Malware Analysis Report

2024-10-24 20:04

Sample ID 240531-az85xahd42
Target 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
SHA256 1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c

Threat Level: Known bad

The file 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 00:40

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 00:40

Reported

2024-05-31 00:42

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\TIXIEV.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\TIXIEV.exe.bat C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
File created C:\windows\SysWOW64\TIXIEV.exe C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
File opened for modification C:\windows\SysWOW64\TIXIEV.exe C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\TIXIEV.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\TIXIEV.exe.bat" "

C:\windows\SysWOW64\TIXIEV.exe

C:\windows\system32\TIXIEV.exe

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\TIXIEV.exe.bat

MD5 36f507fc95f1649271cc66af82a00418
SHA1 5ac5aa18215911ba8bb0280a844524962c9bd28d
SHA256 e89af3fd9adaa2784f35cd4c3d545b8cd7c58562ae32b91c8050890a01efc622
SHA512 2882c3c5fd16fd4b6ef54461a94471d237c874b3ba5d652e48fc39bb55374a2669c3aad0982b6a6e97895303162a887f23481babd40dab4471f177f1cee21a32

memory/2180-12-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\TIXIEV.exe

MD5 810ad89c962132a587c198452dee996d
SHA1 43319ff8dda9962689e70b6759aee1c1b250063b
SHA256 02e69b84aa26b9f96245a2a13259dab30f441a305ffa3ca54e6d0b9f53557e46
SHA512 a3250fa36b528c94df3f74d408d6d5e544aa6c10b4095fb630a699e275b5a23d9c0cd6f73310d2379bb7516d73f20a390536075aacdc7cbd41b117e8db5a8c94

memory/2136-18-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2136-19-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 00:40

Reported

2024-05-31 00:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UADSUM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\DMGXJB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\OXXC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\VLXYQYR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\OBDFK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\XZHWEY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SSOSJOO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\MBVD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SQSM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\WGIHN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\XGFRU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\YIUCAZJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\UGC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\ECLOCB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\YYWCZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\ZUTQT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\RBYCXYC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\CXJX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\VENOOXQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\IFDTBDQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\KYWPYFU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\CPV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PTXSJF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NKNGATG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\OSGPF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\GRJL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\YMM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\ZSFT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\IKAXFN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\WEN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PXXHW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\RWEFHL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\PBJIE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\ZFUPCR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\AMKJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\WKIFQPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\IXGTVE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\ZAHI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\YEDRND.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\AOUVIEU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\NQZSB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SZSCZY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\SUDD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HLL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\BMWO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\CYLLZV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\RMQO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\IUBJSTW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\RWCG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NBQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\KAQIGS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\GHRN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\CNQYXT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LRD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\YPV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\YOIM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NTMVCPM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\BWRO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\XONMRLN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UFRZBBD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\BDNSMHS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\system\MOAKCEQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\windows\ZYNPBT.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\UADSUM.exe N/A
N/A N/A C:\windows\CNQYXT.exe N/A
N/A N/A C:\windows\VLXYQYR.exe N/A
N/A N/A C:\windows\SysWOW64\NTMVCPM.exe N/A
N/A N/A C:\windows\SysWOW64\VUUP.exe N/A
N/A N/A C:\windows\OUKA.exe N/A
N/A N/A C:\windows\PLSJD.exe N/A
N/A N/A C:\windows\SysWOW64\EAF.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\system\OBDFK.exe N/A
N/A N/A C:\windows\system\ZUTQT.exe N/A
N/A N/A C:\windows\system\TFIWM.exe N/A
N/A N/A C:\windows\SQSM.exe N/A
N/A N/A C:\windows\SysWOW64\YLEF.exe N/A
N/A N/A C:\windows\SysWOW64\GRJL.exe N/A
N/A N/A C:\windows\AHGFE.exe N/A
N/A N/A C:\windows\SysWOW64\CFLZ.exe N/A
N/A N/A C:\windows\JYBIE.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\GTBGWLG.exe N/A
N/A N/A C:\windows\SysWOW64\NOMHKZO.exe N/A
N/A N/A C:\windows\NMU.exe N/A
N/A N/A C:\windows\CIYJS.exe N/A
N/A N/A C:\windows\system\NQRJNK.exe N/A
N/A N/A C:\windows\system\YII.exe N/A
N/A N/A C:\windows\CYPIE.exe N/A
N/A N/A C:\windows\IUBJSTW.exe N/A
N/A N/A C:\windows\system\AMKJ.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\system\BVT.exe N/A
N/A N/A C:\windows\SysWOW64\JTN.exe N/A
N/A N/A C:\windows\SysWOW64\CORQL.exe N/A
N/A N/A C:\windows\system\BWRO.exe N/A
N/A N/A C:\windows\SysWOW64\IRDPM.exe N/A
N/A N/A C:\windows\system\PXKKSDQ.exe N/A
N/A N/A C:\windows\system\NQZSB.exe N/A
N/A N/A C:\windows\SysWOW64\XONMRLN.exe N/A
N/A N/A C:\windows\SysWOW64\RBYCXYC.exe N/A
N/A N/A C:\windows\system\RWCG.exe N/A
N/A N/A C:\windows\SZSCZY.exe N/A
N/A N/A C:\windows\SysWOW64\ANFJCW.exe N/A
N/A N/A C:\windows\system\BDNSMHS.exe N/A
N/A N/A C:\windows\SysWOW64\JQRYXFN.exe N/A
N/A N/A C:\windows\SysWOW64\RWEFHL.exe N/A
N/A N/A C:\windows\EBQJ.exe N/A
N/A N/A C:\windows\system\FEUMYZ.exe N/A
N/A N/A C:\windows\system\PCUZ.exe N/A
N/A N/A C:\windows\system\XIZG.exe N/A
N/A N/A C:\windows\LOHRBKB.exe N/A
N/A N/A C:\windows\SysWOW64\NBQ.exe N/A
N/A N/A C:\windows\SysWOW64\LRD.exe N/A
N/A N/A C:\windows\YXLWMOI.exe N/A
N/A N/A C:\windows\system\JPTHVPQ.exe N/A
N/A N/A C:\windows\system\HFGZ.exe N/A
N/A N/A C:\windows\system\PTTF.exe N/A
N/A N/A C:\windows\SysWOW64\EBUXUQQ.exe N/A
N/A N/A C:\windows\PBJIE.exe N/A
N/A N/A C:\windows\NRXZUYN.exe N/A
N/A N/A C:\windows\GUAD.exe N/A
N/A N/A C:\windows\GKIMJY.exe N/A
N/A N/A C:\windows\system\LQTBZU.exe N/A
N/A N/A C:\windows\system\MOAKCEQ.exe N/A
N/A N/A C:\windows\SysWOW64\OLOWJMZ.exe N/A
N/A N/A C:\windows\system\AOZKSZU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\SysWOW64\ZSFT.exe C:\windows\system\XJXWF.exe N/A
File created C:\windows\SysWOW64\HMSWMS.exe C:\windows\ZYNPBT.exe N/A
File created C:\windows\SysWOW64\EAF.exe.bat C:\windows\PLSJD.exe N/A
File created C:\windows\SysWOW64\YLEF.exe C:\windows\SQSM.exe N/A
File created C:\windows\SysWOW64\RNZO.exe C:\windows\system\AMKJ.exe N/A
File opened for modification C:\windows\SysWOW64\OLOWJMZ.exe C:\windows\system\MOAKCEQ.exe N/A
File opened for modification C:\windows\SysWOW64\XZHWEY.exe C:\windows\SysWOW64\LJOW.exe N/A
File opened for modification C:\windows\SysWOW64\HLL.exe C:\windows\system\ECLOCB.exe N/A
File opened for modification C:\windows\SysWOW64\VUUP.exe C:\windows\SysWOW64\NTMVCPM.exe N/A
File opened for modification C:\windows\SysWOW64\NBQ.exe C:\windows\LOHRBKB.exe N/A
File created C:\windows\SysWOW64\ALB.exe.bat C:\windows\system\WGIHN.exe N/A
File created C:\windows\SysWOW64\HMSWMS.exe.bat C:\windows\ZYNPBT.exe N/A
File created C:\windows\SysWOW64\YPV.exe C:\windows\SysWOW64\EWG.exe N/A
File created C:\windows\SysWOW64\NOMHKZO.exe.bat C:\windows\GTBGWLG.exe N/A
File created C:\windows\SysWOW64\EGTAAQ.exe.bat C:\windows\UIN.exe N/A
File created C:\windows\SysWOW64\ALB.exe C:\windows\system\WGIHN.exe N/A
File opened for modification C:\windows\SysWOW64\CWIM.exe C:\windows\SysWOW64\HMSWMS.exe N/A
File created C:\windows\SysWOW64\XOV.exe.bat C:\windows\system\AOUVIEU.exe N/A
File created C:\windows\SysWOW64\ANFJCW.exe C:\windows\SZSCZY.exe N/A
File created C:\windows\SysWOW64\RZHISS.exe.bat C:\windows\system\IRF.exe N/A
File created C:\windows\SysWOW64\SIY.exe.bat C:\windows\ZFUPCR.exe N/A
File opened for modification C:\windows\SysWOW64\DRWIAO.exe C:\windows\ZAHI.exe N/A
File created C:\windows\SysWOW64\SUDD.exe.bat C:\windows\system\DECMQX.exe N/A
File created C:\windows\SysWOW64\LRD.exe.bat C:\windows\SysWOW64\NBQ.exe N/A
File created C:\windows\SysWOW64\JNLYPEJ.exe.bat C:\windows\system\OSGPF.exe N/A
File opened for modification C:\windows\SysWOW64\CYLLZV.exe C:\windows\SysWOW64\WDHS.exe N/A
File opened for modification C:\windows\SysWOW64\OSWI.exe C:\windows\SysWOW64\UFRZBBD.exe N/A
File created C:\windows\SysWOW64\HLL.exe.bat C:\windows\system\ECLOCB.exe N/A
File created C:\windows\SysWOW64\VUUP.exe.bat C:\windows\SysWOW64\NTMVCPM.exe N/A
File opened for modification C:\windows\SysWOW64\EAF.exe C:\windows\PLSJD.exe N/A
File opened for modification C:\windows\SysWOW64\RBYCXYC.exe C:\windows\SysWOW64\XONMRLN.exe N/A
File created C:\windows\SysWOW64\ANCZSFR.exe C:\windows\SysWOW64\SIY.exe N/A
File created C:\windows\SysWOW64\ANCZSFR.exe.bat C:\windows\SysWOW64\SIY.exe N/A
File opened for modification C:\windows\SysWOW64\CORQL.exe C:\windows\SysWOW64\JTN.exe N/A
File created C:\windows\SysWOW64\KYWPYFU.exe.bat C:\windows\system\XVAJTN.exe N/A
File opened for modification C:\windows\SysWOW64\UFRZBBD.exe C:\windows\GHRN.exe N/A
File created C:\windows\SysWOW64\OSWI.exe.bat C:\windows\SysWOW64\UFRZBBD.exe N/A
File created C:\windows\SysWOW64\RCNPDGV.exe.bat C:\windows\FZC.exe N/A
File created C:\windows\SysWOW64\NTMVCPM.exe C:\windows\VLXYQYR.exe N/A
File created C:\windows\SysWOW64\JQRYXFN.exe C:\windows\system\BDNSMHS.exe N/A
File created C:\windows\SysWOW64\EBUXUQQ.exe C:\windows\system\PTTF.exe N/A
File opened for modification C:\windows\SysWOW64\PXXHW.exe C:\windows\SysWOW64\YPV.exe N/A
File created C:\windows\SysWOW64\LJOW.exe.bat C:\windows\FOC.exe N/A
File created C:\windows\SysWOW64\IKAXFN.exe C:\windows\SysWOW64\BUZ.exe N/A
File created C:\windows\SysWOW64\HLL.exe C:\windows\system\ECLOCB.exe N/A
File opened for modification C:\windows\SysWOW64\LJOW.exe C:\windows\FOC.exe N/A
File created C:\windows\SysWOW64\ZSFT.exe C:\windows\system\XJXWF.exe N/A
File created C:\windows\SysWOW64\CFLZ.exe.bat C:\windows\AHGFE.exe N/A
File created C:\windows\SysWOW64\BUZ.exe.bat C:\windows\SysWOW64\THN.exe N/A
File created C:\windows\SysWOW64\DRWIAO.exe.bat C:\windows\ZAHI.exe N/A
File opened for modification C:\windows\SysWOW64\PTXSJF.exe C:\windows\YIUCAZJ.exe N/A
File created C:\windows\SysWOW64\XOV.exe C:\windows\system\AOUVIEU.exe N/A
File created C:\windows\SysWOW64\CFLZ.exe C:\windows\AHGFE.exe N/A
File created C:\windows\SysWOW64\NBQ.exe C:\windows\LOHRBKB.exe N/A
File created C:\windows\SysWOW64\UFRZBBD.exe.bat C:\windows\GHRN.exe N/A
File created C:\windows\SysWOW64\WDHS.exe C:\windows\system\QIWRN.exe N/A
File created C:\windows\SysWOW64\CYLLZV.exe C:\windows\SysWOW64\WDHS.exe N/A
File created C:\windows\SysWOW64\NKNGATG.exe.bat C:\windows\QUZWSEY.exe N/A
File created C:\windows\SysWOW64\RNZO.exe.bat C:\windows\system\AMKJ.exe N/A
File created C:\windows\SysWOW64\ZSFT.exe.bat C:\windows\system\XJXWF.exe N/A
File opened for modification C:\windows\SysWOW64\ANCZSFR.exe C:\windows\SysWOW64\SIY.exe N/A
File opened for modification C:\windows\SysWOW64\SUDD.exe C:\windows\system\DECMQX.exe N/A
File opened for modification C:\windows\SysWOW64\NKNGATG.exe C:\windows\QUZWSEY.exe N/A
File opened for modification C:\windows\SysWOW64\THN.exe C:\windows\CGLMKWX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\system\FEUMYZ.exe.bat C:\windows\EBQJ.exe N/A
File created C:\windows\LYRHRGZ.exe.bat C:\windows\SysWOW64\IKAXFN.exe N/A
File opened for modification C:\windows\PLSJD.exe C:\windows\OUKA.exe N/A
File created C:\windows\EBQJ.exe C:\windows\SysWOW64\RWEFHL.exe N/A
File opened for modification C:\windows\PBJIE.exe C:\windows\SysWOW64\EBUXUQQ.exe N/A
File created C:\windows\system\KMDA.exe C:\windows\YYWCZ.exe N/A
File created C:\windows\WTPTMQ.exe.bat C:\windows\SysWOW64\NKNGATG.exe N/A
File created C:\windows\PLSJD.exe.bat C:\windows\OUKA.exe N/A
File created C:\windows\system\ZUTQT.exe C:\windows\system\OBDFK.exe N/A
File opened for modification C:\windows\system\JPTHVPQ.exe C:\windows\YXLWMOI.exe N/A
File created C:\windows\system\PTTF.exe C:\windows\system\HFGZ.exe N/A
File created C:\windows\QUZWSEY.exe C:\windows\SysWOW64\ZEALHSJ.exe N/A
File created C:\windows\system\TFIWM.exe.bat C:\windows\system\ZUTQT.exe N/A
File created C:\windows\CIYJS.exe.bat C:\windows\NMU.exe N/A
File created C:\windows\DMGXJB.exe C:\windows\SysWOW64\XZHWEY.exe N/A
File created C:\windows\BPT.exe.bat C:\windows\SysWOW64\ZSFT.exe N/A
File opened for modification C:\windows\INST.exe C:\windows\system\WKIFQPT.exe N/A
File created C:\windows\system\SWZEK.exe.bat C:\windows\system\MBVD.exe N/A
File created C:\windows\system\IXGTVE.exe C:\windows\system\PKVD.exe N/A
File created C:\windows\system\NQZSB.exe.bat C:\windows\system\PXKKSDQ.exe N/A
File created C:\windows\PBJIE.exe C:\windows\SysWOW64\EBUXUQQ.exe N/A
File opened for modification C:\windows\NRXZUYN.exe C:\windows\PBJIE.exe N/A
File created C:\windows\system\RXFP.exe C:\windows\system\AOZKSZU.exe N/A
File opened for modification C:\windows\ROKXHV.exe C:\windows\CXJX.exe N/A
File opened for modification C:\windows\system\XGFRU.exe C:\windows\PBSLK.exe N/A
File opened for modification C:\windows\QUZWSEY.exe C:\windows\SysWOW64\ZEALHSJ.exe N/A
File opened for modification C:\windows\system\DECMQX.exe C:\windows\system\ELN.exe N/A
File opened for modification C:\windows\system\ECLOCB.exe C:\windows\BMWO.exe N/A
File created C:\windows\system\YII.exe.bat C:\windows\system\NQRJNK.exe N/A
File created C:\windows\NRXZUYN.exe C:\windows\PBJIE.exe N/A
File created C:\windows\system\WKIFQPT.exe C:\windows\SysWOW64\JAZP.exe N/A
File opened for modification C:\windows\system\IFDTBDQ.exe C:\windows\KFVF.exe N/A
File created C:\windows\system\XGFRU.exe.bat C:\windows\PBSLK.exe N/A
File created C:\windows\CNQYXT.exe.bat C:\windows\SysWOW64\UADSUM.exe N/A
File created C:\windows\system\HFGZ.exe C:\windows\system\JPTHVPQ.exe N/A
File created C:\windows\ROKXHV.exe.bat C:\windows\CXJX.exe N/A
File created C:\windows\system\ECLOCB.exe.bat C:\windows\BMWO.exe N/A
File opened for modification C:\windows\CNQYXT.exe C:\windows\SysWOW64\UADSUM.exe N/A
File opened for modification C:\windows\HEX.exe C:\windows\ROKXHV.exe N/A
File opened for modification C:\windows\KMYSKT.exe C:\windows\SysWOW64\CYLLZV.exe N/A
File opened for modification C:\windows\WTTR.exe C:\windows\system\UGC.exe N/A
File created C:\windows\system\XIZG.exe.bat C:\windows\system\PCUZ.exe N/A
File created C:\windows\CXJX.exe C:\windows\BUTBUY.exe N/A
File created C:\windows\ZYNPBT.exe.bat C:\windows\SysWOW64\ANCZSFR.exe N/A
File opened for modification C:\windows\YIUCAZJ.exe C:\windows\SysWOW64\JNLYPEJ.exe N/A
File created C:\windows\system\OBDFK.exe C:\windows\RMQO.exe N/A
File opened for modification C:\windows\system\LQTBZU.exe C:\windows\GKIMJY.exe N/A
File created C:\windows\CGLMKWX.exe.bat C:\windows\SysWOW64\KYWPYFU.exe N/A
File created C:\windows\system\KAQIGS.exe C:\windows\system\IXGTVE.exe N/A
File opened for modification C:\windows\RMQO.exe C:\windows\SysWOW64\EAF.exe N/A
File opened for modification C:\windows\SIHOXFY.exe C:\windows\SFRSIW.exe N/A
File opened for modification C:\windows\system\LXUFKVO.exe C:\windows\system\OXXC.exe N/A
File opened for modification C:\windows\CGLMKWX.exe C:\windows\SysWOW64\KYWPYFU.exe N/A
File opened for modification C:\windows\system\KAQIGS.exe C:\windows\system\IXGTVE.exe N/A
File created C:\windows\SQSM.exe.bat C:\windows\system\TFIWM.exe N/A
File created C:\windows\system\FEUMYZ.exe C:\windows\EBQJ.exe N/A
File opened for modification C:\windows\system\PCUZ.exe C:\windows\system\FEUMYZ.exe N/A
File created C:\windows\system\EDCP.exe.bat C:\windows\BPT.exe N/A
File created C:\windows\ZYNPBT.exe C:\windows\SysWOW64\ANCZSFR.exe N/A
File created C:\windows\system\AOZKSZU.exe C:\windows\SysWOW64\OLOWJMZ.exe N/A
File opened for modification C:\windows\VLXYQYR.exe C:\windows\CNQYXT.exe N/A
File created C:\windows\OUKA.exe.bat C:\windows\SysWOW64\VUUP.exe N/A
File opened for modification C:\windows\system\NQZSB.exe C:\windows\system\PXKKSDQ.exe N/A
File created C:\windows\system\XIZG.exe C:\windows\system\PCUZ.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UADSUM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CNQYXT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VLXYQYR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NTMVCPM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\VUUP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\OUKA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\PLSJD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\EAF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\RMQO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\OBDFK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\ZUTQT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\TFIWM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SQSM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\YLEF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\GRJL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\DRS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\AHGFE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\CFLZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JYBIE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EGJELZR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GTBGWLG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NOMHKZO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NMU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CIYJS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NQRJNK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\YII.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CYPIE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IUBJSTW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\AMKJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RNZO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BVT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JTN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\CORQL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BWRO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\IRDPM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PXKKSDQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NQZSB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\XONMRLN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RBYCXYC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\RWCG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SZSCZY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ANFJCW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BDNSMHS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JQRYXFN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RWEFHL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\EBQJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FEUMYZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PCUZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\XIZG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LOHRBKB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NBQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LRD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YXLWMOI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\JPTHVPQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\HFGZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PTTF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\EBUXUQQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\PBJIE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NRXZUYN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GUAD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GKIMJY.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\LQTBZU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\MOAKCEQ.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\UADSUM.exe N/A
N/A N/A C:\windows\SysWOW64\UADSUM.exe N/A
N/A N/A C:\windows\CNQYXT.exe N/A
N/A N/A C:\windows\CNQYXT.exe N/A
N/A N/A C:\windows\VLXYQYR.exe N/A
N/A N/A C:\windows\VLXYQYR.exe N/A
N/A N/A C:\windows\SysWOW64\NTMVCPM.exe N/A
N/A N/A C:\windows\SysWOW64\NTMVCPM.exe N/A
N/A N/A C:\windows\SysWOW64\VUUP.exe N/A
N/A N/A C:\windows\SysWOW64\VUUP.exe N/A
N/A N/A C:\windows\OUKA.exe N/A
N/A N/A C:\windows\OUKA.exe N/A
N/A N/A C:\windows\PLSJD.exe N/A
N/A N/A C:\windows\PLSJD.exe N/A
N/A N/A C:\windows\SysWOW64\EAF.exe N/A
N/A N/A C:\windows\SysWOW64\EAF.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\system\OBDFK.exe N/A
N/A N/A C:\windows\system\OBDFK.exe N/A
N/A N/A C:\windows\system\ZUTQT.exe N/A
N/A N/A C:\windows\system\ZUTQT.exe N/A
N/A N/A C:\windows\system\TFIWM.exe N/A
N/A N/A C:\windows\system\TFIWM.exe N/A
N/A N/A C:\windows\SQSM.exe N/A
N/A N/A C:\windows\SQSM.exe N/A
N/A N/A C:\windows\SysWOW64\YLEF.exe N/A
N/A N/A C:\windows\SysWOW64\YLEF.exe N/A
N/A N/A C:\windows\DRS.exe N/A
N/A N/A C:\windows\DRS.exe N/A
N/A N/A C:\windows\AHGFE.exe N/A
N/A N/A C:\windows\AHGFE.exe N/A
N/A N/A C:\windows\SysWOW64\CFLZ.exe N/A
N/A N/A C:\windows\SysWOW64\CFLZ.exe N/A
N/A N/A C:\windows\JYBIE.exe N/A
N/A N/A C:\windows\JYBIE.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\GTBGWLG.exe N/A
N/A N/A C:\windows\GTBGWLG.exe N/A
N/A N/A C:\windows\SysWOW64\NOMHKZO.exe N/A
N/A N/A C:\windows\SysWOW64\NOMHKZO.exe N/A
N/A N/A C:\windows\NMU.exe N/A
N/A N/A C:\windows\NMU.exe N/A
N/A N/A C:\windows\CIYJS.exe N/A
N/A N/A C:\windows\CIYJS.exe N/A
N/A N/A C:\windows\system\NQRJNK.exe N/A
N/A N/A C:\windows\system\NQRJNK.exe N/A
N/A N/A C:\windows\system\YII.exe N/A
N/A N/A C:\windows\system\YII.exe N/A
N/A N/A C:\windows\CYPIE.exe N/A
N/A N/A C:\windows\CYPIE.exe N/A
N/A N/A C:\windows\IUBJSTW.exe N/A
N/A N/A C:\windows\IUBJSTW.exe N/A
N/A N/A C:\windows\system\AMKJ.exe N/A
N/A N/A C:\windows\system\AMKJ.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\system\BVT.exe N/A
N/A N/A C:\windows\system\BVT.exe N/A
N/A N/A C:\windows\SysWOW64\JTN.exe N/A
N/A N/A C:\windows\SysWOW64\JTN.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe N/A
N/A N/A C:\windows\SysWOW64\UADSUM.exe N/A
N/A N/A C:\windows\SysWOW64\UADSUM.exe N/A
N/A N/A C:\windows\CNQYXT.exe N/A
N/A N/A C:\windows\CNQYXT.exe N/A
N/A N/A C:\windows\VLXYQYR.exe N/A
N/A N/A C:\windows\VLXYQYR.exe N/A
N/A N/A C:\windows\SysWOW64\NTMVCPM.exe N/A
N/A N/A C:\windows\SysWOW64\NTMVCPM.exe N/A
N/A N/A C:\windows\SysWOW64\VUUP.exe N/A
N/A N/A C:\windows\SysWOW64\VUUP.exe N/A
N/A N/A C:\windows\OUKA.exe N/A
N/A N/A C:\windows\OUKA.exe N/A
N/A N/A C:\windows\PLSJD.exe N/A
N/A N/A C:\windows\PLSJD.exe N/A
N/A N/A C:\windows\SysWOW64\EAF.exe N/A
N/A N/A C:\windows\SysWOW64\EAF.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\RMQO.exe N/A
N/A N/A C:\windows\system\OBDFK.exe N/A
N/A N/A C:\windows\system\OBDFK.exe N/A
N/A N/A C:\windows\system\ZUTQT.exe N/A
N/A N/A C:\windows\system\ZUTQT.exe N/A
N/A N/A C:\windows\system\TFIWM.exe N/A
N/A N/A C:\windows\system\TFIWM.exe N/A
N/A N/A C:\windows\SQSM.exe N/A
N/A N/A C:\windows\SQSM.exe N/A
N/A N/A C:\windows\SysWOW64\YLEF.exe N/A
N/A N/A C:\windows\SysWOW64\YLEF.exe N/A
N/A N/A C:\windows\DRS.exe N/A
N/A N/A C:\windows\DRS.exe N/A
N/A N/A C:\windows\AHGFE.exe N/A
N/A N/A C:\windows\AHGFE.exe N/A
N/A N/A C:\windows\SysWOW64\CFLZ.exe N/A
N/A N/A C:\windows\SysWOW64\CFLZ.exe N/A
N/A N/A C:\windows\JYBIE.exe N/A
N/A N/A C:\windows\JYBIE.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\system\EGJELZR.exe N/A
N/A N/A C:\windows\GTBGWLG.exe N/A
N/A N/A C:\windows\GTBGWLG.exe N/A
N/A N/A C:\windows\SysWOW64\NOMHKZO.exe N/A
N/A N/A C:\windows\SysWOW64\NOMHKZO.exe N/A
N/A N/A C:\windows\NMU.exe N/A
N/A N/A C:\windows\NMU.exe N/A
N/A N/A C:\windows\CIYJS.exe N/A
N/A N/A C:\windows\CIYJS.exe N/A
N/A N/A C:\windows\system\NQRJNK.exe N/A
N/A N/A C:\windows\system\NQRJNK.exe N/A
N/A N/A C:\windows\system\YII.exe N/A
N/A N/A C:\windows\system\YII.exe N/A
N/A N/A C:\windows\CYPIE.exe N/A
N/A N/A C:\windows\CYPIE.exe N/A
N/A N/A C:\windows\IUBJSTW.exe N/A
N/A N/A C:\windows\IUBJSTW.exe N/A
N/A N/A C:\windows\system\AMKJ.exe N/A
N/A N/A C:\windows\system\AMKJ.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\SysWOW64\RNZO.exe N/A
N/A N/A C:\windows\system\BVT.exe N/A
N/A N/A C:\windows\system\BVT.exe N/A
N/A N/A C:\windows\SysWOW64\JTN.exe N/A
N/A N/A C:\windows\SysWOW64\JTN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4648 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\UADSUM.exe
PID 1080 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\UADSUM.exe
PID 1080 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\UADSUM.exe
PID 3572 wrote to memory of 2896 N/A C:\windows\SysWOW64\UADSUM.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 2896 N/A C:\windows\SysWOW64\UADSUM.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 2896 N/A C:\windows\SysWOW64\UADSUM.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\CNQYXT.exe
PID 2896 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\CNQYXT.exe
PID 2896 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\CNQYXT.exe
PID 3900 wrote to memory of 1040 N/A C:\windows\CNQYXT.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 1040 N/A C:\windows\CNQYXT.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 1040 N/A C:\windows\CNQYXT.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\VLXYQYR.exe
PID 1040 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\VLXYQYR.exe
PID 1040 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\VLXYQYR.exe
PID 2740 wrote to memory of 3892 N/A C:\windows\VLXYQYR.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3892 N/A C:\windows\VLXYQYR.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3892 N/A C:\windows\VLXYQYR.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NTMVCPM.exe
PID 3892 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NTMVCPM.exe
PID 3892 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NTMVCPM.exe
PID 2328 wrote to memory of 5092 N/A C:\windows\SysWOW64\NTMVCPM.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 5092 N/A C:\windows\SysWOW64\NTMVCPM.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 5092 N/A C:\windows\SysWOW64\NTMVCPM.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VUUP.exe
PID 5092 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VUUP.exe
PID 5092 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VUUP.exe
PID 3668 wrote to memory of 3232 N/A C:\windows\SysWOW64\VUUP.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 3232 N/A C:\windows\SysWOW64\VUUP.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 3232 N/A C:\windows\SysWOW64\VUUP.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OUKA.exe
PID 3232 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OUKA.exe
PID 3232 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\OUKA.exe
PID 4352 wrote to memory of 2220 N/A C:\windows\OUKA.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 2220 N/A C:\windows\OUKA.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 2220 N/A C:\windows\OUKA.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PLSJD.exe
PID 2220 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PLSJD.exe
PID 2220 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PLSJD.exe
PID 4880 wrote to memory of 4020 N/A C:\windows\PLSJD.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4020 N/A C:\windows\PLSJD.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4020 N/A C:\windows\PLSJD.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EAF.exe
PID 4020 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EAF.exe
PID 4020 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EAF.exe
PID 1848 wrote to memory of 1844 N/A C:\windows\SysWOW64\EAF.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1844 N/A C:\windows\SysWOW64\EAF.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1844 N/A C:\windows\SysWOW64\EAF.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\RMQO.exe
PID 1844 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\RMQO.exe
PID 1844 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\RMQO.exe
PID 3568 wrote to memory of 756 N/A C:\windows\RMQO.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 756 N/A C:\windows\RMQO.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 756 N/A C:\windows\RMQO.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\OBDFK.exe
PID 756 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\OBDFK.exe
PID 756 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\OBDFK.exe
PID 2964 wrote to memory of 1884 N/A C:\windows\system\OBDFK.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 1884 N/A C:\windows\system\OBDFK.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 1884 N/A C:\windows\system\OBDFK.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\ZUTQT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UADSUM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4648 -ip 4648

C:\windows\SysWOW64\UADSUM.exe

C:\windows\system32\UADSUM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 948

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CNQYXT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960

C:\windows\CNQYXT.exe

C:\windows\CNQYXT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VLXYQYR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1292

C:\windows\VLXYQYR.exe

C:\windows\VLXYQYR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTMVCPM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1004

C:\windows\SysWOW64\NTMVCPM.exe

C:\windows\system32\NTMVCPM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUUP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2328 -ip 2328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1320

C:\windows\SysWOW64\VUUP.exe

C:\windows\system32\VUUP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OUKA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3668 -ip 3668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1324

C:\windows\OUKA.exe

C:\windows\OUKA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PLSJD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1236

C:\windows\PLSJD.exe

C:\windows\PLSJD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1328

C:\windows\SysWOW64\EAF.exe

C:\windows\system32\EAF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RMQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1292

C:\windows\RMQO.exe

C:\windows\RMQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OBDFK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1280

C:\windows\system\OBDFK.exe

C:\windows\system\OBDFK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUTQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1336

C:\windows\system\ZUTQT.exe

C:\windows\system\ZUTQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFIWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3132 -ip 3132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1276

C:\windows\system\TFIWM.exe

C:\windows\system\TFIWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SQSM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1004

C:\windows\SQSM.exe

C:\windows\SQSM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLEF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 960

C:\windows\SysWOW64\YLEF.exe

C:\windows\system32\YLEF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GRJL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1328

C:\windows\SysWOW64\GRJL.exe

C:\windows\system32\GRJL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DRS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 960

C:\windows\DRS.exe

C:\windows\DRS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AHGFE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2280 -ip 2280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1236

C:\windows\AHGFE.exe

C:\windows\AHGFE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CFLZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1004

C:\windows\SysWOW64\CFLZ.exe

C:\windows\system32\CFLZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JYBIE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1256

C:\windows\JYBIE.exe

C:\windows\JYBIE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1264

C:\windows\system\EGJELZR.exe

C:\windows\system\EGJELZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GTBGWLG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 988

C:\windows\GTBGWLG.exe

C:\windows\GTBGWLG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOMHKZO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3200 -ip 3200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 988

C:\windows\SysWOW64\NOMHKZO.exe

C:\windows\system32\NOMHKZO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NMU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1324

C:\windows\NMU.exe

C:\windows\NMU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4052 -ip 4052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1292

C:\windows\CIYJS.exe

C:\windows\CIYJS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1248

C:\windows\system\NQRJNK.exe

C:\windows\system\NQRJNK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YII.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1304

C:\windows\system\YII.exe

C:\windows\system\YII.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CYPIE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 960

C:\windows\CYPIE.exe

C:\windows\CYPIE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IUBJSTW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960

C:\windows\IUBJSTW.exe

C:\windows\IUBJSTW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMKJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1336

C:\windows\system\AMKJ.exe

C:\windows\system\AMKJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3780 -ip 3780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1328

C:\windows\SysWOW64\RNZO.exe

C:\windows\system32\RNZO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 988

C:\windows\system\BVT.exe

C:\windows\system\BVT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1444 -ip 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1296

C:\windows\SysWOW64\JTN.exe

C:\windows\system32\JTN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CORQL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1328

C:\windows\SysWOW64\CORQL.exe

C:\windows\system32\CORQL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BWRO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1272

C:\windows\system\BWRO.exe

C:\windows\system\BWRO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRDPM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960

C:\windows\SysWOW64\IRDPM.exe

C:\windows\system32\IRDPM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXKKSDQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1176

C:\windows\system\PXKKSDQ.exe

C:\windows\system\PXKKSDQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQZSB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 960

C:\windows\system\NQZSB.exe

C:\windows\system\NQZSB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XONMRLN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 988

C:\windows\SysWOW64\XONMRLN.exe

C:\windows\system32\XONMRLN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBYCXYC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1276

C:\windows\SysWOW64\RBYCXYC.exe

C:\windows\system32\RBYCXYC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1316

C:\windows\system\RWCG.exe

C:\windows\system\RWCG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SZSCZY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 960

C:\windows\SZSCZY.exe

C:\windows\SZSCZY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANFJCW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 960

C:\windows\SysWOW64\ANFJCW.exe

C:\windows\system32\ANFJCW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1248

C:\windows\system\BDNSMHS.exe

C:\windows\system\BDNSMHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQRYXFN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1864 -ip 1864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1248

C:\windows\SysWOW64\JQRYXFN.exe

C:\windows\system32\JQRYXFN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWEFHL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1292

C:\windows\SysWOW64\RWEFHL.exe

C:\windows\system32\RWEFHL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2132 -ip 2132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1304

C:\windows\EBQJ.exe

C:\windows\EBQJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1336

C:\windows\system\FEUMYZ.exe

C:\windows\system\FEUMYZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCUZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1004

C:\windows\system\PCUZ.exe

C:\windows\system\PCUZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIZG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1336

C:\windows\system\XIZG.exe

C:\windows\system\XIZG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LOHRBKB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960

C:\windows\LOHRBKB.exe

C:\windows\LOHRBKB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 960

C:\windows\SysWOW64\NBQ.exe

C:\windows\system32\NBQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 960

C:\windows\SysWOW64\LRD.exe

C:\windows\system32\LRD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YXLWMOI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1304

C:\windows\YXLWMOI.exe

C:\windows\YXLWMOI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 988

C:\windows\system\JPTHVPQ.exe

C:\windows\system\JPTHVPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HFGZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3320 -ip 3320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 988

C:\windows\system\HFGZ.exe

C:\windows\system\HFGZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTTF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1304

C:\windows\system\PTTF.exe

C:\windows\system\PTTF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBUXUQQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1328

C:\windows\SysWOW64\EBUXUQQ.exe

C:\windows\system32\EBUXUQQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PBJIE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1324

C:\windows\PBJIE.exe

C:\windows\PBJIE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NRXZUYN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1324

C:\windows\NRXZUYN.exe

C:\windows\NRXZUYN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GUAD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 532 -ip 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 988

C:\windows\GUAD.exe

C:\windows\GUAD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 976

C:\windows\GKIMJY.exe

C:\windows\GKIMJY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1336

C:\windows\system\LQTBZU.exe

C:\windows\system\LQTBZU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1316

C:\windows\system\MOAKCEQ.exe

C:\windows\system\MOAKCEQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLOWJMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1328

C:\windows\SysWOW64\OLOWJMZ.exe

C:\windows\system32\OLOWJMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOZKSZU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 976

C:\windows\system\AOZKSZU.exe

C:\windows\system\AOZKSZU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 960

C:\windows\system\RXFP.exe

C:\windows\system\RXFP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BUTBUY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1324

C:\windows\BUTBUY.exe

C:\windows\BUTBUY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CXJX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 112 -ip 112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1324

C:\windows\CXJX.exe

C:\windows\CXJX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ROKXHV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2024 -ip 2024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 988

C:\windows\ROKXHV.exe

C:\windows\ROKXHV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HEX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960

C:\windows\HEX.exe

C:\windows\HEX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YMM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 988

C:\windows\system\YMM.exe

C:\windows\system\YMM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 960

C:\windows\VENOOXQ.exe

C:\windows\VENOOXQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAZP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1308

C:\windows\SysWOW64\JAZP.exe

C:\windows\system32\JAZP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1304

C:\windows\system\WKIFQPT.exe

C:\windows\system\WKIFQPT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\INST.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1324

C:\windows\INST.exe

C:\windows\INST.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1316

C:\windows\FOC.exe

C:\windows\FOC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2808 -ip 2808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1272

C:\windows\SysWOW64\LJOW.exe

C:\windows\system32\LJOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZHWEY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1272

C:\windows\SysWOW64\XZHWEY.exe

C:\windows\system32\XZHWEY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DMGXJB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1960 -ip 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1236

C:\windows\DMGXJB.exe

C:\windows\DMGXJB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KFVF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1324

C:\windows\KFVF.exe

C:\windows\KFVF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IFDTBDQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 960

C:\windows\system\IFDTBDQ.exe

C:\windows\system\IFDTBDQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\UIN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 872

C:\windows\UIN.exe

C:\windows\UIN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGTAAQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1328

C:\windows\SysWOW64\EGTAAQ.exe

C:\windows\system32\EGTAAQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJXWF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1608 -ip 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 872

C:\windows\system\XJXWF.exe

C:\windows\system\XJXWF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSFT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3200 -ip 3200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1300

C:\windows\SysWOW64\ZSFT.exe

C:\windows\system32\ZSFT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 960

C:\windows\BPT.exe

C:\windows\BPT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDCP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2720 -ip 2720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1272

C:\windows\system\EDCP.exe

C:\windows\system\EDCP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WGIHN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 960

C:\windows\system\WGIHN.exe

C:\windows\system\WGIHN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 988

C:\windows\SysWOW64\ALB.exe

C:\windows\system32\ALB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IRF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1336

C:\windows\system\IRF.exe

C:\windows\system\IRF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZHISS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 960

C:\windows\SysWOW64\RZHISS.exe

C:\windows\system32\RZHISS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 960

C:\windows\ZFUPCR.exe

C:\windows\ZFUPCR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 960

C:\windows\SysWOW64\SIY.exe

C:\windows\system32\SIY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANCZSFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1912 -ip 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1240

C:\windows\SysWOW64\ANCZSFR.exe

C:\windows\system32\ANCZSFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZYNPBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1324

C:\windows\ZYNPBT.exe

C:\windows\ZYNPBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HMSWMS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 960

C:\windows\SysWOW64\HMSWMS.exe

C:\windows\system32\HMSWMS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWIM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1240 -ip 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 960

C:\windows\SysWOW64\CWIM.exe

C:\windows\system32\CWIM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EMO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2172 -ip 2172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 960

C:\windows\system\EMO.exe

C:\windows\system\EMO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SSOSJOO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 752 -ip 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 988

C:\windows\SSOSJOO.exe

C:\windows\SSOSJOO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\JACXWFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1248

C:\windows\system\JACXWFR.exe

C:\windows\system\JACXWFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVAJTN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1336

C:\windows\system\XVAJTN.exe

C:\windows\system\XVAJTN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYWPYFU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1328

C:\windows\SysWOW64\KYWPYFU.exe

C:\windows\system32\KYWPYFU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CGLMKWX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3108 -ip 3108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 960

C:\windows\CGLMKWX.exe

C:\windows\CGLMKWX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1260

C:\windows\SysWOW64\THN.exe

C:\windows\system32\THN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4296 -ip 4296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1296

C:\windows\SysWOW64\BUZ.exe

C:\windows\system32\BUZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKAXFN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1256

C:\windows\SysWOW64\IKAXFN.exe

C:\windows\system32\IKAXFN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LYRHRGZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 960

C:\windows\LYRHRGZ.exe

C:\windows\LYRHRGZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MBVD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1884 -ip 1884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1336

C:\windows\system\MBVD.exe

C:\windows\system\MBVD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SWZEK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1316

C:\windows\system\SWZEK.exe

C:\windows\system\SWZEK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WEN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1252

C:\windows\WEN.exe

C:\windows\WEN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEPGAHO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1316

C:\windows\system\SEPGAHO.exe

C:\windows\system\SEPGAHO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKVD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 984 -ip 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1312

C:\windows\system\PKVD.exe

C:\windows\system\PKVD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXGTVE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2220 -ip 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 960

C:\windows\system\IXGTVE.exe

C:\windows\system\IXGTVE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAQIGS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1316

C:\windows\system\KAQIGS.exe

C:\windows\system\KAQIGS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PBSLK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 988

C:\windows\PBSLK.exe

C:\windows\PBSLK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGFRU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 988

C:\windows\system\XGFRU.exe

C:\windows\system\XGFRU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EWG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1296

C:\windows\SysWOW64\EWG.exe

C:\windows\system32\EWG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YPV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 988

C:\windows\SysWOW64\YPV.exe

C:\windows\system32\YPV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXHW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2792 -ip 2792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1264

C:\windows\SysWOW64\PXXHW.exe

C:\windows\system32\PXXHW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KKGIH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 988

C:\windows\KKGIH.exe

C:\windows\KKGIH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZAHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1772 -ip 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 960

C:\windows\ZAHI.exe

C:\windows\ZAHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRWIAO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1328

C:\windows\SysWOW64\DRWIAO.exe

C:\windows\system32\DRWIAO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOIM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1336

C:\windows\system\YOIM.exe

C:\windows\system\YOIM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GHRN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1756 -ip 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 872

C:\windows\GHRN.exe

C:\windows\GHRN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFRZBBD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1300

C:\windows\SysWOW64\UFRZBBD.exe

C:\windows\system32\UFRZBBD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSWI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1328

C:\windows\SysWOW64\OSWI.exe

C:\windows\system32\OSWI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RNNSX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1324

C:\windows\RNNSX.exe

C:\windows\RNNSX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2956 -ip 2956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1336

C:\windows\system\ELN.exe

C:\windows\system\ELN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 960

C:\windows\system\DECMQX.exe

C:\windows\system\DECMQX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUDD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1296

C:\windows\SysWOW64\SUDD.exe

C:\windows\system32\SUDD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZEALHSJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2676 -ip 2676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 960

C:\windows\SysWOW64\ZEALHSJ.exe

C:\windows\system32\ZEALHSJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QUZWSEY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1304

C:\windows\QUZWSEY.exe

C:\windows\QUZWSEY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NKNGATG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1316

C:\windows\SysWOW64\NKNGATG.exe

C:\windows\system32\NKNGATG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WTPTMQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 960

C:\windows\WTPTMQ.exe

C:\windows\WTPTMQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZBXHL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 988

C:\windows\system\ZBXHL.exe

C:\windows\system\ZBXHL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RJMNXBH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1292

C:\windows\RJMNXBH.exe

C:\windows\RJMNXBH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PUPD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1184

C:\windows\system\PUPD.exe

C:\windows\system\PUPD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BMWO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 532 -ip 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 872

C:\windows\BMWO.exe

C:\windows\BMWO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ECLOCB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 888

C:\windows\system\ECLOCB.exe

C:\windows\system\ECLOCB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1256

C:\windows\SysWOW64\HLL.exe

C:\windows\system32\HLL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YYWCZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 960

C:\windows\YYWCZ.exe

C:\windows\YYWCZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMDA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1336

C:\windows\system\KMDA.exe

C:\windows\system\KMDA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LGTWS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2676 -ip 2676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1324

C:\windows\LGTWS.exe

C:\windows\LGTWS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1316

C:\windows\system\CPV.exe

C:\windows\system\CPV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OSGPF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1316

C:\windows\system\OSGPF.exe

C:\windows\system\OSGPF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNLYPEJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 988

C:\windows\SysWOW64\JNLYPEJ.exe

C:\windows\system32\JNLYPEJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YIUCAZJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4536 -ip 4536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1008

C:\windows\YIUCAZJ.exe

C:\windows\YIUCAZJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PTXSJF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 988

C:\windows\SysWOW64\PTXSJF.exe

C:\windows\system32\PTXSJF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILMDAGO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 960

C:\windows\system\ILMDAGO.exe

C:\windows\system\ILMDAGO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SJSYHO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1324

C:\windows\SJSYHO.exe

C:\windows\SJSYHO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEDRND.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4452 -ip 4452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1328

C:\windows\SysWOW64\YEDRND.exe

C:\windows\system32\YEDRND.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFNBZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 884

C:\windows\SysWOW64\VFNBZ.exe

C:\windows\system32\VFNBZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIWRN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1264

C:\windows\system\QIWRN.exe

C:\windows\system\QIWRN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WDHS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2736 -ip 2736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 960

C:\windows\SysWOW64\WDHS.exe

C:\windows\system32\WDHS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYLLZV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2676 -ip 2676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1328

C:\windows\SysWOW64\CYLLZV.exe

C:\windows\system32\CYLLZV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KMYSKT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1324

C:\windows\KMYSKT.exe

C:\windows\KMYSKT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FZC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2396 -ip 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1296

C:\windows\FZC.exe

C:\windows\FZC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCNPDGV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1444 -ip 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 960

C:\windows\SysWOW64\RCNPDGV.exe

C:\windows\system32\RCNPDGV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SFRSIW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1332

C:\windows\SFRSIW.exe

C:\windows\SFRSIW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SIHOXFY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 960

C:\windows\SIHOXFY.exe

C:\windows\SIHOXFY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOUVIEU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 988

C:\windows\system\AOUVIEU.exe

C:\windows\system\AOUVIEU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XOV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2560 -ip 2560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1304

C:\windows\SysWOW64\XOV.exe

C:\windows\system32\XOV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXXC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1248

C:\windows\system\OXXC.exe

C:\windows\system\OXXC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXUFKVO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1272

C:\windows\system\LXUFKVO.exe

C:\windows\system\LXUFKVO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VNZRRD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 988

C:\windows\VNZRRD.exe

C:\windows\VNZRRD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960

C:\windows\system\UGC.exe

C:\windows\system\UGC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WTTR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1004

C:\windows\WTTR.exe

C:\windows\WTTR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYTFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1328

C:\windows\SysWOW64\WYTFV.exe

C:\windows\system32\WYTFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GEM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2172 -ip 2172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1336

C:\windows\system\GEM.exe

C:\windows\system\GEM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/4648-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\UADSUM.exe.bat

MD5 9236e9f85bbe128a6556b9850ca0d11d
SHA1 2988fe6c6235cf47d9c8cf2b0b8de0dda5858cfc
SHA256 93a27d5c2829c9966307031d7d10e0a9f22118b98f626c798da406450e02c36c
SHA512 3788969254ac26ec3b5ec41292ad9a796cbe7ee1ee4de7dc2867dfc88a6cfc8d405404237de6648192c54283cf3187c4ca76adbb525597abd6dd23b64ed84f45

C:\Windows\SysWOW64\UADSUM.exe

MD5 4dc9d305b41895b16db44f462d73d3a0
SHA1 9f873d04447c5d4dbade34fcb9efeb530f52c8a3
SHA256 27da19dd3b8b299df5928bfc2dd7674234a8644fa865ea01bac48f5cd3232871
SHA512 4dcce55cdd007121aacee8b0393da7fe5f3fcf313f0107ae5a15c8013d4cd165d160872fffd5615948270bed57d0b52e2eab4139e2ff5ad61c31f902e0c95e67

memory/3572-11-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\CNQYXT.exe

MD5 4f78ae9bd028386a8dfc359c9833aea5
SHA1 cc68f68bf8f95ae62288c6f6fe19ab3c2040c2f0
SHA256 7de31126578c88412f5f91fd4e93320069280d8c3d2074c2d998c7651fabc45b
SHA512 98202c1e707f53e6e30adc012552923a9d2f6323ab42d4940f6282d69f32bdbc9e3c276d0ba4b4f05c4e91ae3fe0e791df3ddd303418eb4b9e69e73a684bf7d7

C:\windows\CNQYXT.exe.bat

MD5 bd4b5546daf59f3e9f2519243d46e379
SHA1 6e1cf4dbbfaa56867f4dba9e0c7547911228236b
SHA256 753fae491e32f1658d72e41882a4b171a21bb2fe3ab271af9d35897bd7fd0fe1
SHA512 0a6ea06e5fce33c9939069d862f58be1b31434b81ba696691e514813fac671b971feb82b7486acf2d1ec457beb0d51f899b7d80ca4a74882139b7f75b5d77298

memory/4648-20-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3900-22-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3572-24-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\VLXYQYR.exe.bat

MD5 eecb07c77e707a90a10b67bf802d221b
SHA1 e2f84b95bdafc73be81296f5067dc4888bfcff10
SHA256 7682c5d1604423cbb224bb571864f4c021edfc5da680ba26a78d24701371c836
SHA512 3410e0c19c6370d2b852a4c9928b939be981d41e104ecc274e1566a2dc44b88822341467fd20129337965f52ea3d6ec7a87a3ba196f67d77966e5b3737a6e123

C:\windows\VLXYQYR.exe

MD5 6e0573815f7c1db90c084ebe49244bde
SHA1 fb32eefccae64bdbfa4b0e6a74d4f7623c9b3100
SHA256 53043934c6c824ce8a8664fd6ab0b865fde1c56698fb02de22e0c537a72b0363
SHA512 d6102caa854436681fd307557321260bf30841088055b1e33957c7a559085a146844542c6fe0087063e352a30ee2a13d87b9aab142a3a8f84fb571961bd9824f

memory/2740-35-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NTMVCPM.exe.bat

MD5 405727e544cef76189babccb49fa80c4
SHA1 a64312b3522302be37e31f26d09892ccb0da02b7
SHA256 fb8d21c427ece42f08fb8cadc0dcf369e19ffd27d796dd1d6e4ec11c229cf859
SHA512 8458851fdd8d8a4b429cf28ba846d7562582cdaec3602ac07c89e4d58933fef6ee50730cf21b1fb98b4560b5717b141e2860c3fa78f2421528138621e2b8927e

memory/3900-44-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NTMVCPM.exe

MD5 9299daaf40b88b8a79d634e5cf9bb179
SHA1 76958fe5160f6c11894b04176301140b42c8c426
SHA256 d91a30bccea853cc3f8a9feee467a905d8b379c24f26dd9b8a7ac69487ef4596
SHA512 5d0eafad6cf58b2ba429e481de1ebb7c4bd8ac29f8a0a8337e156780d597b5ea262a826923ddf6b1f030d45f61458620a9e718569689c601bd9a02219abf671a

memory/2328-47-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\VUUP.exe.bat

MD5 3db21708b9c4459f3c7a23878cc3ea12
SHA1 039bf9e3854411f4da866d9e418afbdb1f511550
SHA256 ae6242e631eabcf114ab40340f939c1cb5ef839e723408d5e3f88f55eec3fda3
SHA512 0e73139e54c00c612866d92c59ffe006e92f21f4b21738ae41ffc2fcdd23b2c9960946a2384e45c89e4a1c95c58205ff38e59c9fb183d2e4969ee96c81241a44

C:\windows\SysWOW64\VUUP.exe

MD5 d64674a393f24a93cab290c17d4936e8
SHA1 704b5f0d65124b87e616ba949c48d522bf41a673
SHA256 e5bd766994c4ec448458eb3896e0076d068612ef9c2e54e36ffbc4d1fc6e3b7d
SHA512 48e6b5712210231e725247b1ea0b0ab60235b8a5899401a342475202670ce6eed7fcf9dd8ff08125288024627ea83b32ce066b94178f86a1c0e90495a4a5cf70

memory/3668-58-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2740-59-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\OUKA.exe.bat

MD5 86bbc44097cc0edf77d817748fb63a87
SHA1 23428ab4c28e904315c1bf11eaa0ad8c15e2e31f
SHA256 66d347c1ed74af33f2b83ba6df392f49b01fe0c44be98733b158f4d7dddcba17
SHA512 87a6a0a9ab3c37cc2c5dd6a879b66ba43bc32310bab720930e963a9e5282ebbf07a7df408d085b925faaa7564ab944d933dd637d2e7cb8428fcd9801685fb856

C:\Windows\OUKA.exe

MD5 46435e23c349a46583c2e80718bd9c08
SHA1 1729475887b07a5907c012f27eed71d0d404e7a8
SHA256 79fb615f83ead7f8d74c5f0c1e09eb7f4057e4168581a3094e8a3a0a7d922f59
SHA512 17207b1348f0d2898bd7c9cdad4d9aa183412388ff0e22baf45fb604ce26d826be80f7d309b42d6756980fa11a7637702c057a4e3fe2cbbdda54c69f85a52c8b

memory/2328-69-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4352-70-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3668-78-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\PLSJD.exe.bat

MD5 23644250187e0907adc477201b49a405
SHA1 f640a95ccd6ef9ff897bf15ad7377e6d2ababeda
SHA256 8370ab57c4861b89a4bf4278e6110bd48653ef7e00f29d62985debb2d943a671
SHA512 6f96fd1c18a94d7e3e5c87b84c65cb4cec1413a617ed9ad10bc63158ac29e7886fbce3c2d95c417fbe6830fe964111a0881ef331d54b850bced2991367f97e4c

C:\Windows\PLSJD.exe

MD5 025092e3608b59d6582e3b046bdb4b69
SHA1 3ff1a7a8ff873aa92e458e272e96f30ea10152f7
SHA256 a2bf3d641cae5b9108acf7a8d5564a1e8d0a2bc51b63784c911762a40cf53cad
SHA512 3d3bbc0b098bc444a87ff4a68f409791ce4341afcd68cb1aa8c5cbf8c8c1957a032255ac20a046c592a3d5af9b8ac0520ec41da42bcb82190fa1e62626edd854

memory/4880-83-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4352-90-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\EAF.exe.bat

MD5 193786671a9268a6a19dd01241a7a214
SHA1 61b18443db70968d1d11cbf9c42597acdafe2753
SHA256 c4fac27a8697921ca13f8b262d84d25a51f9efdc60d0470dbad0741f6f48df46
SHA512 e86663ca09daf2f033866aa523b4ec39d6915e2cdc86c7f15e60b9d98dc660521fc94b3fd859092cbb56e15d9e89ad4baefbc55067e60f849b5fdb9f959fce92

C:\Windows\SysWOW64\EAF.exe

MD5 a01265ab8d5713e0d036f1d47ab26254
SHA1 d2827f33d621f2b8145c60d156f3eae110e7b82b
SHA256 48b5bf54477696235006b4cb5551581894755b6334abde862ffad795e819d0d4
SHA512 0473d95cfbf2cceb5a0e9fe7bb7d8f02c73e5a3269ad9899b65030646edbc50775dcf292c06a47b0bd11744c35643f1e07c13a36117e535959eb237cda382d98

memory/1848-95-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\RMQO.exe.bat

MD5 b89973179199adde9cda321fa6cbde32
SHA1 eb074de042543ac30b5d3bb5c9e373e39b108269
SHA256 55adefc16a9977ed3d6424b42b2becaee454825a83c32fbcffebf81a6af5a9e8
SHA512 30d5784530b7185b68f64c6b02626911097d8f1a13c38f8aeca9b0cc1fe7289a85f770dcb4112eb3ea8d22a5bc1a8bbf5b157a38816a1ddb114d1eb33a113898

memory/4880-106-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\RMQO.exe

MD5 5c06cae98c7892f25db890696898c88e
SHA1 48ac78980287e5378249d0298ddb25d54cc91c60
SHA256 f0b8989ea5a3b4bb4ed4e2bb25437784d852335f79e636a2c1c24e7278ebd47a
SHA512 e23721b82272dd6cd7777bdabb6ada748cdbf304a64c6a1373659c8450ec7f0733b91d482a3bdc78fed5214401b5d9f44f89173e86df3212499676ad7d68f662

memory/3568-107-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\OBDFK.exe.bat

MD5 4260826aef18537c1ab5cdf6a22e9f91
SHA1 7e72a2172918629627122ded0444a75373022899
SHA256 b24af8092e27a2321f728257e529de05dc971a9e202f8faaf7ce97687fff0a04
SHA512 7330458a30d38e5673c0e75c9628c981bf11ed1066996543abc4d7b6707c1a7fd92d12680a49b2c5b9d97013a13a03e64d969c1932c82bfb1c75db72fa9d3ba4

memory/1848-115-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2964-119-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\ZUTQT.exe.bat

MD5 a77edaec99d6f68d7c30c834d4aa7c63
SHA1 3334b54f6aff6e5b2bf8871a4f96588a832005ae
SHA256 58a8fbc12d12324b235507e3a641cd8762e1dc29ab291ea5d333908465239f66
SHA512 5b09bc4f4fda1cdcd2bae5600602fea7a9e57942df7a389fe2eb72856cd7ea3e0c230c402a6361ccb35e75b79892ade4d8e305c30cfc53d6072cb11b0f5824b1

C:\Windows\System\ZUTQT.exe

MD5 b6644626a673e85a0cb0f5cb3cb5202e
SHA1 3515c2052569120dde01e151da890b946a87add4
SHA256 07bab942c9d46ed87fc123de9b797dfd79a68e8a864dc4793bae913ddca42cd6
SHA512 1b0211c0f51f9bbe1ae6c9dca6abe5ed88f8f09078c2874a3ce78a927c9e0a215340a459e9b3469d2b50090b7c96c565f2e0ad9e0617bf1071585864a222463d

memory/3132-130-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3568-131-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2964-138-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\TFIWM.exe.bat

MD5 4b2509a0bbc38a513863bf73666875a2
SHA1 5806350d42dc6d81119a76ff456500a203543eef
SHA256 d857efb402a3ced5f0a8fdf410552b99511ccd256aecf5348ac7328342f4a538
SHA512 ef6b1f8ca401bf24943ce58af52fe7c184a6bdf4995ac6a39c1851b6294b68b8ceab881abeac34d7176c711f7c13ab9883e3aed910de0eb3a23f24804c947de9

C:\Windows\System\TFIWM.exe

MD5 2c649acd8c353d40844d811331951835
SHA1 96b817318e3adc8f48fdb4809a04240b9e3bf7ae
SHA256 9095a7404e5d0e2c9cac19a9887fb1f7242d4795954234fa1c940cd177ad5ed5
SHA512 0c68546acf56f642ab56d7c4c7f8a5a864f8f75346a3f05a13ac3bee18dc81e53711fb31b27f647cc0b75563f74fb33e5b65e55fd19d5d6a2fecad8244ed3e69

memory/368-143-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SQSM.exe.bat

MD5 8c54a910541420429afac487c1844bdb
SHA1 004d669bab235aa0d230228ff2d2e1d5f817ba76
SHA256 ec526f4524c823fa3d743a4d7d29fa8551362b920c0312e0d668dad0381b83af
SHA512 4e4c3601c5a319b92e04c1cfb5c1c713a9cb7aea1c7d0a2109cbe70b455fa75df0a5cf9074282b394d86a72939ae791d02d4fdf1154815a33a6a8955b1150e7d

C:\Windows\SQSM.exe

MD5 7b6ad5db19a8421483d7c975c269377d
SHA1 fd4c6be32f9c8de758e078912d025fe282f12a75
SHA256 faaa442a177e2692e3a1f7358bfca808da2bbc977a1d9575c02350a906a68129
SHA512 bde02d3dacb5eabeac8a03014e1f23b1ba00007aa4d1e9c248b7a0e07465e99c97daf8a0f57537e34ada804b75f803d898c92f7983b00f356e3738f250af879f

memory/536-153-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3132-155-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\YLEF.exe.bat

MD5 c0bd583cb1f0ba64cf1c8c581a559b2e
SHA1 46994f3c854527208ac92c2118e10d472e7b96b8
SHA256 57ef7c2b786164431c8f480beaf6440fca20040b37c0d5b86ec9a10d835e0ff3
SHA512 87d86de10760b62c666207b9fde839598a4b30670929e5d8ead6e7379382e671dd296397afa85a1d4d970db4ca2e8537f957a97a5dca9dafd055b71dcfc5f5ae

C:\Windows\SysWOW64\YLEF.exe

MD5 6952fc00131be98632db4d382c9b7cf4
SHA1 2d59ead79c779a928f668b5509299cabac41102a
SHA256 57a3b15a11304e039436ad9e6273c059a86d2c83a71e97ffa0dae124e7632100
SHA512 4707c8900b067c1019e8fd28cd7f50976e9962567b7a34023f8f49d153b94df6ea75c14f28ccf11013367697159ddf0e47b35ba29b8b71b8b4a976f80fc88845

memory/4516-166-0x0000000000400000-0x0000000000439000-memory.dmp

memory/368-167-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\GRJL.exe.bat

MD5 cff1d60c0093c92b840317370b48a19c
SHA1 c6e615f23def1f147ba9f462c8f5944d0e7b5792
SHA256 9d4e4b3b017f63e4d8a6fc7560faa90ecd3c7d2070268a9cf7c9e0430f3d7e19
SHA512 5e403487a0e8ee44b684e9daee5e95e289c43c9755e92bfb2c91268705fb191ce3c6ad1e38c505a7428e5aa4ef08562fdd5d98e4806658cded905e51441c325d

C:\Windows\SysWOW64\GRJL.exe

MD5 032a44444744c2e4e2474f72e24df22b
SHA1 05a40f80cfbf2c35d9f0ba2b6c61c84295f6f9ef
SHA256 e61a62a80eb102edfc59996daf2e75cfb26929502d9962126451b71312179907
SHA512 6b4e97fd0c9455861df59bb04bfc6b03690b4732cbe39307561cc006d898064c0ef615b53159b7512d82c6f5765aaf9507dae31dcf1db26908979d0cb9313ba1

memory/4384-177-0x0000000000400000-0x0000000000439000-memory.dmp

memory/536-178-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2280-180-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4516-179-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4384-188-0x00000000027E0000-0x00000000028BB000-memory.dmp

memory/4384-189-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4384-187-0x0000000002700000-0x00000000027DB000-memory.dmp

C:\windows\AHGFE.exe.bat

MD5 6ef9f4808a4d8208edd6145063b04d5b
SHA1 5e87a7b83f29783dfa32832190d0f971ddcd09af
SHA256 6e3a60b128165fa992c3450910ed488994934d33656961e14eb689f3fe964b16
SHA512 b919c2bbd191312dda9f403e249a3ff5a19a6487a5204c4349f25379f584fe96ac73f2259229c29cbdf9b371107ad9a6d74a980a0f3127b699f911941c22c15e

C:\windows\AHGFE.exe

MD5 f6da00b07fd04887cb1a8d0cc49f5e60
SHA1 e160a0ad324c6869128e8d16b3bad9b345192dac
SHA256 f35606ad45d1e012548107d6281ca901ebbbea0d83274d7b79ad5f5272121e0c
SHA512 1b25e15838826ea2302dd59992197f9a50f0c9a7c899b148d1f7253e3ad3fe0ebf1c82af01aa98acc29ff4e6e542efded83671244fc01cc0d01cfe6bde70abbe

memory/756-194-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\CFLZ.exe.bat

MD5 768e5282375de2374874a7a80e20ed32
SHA1 4ddb2158ca3a84b9494939fde8941321f0084df7
SHA256 2febf430c0ec7431c2b5ccfbf1d233f822b81d965db6bb25495befe69894f8c3
SHA512 63a990c078d8d0c80e1218655165b7ec8d95fc15593c358768f1f133b40b44dc8eac10f35a439647158fdd896f2dcc146f14dde37a3db1eb928bb9e235972e22

C:\windows\SysWOW64\CFLZ.exe

MD5 dbdbfbbc2690c55f63e03363953f2d36
SHA1 1bb9a8c41cc76ea88d5503e4eba5fb1d27d93b1e
SHA256 d624a11f88ba24a52cb7454341fbb8b595e32d7bf70ef563115275216f40c042
SHA512 69e9815a7a3da6a78b7f81e4c8cf5a8495bd353e0c7c455dbd674f47008044c2880bd9732ffe2932b6b4b520e956eee80b82128261504ed8bdac6979a8ecd5f1

memory/4492-205-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2280-206-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\JYBIE.exe.bat

MD5 96e0aea5a7f4644c83e964da4845508e
SHA1 abc85e1e96ff15bffedce2e4104febccc3774f29
SHA256 bec1bde814de84b6ba4b9642810c2687f540e18a5c8b9e70da6d51e3fe30f38b
SHA512 9ce20233d8aadd87869f13e8679b8d543bc874127e7b025146fc5daf4fcd64bf59db1a2050dea5a3dc61655ad80b6c470463eb2b26116ab8bc986325d71b67fe

C:\windows\JYBIE.exe

MD5 30fa53391a4108fc69bac4b8b115bc03
SHA1 942797d04e7bd0e3ad7462b693bb3ba7f7acf0a7
SHA256 52937a8c98cbc74ac4c325e9953115abdb009605e78d1c378ce42f8b819c0475
SHA512 b3e3c79feab36b0cd3edea5d070e9b309a0c54dad3ba6dd3dc8eb5eb13a4fb31fadfd52a458d1b5388762f4412c14af96111fc579369e6046e6a126ee17ab8a6

memory/3900-217-0x0000000000400000-0x0000000000439000-memory.dmp

memory/756-218-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\EGJELZR.exe.bat

MD5 4f2ec565b589aa6ba29fb189b00377d0
SHA1 0aef55638e1fd4b346e0a3dfc4a3c2344570a394
SHA256 3e198b9768108ade6f3dcd9ebf828af54e6943e57740826188d3fb02f0b569ae
SHA512 0ee7fa00f612021bff74bb6d0db3963d71112b03c57f442cc9a99d152db08f8006a432908922477268d601fae55f2d9d3780583869c59536c1b4a33d420a8d8b

memory/2864-229-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\EGJELZR.exe

MD5 bea502785bd395a27eac13aed4ec5ffd
SHA1 7b7cd09628495f83d83fa5df833691608a51348b
SHA256 eb37b7156c4f3ff92d567779f96d8bd702479955a0935918de08dddcf03c1b8f
SHA512 80dcfad01c52cc40630451778467363f693a77a7191420a2d7a25608c4115f913fd159bcc63c07a28bfb945a5b2a16496b5e616f8cd85f45aec6a5f512599ef3

memory/4492-230-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\GTBGWLG.exe.bat

MD5 9d12b547ad0cb5bb84c6e887e57c3666
SHA1 0bb8be339dd31302f499b65bd7783c9431dceeda
SHA256 6d5464f9022e70c5fd48ced6998e59f4cfb9bf67e4dd034b6d1fd8793638484b
SHA512 92fb5e8f3ffe96ff7bcdeca075e4fd13465deeb7fc1fb398ab1d3a32f9b5129e5c567fc380d02040d18142129aea1527c607df3cf74dc76234ada8216862d6da

C:\Windows\GTBGWLG.exe

MD5 4f8b2730fab67133e048c08ff9d215ca
SHA1 67b18a403c8c2bf16eefb89f32df4380d0c54ac5
SHA256 3c6c17b3b48a38153f39324f7cd2d3096199040a9e9f70b2455b8ae6694cdde6
SHA512 44206650500f8013ddac03d4f3ae3b47ca95f383d8add7bf89c5f47386193eb706ac5bbae373046927a8177645c642f321fccf14cbc37a6849568bd9a63bff7e

memory/3200-240-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3900-242-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NOMHKZO.exe.bat

MD5 65085b40dc8ed3731406ad2c785d023c
SHA1 2285bd387f48584820ae84ec30fba2939de812b2
SHA256 cc59584e171e4229d58378aebaceb6850cf4d213df929789ef1cf05da1c3f730
SHA512 828d76c1b1e2b17c78ff961e135d4d0c8071e0988615f24acb8da07f0e7bee1070eab2afa8e04509fe58ecc06247d5062730f6ec2d7d7ef64ae2da8feefddcde

memory/536-252-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2864-254-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3200-261-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\NMU.exe.bat

MD5 f6e090fc8f98a67f359e9115d77db5e8
SHA1 95fdc2a109d83126aed9984fad29f9ecc21fe2de
SHA256 dd131cbc7bddebe28423c5247db638127620dc7856395b1026fd48a7365c91e7
SHA512 b0b8ee9152a364797659353fa1dfbedb4f5c0c1846bd77ccc679acebe8b0df71fb47ea1d6702bb8acfc6fe2cffe10ffb6deb78a3b55eaddd961cef98867ed94d

C:\Windows\NMU.exe

MD5 f8a0564cfa0ea91744ddc36712665cf6
SHA1 c8f713e52eccefce138260284c95dbfa76ddd430
SHA256 488a833c519411262ef958084114d13be4a1ee329e8460bad81afa26f6132259
SHA512 1812d146074a825eab65b60a0f7e6c26f37f348d213dd32df563bdbacb8b6ff728a9d5f5ca3290a08b297f4ac1981a118a6fbe29516fcc5269198efc4102fc22

memory/4052-265-0x0000000000400000-0x0000000000439000-memory.dmp

memory/536-272-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2644-274-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1936-282-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4052-283-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2644-290-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3040-292-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5068-300-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1936-301-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4492-309-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3040-310-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5068-317-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3780-319-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1476-327-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4492-328-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1444-336-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3780-337-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1476-344-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2120-346-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1012-354-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1444-355-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2120-363-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4232-362-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2364-372-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1012-371-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4232-379-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1036-381-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2364-388-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4200-390-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3244-398-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1036-399-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4200-406-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3708-408-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4272-416-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3244-417-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1484-425-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3708-426-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4272-434-0x0000000000400000-0x0000000000439000-memory.dmp

memory/528-435-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1484-442-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1864-444-0x0000000000400000-0x0000000000439000-memory.dmp

memory/528-451-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3304-453-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1864-460-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2132-462-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3304-469-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4668-471-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5092-479-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2132-480-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4892-488-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4668-489-0x0000000000400000-0x0000000000439000-memory.dmp