-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2560-362-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3388-369-0x0000000000400000-0x0000000000439000-memory.dmp
memory/892-371-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2560-378-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2552-380-0x0000000000400000-0x0000000000439000-memory.dmp
memory/892-388-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2232-389-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2552-397-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3788-398-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4064-406-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2232-407-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4496-415-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3788-416-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2420-424-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4064-425-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4496-432-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2296-434-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4328-443-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2420-442-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4812-451-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2296-452-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4328-459-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2336-461-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4812-468-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1460-470-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2672-478-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2336-479-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4616-487-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1460-488-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 00:03
Reported
2024-05-31 00:06
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\system\JJQLUUH.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\system\JJQLUUH.exe | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\windows\system\JJQLUUH.exe | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| File created | C:\windows\system\JJQLUUH.exe.bat | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\system\JJQLUUH.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\system\JJQLUUH.exe | N/A |
| N/A | N/A | C:\windows\system\JJQLUUH.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\JJQLUUH.exe.bat" "
C:\windows\system\JJQLUUH.exe
C:\windows\system\JJQLUUH.exe
Network
Files
memory/1956-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\JJQLUUH.exe.bat
| MD5 | 719689086c256b1dc4251bb1b8233b6a |
| SHA1 | 4cfebb108f9f0d6d276d8d90757c0588ba7d7c32 |
| SHA256 | acbe151748a254b39b811b384264bed6320adf66691eda2d0affc40bbca3cd34 |
| SHA512 | 0662b51258a0a7c0bef3cd4a5e03787d551ea8fe006ff52e30e5c5aed04b7a0876d478ed5c983762ec946337c18c42c65f1010144e48b315e4b19d9caa3a0fb7 |
memory/1956-12-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2700-18-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\JJQLUUH.exe
| MD5 | 6b74cf62447d2f49a48893accd534a24 |
| SHA1 | b140b686cacd800e63cea568be1d114295b6230f |
| SHA256 | 78fd6e44f18d825414ef4d2eb50e1c45d5f295bbd133014f5053a678933fece8 |
| SHA512 | 46fcaead21a08a5ac60fdd17c15c62db1fd590ce08d612e7e79066e83871f0948977e0d35875644902690f93cb476325af6646d580f577ed5aa7fb7178c6d735 |
memory/2700-19-0x0000000000400000-0x0000000000439000-memory.dmp