Analysis Overview
SHA256
1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c
Threat Level: Known bad
The file 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 00:40
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 00:40
Reported
2024-05-31 00:42
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\TIXIEV.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\TIXIEV.exe.bat | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| File created | C:\windows\SysWOW64\TIXIEV.exe | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\TIXIEV.exe | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\TIXIEV.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\TIXIEV.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\TIXIEV.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\TIXIEV.exe.bat" "
C:\windows\SysWOW64\TIXIEV.exe
C:\windows\system32\TIXIEV.exe
Network
Files
memory/2180-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\TIXIEV.exe.bat
| MD5 | 36f507fc95f1649271cc66af82a00418 |
| SHA1 | 5ac5aa18215911ba8bb0280a844524962c9bd28d |
| SHA256 | e89af3fd9adaa2784f35cd4c3d545b8cd7c58562ae32b91c8050890a01efc622 |
| SHA512 | 2882c3c5fd16fd4b6ef54461a94471d237c874b3ba5d652e48fc39bb55374a2669c3aad0982b6a6e97895303162a887f23481babd40dab4471f177f1cee21a32 |
memory/2180-12-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\SysWOW64\TIXIEV.exe
| MD5 | 810ad89c962132a587c198452dee996d |
| SHA1 | 43319ff8dda9962689e70b6759aee1c1b250063b |
| SHA256 | 02e69b84aa26b9f96245a2a13259dab30f441a305ffa3ca54e6d0b9f53557e46 |
| SHA512 | a3250fa36b528c94df3f74d408d6d5e544aa6c10b4095fb630a699e275b5a23d9c0cd6f73310d2379bb7516d73f20a390536075aacdc7cbd41b117e8db5a8c94 |
memory/2136-18-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2136-19-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 00:40
Reported
2024-05-31 00:42
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UADSUM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\DMGXJB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\OXXC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\VLXYQYR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\OBDFK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XZHWEY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SSOSJOO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\MBVD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SQSM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\WGIHN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\XGFRU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\YIUCAZJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\UGC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\ECLOCB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\YYWCZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZUTQT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RBYCXYC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\CXJX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\VENOOXQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\IFDTBDQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\KYWPYFU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\CPV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PTXSJF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NKNGATG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\OSGPF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\GRJL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\YMM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\ZSFT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\IKAXFN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\WEN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PXXHW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RWEFHL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\PBJIE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\ZFUPCR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\AMKJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\WKIFQPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\IXGTVE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\ZAHI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YEDRND.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\AOUVIEU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\NQZSB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SZSCZY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\SUDD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HLL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\BMWO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\CYLLZV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\RMQO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\IUBJSTW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\RWCG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NBQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\KAQIGS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\GHRN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\CNQYXT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LRD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YPV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\YOIM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NTMVCPM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\BWRO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XONMRLN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UFRZBBD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\BDNSMHS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\system\MOAKCEQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\windows\ZYNPBT.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\SysWOW64\ZSFT.exe | C:\windows\system\XJXWF.exe | N/A |
| File created | C:\windows\SysWOW64\HMSWMS.exe | C:\windows\ZYNPBT.exe | N/A |
| File created | C:\windows\SysWOW64\EAF.exe.bat | C:\windows\PLSJD.exe | N/A |
| File created | C:\windows\SysWOW64\YLEF.exe | C:\windows\SQSM.exe | N/A |
| File created | C:\windows\SysWOW64\RNZO.exe | C:\windows\system\AMKJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OLOWJMZ.exe | C:\windows\system\MOAKCEQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XZHWEY.exe | C:\windows\SysWOW64\LJOW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HLL.exe | C:\windows\system\ECLOCB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\VUUP.exe | C:\windows\SysWOW64\NTMVCPM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NBQ.exe | C:\windows\LOHRBKB.exe | N/A |
| File created | C:\windows\SysWOW64\ALB.exe.bat | C:\windows\system\WGIHN.exe | N/A |
| File created | C:\windows\SysWOW64\HMSWMS.exe.bat | C:\windows\ZYNPBT.exe | N/A |
| File created | C:\windows\SysWOW64\YPV.exe | C:\windows\SysWOW64\EWG.exe | N/A |
| File created | C:\windows\SysWOW64\NOMHKZO.exe.bat | C:\windows\GTBGWLG.exe | N/A |
| File created | C:\windows\SysWOW64\EGTAAQ.exe.bat | C:\windows\UIN.exe | N/A |
| File created | C:\windows\SysWOW64\ALB.exe | C:\windows\system\WGIHN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CWIM.exe | C:\windows\SysWOW64\HMSWMS.exe | N/A |
| File created | C:\windows\SysWOW64\XOV.exe.bat | C:\windows\system\AOUVIEU.exe | N/A |
| File created | C:\windows\SysWOW64\ANFJCW.exe | C:\windows\SZSCZY.exe | N/A |
| File created | C:\windows\SysWOW64\RZHISS.exe.bat | C:\windows\system\IRF.exe | N/A |
| File created | C:\windows\SysWOW64\SIY.exe.bat | C:\windows\ZFUPCR.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DRWIAO.exe | C:\windows\ZAHI.exe | N/A |
| File created | C:\windows\SysWOW64\SUDD.exe.bat | C:\windows\system\DECMQX.exe | N/A |
| File created | C:\windows\SysWOW64\LRD.exe.bat | C:\windows\SysWOW64\NBQ.exe | N/A |
| File created | C:\windows\SysWOW64\JNLYPEJ.exe.bat | C:\windows\system\OSGPF.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CYLLZV.exe | C:\windows\SysWOW64\WDHS.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OSWI.exe | C:\windows\SysWOW64\UFRZBBD.exe | N/A |
| File created | C:\windows\SysWOW64\HLL.exe.bat | C:\windows\system\ECLOCB.exe | N/A |
| File created | C:\windows\SysWOW64\VUUP.exe.bat | C:\windows\SysWOW64\NTMVCPM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\EAF.exe | C:\windows\PLSJD.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RBYCXYC.exe | C:\windows\SysWOW64\XONMRLN.exe | N/A |
| File created | C:\windows\SysWOW64\ANCZSFR.exe | C:\windows\SysWOW64\SIY.exe | N/A |
| File created | C:\windows\SysWOW64\ANCZSFR.exe.bat | C:\windows\SysWOW64\SIY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\CORQL.exe | C:\windows\SysWOW64\JTN.exe | N/A |
| File created | C:\windows\SysWOW64\KYWPYFU.exe.bat | C:\windows\system\XVAJTN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\UFRZBBD.exe | C:\windows\GHRN.exe | N/A |
| File created | C:\windows\SysWOW64\OSWI.exe.bat | C:\windows\SysWOW64\UFRZBBD.exe | N/A |
| File created | C:\windows\SysWOW64\RCNPDGV.exe.bat | C:\windows\FZC.exe | N/A |
| File created | C:\windows\SysWOW64\NTMVCPM.exe | C:\windows\VLXYQYR.exe | N/A |
| File created | C:\windows\SysWOW64\JQRYXFN.exe | C:\windows\system\BDNSMHS.exe | N/A |
| File created | C:\windows\SysWOW64\EBUXUQQ.exe | C:\windows\system\PTTF.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PXXHW.exe | C:\windows\SysWOW64\YPV.exe | N/A |
| File created | C:\windows\SysWOW64\LJOW.exe.bat | C:\windows\FOC.exe | N/A |
| File created | C:\windows\SysWOW64\IKAXFN.exe | C:\windows\SysWOW64\BUZ.exe | N/A |
| File created | C:\windows\SysWOW64\HLL.exe | C:\windows\system\ECLOCB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LJOW.exe | C:\windows\FOC.exe | N/A |
| File created | C:\windows\SysWOW64\ZSFT.exe | C:\windows\system\XJXWF.exe | N/A |
| File created | C:\windows\SysWOW64\CFLZ.exe.bat | C:\windows\AHGFE.exe | N/A |
| File created | C:\windows\SysWOW64\BUZ.exe.bat | C:\windows\SysWOW64\THN.exe | N/A |
| File created | C:\windows\SysWOW64\DRWIAO.exe.bat | C:\windows\ZAHI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PTXSJF.exe | C:\windows\YIUCAZJ.exe | N/A |
| File created | C:\windows\SysWOW64\XOV.exe | C:\windows\system\AOUVIEU.exe | N/A |
| File created | C:\windows\SysWOW64\CFLZ.exe | C:\windows\AHGFE.exe | N/A |
| File created | C:\windows\SysWOW64\NBQ.exe | C:\windows\LOHRBKB.exe | N/A |
| File created | C:\windows\SysWOW64\UFRZBBD.exe.bat | C:\windows\GHRN.exe | N/A |
| File created | C:\windows\SysWOW64\WDHS.exe | C:\windows\system\QIWRN.exe | N/A |
| File created | C:\windows\SysWOW64\CYLLZV.exe | C:\windows\SysWOW64\WDHS.exe | N/A |
| File created | C:\windows\SysWOW64\NKNGATG.exe.bat | C:\windows\QUZWSEY.exe | N/A |
| File created | C:\windows\SysWOW64\RNZO.exe.bat | C:\windows\system\AMKJ.exe | N/A |
| File created | C:\windows\SysWOW64\ZSFT.exe.bat | C:\windows\system\XJXWF.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ANCZSFR.exe | C:\windows\SysWOW64\SIY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SUDD.exe | C:\windows\system\DECMQX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NKNGATG.exe | C:\windows\QUZWSEY.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\THN.exe | C:\windows\CGLMKWX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\system\FEUMYZ.exe.bat | C:\windows\EBQJ.exe | N/A |
| File created | C:\windows\LYRHRGZ.exe.bat | C:\windows\SysWOW64\IKAXFN.exe | N/A |
| File opened for modification | C:\windows\PLSJD.exe | C:\windows\OUKA.exe | N/A |
| File created | C:\windows\EBQJ.exe | C:\windows\SysWOW64\RWEFHL.exe | N/A |
| File opened for modification | C:\windows\PBJIE.exe | C:\windows\SysWOW64\EBUXUQQ.exe | N/A |
| File created | C:\windows\system\KMDA.exe | C:\windows\YYWCZ.exe | N/A |
| File created | C:\windows\WTPTMQ.exe.bat | C:\windows\SysWOW64\NKNGATG.exe | N/A |
| File created | C:\windows\PLSJD.exe.bat | C:\windows\OUKA.exe | N/A |
| File created | C:\windows\system\ZUTQT.exe | C:\windows\system\OBDFK.exe | N/A |
| File opened for modification | C:\windows\system\JPTHVPQ.exe | C:\windows\YXLWMOI.exe | N/A |
| File created | C:\windows\system\PTTF.exe | C:\windows\system\HFGZ.exe | N/A |
| File created | C:\windows\QUZWSEY.exe | C:\windows\SysWOW64\ZEALHSJ.exe | N/A |
| File created | C:\windows\system\TFIWM.exe.bat | C:\windows\system\ZUTQT.exe | N/A |
| File created | C:\windows\CIYJS.exe.bat | C:\windows\NMU.exe | N/A |
| File created | C:\windows\DMGXJB.exe | C:\windows\SysWOW64\XZHWEY.exe | N/A |
| File created | C:\windows\BPT.exe.bat | C:\windows\SysWOW64\ZSFT.exe | N/A |
| File opened for modification | C:\windows\INST.exe | C:\windows\system\WKIFQPT.exe | N/A |
| File created | C:\windows\system\SWZEK.exe.bat | C:\windows\system\MBVD.exe | N/A |
| File created | C:\windows\system\IXGTVE.exe | C:\windows\system\PKVD.exe | N/A |
| File created | C:\windows\system\NQZSB.exe.bat | C:\windows\system\PXKKSDQ.exe | N/A |
| File created | C:\windows\PBJIE.exe | C:\windows\SysWOW64\EBUXUQQ.exe | N/A |
| File opened for modification | C:\windows\NRXZUYN.exe | C:\windows\PBJIE.exe | N/A |
| File created | C:\windows\system\RXFP.exe | C:\windows\system\AOZKSZU.exe | N/A |
| File opened for modification | C:\windows\ROKXHV.exe | C:\windows\CXJX.exe | N/A |
| File opened for modification | C:\windows\system\XGFRU.exe | C:\windows\PBSLK.exe | N/A |
| File opened for modification | C:\windows\QUZWSEY.exe | C:\windows\SysWOW64\ZEALHSJ.exe | N/A |
| File opened for modification | C:\windows\system\DECMQX.exe | C:\windows\system\ELN.exe | N/A |
| File opened for modification | C:\windows\system\ECLOCB.exe | C:\windows\BMWO.exe | N/A |
| File created | C:\windows\system\YII.exe.bat | C:\windows\system\NQRJNK.exe | N/A |
| File created | C:\windows\NRXZUYN.exe | C:\windows\PBJIE.exe | N/A |
| File created | C:\windows\system\WKIFQPT.exe | C:\windows\SysWOW64\JAZP.exe | N/A |
| File opened for modification | C:\windows\system\IFDTBDQ.exe | C:\windows\KFVF.exe | N/A |
| File created | C:\windows\system\XGFRU.exe.bat | C:\windows\PBSLK.exe | N/A |
| File created | C:\windows\CNQYXT.exe.bat | C:\windows\SysWOW64\UADSUM.exe | N/A |
| File created | C:\windows\system\HFGZ.exe | C:\windows\system\JPTHVPQ.exe | N/A |
| File created | C:\windows\ROKXHV.exe.bat | C:\windows\CXJX.exe | N/A |
| File created | C:\windows\system\ECLOCB.exe.bat | C:\windows\BMWO.exe | N/A |
| File opened for modification | C:\windows\CNQYXT.exe | C:\windows\SysWOW64\UADSUM.exe | N/A |
| File opened for modification | C:\windows\HEX.exe | C:\windows\ROKXHV.exe | N/A |
| File opened for modification | C:\windows\KMYSKT.exe | C:\windows\SysWOW64\CYLLZV.exe | N/A |
| File opened for modification | C:\windows\WTTR.exe | C:\windows\system\UGC.exe | N/A |
| File created | C:\windows\system\XIZG.exe.bat | C:\windows\system\PCUZ.exe | N/A |
| File created | C:\windows\CXJX.exe | C:\windows\BUTBUY.exe | N/A |
| File created | C:\windows\ZYNPBT.exe.bat | C:\windows\SysWOW64\ANCZSFR.exe | N/A |
| File opened for modification | C:\windows\YIUCAZJ.exe | C:\windows\SysWOW64\JNLYPEJ.exe | N/A |
| File created | C:\windows\system\OBDFK.exe | C:\windows\RMQO.exe | N/A |
| File opened for modification | C:\windows\system\LQTBZU.exe | C:\windows\GKIMJY.exe | N/A |
| File created | C:\windows\CGLMKWX.exe.bat | C:\windows\SysWOW64\KYWPYFU.exe | N/A |
| File created | C:\windows\system\KAQIGS.exe | C:\windows\system\IXGTVE.exe | N/A |
| File opened for modification | C:\windows\RMQO.exe | C:\windows\SysWOW64\EAF.exe | N/A |
| File opened for modification | C:\windows\SIHOXFY.exe | C:\windows\SFRSIW.exe | N/A |
| File opened for modification | C:\windows\system\LXUFKVO.exe | C:\windows\system\OXXC.exe | N/A |
| File opened for modification | C:\windows\CGLMKWX.exe | C:\windows\SysWOW64\KYWPYFU.exe | N/A |
| File opened for modification | C:\windows\system\KAQIGS.exe | C:\windows\system\IXGTVE.exe | N/A |
| File created | C:\windows\SQSM.exe.bat | C:\windows\system\TFIWM.exe | N/A |
| File created | C:\windows\system\FEUMYZ.exe | C:\windows\EBQJ.exe | N/A |
| File opened for modification | C:\windows\system\PCUZ.exe | C:\windows\system\FEUMYZ.exe | N/A |
| File created | C:\windows\system\EDCP.exe.bat | C:\windows\BPT.exe | N/A |
| File created | C:\windows\ZYNPBT.exe | C:\windows\SysWOW64\ANCZSFR.exe | N/A |
| File created | C:\windows\system\AOZKSZU.exe | C:\windows\SysWOW64\OLOWJMZ.exe | N/A |
| File opened for modification | C:\windows\VLXYQYR.exe | C:\windows\CNQYXT.exe | N/A |
| File created | C:\windows\OUKA.exe.bat | C:\windows\SysWOW64\VUUP.exe | N/A |
| File opened for modification | C:\windows\system\NQZSB.exe | C:\windows\system\PXKKSDQ.exe | N/A |
| File created | C:\windows\system\XIZG.exe | C:\windows\system\PCUZ.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UADSUM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4648 -ip 4648
C:\windows\SysWOW64\UADSUM.exe
C:\windows\system32\UADSUM.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 948
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CNQYXT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960
C:\windows\CNQYXT.exe
C:\windows\CNQYXT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VLXYQYR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1292
C:\windows\VLXYQYR.exe
C:\windows\VLXYQYR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTMVCPM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2740 -ip 2740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1004
C:\windows\SysWOW64\NTMVCPM.exe
C:\windows\system32\NTMVCPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUUP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1320
C:\windows\SysWOW64\VUUP.exe
C:\windows\system32\VUUP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OUKA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3668 -ip 3668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1324
C:\windows\OUKA.exe
C:\windows\OUKA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PLSJD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4352 -ip 4352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1236
C:\windows\PLSJD.exe
C:\windows\PLSJD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4880 -ip 4880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1328
C:\windows\SysWOW64\EAF.exe
C:\windows\system32\EAF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RMQO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1292
C:\windows\RMQO.exe
C:\windows\RMQO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OBDFK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1280
C:\windows\system\OBDFK.exe
C:\windows\system\OBDFK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUTQT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2964 -ip 2964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1336
C:\windows\system\ZUTQT.exe
C:\windows\system\ZUTQT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TFIWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3132 -ip 3132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1276
C:\windows\system\TFIWM.exe
C:\windows\system\TFIWM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SQSM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1004
C:\windows\SQSM.exe
C:\windows\SQSM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLEF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 960
C:\windows\SysWOW64\YLEF.exe
C:\windows\system32\YLEF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GRJL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1328
C:\windows\SysWOW64\GRJL.exe
C:\windows\system32\GRJL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DRS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 960
C:\windows\DRS.exe
C:\windows\DRS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AHGFE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2280 -ip 2280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1236
C:\windows\AHGFE.exe
C:\windows\AHGFE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CFLZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1004
C:\windows\SysWOW64\CFLZ.exe
C:\windows\system32\CFLZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JYBIE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1256
C:\windows\JYBIE.exe
C:\windows\JYBIE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1264
C:\windows\system\EGJELZR.exe
C:\windows\system\EGJELZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GTBGWLG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 988
C:\windows\GTBGWLG.exe
C:\windows\GTBGWLG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOMHKZO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3200 -ip 3200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 988
C:\windows\SysWOW64\NOMHKZO.exe
C:\windows\system32\NOMHKZO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NMU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1324
C:\windows\NMU.exe
C:\windows\NMU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4052 -ip 4052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1292
C:\windows\CIYJS.exe
C:\windows\CIYJS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2644 -ip 2644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1248
C:\windows\system\NQRJNK.exe
C:\windows\system\NQRJNK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YII.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1304
C:\windows\system\YII.exe
C:\windows\system\YII.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CYPIE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 960
C:\windows\CYPIE.exe
C:\windows\CYPIE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IUBJSTW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960
C:\windows\IUBJSTW.exe
C:\windows\IUBJSTW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AMKJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1336
C:\windows\system\AMKJ.exe
C:\windows\system\AMKJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1328
C:\windows\SysWOW64\RNZO.exe
C:\windows\system32\RNZO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1476 -ip 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 988
C:\windows\system\BVT.exe
C:\windows\system\BVT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1296
C:\windows\SysWOW64\JTN.exe
C:\windows\system32\JTN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CORQL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2120 -ip 2120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1328
C:\windows\SysWOW64\CORQL.exe
C:\windows\system32\CORQL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BWRO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1012 -ip 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1272
C:\windows\system\BWRO.exe
C:\windows\system\BWRO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRDPM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960
C:\windows\SysWOW64\IRDPM.exe
C:\windows\system32\IRDPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXKKSDQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2364 -ip 2364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1176
C:\windows\system\PXKKSDQ.exe
C:\windows\system\PXKKSDQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQZSB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1036 -ip 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 960
C:\windows\system\NQZSB.exe
C:\windows\system\NQZSB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XONMRLN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4200 -ip 4200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 988
C:\windows\SysWOW64\XONMRLN.exe
C:\windows\system32\XONMRLN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBYCXYC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1276
C:\windows\SysWOW64\RBYCXYC.exe
C:\windows\system32\RBYCXYC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3708 -ip 3708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1316
C:\windows\system\RWCG.exe
C:\windows\system\RWCG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SZSCZY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 960
C:\windows\SZSCZY.exe
C:\windows\SZSCZY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANFJCW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 960
C:\windows\SysWOW64\ANFJCW.exe
C:\windows\system32\ANFJCW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1248
C:\windows\system\BDNSMHS.exe
C:\windows\system\BDNSMHS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQRYXFN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1864 -ip 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1248
C:\windows\SysWOW64\JQRYXFN.exe
C:\windows\system32\JQRYXFN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWEFHL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3304 -ip 3304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1292
C:\windows\SysWOW64\RWEFHL.exe
C:\windows\system32\RWEFHL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2132 -ip 2132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1304
C:\windows\EBQJ.exe
C:\windows\EBQJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1336
C:\windows\system\FEUMYZ.exe
C:\windows\system\FEUMYZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCUZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1004
C:\windows\system\PCUZ.exe
C:\windows\system\PCUZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIZG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4892 -ip 4892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1336
C:\windows\system\XIZG.exe
C:\windows\system\XIZG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LOHRBKB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960
C:\windows\LOHRBKB.exe
C:\windows\LOHRBKB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 960
C:\windows\SysWOW64\NBQ.exe
C:\windows\system32\NBQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 960
C:\windows\SysWOW64\LRD.exe
C:\windows\system32\LRD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YXLWMOI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1304
C:\windows\YXLWMOI.exe
C:\windows\YXLWMOI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 988
C:\windows\system\JPTHVPQ.exe
C:\windows\system\JPTHVPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HFGZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 988
C:\windows\system\HFGZ.exe
C:\windows\system\HFGZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTTF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2996 -ip 2996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1304
C:\windows\system\PTTF.exe
C:\windows\system\PTTF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBUXUQQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5108 -ip 5108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1328
C:\windows\SysWOW64\EBUXUQQ.exe
C:\windows\system32\EBUXUQQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PBJIE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1324
C:\windows\PBJIE.exe
C:\windows\PBJIE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NRXZUYN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1324
C:\windows\NRXZUYN.exe
C:\windows\NRXZUYN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GUAD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 532 -ip 532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 988
C:\windows\GUAD.exe
C:\windows\GUAD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 976
C:\windows\GKIMJY.exe
C:\windows\GKIMJY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1336
C:\windows\system\LQTBZU.exe
C:\windows\system\LQTBZU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1316
C:\windows\system\MOAKCEQ.exe
C:\windows\system\MOAKCEQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLOWJMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1328
C:\windows\SysWOW64\OLOWJMZ.exe
C:\windows\system32\OLOWJMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOZKSZU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 976
C:\windows\system\AOZKSZU.exe
C:\windows\system\AOZKSZU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1988 -ip 1988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 960
C:\windows\system\RXFP.exe
C:\windows\system\RXFP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BUTBUY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2276 -ip 2276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1324
C:\windows\BUTBUY.exe
C:\windows\BUTBUY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CXJX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 112 -ip 112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1324
C:\windows\CXJX.exe
C:\windows\CXJX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ROKXHV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2024 -ip 2024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 988
C:\windows\ROKXHV.exe
C:\windows\ROKXHV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HEX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 960
C:\windows\HEX.exe
C:\windows\HEX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YMM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 988
C:\windows\system\YMM.exe
C:\windows\system\YMM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 696 -ip 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 960
C:\windows\VENOOXQ.exe
C:\windows\VENOOXQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAZP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1308
C:\windows\SysWOW64\JAZP.exe
C:\windows\system32\JAZP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1304
C:\windows\system\WKIFQPT.exe
C:\windows\system\WKIFQPT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\INST.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1324
C:\windows\INST.exe
C:\windows\INST.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1316
C:\windows\FOC.exe
C:\windows\FOC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2808 -ip 2808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1272
C:\windows\SysWOW64\LJOW.exe
C:\windows\system32\LJOW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZHWEY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1272
C:\windows\SysWOW64\XZHWEY.exe
C:\windows\system32\XZHWEY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DMGXJB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1236
C:\windows\DMGXJB.exe
C:\windows\DMGXJB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KFVF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1324
C:\windows\KFVF.exe
C:\windows\KFVF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IFDTBDQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2068 -ip 2068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 960
C:\windows\system\IFDTBDQ.exe
C:\windows\system\IFDTBDQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UIN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2556 -ip 2556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 872
C:\windows\UIN.exe
C:\windows\UIN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGTAAQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2748 -ip 2748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1328
C:\windows\SysWOW64\EGTAAQ.exe
C:\windows\system32\EGTAAQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJXWF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1608 -ip 1608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 872
C:\windows\system\XJXWF.exe
C:\windows\system\XJXWF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSFT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3200 -ip 3200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1300
C:\windows\SysWOW64\ZSFT.exe
C:\windows\system32\ZSFT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 960
C:\windows\BPT.exe
C:\windows\BPT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDCP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1272
C:\windows\system\EDCP.exe
C:\windows\system\EDCP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WGIHN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 960
C:\windows\system\WGIHN.exe
C:\windows\system\WGIHN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 988
C:\windows\SysWOW64\ALB.exe
C:\windows\system32\ALB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IRF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1336
C:\windows\system\IRF.exe
C:\windows\system\IRF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZHISS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 960
C:\windows\SysWOW64\RZHISS.exe
C:\windows\system32\RZHISS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 960
C:\windows\ZFUPCR.exe
C:\windows\ZFUPCR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1652 -ip 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 960
C:\windows\SysWOW64\SIY.exe
C:\windows\system32\SIY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANCZSFR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1912 -ip 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1240
C:\windows\SysWOW64\ANCZSFR.exe
C:\windows\system32\ANCZSFR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZYNPBT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3140 -ip 3140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1324
C:\windows\ZYNPBT.exe
C:\windows\ZYNPBT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HMSWMS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 960
C:\windows\SysWOW64\HMSWMS.exe
C:\windows\system32\HMSWMS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWIM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1240 -ip 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 960
C:\windows\SysWOW64\CWIM.exe
C:\windows\system32\CWIM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EMO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2172 -ip 2172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 960
C:\windows\system\EMO.exe
C:\windows\system\EMO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SSOSJOO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 752 -ip 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 988
C:\windows\SSOSJOO.exe
C:\windows\SSOSJOO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\JACXWFR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4352 -ip 4352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1248
C:\windows\system\JACXWFR.exe
C:\windows\system\JACXWFR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVAJTN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2068 -ip 2068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1336
C:\windows\system\XVAJTN.exe
C:\windows\system\XVAJTN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYWPYFU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1328
C:\windows\SysWOW64\KYWPYFU.exe
C:\windows\system32\KYWPYFU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGLMKWX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3108 -ip 3108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 960
C:\windows\CGLMKWX.exe
C:\windows\CGLMKWX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\THN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1260
C:\windows\SysWOW64\THN.exe
C:\windows\system32\THN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4296 -ip 4296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1296
C:\windows\SysWOW64\BUZ.exe
C:\windows\system32\BUZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKAXFN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4780 -ip 4780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1256
C:\windows\SysWOW64\IKAXFN.exe
C:\windows\system32\IKAXFN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LYRHRGZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2504 -ip 2504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 960
C:\windows\LYRHRGZ.exe
C:\windows\LYRHRGZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MBVD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1884 -ip 1884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1336
C:\windows\system\MBVD.exe
C:\windows\system\MBVD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SWZEK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1316
C:\windows\system\SWZEK.exe
C:\windows\system\SWZEK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WEN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1252
C:\windows\WEN.exe
C:\windows\WEN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEPGAHO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1316
C:\windows\system\SEPGAHO.exe
C:\windows\system\SEPGAHO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKVD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 984 -ip 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1312
C:\windows\system\PKVD.exe
C:\windows\system\PKVD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXGTVE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 960
C:\windows\system\IXGTVE.exe
C:\windows\system\IXGTVE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAQIGS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2724 -ip 2724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1316
C:\windows\system\KAQIGS.exe
C:\windows\system\KAQIGS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PBSLK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 988
C:\windows\PBSLK.exe
C:\windows\PBSLK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGFRU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 988
C:\windows\system\XGFRU.exe
C:\windows\system\XGFRU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EWG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1296
C:\windows\SysWOW64\EWG.exe
C:\windows\system32\EWG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YPV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4128 -ip 4128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 988
C:\windows\SysWOW64\YPV.exe
C:\windows\system32\YPV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXHW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2792 -ip 2792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1264
C:\windows\SysWOW64\PXXHW.exe
C:\windows\system32\PXXHW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KKGIH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 988
C:\windows\KKGIH.exe
C:\windows\KKGIH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZAHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1772 -ip 1772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 960
C:\windows\ZAHI.exe
C:\windows\ZAHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRWIAO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1328
C:\windows\SysWOW64\DRWIAO.exe
C:\windows\system32\DRWIAO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOIM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1336
C:\windows\system\YOIM.exe
C:\windows\system\YOIM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GHRN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 872
C:\windows\GHRN.exe
C:\windows\GHRN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFRZBBD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1300
C:\windows\SysWOW64\UFRZBBD.exe
C:\windows\system32\UFRZBBD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSWI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1328
C:\windows\SysWOW64\OSWI.exe
C:\windows\system32\OSWI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RNNSX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5108 -ip 5108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1324
C:\windows\RNNSX.exe
C:\windows\RNNSX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ELN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2956 -ip 2956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1336
C:\windows\system\ELN.exe
C:\windows\system\ELN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECMQX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 960
C:\windows\system\DECMQX.exe
C:\windows\system\DECMQX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUDD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 224 -ip 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1296
C:\windows\SysWOW64\SUDD.exe
C:\windows\system32\SUDD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZEALHSJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 960
C:\windows\SysWOW64\ZEALHSJ.exe
C:\windows\system32\ZEALHSJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QUZWSEY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 1304
C:\windows\QUZWSEY.exe
C:\windows\QUZWSEY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NKNGATG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1316
C:\windows\SysWOW64\NKNGATG.exe
C:\windows\system32\NKNGATG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WTPTMQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 960
C:\windows\WTPTMQ.exe
C:\windows\WTPTMQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZBXHL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5004 -ip 5004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 988
C:\windows\system\ZBXHL.exe
C:\windows\system\ZBXHL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RJMNXBH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3936 -ip 3936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1292
C:\windows\RJMNXBH.exe
C:\windows\RJMNXBH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PUPD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1184
C:\windows\system\PUPD.exe
C:\windows\system\PUPD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BMWO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 532 -ip 532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 872
C:\windows\BMWO.exe
C:\windows\BMWO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ECLOCB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 888
C:\windows\system\ECLOCB.exe
C:\windows\system\ECLOCB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1256
C:\windows\SysWOW64\HLL.exe
C:\windows\system32\HLL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YYWCZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 960
C:\windows\YYWCZ.exe
C:\windows\YYWCZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMDA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3060 -ip 3060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1336
C:\windows\system\KMDA.exe
C:\windows\system\KMDA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LGTWS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1324
C:\windows\LGTWS.exe
C:\windows\LGTWS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1316
C:\windows\system\CPV.exe
C:\windows\system\CPV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OSGPF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1476 -ip 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1316
C:\windows\system\OSGPF.exe
C:\windows\system\OSGPF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNLYPEJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3556 -ip 3556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 988
C:\windows\SysWOW64\JNLYPEJ.exe
C:\windows\system32\JNLYPEJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YIUCAZJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1008
C:\windows\YIUCAZJ.exe
C:\windows\YIUCAZJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PTXSJF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3600 -ip 3600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 988
C:\windows\SysWOW64\PTXSJF.exe
C:\windows\system32\PTXSJF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ILMDAGO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4408 -ip 4408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 960
C:\windows\system\ILMDAGO.exe
C:\windows\system\ILMDAGO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SJSYHO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1324
C:\windows\SJSYHO.exe
C:\windows\SJSYHO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEDRND.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1328
C:\windows\SysWOW64\YEDRND.exe
C:\windows\system32\YEDRND.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VFNBZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 884
C:\windows\SysWOW64\VFNBZ.exe
C:\windows\system32\VFNBZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QIWRN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1264
C:\windows\system\QIWRN.exe
C:\windows\system\QIWRN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WDHS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2736 -ip 2736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 960
C:\windows\SysWOW64\WDHS.exe
C:\windows\system32\WDHS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYLLZV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1328
C:\windows\SysWOW64\CYLLZV.exe
C:\windows\system32\CYLLZV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KMYSKT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1324
C:\windows\KMYSKT.exe
C:\windows\KMYSKT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FZC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2396 -ip 2396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1296
C:\windows\FZC.exe
C:\windows\FZC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCNPDGV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 960
C:\windows\SysWOW64\RCNPDGV.exe
C:\windows\system32\RCNPDGV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SFRSIW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2644 -ip 2644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1332
C:\windows\SFRSIW.exe
C:\windows\SFRSIW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SIHOXFY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2836 -ip 2836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 960
C:\windows\SIHOXFY.exe
C:\windows\SIHOXFY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOUVIEU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 988
C:\windows\system\AOUVIEU.exe
C:\windows\system\AOUVIEU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XOV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2560 -ip 2560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1304
C:\windows\SysWOW64\XOV.exe
C:\windows\system32\XOV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXXC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2364 -ip 2364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1248
C:\windows\system\OXXC.exe
C:\windows\system\OXXC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXUFKVO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1272
C:\windows\system\LXUFKVO.exe
C:\windows\system\LXUFKVO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VNZRRD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 988
C:\windows\VNZRRD.exe
C:\windows\VNZRRD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UGC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960
C:\windows\system\UGC.exe
C:\windows\system\UGC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WTTR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3184 -ip 3184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1004
C:\windows\WTTR.exe
C:\windows\WTTR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYTFV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2712 -ip 2712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1328
C:\windows\SysWOW64\WYTFV.exe
C:\windows\system32\WYTFV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GEM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2172 -ip 2172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1336
C:\windows\system\GEM.exe
C:\windows\system\GEM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/4648-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\UADSUM.exe.bat
| MD5 | 9236e9f85bbe128a6556b9850ca0d11d |
| SHA1 | 2988fe6c6235cf47d9c8cf2b0b8de0dda5858cfc |
| SHA256 | 93a27d5c2829c9966307031d7d10e0a9f22118b98f626c798da406450e02c36c |
| SHA512 | 3788969254ac26ec3b5ec41292ad9a796cbe7ee1ee4de7dc2867dfc88a6cfc8d405404237de6648192c54283cf3187c4ca76adbb525597abd6dd23b64ed84f45 |
C:\Windows\SysWOW64\UADSUM.exe
| MD5 | 4dc9d305b41895b16db44f462d73d3a0 |
| SHA1 | 9f873d04447c5d4dbade34fcb9efeb530f52c8a3 |
| SHA256 | 27da19dd3b8b299df5928bfc2dd7674234a8644fa865ea01bac48f5cd3232871 |
| SHA512 | 4dcce55cdd007121aacee8b0393da7fe5f3fcf313f0107ae5a15c8013d4cd165d160872fffd5615948270bed57d0b52e2eab4139e2ff5ad61c31f902e0c95e67 |
memory/3572-11-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\CNQYXT.exe
| MD5 | 4f78ae9bd028386a8dfc359c9833aea5 |
| SHA1 | cc68f68bf8f95ae62288c6f6fe19ab3c2040c2f0 |
| SHA256 | 7de31126578c88412f5f91fd4e93320069280d8c3d2074c2d998c7651fabc45b |
| SHA512 | 98202c1e707f53e6e30adc012552923a9d2f6323ab42d4940f6282d69f32bdbc9e3c276d0ba4b4f05c4e91ae3fe0e791df3ddd303418eb4b9e69e73a684bf7d7 |
C:\windows\CNQYXT.exe.bat
| MD5 | bd4b5546daf59f3e9f2519243d46e379 |
| SHA1 | 6e1cf4dbbfaa56867f4dba9e0c7547911228236b |
| SHA256 | 753fae491e32f1658d72e41882a4b171a21bb2fe3ab271af9d35897bd7fd0fe1 |
| SHA512 | 0a6ea06e5fce33c9939069d862f58be1b31434b81ba696691e514813fac671b971feb82b7486acf2d1ec457beb0d51f899b7d80ca4a74882139b7f75b5d77298 |
memory/4648-20-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3900-22-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3572-24-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\VLXYQYR.exe.bat
| MD5 | eecb07c77e707a90a10b67bf802d221b |
| SHA1 | e2f84b95bdafc73be81296f5067dc4888bfcff10 |
| SHA256 | 7682c5d1604423cbb224bb571864f4c021edfc5da680ba26a78d24701371c836 |
| SHA512 | 3410e0c19c6370d2b852a4c9928b939be981d41e104ecc274e1566a2dc44b88822341467fd20129337965f52ea3d6ec7a87a3ba196f67d77966e5b3737a6e123 |
C:\windows\VLXYQYR.exe
| MD5 | 6e0573815f7c1db90c084ebe49244bde |
| SHA1 | fb32eefccae64bdbfa4b0e6a74d4f7623c9b3100 |
| SHA256 | 53043934c6c824ce8a8664fd6ab0b865fde1c56698fb02de22e0c537a72b0363 |
| SHA512 | d6102caa854436681fd307557321260bf30841088055b1e33957c7a559085a146844542c6fe0087063e352a30ee2a13d87b9aab142a3a8f84fb571961bd9824f |
memory/2740-35-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NTMVCPM.exe.bat
| MD5 | 405727e544cef76189babccb49fa80c4 |
| SHA1 | a64312b3522302be37e31f26d09892ccb0da02b7 |
| SHA256 | fb8d21c427ece42f08fb8cadc0dcf369e19ffd27d796dd1d6e4ec11c229cf859 |
| SHA512 | 8458851fdd8d8a4b429cf28ba846d7562582cdaec3602ac07c89e4d58933fef6ee50730cf21b1fb98b4560b5717b141e2860c3fa78f2421528138621e2b8927e |
memory/3900-44-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NTMVCPM.exe
| MD5 | 9299daaf40b88b8a79d634e5cf9bb179 |
| SHA1 | 76958fe5160f6c11894b04176301140b42c8c426 |
| SHA256 | d91a30bccea853cc3f8a9feee467a905d8b379c24f26dd9b8a7ac69487ef4596 |
| SHA512 | 5d0eafad6cf58b2ba429e481de1ebb7c4bd8ac29f8a0a8337e156780d597b5ea262a826923ddf6b1f030d45f61458620a9e718569689c601bd9a02219abf671a |
memory/2328-47-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\VUUP.exe.bat
| MD5 | 3db21708b9c4459f3c7a23878cc3ea12 |
| SHA1 | 039bf9e3854411f4da866d9e418afbdb1f511550 |
| SHA256 | ae6242e631eabcf114ab40340f939c1cb5ef839e723408d5e3f88f55eec3fda3 |
| SHA512 | 0e73139e54c00c612866d92c59ffe006e92f21f4b21738ae41ffc2fcdd23b2c9960946a2384e45c89e4a1c95c58205ff38e59c9fb183d2e4969ee96c81241a44 |
C:\windows\SysWOW64\VUUP.exe
| MD5 | d64674a393f24a93cab290c17d4936e8 |
| SHA1 | 704b5f0d65124b87e616ba949c48d522bf41a673 |
| SHA256 | e5bd766994c4ec448458eb3896e0076d068612ef9c2e54e36ffbc4d1fc6e3b7d |
| SHA512 | 48e6b5712210231e725247b1ea0b0ab60235b8a5899401a342475202670ce6eed7fcf9dd8ff08125288024627ea83b32ce066b94178f86a1c0e90495a4a5cf70 |
memory/3668-58-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2740-59-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\OUKA.exe.bat
| MD5 | 86bbc44097cc0edf77d817748fb63a87 |
| SHA1 | 23428ab4c28e904315c1bf11eaa0ad8c15e2e31f |
| SHA256 | 66d347c1ed74af33f2b83ba6df392f49b01fe0c44be98733b158f4d7dddcba17 |
| SHA512 | 87a6a0a9ab3c37cc2c5dd6a879b66ba43bc32310bab720930e963a9e5282ebbf07a7df408d085b925faaa7564ab944d933dd637d2e7cb8428fcd9801685fb856 |
C:\Windows\OUKA.exe
| MD5 | 46435e23c349a46583c2e80718bd9c08 |
| SHA1 | 1729475887b07a5907c012f27eed71d0d404e7a8 |
| SHA256 | 79fb615f83ead7f8d74c5f0c1e09eb7f4057e4168581a3094e8a3a0a7d922f59 |
| SHA512 | 17207b1348f0d2898bd7c9cdad4d9aa183412388ff0e22baf45fb604ce26d826be80f7d309b42d6756980fa11a7637702c057a4e3fe2cbbdda54c69f85a52c8b |
memory/2328-69-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4352-70-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3668-78-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\PLSJD.exe.bat
| MD5 | 23644250187e0907adc477201b49a405 |
| SHA1 | f640a95ccd6ef9ff897bf15ad7377e6d2ababeda |
| SHA256 | 8370ab57c4861b89a4bf4278e6110bd48653ef7e00f29d62985debb2d943a671 |
| SHA512 | 6f96fd1c18a94d7e3e5c87b84c65cb4cec1413a617ed9ad10bc63158ac29e7886fbce3c2d95c417fbe6830fe964111a0881ef331d54b850bced2991367f97e4c |
C:\Windows\PLSJD.exe
| MD5 | 025092e3608b59d6582e3b046bdb4b69 |
| SHA1 | 3ff1a7a8ff873aa92e458e272e96f30ea10152f7 |
| SHA256 | a2bf3d641cae5b9108acf7a8d5564a1e8d0a2bc51b63784c911762a40cf53cad |
| SHA512 | 3d3bbc0b098bc444a87ff4a68f409791ce4341afcd68cb1aa8c5cbf8c8c1957a032255ac20a046c592a3d5af9b8ac0520ec41da42bcb82190fa1e62626edd854 |
memory/4880-83-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4352-90-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\EAF.exe.bat
| MD5 | 193786671a9268a6a19dd01241a7a214 |
| SHA1 | 61b18443db70968d1d11cbf9c42597acdafe2753 |
| SHA256 | c4fac27a8697921ca13f8b262d84d25a51f9efdc60d0470dbad0741f6f48df46 |
| SHA512 | e86663ca09daf2f033866aa523b4ec39d6915e2cdc86c7f15e60b9d98dc660521fc94b3fd859092cbb56e15d9e89ad4baefbc55067e60f849b5fdb9f959fce92 |
C:\Windows\SysWOW64\EAF.exe
| MD5 | a01265ab8d5713e0d036f1d47ab26254 |
| SHA1 | d2827f33d621f2b8145c60d156f3eae110e7b82b |
| SHA256 | 48b5bf54477696235006b4cb5551581894755b6334abde862ffad795e819d0d4 |
| SHA512 | 0473d95cfbf2cceb5a0e9fe7bb7d8f02c73e5a3269ad9899b65030646edbc50775dcf292c06a47b0bd11744c35643f1e07c13a36117e535959eb237cda382d98 |
memory/1848-95-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\RMQO.exe.bat
| MD5 | b89973179199adde9cda321fa6cbde32 |
| SHA1 | eb074de042543ac30b5d3bb5c9e373e39b108269 |
| SHA256 | 55adefc16a9977ed3d6424b42b2becaee454825a83c32fbcffebf81a6af5a9e8 |
| SHA512 | 30d5784530b7185b68f64c6b02626911097d8f1a13c38f8aeca9b0cc1fe7289a85f770dcb4112eb3ea8d22a5bc1a8bbf5b157a38816a1ddb114d1eb33a113898 |
memory/4880-106-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\RMQO.exe
| MD5 | 5c06cae98c7892f25db890696898c88e |
| SHA1 | 48ac78980287e5378249d0298ddb25d54cc91c60 |
| SHA256 | f0b8989ea5a3b4bb4ed4e2bb25437784d852335f79e636a2c1c24e7278ebd47a |
| SHA512 | e23721b82272dd6cd7777bdabb6ada748cdbf304a64c6a1373659c8450ec7f0733b91d482a3bdc78fed5214401b5d9f44f89173e86df3212499676ad7d68f662 |
memory/3568-107-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\OBDFK.exe.bat
| MD5 | 4260826aef18537c1ab5cdf6a22e9f91 |
| SHA1 | 7e72a2172918629627122ded0444a75373022899 |
| SHA256 | b24af8092e27a2321f728257e529de05dc971a9e202f8faaf7ce97687fff0a04 |
| SHA512 | 7330458a30d38e5673c0e75c9628c981bf11ed1066996543abc4d7b6707c1a7fd92d12680a49b2c5b9d97013a13a03e64d969c1932c82bfb1c75db72fa9d3ba4 |
memory/1848-115-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2964-119-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\ZUTQT.exe.bat
| MD5 | a77edaec99d6f68d7c30c834d4aa7c63 |
| SHA1 | 3334b54f6aff6e5b2bf8871a4f96588a832005ae |
| SHA256 | 58a8fbc12d12324b235507e3a641cd8762e1dc29ab291ea5d333908465239f66 |
| SHA512 | 5b09bc4f4fda1cdcd2bae5600602fea7a9e57942df7a389fe2eb72856cd7ea3e0c230c402a6361ccb35e75b79892ade4d8e305c30cfc53d6072cb11b0f5824b1 |
C:\Windows\System\ZUTQT.exe
| MD5 | b6644626a673e85a0cb0f5cb3cb5202e |
| SHA1 | 3515c2052569120dde01e151da890b946a87add4 |
| SHA256 | 07bab942c9d46ed87fc123de9b797dfd79a68e8a864dc4793bae913ddca42cd6 |
| SHA512 | 1b0211c0f51f9bbe1ae6c9dca6abe5ed88f8f09078c2874a3ce78a927c9e0a215340a459e9b3469d2b50090b7c96c565f2e0ad9e0617bf1071585864a222463d |
memory/3132-130-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3568-131-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2964-138-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\TFIWM.exe.bat
| MD5 | 4b2509a0bbc38a513863bf73666875a2 |
| SHA1 | 5806350d42dc6d81119a76ff456500a203543eef |
| SHA256 | d857efb402a3ced5f0a8fdf410552b99511ccd256aecf5348ac7328342f4a538 |
| SHA512 | ef6b1f8ca401bf24943ce58af52fe7c184a6bdf4995ac6a39c1851b6294b68b8ceab881abeac34d7176c711f7c13ab9883e3aed910de0eb3a23f24804c947de9 |
C:\Windows\System\TFIWM.exe
| MD5 | 2c649acd8c353d40844d811331951835 |
| SHA1 | 96b817318e3adc8f48fdb4809a04240b9e3bf7ae |
| SHA256 | 9095a7404e5d0e2c9cac19a9887fb1f7242d4795954234fa1c940cd177ad5ed5 |
| SHA512 | 0c68546acf56f642ab56d7c4c7f8a5a864f8f75346a3f05a13ac3bee18dc81e53711fb31b27f647cc0b75563f74fb33e5b65e55fd19d5d6a2fecad8244ed3e69 |
memory/368-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SQSM.exe.bat
| MD5 | 8c54a910541420429afac487c1844bdb |
| SHA1 | 004d669bab235aa0d230228ff2d2e1d5f817ba76 |
| SHA256 | ec526f4524c823fa3d743a4d7d29fa8551362b920c0312e0d668dad0381b83af |
| SHA512 | 4e4c3601c5a319b92e04c1cfb5c1c713a9cb7aea1c7d0a2109cbe70b455fa75df0a5cf9074282b394d86a72939ae791d02d4fdf1154815a33a6a8955b1150e7d |
C:\Windows\SQSM.exe
| MD5 | 7b6ad5db19a8421483d7c975c269377d |
| SHA1 | fd4c6be32f9c8de758e078912d025fe282f12a75 |
| SHA256 | faaa442a177e2692e3a1f7358bfca808da2bbc977a1d9575c02350a906a68129 |
| SHA512 | bde02d3dacb5eabeac8a03014e1f23b1ba00007aa4d1e9c248b7a0e07465e99c97daf8a0f57537e34ada804b75f803d898c92f7983b00f356e3738f250af879f |
memory/536-153-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3132-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\YLEF.exe.bat
| MD5 | c0bd583cb1f0ba64cf1c8c581a559b2e |
| SHA1 | 46994f3c854527208ac92c2118e10d472e7b96b8 |
| SHA256 | 57ef7c2b786164431c8f480beaf6440fca20040b37c0d5b86ec9a10d835e0ff3 |
| SHA512 | 87d86de10760b62c666207b9fde839598a4b30670929e5d8ead6e7379382e671dd296397afa85a1d4d970db4ca2e8537f957a97a5dca9dafd055b71dcfc5f5ae |
C:\Windows\SysWOW64\YLEF.exe
| MD5 | 6952fc00131be98632db4d382c9b7cf4 |
| SHA1 | 2d59ead79c779a928f668b5509299cabac41102a |
| SHA256 | 57a3b15a11304e039436ad9e6273c059a86d2c83a71e97ffa0dae124e7632100 |
| SHA512 | 4707c8900b067c1019e8fd28cd7f50976e9962567b7a34023f8f49d153b94df6ea75c14f28ccf11013367697159ddf0e47b35ba29b8b71b8b4a976f80fc88845 |
memory/4516-166-0x0000000000400000-0x0000000000439000-memory.dmp
memory/368-167-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\GRJL.exe.bat
| MD5 | cff1d60c0093c92b840317370b48a19c |
| SHA1 | c6e615f23def1f147ba9f462c8f5944d0e7b5792 |
| SHA256 | 9d4e4b3b017f63e4d8a6fc7560faa90ecd3c7d2070268a9cf7c9e0430f3d7e19 |
| SHA512 | 5e403487a0e8ee44b684e9daee5e95e289c43c9755e92bfb2c91268705fb191ce3c6ad1e38c505a7428e5aa4ef08562fdd5d98e4806658cded905e51441c325d |
C:\Windows\SysWOW64\GRJL.exe
| MD5 | 032a44444744c2e4e2474f72e24df22b |
| SHA1 | 05a40f80cfbf2c35d9f0ba2b6c61c84295f6f9ef |
| SHA256 | e61a62a80eb102edfc59996daf2e75cfb26929502d9962126451b71312179907 |
| SHA512 | 6b4e97fd0c9455861df59bb04bfc6b03690b4732cbe39307561cc006d898064c0ef615b53159b7512d82c6f5765aaf9507dae31dcf1db26908979d0cb9313ba1 |
memory/4384-177-0x0000000000400000-0x0000000000439000-memory.dmp
memory/536-178-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2280-180-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4516-179-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4384-188-0x00000000027E0000-0x00000000028BB000-memory.dmp
memory/4384-189-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4384-187-0x0000000002700000-0x00000000027DB000-memory.dmp
C:\windows\AHGFE.exe.bat
| MD5 | 6ef9f4808a4d8208edd6145063b04d5b |
| SHA1 | 5e87a7b83f29783dfa32832190d0f971ddcd09af |
| SHA256 | 6e3a60b128165fa992c3450910ed488994934d33656961e14eb689f3fe964b16 |
| SHA512 | b919c2bbd191312dda9f403e249a3ff5a19a6487a5204c4349f25379f584fe96ac73f2259229c29cbdf9b371107ad9a6d74a980a0f3127b699f911941c22c15e |
C:\windows\AHGFE.exe
| MD5 | f6da00b07fd04887cb1a8d0cc49f5e60 |
| SHA1 | e160a0ad324c6869128e8d16b3bad9b345192dac |
| SHA256 | f35606ad45d1e012548107d6281ca901ebbbea0d83274d7b79ad5f5272121e0c |
| SHA512 | 1b25e15838826ea2302dd59992197f9a50f0c9a7c899b148d1f7253e3ad3fe0ebf1c82af01aa98acc29ff4e6e542efded83671244fc01cc0d01cfe6bde70abbe |
memory/756-194-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\CFLZ.exe.bat
| MD5 | 768e5282375de2374874a7a80e20ed32 |
| SHA1 | 4ddb2158ca3a84b9494939fde8941321f0084df7 |
| SHA256 | 2febf430c0ec7431c2b5ccfbf1d233f822b81d965db6bb25495befe69894f8c3 |
| SHA512 | 63a990c078d8d0c80e1218655165b7ec8d95fc15593c358768f1f133b40b44dc8eac10f35a439647158fdd896f2dcc146f14dde37a3db1eb928bb9e235972e22 |
C:\windows\SysWOW64\CFLZ.exe
| MD5 | dbdbfbbc2690c55f63e03363953f2d36 |
| SHA1 | 1bb9a8c41cc76ea88d5503e4eba5fb1d27d93b1e |
| SHA256 | d624a11f88ba24a52cb7454341fbb8b595e32d7bf70ef563115275216f40c042 |
| SHA512 | 69e9815a7a3da6a78b7f81e4c8cf5a8495bd353e0c7c455dbd674f47008044c2880bd9732ffe2932b6b4b520e956eee80b82128261504ed8bdac6979a8ecd5f1 |
memory/4492-205-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2280-206-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\JYBIE.exe.bat
| MD5 | 96e0aea5a7f4644c83e964da4845508e |
| SHA1 | abc85e1e96ff15bffedce2e4104febccc3774f29 |
| SHA256 | bec1bde814de84b6ba4b9642810c2687f540e18a5c8b9e70da6d51e3fe30f38b |
| SHA512 | 9ce20233d8aadd87869f13e8679b8d543bc874127e7b025146fc5daf4fcd64bf59db1a2050dea5a3dc61655ad80b6c470463eb2b26116ab8bc986325d71b67fe |
C:\windows\JYBIE.exe
| MD5 | 30fa53391a4108fc69bac4b8b115bc03 |
| SHA1 | 942797d04e7bd0e3ad7462b693bb3ba7f7acf0a7 |
| SHA256 | 52937a8c98cbc74ac4c325e9953115abdb009605e78d1c378ce42f8b819c0475 |
| SHA512 | b3e3c79feab36b0cd3edea5d070e9b309a0c54dad3ba6dd3dc8eb5eb13a4fb31fadfd52a458d1b5388762f4412c14af96111fc579369e6046e6a126ee17ab8a6 |
memory/3900-217-0x0000000000400000-0x0000000000439000-memory.dmp
memory/756-218-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EGJELZR.exe.bat
| MD5 | 4f2ec565b589aa6ba29fb189b00377d0 |
| SHA1 | 0aef55638e1fd4b346e0a3dfc4a3c2344570a394 |
| SHA256 | 3e198b9768108ade6f3dcd9ebf828af54e6943e57740826188d3fb02f0b569ae |
| SHA512 | 0ee7fa00f612021bff74bb6d0db3963d71112b03c57f442cc9a99d152db08f8006a432908922477268d601fae55f2d9d3780583869c59536c1b4a33d420a8d8b |
memory/2864-229-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EGJELZR.exe
| MD5 | bea502785bd395a27eac13aed4ec5ffd |
| SHA1 | 7b7cd09628495f83d83fa5df833691608a51348b |
| SHA256 | eb37b7156c4f3ff92d567779f96d8bd702479955a0935918de08dddcf03c1b8f |
| SHA512 | 80dcfad01c52cc40630451778467363f693a77a7191420a2d7a25608c4115f913fd159bcc63c07a28bfb945a5b2a16496b5e616f8cd85f45aec6a5f512599ef3 |
memory/4492-230-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\GTBGWLG.exe.bat
| MD5 | 9d12b547ad0cb5bb84c6e887e57c3666 |
| SHA1 | 0bb8be339dd31302f499b65bd7783c9431dceeda |
| SHA256 | 6d5464f9022e70c5fd48ced6998e59f4cfb9bf67e4dd034b6d1fd8793638484b |
| SHA512 | 92fb5e8f3ffe96ff7bcdeca075e4fd13465deeb7fc1fb398ab1d3a32f9b5129e5c567fc380d02040d18142129aea1527c607df3cf74dc76234ada8216862d6da |
C:\Windows\GTBGWLG.exe
| MD5 | 4f8b2730fab67133e048c08ff9d215ca |
| SHA1 | 67b18a403c8c2bf16eefb89f32df4380d0c54ac5 |
| SHA256 | 3c6c17b3b48a38153f39324f7cd2d3096199040a9e9f70b2455b8ae6694cdde6 |
| SHA512 | 44206650500f8013ddac03d4f3ae3b47ca95f383d8add7bf89c5f47386193eb706ac5bbae373046927a8177645c642f321fccf14cbc37a6849568bd9a63bff7e |
memory/3200-240-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3900-242-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NOMHKZO.exe.bat
| MD5 | 65085b40dc8ed3731406ad2c785d023c |
| SHA1 | 2285bd387f48584820ae84ec30fba2939de812b2 |
| SHA256 | cc59584e171e4229d58378aebaceb6850cf4d213df929789ef1cf05da1c3f730 |
| SHA512 | 828d76c1b1e2b17c78ff961e135d4d0c8071e0988615f24acb8da07f0e7bee1070eab2afa8e04509fe58ecc06247d5062730f6ec2d7d7ef64ae2da8feefddcde |
memory/536-252-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2864-254-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3200-261-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\NMU.exe.bat
| MD5 | f6e090fc8f98a67f359e9115d77db5e8 |
| SHA1 | 95fdc2a109d83126aed9984fad29f9ecc21fe2de |
| SHA256 | dd131cbc7bddebe28423c5247db638127620dc7856395b1026fd48a7365c91e7 |
| SHA512 | b0b8ee9152a364797659353fa1dfbedb4f5c0c1846bd77ccc679acebe8b0df71fb47ea1d6702bb8acfc6fe2cffe10ffb6deb78a3b55eaddd961cef98867ed94d |
C:\Windows\NMU.exe
| MD5 | f8a0564cfa0ea91744ddc36712665cf6 |
| SHA1 | c8f713e52eccefce138260284c95dbfa76ddd430 |
| SHA256 | 488a833c519411262ef958084114d13be4a1ee329e8460bad81afa26f6132259 |
| SHA512 | 1812d146074a825eab65b60a0f7e6c26f37f348d213dd32df563bdbacb8b6ff728a9d5f5ca3290a08b297f4ac1981a118a6fbe29516fcc5269198efc4102fc22 |
memory/4052-265-0x0000000000400000-0x0000000000439000-memory.dmp
memory/536-272-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2644-274-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1936-282-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4052-283-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2644-290-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3040-292-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5068-300-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1936-301-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4492-309-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3040-310-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5068-317-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3780-319-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1476-327-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4492-328-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1444-336-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3780-337-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1476-344-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2120-346-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1012-354-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1444-355-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2120-363-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4232-362-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2364-372-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1012-371-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4232-379-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1036-381-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2364-388-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4200-390-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3244-398-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1036-399-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4200-406-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3708-408-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4272-416-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3244-417-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1484-425-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3708-426-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4272-434-0x0000000000400000-0x0000000000439000-memory.dmp
memory/528-435-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1484-442-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1864-444-0x0000000000400000-0x0000000000439000-memory.dmp
memory/528-451-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3304-453-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1864-460-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2132-462-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3304-469-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4668-471-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5092-479-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2132-480-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4892-488-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4668-489-0x0000000000400000-0x0000000000439000-memory.dmp