Analysis Overview
SHA256
153ace730e381a1fc8d7de47a0191fdd1d381c13137ab5f81c7447707470d01f
Threat Level: Known bad
The file 38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 04:45
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 04:45
Reported
2024-06-02 04:48
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZRXM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\MGGV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\XRPYNA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\IXLDTXF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JBDQNR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\IWEG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\GQO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\LFDDCZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\PXOX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\MGQJMK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\AOXW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\NIMZFAS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UKFAH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\JSBLDPX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\WUOHC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\IZTG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\FMEAXH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\EEPQG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\OLLVES.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\VLWVX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\IXPXW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SPLPF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\BXGGG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\CGT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\IMJILHD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\TULOZVX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\QFPAPU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LJZR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\JGRO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\TACEO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\APBJDO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PSLDWQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\XQC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\GMQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\XGDW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\MKBUE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\WBMNS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\VDVG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\QCOU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\GNG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\IZXW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\WQQBO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\FURYFT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\WXEMS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\GVXYGC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\QWDJRUZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\CPTDZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LFC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NCKMOHW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\IPWTM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HTBFT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\KXNFKL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\EXQPG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\IIDD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\VBEXNZO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\VVHB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LZWUXOA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\CRAZLNW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\CCQCAE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\ZSNAAG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\system\DACA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\UIUDP.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\XUPAMF.exe | C:\windows\system\IZXW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HTBFT.exe | C:\windows\SQSB.exe | N/A |
| File created | C:\windows\SysWOW64\QMIQTZ.exe.bat | C:\windows\SysWOW64\EEPQG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\MIECLV.exe | C:\windows\system\APBJDO.exe | N/A |
| File created | C:\windows\SysWOW64\GNG.exe | C:\windows\LPTDEH.exe | N/A |
| File created | C:\windows\SysWOW64\UVU.exe.bat | C:\windows\SysWOW64\IIVGIKJ.exe | N/A |
| File created | C:\windows\SysWOW64\RWSIVSC.exe.bat | C:\windows\system\AOXW.exe | N/A |
| File created | C:\windows\SysWOW64\ZADV.exe | C:\windows\system\PCYBMD.exe | N/A |
| File created | C:\windows\SysWOW64\ROSHHHH.exe.bat | C:\windows\QLG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DCDV.exe | C:\windows\ERAFV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XFJJH.exe | C:\windows\TULOZVX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SGV.exe | C:\windows\system\KDFZAIS.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NCKMOHW.exe | C:\windows\SysWOW64\RWXID.exe | N/A |
| File created | C:\windows\SysWOW64\LFC.exe.bat | C:\windows\system\FEUMYZ.exe | N/A |
| File created | C:\windows\SysWOW64\ONHNZKN.exe.bat | C:\windows\system\TACEO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\EGZXERJ.exe | C:\windows\SysWOW64\UIUDP.exe | N/A |
| File created | C:\windows\SysWOW64\PMSD.exe | C:\windows\GMQ.exe | N/A |
| File created | C:\windows\SysWOW64\NNGOHC.exe | C:\windows\FIUHWE.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\EOPLKEJ.exe | C:\windows\system\TBIN.exe | N/A |
| File created | C:\windows\SysWOW64\PSLDWQ.exe | C:\windows\ACKMYUH.exe | N/A |
| File created | C:\windows\SysWOW64\DLTKCT.exe.bat | C:\windows\XQC.exe | N/A |
| File created | C:\windows\SysWOW64\GODVJQ.exe | C:\windows\system\ERPBTH.exe | N/A |
| File created | C:\windows\SysWOW64\LJZR.exe | C:\windows\SysWOW64\SGV.exe | N/A |
| File created | C:\windows\SysWOW64\RWXID.exe | C:\windows\system\VDVG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\UKFAH.exe | C:\windows\SysWOW64\DCDV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\UVU.exe | C:\windows\SysWOW64\IIVGIKJ.exe | N/A |
| File created | C:\windows\SysWOW64\WOMC.exe | C:\windows\system\OIZVX.exe | N/A |
| File created | C:\windows\SysWOW64\EEPQG.exe.bat | C:\windows\FMEAXH.exe | N/A |
| File created | C:\windows\SysWOW64\MWXJWUL.exe.bat | C:\windows\TIQLZSO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NGTRFAW.exe | C:\windows\system\WXEMS.exe | N/A |
| File created | C:\windows\SysWOW64\DOHIJGW.exe | C:\windows\system\GVXYGC.exe | N/A |
| File created | C:\windows\SysWOW64\MIECLV.exe.bat | C:\windows\system\APBJDO.exe | N/A |
| File created | C:\windows\SysWOW64\DYF.exe.bat | C:\windows\SysWOW64\PSLDWQ.exe | N/A |
| File created | C:\windows\SysWOW64\RWSIVSC.exe | C:\windows\system\AOXW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\GNG.exe | C:\windows\LPTDEH.exe | N/A |
| File created | C:\windows\SysWOW64\DGYLHNZ.exe | C:\windows\GFO.exe | N/A |
| File created | C:\windows\SysWOW64\ZADV.exe.bat | C:\windows\system\PCYBMD.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DOHIJGW.exe | C:\windows\system\GVXYGC.exe | N/A |
| File created | C:\windows\SysWOW64\HHISQZ.exe | C:\windows\CCQCAE.exe | N/A |
| File created | C:\windows\SysWOW64\PMSD.exe.bat | C:\windows\GMQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\EEPQG.exe | C:\windows\FMEAXH.exe | N/A |
| File created | C:\windows\SysWOW64\JBDQNR.exe.bat | C:\windows\system\LQG.exe | N/A |
| File created | C:\windows\SysWOW64\GNG.exe.bat | C:\windows\LPTDEH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\TNMC.exe | C:\windows\LZZVM.exe | N/A |
| File created | C:\windows\SysWOW64\DOHIJGW.exe.bat | C:\windows\system\GVXYGC.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\IPWTM.exe | C:\windows\BFZLUUW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\SBOUEBP.exe | C:\windows\RYYYPZ.exe | N/A |
| File created | C:\windows\SysWOW64\HTBFT.exe | C:\windows\SQSB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RWXID.exe | C:\windows\system\VDVG.exe | N/A |
| File created | C:\windows\SysWOW64\ERKE.exe | C:\windows\SysWOW64\DOHIJGW.exe | N/A |
| File created | C:\windows\SysWOW64\EGZXERJ.exe | C:\windows\SysWOW64\UIUDP.exe | N/A |
| File created | C:\windows\SysWOW64\DLTKCT.exe | C:\windows\XQC.exe | N/A |
| File created | C:\windows\SysWOW64\SGV.exe | C:\windows\system\KDFZAIS.exe | N/A |
| File created | C:\windows\SysWOW64\ARMHE.exe.bat | C:\windows\system\SMHAUC.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JGRO.exe | C:\windows\system\EAH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LFC.exe | C:\windows\system\FEUMYZ.exe | N/A |
| File created | C:\windows\SysWOW64\EOPLKEJ.exe.bat | C:\windows\system\TBIN.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PSLDWQ.exe | C:\windows\ACKMYUH.exe | N/A |
| File created | C:\windows\SysWOW64\JBDQNR.exe | C:\windows\system\LQG.exe | N/A |
| File created | C:\windows\SysWOW64\JGRO.exe | C:\windows\system\EAH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\ERKE.exe | C:\windows\SysWOW64\DOHIJGW.exe | N/A |
| File created | C:\windows\SysWOW64\MIECLV.exe | C:\windows\system\APBJDO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\GODVJQ.exe | C:\windows\system\ERPBTH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DGYLHNZ.exe | C:\windows\GFO.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\system\LQG.exe | C:\windows\SysWOW64\DYF.exe | N/A |
| File created | C:\windows\system\CPTDZ.exe | C:\windows\NZSD.exe | N/A |
| File opened for modification | C:\windows\NRF.exe | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| File created | C:\windows\YBZJKF.exe.bat | C:\windows\system\QONDAHI.exe | N/A |
| File opened for modification | C:\windows\system\IZTG.exe | C:\windows\OQKRMSK.exe | N/A |
| File opened for modification | C:\windows\system\AFX.exe | C:\windows\system\ZCTU.exe | N/A |
| File opened for modification | C:\windows\system\ERNMRQQ.exe | C:\windows\system\WBMNS.exe | N/A |
| File created | C:\windows\GMQ.exe | C:\windows\system\WOK.exe | N/A |
| File opened for modification | C:\windows\SBHPA.exe | C:\windows\SysWOW64\DGYLHNZ.exe | N/A |
| File opened for modification | C:\windows\CRAZLNW.exe | C:\windows\system\IZTG.exe | N/A |
| File created | C:\windows\SQSB.exe.bat | C:\windows\SysWOW64\ONHNZKN.exe | N/A |
| File opened for modification | C:\windows\system\GGLMWEY.exe | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| File created | C:\windows\NSHVP.exe | C:\windows\SysWOW64\YCGW.exe | N/A |
| File created | C:\windows\system\ZRXM.exe | C:\windows\system\EESDJMD.exe | N/A |
| File created | C:\windows\system\WXAHZ.exe | C:\windows\IMJILHD.exe | N/A |
| File created | C:\windows\TULOZVX.exe | C:\windows\GRCX.exe | N/A |
| File opened for modification | C:\windows\SPLPF.exe | C:\windows\NMPJ.exe | N/A |
| File created | C:\windows\LFDDCZ.exe | C:\windows\system\DRRPSBD.exe | N/A |
| File created | C:\windows\SBHPA.exe | C:\windows\SysWOW64\DGYLHNZ.exe | N/A |
| File created | C:\windows\system\ZHFJOF.exe.bat | C:\windows\SysWOW64\WUOHC.exe | N/A |
| File created | C:\windows\CRAZLNW.exe | C:\windows\system\IZTG.exe | N/A |
| File opened for modification | C:\windows\IMJILHD.exe | C:\windows\system\KBG.exe | N/A |
| File created | C:\windows\system\CDO.exe.bat | C:\windows\system\PXOX.exe | N/A |
| File created | C:\windows\LJTPZWA.exe | C:\windows\system\CDO.exe | N/A |
| File opened for modification | C:\windows\system\BBFVNVW.exe | C:\windows\ADXMD.exe | N/A |
| File opened for modification | C:\windows\system\SMHAUC.exe | C:\windows\ROZR.exe | N/A |
| File created | C:\windows\RYYYPZ.exe.bat | C:\windows\SysWOW64\IPWTM.exe | N/A |
| File created | C:\windows\XQC.exe.bat | C:\windows\SysWOW64\GQO.exe | N/A |
| File opened for modification | C:\windows\system\FGNLSBD.exe | C:\windows\system\MKBUE.exe | N/A |
| File created | C:\windows\system\DHV.exe.bat | C:\windows\SysWOW64\DCVQQWM.exe | N/A |
| File opened for modification | C:\windows\JSBLDPX.exe | C:\windows\FCVLZ.exe | N/A |
| File created | C:\windows\system\ZLZ.exe | C:\windows\CGT.exe | N/A |
| File created | C:\windows\system\GGLMWEY.exe.bat | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| File created | C:\windows\system\ORHXD.exe | C:\windows\LJTPZWA.exe | N/A |
| File created | C:\windows\system\MUZLKOQ.exe.bat | C:\windows\YJIW.exe | N/A |
| File created | C:\windows\NMPJ.exe.bat | C:\windows\SysWOW64\VTYJNGR.exe | N/A |
| File created | C:\windows\system\UHJTMZ.exe | C:\windows\SysWOW64\VWMLU.exe | N/A |
| File opened for modification | C:\windows\system\AOXW.exe | C:\windows\system\YBSNVGK.exe | N/A |
| File created | C:\windows\system\GGLMWEY.exe | C:\windows\SysWOW64\DLTKCT.exe | N/A |
| File created | C:\windows\system\PHVYWY.exe.bat | C:\windows\SysWOW64\RWSIVSC.exe | N/A |
| File created | C:\windows\system\BBFVNVW.exe | C:\windows\ADXMD.exe | N/A |
| File created | C:\windows\GFO.exe.bat | C:\windows\SysWOW64\GNG.exe | N/A |
| File created | C:\windows\LNIBID.exe.bat | C:\windows\VSZ.exe | N/A |
| File created | C:\windows\RZMJPLQ.exe.bat | C:\windows\system\VBEXNZO.exe | N/A |
| File created | C:\windows\system\APBJDO.exe | C:\windows\system\WXAHZ.exe | N/A |
| File created | C:\windows\CFCCXC.exe | C:\windows\system\KXNFKL.exe | N/A |
| File created | C:\windows\SBHPA.exe.bat | C:\windows\SysWOW64\DGYLHNZ.exe | N/A |
| File opened for modification | C:\windows\system\VLWVX.exe | C:\windows\LNIBID.exe | N/A |
| File opened for modification | C:\windows\system\OIZVX.exe | C:\windows\SysWOW64\UVU.exe | N/A |
| File opened for modification | C:\windows\NIMZFAS.exe | C:\windows\LLHN.exe | N/A |
| File opened for modification | C:\windows\system\LQG.exe | C:\windows\SysWOW64\DYF.exe | N/A |
| File created | C:\windows\system\SHQF.exe | C:\windows\MGQJMK.exe | N/A |
| File created | C:\windows\LJTPZWA.exe.bat | C:\windows\system\CDO.exe | N/A |
| File created | C:\windows\GMQ.exe.bat | C:\windows\system\WOK.exe | N/A |
| File created | C:\windows\system\BXGGG.exe.bat | C:\windows\NCC.exe | N/A |
| File created | C:\windows\system\EAH.exe | C:\windows\LFDDCZ.exe | N/A |
| File created | C:\windows\system\AFX.exe.bat | C:\windows\system\ZCTU.exe | N/A |
| File created | C:\windows\OLLVES.exe | C:\windows\system\ZVKVFWB.exe | N/A |
| File created | C:\windows\system\IWEG.exe.bat | C:\windows\system\GYQUI.exe | N/A |
| File opened for modification | C:\windows\TRJA.exe | C:\windows\system\ORHXD.exe | N/A |
| File created | C:\windows\system\SMHAUC.exe | C:\windows\ROZR.exe | N/A |
| File created | C:\windows\NCC.exe.bat | C:\windows\SysWOW64\ARMHE.exe | N/A |
| File created | C:\windows\system\FEUMYZ.exe | C:\windows\XRPYNA.exe | N/A |
| File created | C:\windows\system\CAFFC.exe | C:\windows\CFCCXC.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NRF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3632 -ip 3632
C:\windows\NRF.exe
C:\windows\NRF.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1312
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YJIW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1304
C:\windows\YJIW.exe
C:\windows\YJIW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MUZLKOQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3448 -ip 3448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 988
C:\windows\system\MUZLKOQ.exe
C:\windows\system\MUZLKOQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXQPG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 864 -ip 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1336
C:\windows\system\EXQPG.exe
C:\windows\system\EXQPG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXEMS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1356 -ip 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 960
C:\windows\system\WXEMS.exe
C:\windows\system\WXEMS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGTRFAW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1296
C:\windows\SysWOW64\NGTRFAW.exe
C:\windows\system32\NGTRFAW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ROZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3692 -ip 3692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960
C:\windows\ROZR.exe
C:\windows\ROZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMHAUC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1264
C:\windows\system\SMHAUC.exe
C:\windows\system\SMHAUC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARMHE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4752 -ip 4752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 960
C:\windows\SysWOW64\ARMHE.exe
C:\windows\system32\ARMHE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NCC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1324
C:\windows\NCC.exe
C:\windows\NCC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXGGG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1316
C:\windows\system\BXGGG.exe
C:\windows\system\BXGGG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VVHB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3704 -ip 3704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1324
C:\windows\VVHB.exe
C:\windows\VVHB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VDVG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2120 -ip 2120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1336
C:\windows\system\VDVG.exe
C:\windows\system\VDVG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWXID.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 640 -ip 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1240
C:\windows\SysWOW64\RWXID.exe
C:\windows\system32\RWXID.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKMOHW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2472 -ip 2472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1328
C:\windows\SysWOW64\NCKMOHW.exe
C:\windows\system32\NCKMOHW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRRPSBD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4984 -ip 4984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1004
C:\windows\system\DRRPSBD.exe
C:\windows\system\DRRPSBD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LFDDCZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5100 -ip 5100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 976
C:\windows\LFDDCZ.exe
C:\windows\LFDDCZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EAH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1316
C:\windows\system\EAH.exe
C:\windows\system\EAH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JGRO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 960
C:\windows\SysWOW64\JGRO.exe
C:\windows\system32\JGRO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLZAIWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4920 -ip 4920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1316
C:\windows\system\WLZAIWM.exe
C:\windows\system\WLZAIWM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XGDW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1220 -ip 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1324
C:\windows\XGDW.exe
C:\windows\XGDW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCOU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4756 -ip 4756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 960
C:\windows\system\QCOU.exe
C:\windows\system\QCOU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LPTDEH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1304
C:\windows\LPTDEH.exe
C:\windows\LPTDEH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1412 -ip 1412
C:\windows\SysWOW64\GNG.exe
C:\windows\system32\GNG.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1328
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GFO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1852 -ip 1852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 960
C:\windows\GFO.exe
C:\windows\GFO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DGYLHNZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 960
C:\windows\SysWOW64\DGYLHNZ.exe
C:\windows\system32\DGYLHNZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SBHPA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1296
C:\windows\SBHPA.exe
C:\windows\SBHPA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\EESDJMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 960
C:\windows\system\EESDJMD.exe
C:\windows\system\EESDJMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRXM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1336
C:\windows\system\ZRXM.exe
C:\windows\system\ZRXM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VSZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1100 -ip 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1292
C:\windows\VSZ.exe
C:\windows\VSZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LNIBID.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 1256
C:\windows\LNIBID.exe
C:\windows\LNIBID.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VLWVX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1304
C:\windows\system\VLWVX.exe
C:\windows\system\VLWVX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NOARDBT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4084 -ip 4084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1324
C:\windows\NOARDBT.exe
C:\windows\NOARDBT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBEXNZO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1356 -ip 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 960
C:\windows\system\VBEXNZO.exe
C:\windows\system\VBEXNZO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RZMJPLQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1292
C:\windows\RZMJPLQ.exe
C:\windows\RZMJPLQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LMRA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2824 -ip 2824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1324
C:\windows\LMRA.exe
C:\windows\LMRA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCYBMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 872
C:\windows\system\PCYBMD.exe
C:\windows\system\PCYBMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZADV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 960
C:\windows\SysWOW64\ZADV.exe
C:\windows\system32\ZADV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QLG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1544 -ip 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 960
C:\windows\QLG.exe
C:\windows\QLG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ROSHHHH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3364 -ip 3364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 960
C:\windows\SysWOW64\ROSHHHH.exe
C:\windows\system32\ROSHHHH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ERAFV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3528 -ip 3528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1252
C:\windows\ERAFV.exe
C:\windows\ERAFV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCDV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 884
C:\windows\SysWOW64\DCDV.exe
C:\windows\system32\DCDV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2240 -ip 2240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1256
C:\windows\SysWOW64\UKFAH.exe
C:\windows\system32\UKFAH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FCVLZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1840 -ip 1840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1292
C:\windows\FCVLZ.exe
C:\windows\FCVLZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JSBLDPX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 960
C:\windows\JSBLDPX.exe
C:\windows\JSBLDPX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGGV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 960
C:\windows\system\MGGV.exe
C:\windows\system\MGGV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QONDAHI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 976
C:\windows\system\QONDAHI.exe
C:\windows\system\QONDAHI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YBZJKF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 988
C:\windows\YBZJKF.exe
C:\windows\YBZJKF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LZZVM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 208 -ip 208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1324
C:\windows\LZZVM.exe
C:\windows\LZZVM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNMC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1328
C:\windows\SysWOW64\TNMC.exe
C:\windows\system32\TNMC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IIVGIKJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1144 -ip 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960
C:\windows\SysWOW64\IIVGIKJ.exe
C:\windows\system32\IIVGIKJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1724 -ip 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 976
C:\windows\SysWOW64\UVU.exe
C:\windows\system32\UVU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OIZVX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 960
C:\windows\system\OIZVX.exe
C:\windows\system\OIZVX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOMC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960
C:\windows\SysWOW64\WOMC.exe
C:\windows\system32\WOMC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XRPYNA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1452 -ip 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1288
C:\windows\XRPYNA.exe
C:\windows\XRPYNA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1336
C:\windows\system\FEUMYZ.exe
C:\windows\system\FEUMYZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1560 -ip 1560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 960
C:\windows\SysWOW64\LFC.exe
C:\windows\system32\LFC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IXLDTXF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3772 -ip 3772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1324
C:\windows\IXLDTXF.exe
C:\windows\IXLDTXF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 976
C:\windows\system\GVXYGC.exe
C:\windows\system\GVXYGC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DOHIJGW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 980
C:\windows\SysWOW64\DOHIJGW.exe
C:\windows\system32\DOHIJGW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERKE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1308
C:\windows\SysWOW64\ERKE.exe
C:\windows\system32\ERKE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUOHC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3920 -ip 3920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1252
C:\windows\SysWOW64\WUOHC.exe
C:\windows\system32\WUOHC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHFJOF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3880 -ip 3880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1308
C:\windows\system\ZHFJOF.exe
C:\windows\system\ZHFJOF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BFZLUUW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2012 -ip 2012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1324
C:\windows\BFZLUUW.exe
C:\windows\BFZLUUW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPWTM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 960
C:\windows\SysWOW64\IPWTM.exe
C:\windows\system32\IPWTM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RYYYPZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1144 -ip 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1296
C:\windows\RYYYPZ.exe
C:\windows\RYYYPZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBOUEBP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1724 -ip 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1328
C:\windows\SysWOW64\SBOUEBP.exe
C:\windows\system32\SBOUEBP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGGJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 644 -ip 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 960
C:\windows\system\SGGJ.exe
C:\windows\system\SGGJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZWUXOA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1328
C:\windows\SysWOW64\LZWUXOA.exe
C:\windows\system32\LZWUXOA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3336 -ip 3336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1336
C:\windows\system\IZXW.exe
C:\windows\system\IZXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XUPAMF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1600 -ip 1600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1328
C:\windows\SysWOW64\XUPAMF.exe
C:\windows\system32\XUPAMF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FIUHWE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4476 -ip 4476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1324
C:\windows\FIUHWE.exe
C:\windows\FIUHWE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNGOHC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 872
C:\windows\SysWOW64\NNGOHC.exe
C:\windows\system32\NNGOHC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OQKRMSK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3956 -ip 3956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1004
C:\windows\OQKRMSK.exe
C:\windows\OQKRMSK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZTG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4336 -ip 4336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1248
C:\windows\system\IZTG.exe
C:\windows\system\IZTG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CRAZLNW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3736 -ip 3736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 960
C:\windows\CRAZLNW.exe
C:\windows\CRAZLNW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4608 -ip 4608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1336
C:\windows\system\TACEO.exe
C:\windows\system\TACEO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONHNZKN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 960
C:\windows\SysWOW64\ONHNZKN.exe
C:\windows\system32\ONHNZKN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SQSB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960
C:\windows\SQSB.exe
C:\windows\SQSB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4188 -ip 4188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1296
C:\windows\SysWOW64\HTBFT.exe
C:\windows\system32\HTBFT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBIN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1336
C:\windows\system\TBIN.exe
C:\windows\system\TBIN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EOPLKEJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 916 -ip 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 960
C:\windows\SysWOW64\EOPLKEJ.exe
C:\windows\system32\EOPLKEJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCTU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 988
C:\windows\system\ZCTU.exe
C:\windows\system\ZCTU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AFX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1312
C:\windows\system\AFX.exe
C:\windows\system\AFX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RNM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4976 -ip 4976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 960
C:\windows\RNM.exe
C:\windows\RNM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CGT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1324
C:\windows\CGT.exe
C:\windows\CGT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2276 -ip 2276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 988
C:\windows\system\ZLZ.exe
C:\windows\system\ZLZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WBMNS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3944 -ip 3944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 988
C:\windows\system\WBMNS.exe
C:\windows\system\WBMNS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERNMRQQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3392 -ip 3392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1336
C:\windows\system\ERNMRQQ.exe
C:\windows\system\ERNMRQQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CCQCAE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1324
C:\windows\CCQCAE.exe
C:\windows\CCQCAE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HHISQZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 960
C:\windows\SysWOW64\HHISQZ.exe
C:\windows\system32\HHISQZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LLHN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 432 -ip 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 988
C:\windows\LLHN.exe
C:\windows\LLHN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NIMZFAS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 988
C:\windows\NIMZFAS.exe
C:\windows\NIMZFAS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWDJRUZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 960
C:\windows\system\QWDJRUZ.exe
C:\windows\system\QWDJRUZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FMEAXH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960
C:\windows\FMEAXH.exe
C:\windows\FMEAXH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEPQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1292
C:\windows\SysWOW64\EEPQG.exe
C:\windows\system32\EEPQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMIQTZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3888 -ip 3888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1328
C:\windows\SysWOW64\QMIQTZ.exe
C:\windows\system32\QMIQTZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZVKVFWB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 988
C:\windows\system\ZVKVFWB.exe
C:\windows\system\ZVKVFWB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OLLVES.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1252 -ip 1252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1324
C:\windows\OLLVES.exe
C:\windows\OLLVES.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WQQBO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1336
C:\windows\system\WQQBO.exe
C:\windows\system\WQQBO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KBG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1432 -ip 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1336
C:\windows\system\KBG.exe
C:\windows\system\KBG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IMJILHD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3484 -ip 3484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1260
C:\windows\IMJILHD.exe
C:\windows\IMJILHD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXAHZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 696 -ip 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1336
C:\windows\system\WXAHZ.exe
C:\windows\system\WXAHZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\APBJDO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3964 -ip 3964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1336
C:\windows\system\APBJDO.exe
C:\windows\system\APBJDO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 960
C:\windows\SysWOW64\MIECLV.exe
C:\windows\system32\MIECLV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZSNAAG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 988
C:\windows\ZSNAAG.exe
C:\windows\ZSNAAG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HGZHK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 988
C:\windows\system\HGZHK.exe
C:\windows\system\HGZHK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GRCX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 988
C:\windows\GRCX.exe
C:\windows\GRCX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TULOZVX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1652 -ip 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1324
C:\windows\TULOZVX.exe
C:\windows\TULOZVX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XFJJH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4780 -ip 4780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 988
C:\windows\SysWOW64\XFJJH.exe
C:\windows\system32\XFJJH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SHZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4760 -ip 4760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 960
C:\windows\SHZ.exe
C:\windows\SHZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DACA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1716 -ip 1716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 976
C:\windows\system\DACA.exe
C:\windows\system\DACA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MNHH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 872
C:\windows\system\MNHH.exe
C:\windows\system\MNHH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TIQLZSO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1304
C:\windows\TIQLZSO.exe
C:\windows\TIQLZSO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWXJWUL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 384 -ip 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1308
C:\windows\SysWOW64\MWXJWUL.exe
C:\windows\system32\MWXJWUL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NZBN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 960
C:\windows\NZBN.exe
C:\windows\NZBN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ACKMYUH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1732 -ip 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1256
C:\windows\ACKMYUH.exe
C:\windows\ACKMYUH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSLDWQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2936 -ip 2936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1328
C:\windows\SysWOW64\PSLDWQ.exe
C:\windows\system32\PSLDWQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DYF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4768 -ip 4768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1328
C:\windows\SysWOW64\DYF.exe
C:\windows\system32\DYF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1476 -ip 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1336
C:\windows\system\LQG.exe
C:\windows\system\LQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBDQNR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1772 -ip 1772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1296
C:\windows\SysWOW64\JBDQNR.exe
C:\windows\system32\JBDQNR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYJNGR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1328
C:\windows\SysWOW64\VTYJNGR.exe
C:\windows\system32\VTYJNGR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NMPJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4992 -ip 4992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1296
C:\windows\NMPJ.exe
C:\windows\NMPJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SPLPF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4156 -ip 4156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1004
C:\windows\SPLPF.exe
C:\windows\SPLPF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KVDCVUL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960
C:\windows\KVDCVUL.exe
C:\windows\KVDCVUL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IIDD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1324
C:\windows\IIDD.exe
C:\windows\IIDD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GYQUI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 644 -ip 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1316
C:\windows\system\GYQUI.exe
C:\windows\system\GYQUI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWEG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 988
C:\windows\system\IWEG.exe
C:\windows\system\IWEG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FURYFT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1336
C:\windows\system\FURYFT.exe
C:\windows\system\FURYFT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXNFKL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1336
C:\windows\system\KXNFKL.exe
C:\windows\system\KXNFKL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CFCCXC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1324
C:\windows\CFCCXC.exe
C:\windows\CFCCXC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAFFC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 960
C:\windows\system\CAFFC.exe
C:\windows\system\CAFFC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIUDP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3800 -ip 3800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1308
C:\windows\SysWOW64\UIUDP.exe
C:\windows\system32\UIUDP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGZXERJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1256
C:\windows\SysWOW64\EGZXERJ.exe
C:\windows\system32\EGZXERJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1000
C:\windows\MGQJMK.exe
C:\windows\MGQJMK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SHQF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1460 -ip 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 960
C:\windows\system\SHQF.exe
C:\windows\system\SHQF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AUC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 960
C:\windows\SysWOW64\AUC.exe
C:\windows\system32\AUC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 960
C:\windows\SysWOW64\GQO.exe
C:\windows\system32\GQO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XQC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1252
C:\windows\XQC.exe
C:\windows\XQC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLTKCT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4780 -ip 4780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 960
C:\windows\SysWOW64\DLTKCT.exe
C:\windows\system32\DLTKCT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3056 -ip 3056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1316
C:\windows\system\GGLMWEY.exe
C:\windows\system\GGLMWEY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWMLU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1328
C:\windows\SysWOW64\VWMLU.exe
C:\windows\system32\VWMLU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UHJTMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1336
C:\windows\system\UHJTMZ.exe
C:\windows\system\UHJTMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\JXKL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1296
C:\windows\JXKL.exe
C:\windows\JXKL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKBUE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 960
C:\windows\system\MKBUE.exe
C:\windows\system\MKBUE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FGNLSBD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3884 -ip 3884
C:\windows\system\FGNLSBD.exe
C:\windows\system\FGNLSBD.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1304
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERPBTH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2768 -ip 2768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1336
C:\windows\system\ERPBTH.exe
C:\windows\system\ERPBTH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GODVJQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 996
C:\windows\SysWOW64\GODVJQ.exe
C:\windows\system32\GODVJQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NZSD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1324
C:\windows\NZSD.exe
C:\windows\NZSD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPTDZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1336
C:\windows\system\CPTDZ.exe
C:\windows\system\CPTDZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KVGJK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4880 -ip 4880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1324
C:\windows\KVGJK.exe
C:\windows\KVGJK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBSNVGK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1316
C:\windows\system\YBSNVGK.exe
C:\windows\system\YBSNVGK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1476 -ip 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1240
C:\windows\system\AOXW.exe
C:\windows\system\AOXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWSIVSC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3516 -ip 3516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1328
C:\windows\SysWOW64\RWSIVSC.exe
C:\windows\system32\RWSIVSC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVYWY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3964 -ip 3964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1336
C:\windows\system\PHVYWY.exe
C:\windows\system\PHVYWY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QFPAPU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1052 -ip 1052
C:\windows\QFPAPU.exe
C:\windows\QFPAPU.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1300
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PQAQQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1324
C:\windows\PQAQQ.exe
C:\windows\PQAQQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDFZAIS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1316
C:\windows\system\KDFZAIS.exe
C:\windows\system\KDFZAIS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SGV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3056 -ip 3056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1332
C:\windows\SysWOW64\SGV.exe
C:\windows\system32\SGV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJZR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1328
C:\windows\SysWOW64\LJZR.exe
C:\windows\system32\LJZR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCVQQWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1992 -ip 1992
C:\windows\SysWOW64\DCVQQWM.exe
C:\windows\system32\DCVQQWM.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1308
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DHV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4744 -ip 4744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336
C:\windows\system\DHV.exe
C:\windows\system\DHV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXOX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2504 -ip 2504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1004
C:\windows\system\PXOX.exe
C:\windows\system\PXOX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CDO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 988
C:\windows\system\CDO.exe
C:\windows\system\CDO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LJTPZWA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3472 -ip 3472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 988
C:\windows\LJTPZWA.exe
C:\windows\LJTPZWA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORHXD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4188 -ip 4188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 988
C:\windows\system\ORHXD.exe
C:\windows\system\ORHXD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TRJA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 960
C:\windows\TRJA.exe
C:\windows\TRJA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXPXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1384 -ip 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 988
C:\windows\system\IXPXW.exe
C:\windows\system\IXPXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCGW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964
C:\windows\SysWOW64\YCGW.exe
C:\windows\system32\YCGW.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1104
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NSHVP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3600 -ip 3600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1248
C:\windows\NSHVP.exe
C:\windows\NSHVP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ADXMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 988
C:\windows\ADXMD.exe
C:\windows\ADXMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BBFVNVW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1836 -ip 1836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 960
C:\windows\system\BBFVNVW.exe
C:\windows\system\BBFVNVW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WOK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1448 -ip 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1264
C:\windows\system\WOK.exe
C:\windows\system\WOK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GMQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1260
C:\windows\GMQ.exe
C:\windows\GMQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMSD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3140 -ip 3140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1308
C:\windows\SysWOW64\PMSD.exe
C:\windows\system32\PMSD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BCLEW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5056 -ip 5056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 976
C:\windows\system\BCLEW.exe
C:\windows\system\BCLEW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/3632-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\NRF.exe.bat
| MD5 | f84c3fd02e00dda1ebc79e8e0fdc0745 |
| SHA1 | d7be0908306b5763c84b98bc5a3aeba9d69b6c42 |
| SHA256 | 7cf7834f7d14f78d8693447a4dcfde54d15b126e35738386dae033c56590c3f1 |
| SHA512 | 3075431efaab48ba73142f2325a854a387a81ec6a42c58d46faac26d405c3e721e046ad6c044e6e8f92cdfe533968248a7d38a050cbe392917b3e1077b17b060 |
C:\Windows\NRF.exe
| MD5 | 8dbc84fd7030d2652b4e33fd53448c71 |
| SHA1 | 4c7bb995066880e68b219519c047b278976ac534 |
| SHA256 | fe3b7ae53fbfbc4cbf6230833dcce7e3cbe7a68da7f698f71ee9d01255d7a450 |
| SHA512 | 36bdabf622ba74b39bb01204892c27787f54df6aa4e5e5c23639d7b5538d7d795230590f2de349833e17ef12c66f7bfccd4186d7be685cb65c0df41b20317334 |
memory/2304-11-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\YJIW.exe
| MD5 | 400a94cb5adeebb26dd72bee8dc496ba |
| SHA1 | 7e19fd378a0881127bdfeccda07afeb1e632773d |
| SHA256 | e584ecc17ff2d794d359c32ae4c60e9cdac00ae41b3015c1545bc9d4e8166a51 |
| SHA512 | c4b79f67910f5011859fb500587cd2d750717b71a6492a3c4a08efb27f1b34e6d9d1fd7e8e6b0774d6f2df2791f3f3d0d4d646d1307633940cb9461514a47a04 |
C:\windows\YJIW.exe.bat
| MD5 | e3285275de50129952580d3d7a0be61e |
| SHA1 | 18864f98b47f927721146c83a864e4e5d71f1fca |
| SHA256 | 3257b0353b6d6352570afe112a1b8275b782cb8f0fbb7213255b46f2637b5723 |
| SHA512 | 4d784363220f47ba09482f55bec743e0c9fb299c85f5bc759f9e8ff6acc9ccb26ef0425a525cf4b7453768fe02d412545c0d51406199c892e3937f5f2b8b40b6 |
memory/3448-22-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3632-23-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2304-24-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\MUZLKOQ.exe.bat
| MD5 | 406a7a74e9f818efda4a8d5ce0e88f03 |
| SHA1 | 09640e496c9967565fc8a589ff61fd98890e9c87 |
| SHA256 | 56eec42ae27e2a655e9128be750a2efb2c423ce5794605ad8cf1b8855b9a831c |
| SHA512 | 7a1b5d6eda4a64f7c9451360861f45829986299b27c8db26579f35fafe509128f8a2f2a36e0177cbeceacdd673d66b3af88596da3f3c76ef9a3ca8fca9af2c68 |
C:\windows\system\MUZLKOQ.exe
| MD5 | 945bdd0bb2c172ba851519e799b9efa5 |
| SHA1 | 2e8420a83ca48e5794500b8529a8d8460119b542 |
| SHA256 | 9d45dba6ab28dfbe04c3d73a63ba84e9f54a7b3b0c59eb8a3cf4bee9369376b1 |
| SHA512 | cb7c9b40043471caaa79832499639dbc1c1d14bfd92f6d027836e8436ad41f406ddcc68cb4127a7dc0931db230a7d3f0995bf2da4ab42e6cc733ad16b26a5510 |
memory/864-35-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EXQPG.exe.bat
| MD5 | 1fd5da68c9aa3c78db4f918288966266 |
| SHA1 | 8dd42ab3a586f515d0917e4934b6a2486f562c62 |
| SHA256 | 283e3036a70a4f400a11a7e86d2e473accf7a4485e7d35e9976fc73a111d46b6 |
| SHA512 | 51191a0cf60bfaace0b239aa7ca49b63cf661aab94058c5edf1d633fca2f21f6ea0f04241406a645aeef857e6c47ecb719fb8afdd7e1b31cc873e7391b9ee076 |
C:\windows\system\EXQPG.exe
| MD5 | e2b93c800e25def30cd04a598bca64d3 |
| SHA1 | 011d754f63dbe7d5a2cad23aa7977718fb096c91 |
| SHA256 | 2a5562ac2e3494dab2bcc1a4bcc761e6ae559a688c90ebe9eaa4fafc34eb65c9 |
| SHA512 | 68ca296a70d4a8a90c5c89d6ac81641a847b0f2914bf3740c1615caf9647e92fbf4ae54e83316cba0c030cc0d2ca022f3e2f7e57a06dce4c5c74596e3eee3297 |
memory/3448-46-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1356-47-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\WXEMS.exe.bat
| MD5 | 5abd00c4e3c301118ef9812fe3ed474f |
| SHA1 | 8dacee611e60d8ce874c7e955ad8af8494a18989 |
| SHA256 | 36c926c8454477b3e87e001390fccfa664877d1c974ab71ed05bd89f39583fed |
| SHA512 | be1cce14ca5cdab0ebdba735efd52a7e6a3f7a1a9188329f8650a73529a261e0bcd688ae13c9f201f3337278642c5b780d24407dcdecfadd03e16e54e03b1786 |
memory/1648-58-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\WXEMS.exe
| MD5 | 8e89516adfcc93206d7f1893d1bed6f3 |
| SHA1 | aad20c68434cd4a428fa129e815a8e57ac1545b9 |
| SHA256 | f46d7d7a5fddd6256b4decae75a30f138812f543bb847bf54dc9b3b340188164 |
| SHA512 | efa47e0c8725c425bad9b1f035578cd7f5dc306b42a2ab42ea41d16b5ef190fe98c1877c89a1a6cf91cab2de44307b968cd3c1ffd824afb7278bdc330204190e |
memory/864-59-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NGTRFAW.exe.bat
| MD5 | 685bf2af85a28d43e5cc4127d7f9fd54 |
| SHA1 | c9d4d997e8de7f9a70a6a24ace4128cee9188ed4 |
| SHA256 | 7e28bd18d12546696ec71fd22900cb5d600526d7b4654eedc366cb8d0561eace |
| SHA512 | ec0ae9319163bb8fa075f42b97296a1b6265e4e91413969e258bfdc1d02fb0ded64b9ecbe05b9a1faede83730e4cf6b6294f3e9217ffab67cc86e8144981d5b9 |
memory/1356-68-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NGTRFAW.exe
| MD5 | f98442932f5a101d2a0c1846fd6a6491 |
| SHA1 | 3f24f91a0ea505bf44b34f512401014c4cfd7815 |
| SHA256 | 778f40c310d91e5c3856f46a261728f2d318fb8e2733474787b2e7539f8d4be7 |
| SHA512 | d703bc8ed38eb5bddb45b0c9dbfa2e4645f934de63d5c4f57cc87bedc91eeb2e054c6e4137982484374fc21c6a0a67133962362d478f2c2875c88692d642309d |
memory/3692-71-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\ROZR.exe.bat
| MD5 | 0fcc09c2924916b77f99a6d1ff2166d4 |
| SHA1 | 28d98d02f8ccaa8059ff1efcec910e497c41f35b |
| SHA256 | 3121619e2e63a1798dba11bb297958b36f39a7109dcd6a737c52452afae57d10 |
| SHA512 | 99b98957fb3435b3a292d8159a8ec109d689b417c261e4d6b5f473403909ca3769e7a66916998b7969ebb03fb0496339d28fee591fca0a1df3355111d545729d |
C:\Windows\ROZR.exe
| MD5 | b259b1bc83294d3ec0a8621e61ed4695 |
| SHA1 | adbfc269c858feb2cccbe4361a20fd6cdbfc74f9 |
| SHA256 | 7c240a7dc808f42190b84fce33f4f7f18d7334aa162726afde0cfa21309fa6be |
| SHA512 | c0c00890bb58794931754c0f8ee19dad05b3dbfedb754158a1149b55a6e646acf5e0eae3a00b2547072a8daaa5776d79cc566b153ef214daa489182e774f3421 |
memory/368-81-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1648-83-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\SMHAUC.exe.bat
| MD5 | 9259c0c0be24a9270a8afdef76a11e12 |
| SHA1 | 94204528801c8b0b74e7ceaa5224ff3e2c80cfec |
| SHA256 | 8f216b6812903ec6725aed4291133005a44887455935e5be18de30317f3bd936 |
| SHA512 | b2dad8e247244490cad9bfb3c7ccf7591574cd0a1fb601e532e11c3848cd39b373a410600c2c5c18deeae7541025550d75e0d1e01666dc470b4ae6f1c7081f49 |
C:\windows\system\SMHAUC.exe
| MD5 | ba712e330e142dd45c8ec0b9479cb575 |
| SHA1 | 3df38c7e7f9cf120e377a5c98ff27098d17a7f25 |
| SHA256 | 39ecbe4d2aa40762ecb6824e75b3539352042f1461c892e143f2eb637c45caa7 |
| SHA512 | b2546cf443725363177b6e91574d6c00cbf627473d02b43924c10f081c48ef8c2666163bbea5d3bb4cdf685521d9e3c36a43fd866beab0febfa1ad3783c1571b |
memory/4752-94-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3692-95-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\ARMHE.exe.bat
| MD5 | 23cae0a7ecdc6442aa05a4284239b203 |
| SHA1 | 9af71a7badefc95a11572bc226a4579471c7dd48 |
| SHA256 | 9e9113b39f50768b3b02b0ddf9fb624e1f801a763d2686252c07e32524420df6 |
| SHA512 | c9910812672122efb113150f21158b3507ac9547b6a95cebcd7f3e93653fd8c39f2dfe1ff838d9f3af480b43ed7f4e6034716f1ca7159af9332f50ff39881393 |
C:\Windows\SysWOW64\ARMHE.exe
| MD5 | 7ecdf6dac26e8f13360b2715ae40acc4 |
| SHA1 | 03ac0dc649a208251cfb8eda010372871f6c0ebe |
| SHA256 | a7d7d32d7027a4c7f6e791a908f628f508de080563d28ac27b0a3b57cf1343bc |
| SHA512 | d16b9dbb1376ad93d2703ca1fca45f55549bf011e50c3e7b431f606f4af079ffde09b923a2d82a68fc77601de3fa0e49d21f215a6058bc94d6d1ad12779e5dd6 |
memory/4700-106-0x0000000000400000-0x0000000000439000-memory.dmp
memory/368-107-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\NCC.exe.bat
| MD5 | e1d2f5cae1f7f57f5ac24a745d673ecc |
| SHA1 | ccbd56cf89b97cec1afbcce452995ba74a22eba9 |
| SHA256 | 39fb2f886fde0a8ab02163a199c6b4b85ceb1ce274b4347894f964d200357677 |
| SHA512 | 0b79c299ecd4361592faf0e4c36cae1752baf1be937109ea5004c466c595c16779091cafe6e2ad89e5f8ef162805df23f43eb059c2890f55c096f64feb33cd96 |
memory/756-117-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4752-119-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\BXGGG.exe.bat
| MD5 | 1fb97dbbaf24e147381557f6866406ac |
| SHA1 | 2f1f98bc3e2401952759a378c825d2f640bda746 |
| SHA256 | 855cffcd6d79199da4fe346057ac030168bf6bbc50fa657a3778cc1ad5c19663 |
| SHA512 | f045f38156cd7f0360dcd3617991ae114e7e7a9429a48252b1687a58205a152547cf75e4934a2efb25c11fb75f51052abc9e15a9d00d9305c70b3fbfc3bd9e8d |
C:\Windows\System\BXGGG.exe
| MD5 | 9f2b7e2c8b71ee6c3285816641908dcd |
| SHA1 | 35917be4805df5db7ac96bb5e6d6f0d3fb022097 |
| SHA256 | 75bb26c46a3ebce19253ce667c1d1d7d18bc52a6a78b83c53cfc860c5acdd333 |
| SHA512 | 4ba5592bc90d5e06f9feb0db5f63bc5bc359d5ac094a35347c5d7b90ba4885d74371ac6e01beefe000f2532030fd6c994f1984dbf65068cb611d0684f8b2ad48 |
memory/3704-130-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4700-131-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\VVHB.exe
| MD5 | f69229016889b7b12869caca6c7a682c |
| SHA1 | 9d48b0466d58406567f3a231c419eb4fef752810 |
| SHA256 | d7d84ad1d0f3dfa1a5e5396bb6f370d75980037ebf818c5f61cb444843b1984e |
| SHA512 | c2d6d25b9cd4fa50f5b0f6832b89c3d58c79d386da7f6d8eae10385fb6b88cc632a5679d1c362ca6642371c5e98e56defa2da42458cfc47d8a31696c921f16c7 |
C:\windows\VVHB.exe.bat
| MD5 | a3f46e6cc77aa3b1f67cf358e994006d |
| SHA1 | 0807492636d2e48899744fe2132f1c6506c9c9e2 |
| SHA256 | 8535be8c7b6797ed05044c0119c7aa3e3b57ad77270b33134ca1fbc00f5d7678 |
| SHA512 | ea36df114e27f73647305b975ff6ab3510e34ce443064268804926e51bba94f57f62d4437afd892ed4312bcca416d10bf0ef3543a4c1ff99d3ecec5c96f5e310 |
memory/2120-142-0x0000000000400000-0x0000000000439000-memory.dmp
memory/756-143-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\VDVG.exe.bat
| MD5 | e6b76769e4ba10117d9a7681d2c3210d |
| SHA1 | 54df0c549617d92ca7605f30a0445884e6c2ccfe |
| SHA256 | ce833fad09b29d6db6a023680d846e8725a25247af840ccd6c71a0c50a8b940d |
| SHA512 | 73d89c249c6f456deae6fc5b57a5058a30061d677da444691a3eae5b0882b7038f97be56029113e917fd89da5d6dbeb00aa90ea29318215591776a7f4fcf12c3 |
C:\Windows\System\VDVG.exe
| MD5 | 614dda584cbf5626fb96c4b26290fdce |
| SHA1 | 7da03018721bab89726487aba589d504dc1c8913 |
| SHA256 | 4f7a48503d6992d3d5ea42b7d3fc2156bc4173a372f3b38005b1626c0894e3aa |
| SHA512 | 4dd1b670a07de771af02e8788cc79ab173d0d128a16ca2b430806773435d6b1a9639b2ce69cff352dbd7af1a084b7a3c06a8344773335afac4859ceede531c3a |
memory/640-154-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3704-155-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RWXID.exe.bat
| MD5 | 04fad82d2195f33d0299725efb691c6e |
| SHA1 | a6ea288701327349d422b3ad9eec5cc9b0daab13 |
| SHA256 | 1a83bc5d5b63f3045f3d56399e45b618ebe2aeb5c9109e505b8f40eaa8a10a94 |
| SHA512 | 50ab1f0d76db7630863a5c7c4fd53a599a0781e23cee1f800aed2e445c92e2311a1e4e23a56704c2940bb3dbb9716b39d2010c8b7061da69272c8ea16e0b4dfd |
memory/2120-163-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RWXID.exe
| MD5 | 050812ee9f57d71be3955de66a44d9cf |
| SHA1 | 66928d6e022060cb30594046b787072bc5038314 |
| SHA256 | 08712dc2137b7c651c066d51126e10af7d41917cfab159677316b58e2ac73b67 |
| SHA512 | d0ceaea4af7906e7cd0edaec3024730ff6c872b46502f35d5744b973da6c025732e0e3b973db51eb3d488d21c50dcd84126a34bcab2cd32d34c4a651c68caa86 |
memory/2472-167-0x0000000000400000-0x0000000000439000-memory.dmp
memory/640-174-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\NCKMOHW.exe.bat
| MD5 | 3a98d28424e90c57a8b7829aeaa64e4b |
| SHA1 | e2497065bc23d0419f18e11464e460350caf081e |
| SHA256 | f7134cb2726cdb74d6156034eac4e32adb73c9a636eb98d075fc18aa0378fc89 |
| SHA512 | 6b005f240eb425eb53beb61c93d05ca2f5bad06940b70a0422f84a8a7a78331e4269d79b51486778f464b882d43279fea69266e15859ea503f1ea1a028b53cc6 |
C:\Windows\SysWOW64\NCKMOHW.exe
| MD5 | 4c67f96f3a7da66ace2e2b6cc6934975 |
| SHA1 | d3f2dbb342236fa4fff472840712c6c9d5b7eb5e |
| SHA256 | 6aa2e10833ed77d55d9452069f5ffe2326ca0cebee911b996687ee8d8aa08f78 |
| SHA512 | b749fd7a2d9689e671c3617c82ae496167b0eb5a335f1ba273a07a2834296f9099abde0e841d84e78ae5398bed09beb7a384421ba00761f0790bf5fbc53b0caa |
memory/4984-179-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\DRRPSBD.exe.bat
| MD5 | be90bb015123273e1338e5dcc03ee93f |
| SHA1 | d5778ab8821e9c1beb6121dcff258b09154e2add |
| SHA256 | d18b935872ff3ef041bc2228fea13b221f699fa46978a39081a98b8c5b70930a |
| SHA512 | d69528e9dc370bb036954b74b8e97919ae690eb9294c533db0af38924f832ea4881094f69f80ea5d29a46eeb9e0fde13f9574086eab67e08f2c76e782bae9173 |
memory/2472-189-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5100-190-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\LFDDCZ.exe.bat
| MD5 | 20eb83525499a23b0a7eb6487ca8c7d4 |
| SHA1 | 3c8b56011d4ae993dedb4d069d745c865ffcf37b |
| SHA256 | dd4a63b2cdd19f6df55d4731083e553d5a9e6e7585c27a344c44676d4d857a87 |
| SHA512 | 6a70de00493752b410d294d2eac068e94fb02ed7eb1d5ec18af55bd3ccdcd14020c8bf18e2dcc4403640a8402889ed38ad770cac63e85744aa5ef679b19a7131 |
C:\Windows\LFDDCZ.exe
| MD5 | 37f1a375d49b7d482c1c8e6ef05719f3 |
| SHA1 | cfa562370d511e972dc8e2e5475c5cb7cedd9b72 |
| SHA256 | 48b2e38dc8f692f52a5cee3a5fad4e5596d48a00919cb04b2290a5f1ba5edf0f |
| SHA512 | 8a332aa37ec1aea32ac23c543e16ab52def6ef4c1fc44d47899383b13c904e5cab2f83840867eef54b5de89b6ea60cb07043de4a1c448085aa077cde5d660a69 |
memory/2096-202-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4984-203-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\EAH.exe.bat
| MD5 | b8b8c5736c163dcdadb0aa3cc5ccbacc |
| SHA1 | c330bd53af0fa2c0cb9c18211d26c64c746e11f5 |
| SHA256 | fd028ccaba6cbd3c92440468145beaefcf0eac3e82f63ec3f6e68f9843e652cb |
| SHA512 | 1a3a437bbf73b853c7f33af70428aa61b2798719d05df78dceaeb630e3ea2f6cf20874517593e698617abc824b888c50482da1fad965f67bdc4a6e74d5aec2e0 |
C:\Windows\System\EAH.exe
| MD5 | 36335887e5b495ec9c6a9d383eb7e102 |
| SHA1 | 051f348062a2a88a4ca27a9a9dd56ee4bc7528ce |
| SHA256 | 4112eaf13384230701d7ef9200001df44b78210e27c3ac674ce9b34ae6520139 |
| SHA512 | 60ddfc0c2174e3c7aa7fa452b08e06cc3b05632d33d91a9d6c839664057cb5f9aa2e567da707c623039fcf8fab7c6535b126df8b43910fdb7fe1a4674ea80815 |
memory/3496-214-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5100-215-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2096-222-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\JGRO.exe.bat
| MD5 | f11dd8cabe2ecf6ab3003e21cfb94e3b |
| SHA1 | 7b968be928dbc6b5a3efd93d56a3c67810aded80 |
| SHA256 | 2b59457b236be26fa198dde7178f723406b116c9ceedf8c64b98b7a31617ccef |
| SHA512 | 6b5648312c2961481c6b215df2d3b4b10d167665e3156c4da169cbdf9a8e103ba121dede34c246bfa2597f2e5ef213cadd1a5a28b62737f01994bd2e0cf82840 |
memory/4920-226-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\JGRO.exe
| MD5 | ba6bf41017874d68520f9bb2bb3e7234 |
| SHA1 | 81a6e39b2728e728dd0906b089ad98cc463f5b7c |
| SHA256 | 79e79dada980ec77427c2ee0f4c6d4000aa0cf37cf9662d3f04a389cac7cf527 |
| SHA512 | c6e96a5f8a2779a669ddf0757bf4a779215c809be76b46dcb2b20a148694333beb593427aa0203e7d89f2dc46bbd3f164695d45c8bb8de28f87851d616baa0de |
C:\windows\system\WLZAIWM.exe.bat
| MD5 | 5c4693c70b62b81e31b803aa2c906535 |
| SHA1 | c17e75ed7515baa3330ce3beeb40ef28e6f6c7f2 |
| SHA256 | f256b822fa855fd826af590158ffc286198bf55ca4a9e1f2e479432724a4d216 |
| SHA512 | fe768533057309f4efdd1facdeeaf402ee5cf58017cfeb70e5f845b114692f4a8bba9de85b4a6c211b9e13fcba59444df252ea8a39a0f297767c64b606d26d24 |
C:\Windows\System\WLZAIWM.exe
| MD5 | 2474768367c229f7ff4b44cc7de0db1a |
| SHA1 | 569135fd51688fab48bc3564eaf615740a770508 |
| SHA256 | 3bf9efd0fcb1bda40d1570983a856e46a39a667293c196e83f1eaba0a4ab250d |
| SHA512 | c5a429ada1098979a2dd58f3a8573d0ffc8c180b9f1d6c6c996a297916d2d8e9668a6fbdd6c880ee2c5f4e6df5d607e422ff916f63f15eaef5677d6185fcbd7b |
memory/1220-237-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3496-239-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\XGDW.exe.bat
| MD5 | 33707bd2b106818a8dd53ff1ecc3c2fd |
| SHA1 | 83c6572874bfd37603088d2f1d8cd2b72103cc4a |
| SHA256 | 7a16e5aadd99ff22cec96b75bece12f76f73326ed7b2f768d32a64d504694e71 |
| SHA512 | 40b656831a0638bd00dfdac092eb84ef8a7ee49ced5ea5d2c2168a8df70e0610520325c47a522a319099494335590421d38e57191cd146d2f506c023c48a2c3f |
C:\Windows\XGDW.exe
| MD5 | 0f022581823034a0cd683c02bb53912b |
| SHA1 | fbf8dee3db91f98f61f63c480f93a6cc716a67c1 |
| SHA256 | 0b0b33951ff1059e5a81add696b0f50ac9353b638332095b2712f6929836b3cd |
| SHA512 | e91952824d77781e6b2de4062d83349768b02715d69090a2cbba57aa3df5d92703443fc7b486b831612ecdd8418b45cac68db129071e772047da79f3e79125e6 |
memory/4756-249-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4920-251-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1220-258-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\QCOU.exe.bat
| MD5 | d6a977983d0d3e59efa6ff4dc7ec0360 |
| SHA1 | ab13bf51dcd3c144b2b6549beca0dda70b1f51c4 |
| SHA256 | 5b42fd687066692bf47a2db749ef89406d002c50ae79d408928b7e759969694d |
| SHA512 | a37385b327b9a0b73f794e0a9352601b547984c5b8cbbaabda3a84d23329f30595d2b70241b85e245f12a57e9e9a79409d89e4189b0b940fa251d1b2d22d8694 |
memory/4592-261-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4756-268-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1412-270-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4592-271-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1852-279-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4432-287-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1412-288-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1852-295-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1444-297-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4796-305-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4432-306-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1444-313-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1768-315-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4796-322-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1100-324-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1768-331-0x0000000000400000-0x0000000000439000-memory.dmp
memory/388-333-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4100-341-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1100-342-0x0000000000400000-0x0000000000439000-memory.dmp
memory/388-349-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4084-351-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4100-358-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1356-360-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4084-367-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2220-369-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1356-376-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2824-378-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2220-385-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1108-387-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2824-394-0x0000000000400000-0x0000000000439000-memory.dmp
memory/688-396-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1108-403-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1544-405-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3364-413-0x0000000000400000-0x0000000000439000-memory.dmp
memory/688-414-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1544-421-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3528-423-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3364-430-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2156-432-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3528-439-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2240-441-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2156-448-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1840-450-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2240-457-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4304-459-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1840-466-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4564-468-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4304-475-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3496-477-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4564-484-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4432-486-0x0000000000400000-0x0000000000439000-memory.dmp
memory/208-494-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3496-495-0x0000000000400000-0x0000000000439000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 04:45
Reported
2024-06-02 04:48
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\PEZCIUI.exe | N/A |
| N/A | N/A | C:\windows\KPCTFR.exe | N/A |
| N/A | N/A | C:\windows\system\RMMGKB.exe | N/A |
| N/A | N/A | C:\windows\system\FMSMEI.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\JSPTD.exe | N/A |
| N/A | N/A | C:\windows\system\WXGTEX.exe | N/A |
| N/A | N/A | C:\windows\ILP.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\YDWNKP.exe | N/A |
| N/A | N/A | C:\windows\NYS.exe | N/A |
| N/A | N/A | C:\windows\system\FVXWW.exe | N/A |
| N/A | N/A | C:\windows\system\SJOVFJ.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\RWXGF.exe | N/A |
| N/A | N/A | C:\windows\system\BUP.exe | N/A |
| N/A | N/A | C:\windows\system\GOXH.exe | N/A |
| N/A | N/A | C:\windows\system\XCUZ.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\HMVRSN.exe | N/A |
| N/A | N/A | C:\windows\system\VMP.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\VUV.exe | N/A |
| N/A | N/A | C:\windows\YVN.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\LFD.exe | N/A |
| N/A | N/A | C:\windows\HFKRRE.exe | N/A |
| N/A | N/A | C:\windows\DQDTTZ.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\SysWOW64\JSPTD.exe | C:\windows\system\FMSMEI.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\RWXGF.exe | C:\windows\system\SJOVFJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\YDWNKP.exe | C:\windows\ILP.exe | N/A |
| File created | C:\windows\SysWOW64\RWXGF.exe.bat | C:\windows\system\SJOVFJ.exe | N/A |
| File created | C:\windows\SysWOW64\HMVRSN.exe.bat | C:\windows\system\XCUZ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\VUV.exe | C:\windows\system\VMP.exe | N/A |
| File created | C:\windows\SysWOW64\VUV.exe.bat | C:\windows\system\VMP.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LFD.exe | C:\windows\YVN.exe | N/A |
| File created | C:\windows\SysWOW64\JSPTD.exe.bat | C:\windows\system\FMSMEI.exe | N/A |
| File created | C:\windows\SysWOW64\YDWNKP.exe | C:\windows\ILP.exe | N/A |
| File created | C:\windows\SysWOW64\RWXGF.exe | C:\windows\system\SJOVFJ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HMVRSN.exe | C:\windows\system\XCUZ.exe | N/A |
| File created | C:\windows\SysWOW64\LFD.exe | C:\windows\YVN.exe | N/A |
| File created | C:\windows\SysWOW64\LFD.exe.bat | C:\windows\YVN.exe | N/A |
| File created | C:\windows\SysWOW64\JSPTD.exe | C:\windows\system\FMSMEI.exe | N/A |
| File created | C:\windows\SysWOW64\YDWNKP.exe.bat | C:\windows\ILP.exe | N/A |
| File created | C:\windows\SysWOW64\HMVRSN.exe | C:\windows\system\XCUZ.exe | N/A |
| File created | C:\windows\SysWOW64\VUV.exe | C:\windows\system\VMP.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\system\GOXH.exe | C:\windows\system\BUP.exe | N/A |
| File created | C:\windows\HFKRRE.exe | C:\windows\SysWOW64\LFD.exe | N/A |
| File created | C:\windows\DQDTTZ.exe | C:\windows\HFKRRE.exe | N/A |
| File created | C:\windows\PEZCIUI.exe.bat | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| File created | C:\windows\system\FVXWW.exe | C:\windows\NYS.exe | N/A |
| File created | C:\windows\ILP.exe.bat | C:\windows\system\WXGTEX.exe | N/A |
| File opened for modification | C:\windows\NYS.exe | C:\windows\SysWOW64\YDWNKP.exe | N/A |
| File created | C:\windows\system\XCUZ.exe | C:\windows\system\GOXH.exe | N/A |
| File created | C:\windows\system\XCUZ.exe.bat | C:\windows\system\GOXH.exe | N/A |
| File created | C:\windows\YVN.exe | C:\windows\SysWOW64\VUV.exe | N/A |
| File opened for modification | C:\windows\PEZCIUI.exe | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| File created | C:\windows\system\RMMGKB.exe | C:\windows\KPCTFR.exe | N/A |
| File created | C:\windows\system\BUP.exe.bat | C:\windows\SysWOW64\RWXGF.exe | N/A |
| File created | C:\windows\system\WXGTEX.exe | C:\windows\SysWOW64\JSPTD.exe | N/A |
| File created | C:\windows\NYS.exe | C:\windows\SysWOW64\YDWNKP.exe | N/A |
| File created | C:\windows\system\GOXH.exe.bat | C:\windows\system\BUP.exe | N/A |
| File opened for modification | C:\windows\system\SJOVFJ.exe | C:\windows\system\FVXWW.exe | N/A |
| File created | C:\windows\system\BUP.exe | C:\windows\SysWOW64\RWXGF.exe | N/A |
| File created | C:\windows\ILP.exe | C:\windows\system\WXGTEX.exe | N/A |
| File opened for modification | C:\windows\ILP.exe | C:\windows\system\WXGTEX.exe | N/A |
| File created | C:\windows\NYS.exe.bat | C:\windows\SysWOW64\YDWNKP.exe | N/A |
| File opened for modification | C:\windows\system\FVXWW.exe | C:\windows\NYS.exe | N/A |
| File created | C:\windows\system\SJOVFJ.exe | C:\windows\system\FVXWW.exe | N/A |
| File opened for modification | C:\windows\system\XCUZ.exe | C:\windows\system\GOXH.exe | N/A |
| File created | C:\windows\system\FMSMEI.exe | C:\windows\system\RMMGKB.exe | N/A |
| File opened for modification | C:\windows\system\WXGTEX.exe | C:\windows\SysWOW64\JSPTD.exe | N/A |
| File opened for modification | C:\windows\DQDTTZ.exe | C:\windows\HFKRRE.exe | N/A |
| File opened for modification | C:\windows\system\RMMGKB.exe | C:\windows\KPCTFR.exe | N/A |
| File created | C:\windows\system\SJOVFJ.exe.bat | C:\windows\system\FVXWW.exe | N/A |
| File created | C:\windows\system\VMP.exe | C:\windows\SysWOW64\HMVRSN.exe | N/A |
| File opened for modification | C:\windows\system\VMP.exe | C:\windows\SysWOW64\HMVRSN.exe | N/A |
| File opened for modification | C:\windows\YVN.exe | C:\windows\SysWOW64\VUV.exe | N/A |
| File created | C:\windows\PEZCIUI.exe | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\windows\KPCTFR.exe | C:\windows\PEZCIUI.exe | N/A |
| File opened for modification | C:\windows\system\FMSMEI.exe | C:\windows\system\RMMGKB.exe | N/A |
| File created | C:\windows\system\FMSMEI.exe.bat | C:\windows\system\RMMGKB.exe | N/A |
| File created | C:\windows\system\WXGTEX.exe.bat | C:\windows\SysWOW64\JSPTD.exe | N/A |
| File created | C:\windows\system\FVXWW.exe.bat | C:\windows\NYS.exe | N/A |
| File opened for modification | C:\windows\system\BUP.exe | C:\windows\SysWOW64\RWXGF.exe | N/A |
| File created | C:\windows\system\GOXH.exe | C:\windows\system\BUP.exe | N/A |
| File created | C:\windows\KPCTFR.exe.bat | C:\windows\PEZCIUI.exe | N/A |
| File created | C:\windows\system\RMMGKB.exe.bat | C:\windows\KPCTFR.exe | N/A |
| File opened for modification | C:\windows\HFKRRE.exe | C:\windows\SysWOW64\LFD.exe | N/A |
| File created | C:\windows\system\VMP.exe.bat | C:\windows\SysWOW64\HMVRSN.exe | N/A |
| File created | C:\windows\YVN.exe.bat | C:\windows\SysWOW64\VUV.exe | N/A |
| File created | C:\windows\DQDTTZ.exe.bat | C:\windows\HFKRRE.exe | N/A |
| File created | C:\windows\KPCTFR.exe | C:\windows\PEZCIUI.exe | N/A |
| File created | C:\windows\HFKRRE.exe.bat | C:\windows\SysWOW64\LFD.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\windows\PEZCIUI.exe | N/A |
| N/A | N/A | C:\windows\KPCTFR.exe | N/A |
| N/A | N/A | C:\windows\system\RMMGKB.exe | N/A |
| N/A | N/A | C:\windows\system\FMSMEI.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\JSPTD.exe | N/A |
| N/A | N/A | C:\windows\system\WXGTEX.exe | N/A |
| N/A | N/A | C:\windows\ILP.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\YDWNKP.exe | N/A |
| N/A | N/A | C:\windows\NYS.exe | N/A |
| N/A | N/A | C:\windows\system\FVXWW.exe | N/A |
| N/A | N/A | C:\windows\system\SJOVFJ.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\RWXGF.exe | N/A |
| N/A | N/A | C:\windows\system\BUP.exe | N/A |
| N/A | N/A | C:\windows\system\GOXH.exe | N/A |
| N/A | N/A | C:\windows\system\XCUZ.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\HMVRSN.exe | N/A |
| N/A | N/A | C:\windows\system\VMP.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\VUV.exe | N/A |
| N/A | N/A | C:\windows\YVN.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\LFD.exe | N/A |
| N/A | N/A | C:\windows\HFKRRE.exe | N/A |
| N/A | N/A | C:\windows\DQDTTZ.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\PEZCIUI.exe.bat" "
C:\windows\PEZCIUI.exe
C:\windows\PEZCIUI.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\KPCTFR.exe.bat" "
C:\windows\KPCTFR.exe
C:\windows\KPCTFR.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\RMMGKB.exe.bat" "
C:\windows\system\RMMGKB.exe
C:\windows\system\RMMGKB.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\FMSMEI.exe.bat" "
C:\windows\system\FMSMEI.exe
C:\windows\system\FMSMEI.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\JSPTD.exe.bat" "
C:\windows\SysWOW64\JSPTD.exe
C:\windows\system32\JSPTD.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\WXGTEX.exe.bat" "
C:\windows\system\WXGTEX.exe
C:\windows\system\WXGTEX.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\ILP.exe.bat" "
C:\windows\ILP.exe
C:\windows\ILP.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\YDWNKP.exe.bat" "
C:\windows\SysWOW64\YDWNKP.exe
C:\windows\system32\YDWNKP.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\NYS.exe.bat" "
C:\windows\NYS.exe
C:\windows\NYS.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\FVXWW.exe.bat" "
C:\windows\system\FVXWW.exe
C:\windows\system\FVXWW.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\SJOVFJ.exe.bat" "
C:\windows\system\SJOVFJ.exe
C:\windows\system\SJOVFJ.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\RWXGF.exe.bat" "
C:\windows\SysWOW64\RWXGF.exe
C:\windows\system32\RWXGF.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\BUP.exe.bat" "
C:\windows\system\BUP.exe
C:\windows\system\BUP.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\GOXH.exe.bat" "
C:\windows\system\GOXH.exe
C:\windows\system\GOXH.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\XCUZ.exe.bat" "
C:\windows\system\XCUZ.exe
C:\windows\system\XCUZ.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\HMVRSN.exe.bat" "
C:\windows\SysWOW64\HMVRSN.exe
C:\windows\system32\HMVRSN.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\VMP.exe.bat" "
C:\windows\system\VMP.exe
C:\windows\system\VMP.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\VUV.exe.bat" "
C:\windows\SysWOW64\VUV.exe
C:\windows\system32\VUV.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\YVN.exe.bat" "
C:\windows\YVN.exe
C:\windows\YVN.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\LFD.exe.bat" "
C:\windows\SysWOW64\LFD.exe
C:\windows\system32\LFD.exe
C:\windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\HFKRRE.exe.bat" "
C:\windows\HFKRRE.exe
C:\windows\HFKRRE.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\DQDTTZ.exe.bat" "
C:\windows\DQDTTZ.exe
C:\windows\DQDTTZ.exe
Network
Files
memory/1936-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\PEZCIUI.exe.bat
| MD5 | 82de47b783ea245c80110f232740644a |
| SHA1 | 4c58ba60fabd88b2dede8a39e50f50ba7623057c |
| SHA256 | e8b24c60b8585566a6b105183dba6794ea2df550e3f6478f082bde5647a6373f |
| SHA512 | f6fe11c026b4c0349f99a0b0f51b5e2d5fd6a6e9b8458ecb41b1d5c0512a0e8810ce5d8005e0486123b271e06938d84fe85b0bde8f1c32326bbafe64a81a17d5 |
memory/1936-12-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\PEZCIUI.exe
| MD5 | e2b93c800e25def30cd04a598bca64d3 |
| SHA1 | 011d754f63dbe7d5a2cad23aa7977718fb096c91 |
| SHA256 | 2a5562ac2e3494dab2bcc1a4bcc761e6ae559a688c90ebe9eaa4fafc34eb65c9 |
| SHA512 | 68ca296a70d4a8a90c5c89d6ac81641a847b0f2914bf3740c1615caf9647e92fbf4ae54e83316cba0c030cc0d2ca022f3e2f7e57a06dce4c5c74596e3eee3297 |
memory/2616-16-0x0000000001C40000-0x0000000001C79000-memory.dmp
memory/2564-18-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2616-15-0x0000000001C40000-0x0000000001C79000-memory.dmp
C:\Windows\KPCTFR.exe
| MD5 | 7d916c6ecf46501cc5547e92278b8e6a |
| SHA1 | f8c344c086080e2c7e036814bb92e66d2e591a54 |
| SHA256 | 367658c9ffad8db43e20ef42d72941c1bdd1dbba5bc2d4c908e401a21ce84958 |
| SHA512 | a9e371dda8b71897e96170cddabd2cc8e33686cf1e11ac69b432d47aa3ee9f68dbd3d22974f3b84e561d27caf5965b6853e5ef9db283c4337fbba0eee3d59caf |
C:\Windows\KPCTFR.exe.bat
| MD5 | dc7186e918fe654dcc62b59078e3ef00 |
| SHA1 | d92da0276f55c8d52a26599c9a34d0736c6b7d88 |
| SHA256 | c5511d0bbcf207424a946c4565dd6528c0efa3ce6e3603c8b4a65f5c054791a1 |
| SHA512 | 141e0218c2ab5ee508965c08f337b73aef3f828fba04f6ee677d485acce461e57c236d39c3bb50202e5cc1bab9394a2281312ddb8bfda788c7f4f8f95863e657 |
memory/2564-30-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2596-36-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2720-35-0x0000000000830000-0x0000000000869000-memory.dmp
C:\Windows\KPCTFR.exe
| MD5 | 8e89516adfcc93206d7f1893d1bed6f3 |
| SHA1 | aad20c68434cd4a428fa129e815a8e57ac1545b9 |
| SHA256 | f46d7d7a5fddd6256b4decae75a30f138812f543bb847bf54dc9b3b340188164 |
| SHA512 | efa47e0c8725c425bad9b1f035578cd7f5dc306b42a2ab42ea41d16b5ef190fe98c1877c89a1a6cf91cab2de44307b968cd3c1ffd824afb7278bdc330204190e |
memory/2720-33-0x0000000000830000-0x0000000000869000-memory.dmp
C:\Windows\system\RMMGKB.exe.bat
| MD5 | 8271667bcb0dfe05ab3d1baa8268e503 |
| SHA1 | 801004c026821221fbdd43a624233071251e17b8 |
| SHA256 | b024334fa2abe82d50538c554fc018ab1001d7520ebebe8598f95bc8ba156d5b |
| SHA512 | aa99dc3bcc69860b3e70e08cd7b5782d697dc284ac50d2b10216f4730acd463f04c0a4a9efca1a96d77b4f7da52e08174733688c9e6693a3bb582d2abbebc299 |
memory/2596-48-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\system\RMMGKB.exe
| MD5 | f98442932f5a101d2a0c1846fd6a6491 |
| SHA1 | 3f24f91a0ea505bf44b34f512401014c4cfd7815 |
| SHA256 | 778f40c310d91e5c3856f46a261728f2d318fb8e2733474787b2e7539f8d4be7 |
| SHA512 | d703bc8ed38eb5bddb45b0c9dbfa2e4645f934de63d5c4f57cc87bedc91eeb2e054c6e4137982484374fc21c6a0a67133962362d478f2c2875c88692d642309d |
memory/2544-52-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\FMSMEI.exe.bat
| MD5 | 92f40a9b7b84390e927984bdcbab74fd |
| SHA1 | 183ab134dec1a879633796e3867686bd04ed04a8 |
| SHA256 | b45c937a3152701bd240d50475a24c9e55f8d969b1a404e3dee996431a7d77c1 |
| SHA512 | 37feab672ed895eacbb091f694e663ac77bd6613b7c6e198588747106d90f0c86a5c4bbddb5b638f0b150e7c8477f7655c4c11e66673ac3bb0f0463191e14ea6 |
memory/2992-66-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\FMSMEI.exe
| MD5 | ba712e330e142dd45c8ec0b9479cb575 |
| SHA1 | 3df38c7e7f9cf120e377a5c98ff27098d17a7f25 |
| SHA256 | 39ecbe4d2aa40762ecb6824e75b3539352042f1461c892e143f2eb637c45caa7 |
| SHA512 | b2546cf443725363177b6e91574d6c00cbf627473d02b43924c10f081c48ef8c2666163bbea5d3bb4cdf685521d9e3c36a43fd866beab0febfa1ad3783c1571b |
memory/2404-74-0x0000000000400000-0x0000000000439000-memory.dmp
memory/580-73-0x0000000000130000-0x0000000000169000-memory.dmp
memory/580-72-0x0000000000130000-0x0000000000169000-memory.dmp
memory/2404-86-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\JSPTD.exe.bat
| MD5 | eeb1d61ad6343d4f685dc2da6d70465f |
| SHA1 | efc4f06a602c79d319ee167a265b116410875c6b |
| SHA256 | 7b2a243dc8edaa51d5813037d7dc484d9fedb989d3c6d726971fe411644a6042 |
| SHA512 | 6b7e5a4b8b0198574f4c8d52826688d7808a7041c30b30b0e8e5dd6b4cea4b9f1edf7e39b5c4446ca06503ee8f7ca68874b520672998c02328d4c2e4196e6857 |
\Windows\SysWOW64\JSPTD.exe
| MD5 | 7ecdf6dac26e8f13360b2715ae40acc4 |
| SHA1 | 03ac0dc649a208251cfb8eda010372871f6c0ebe |
| SHA256 | a7d7d32d7027a4c7f6e791a908f628f508de080563d28ac27b0a3b57cf1343bc |
| SHA512 | d16b9dbb1376ad93d2703ca1fca45f55549bf011e50c3e7b431f606f4af079ffde09b923a2d82a68fc77601de3fa0e49d21f215a6058bc94d6d1ad12779e5dd6 |
memory/2824-90-0x0000000000170000-0x00000000001A9000-memory.dmp
memory/2144-93-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\WXGTEX.exe.bat
| MD5 | 85a26f8844ae9f4b5dda1238df5e7b86 |
| SHA1 | 6a2185e0600921b7b45aa6fa8ef1f07b1f658639 |
| SHA256 | 1da870846c4879cb65cfccf3fea6cca9b0f5fc1e5d0108a4d97f0d058857aecf |
| SHA512 | d301e004e79665e84bf6befb4caf1ed7a47fc4b424cbec11c030ce3207439fe36a876976aece9d585f1edfd81ae760091b4e451e3251785e429e573dcfc4b39a |
memory/2144-105-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\WXGTEX.exe
| MD5 | 9f2b7e2c8b71ee6c3285816641908dcd |
| SHA1 | 35917be4805df5db7ac96bb5e6d6f0d3fb022097 |
| SHA256 | 75bb26c46a3ebce19253ce667c1d1d7d18bc52a6a78b83c53cfc860c5acdd333 |
| SHA512 | 4ba5592bc90d5e06f9feb0db5f63bc5bc359d5ac094a35347c5d7b90ba4885d74371ac6e01beefe000f2532030fd6c994f1984dbf65068cb611d0684f8b2ad48 |
memory/812-110-0x0000000000180000-0x00000000001B9000-memory.dmp
memory/2332-123-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\ILP.exe.bat
| MD5 | 8706d2f3ca89923effeed12c1cf91663 |
| SHA1 | 8bee86bd427413455fcd7eecf0c9bbbbf6bd245a |
| SHA256 | 02d4555ce955a31fee409130bc9d1cc2de8b774277c9f9c46448e9cd14b16181 |
| SHA512 | 90b8b88db668f242c4f427ffc347d60655246b2507f3ec03257c2ecd205cab11e3ad587e5632bec2716c13e1abe8796a4c4a6d17ff8cfc89e3d450d0a6ea5544 |
C:\windows\ILP.exe
| MD5 | f69229016889b7b12869caca6c7a682c |
| SHA1 | 9d48b0466d58406567f3a231c419eb4fef752810 |
| SHA256 | d7d84ad1d0f3dfa1a5e5396bb6f370d75980037ebf818c5f61cb444843b1984e |
| SHA512 | c2d6d25b9cd4fa50f5b0f6832b89c3d58c79d386da7f6d8eae10385fb6b88cc632a5679d1c362ca6642371c5e98e56defa2da42458cfc47d8a31696c921f16c7 |
memory/2708-126-0x0000000000180000-0x00000000001B9000-memory.dmp
memory/1648-128-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\YDWNKP.exe.bat
| MD5 | f357c61cf965cfd2631ff47169b05aaa |
| SHA1 | 962ff7513657b1ea583c407fd8f6d18332b6b4fd |
| SHA256 | 8145afe44654f6c81b7494c5ed9a6eabb382e7400c672f673510e58140b78f9d |
| SHA512 | 6a1657f1c56b5474195f11ef31d7b8afdf5b448e0fd2a74cc45d4223c54992595c651c8c80a2906470fbddbb7f7102e13e41fcc0e155f6697d5a050d2dab01d4 |
memory/1648-140-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\SysWOW64\YDWNKP.exe
| MD5 | 614dda584cbf5626fb96c4b26290fdce |
| SHA1 | 7da03018721bab89726487aba589d504dc1c8913 |
| SHA256 | 4f7a48503d6992d3d5ea42b7d3fc2156bc4173a372f3b38005b1626c0894e3aa |
| SHA512 | 4dd1b670a07de771af02e8788cc79ab173d0d128a16ca2b430806773435d6b1a9639b2ce69cff352dbd7af1a084b7a3c06a8344773335afac4859ceede531c3a |
memory/2308-144-0x0000000000410000-0x0000000000449000-memory.dmp
C:\Windows\NYS.exe.bat
| MD5 | 8a0994dabdc439078ea5da58db74041d |
| SHA1 | a5121559eb708516844502ccca596108a5f58774 |
| SHA256 | 5fd5e82d7539a6e1bb25d9b15e22f62da7f52043190e3a4cc68e86de859319c6 |
| SHA512 | f169d3e2a0ecd55b95ebbaf05d24fea5f35d17a4d2ad3eea15d6457c8008ce717b7c3a38545c9ff76c4a7dd3332a355acf531c99f65804632550b18d1c0fb40a |
memory/3056-158-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\NYS.exe
| MD5 | 050812ee9f57d71be3955de66a44d9cf |
| SHA1 | 66928d6e022060cb30594046b787072bc5038314 |
| SHA256 | 08712dc2137b7c651c066d51126e10af7d41917cfab159677316b58e2ac73b67 |
| SHA512 | d0ceaea4af7906e7cd0edaec3024730ff6c872b46502f35d5744b973da6c025732e0e3b973db51eb3d488d21c50dcd84126a34bcab2cd32d34c4a651c68caa86 |
memory/780-161-0x0000000000130000-0x0000000000169000-memory.dmp
C:\Windows\system\FVXWW.exe.bat
| MD5 | 91089811c31396e531843299c332f20b |
| SHA1 | f9e98b6246d0a8ea6066e5794e312288b61f667a |
| SHA256 | 92212f98592c9b8afd28b1e5df28a94f78e50e55c07a3956b432673ae776fe3a |
| SHA512 | f11227157d7f8d6be70a107be92709d2c0fe9d24a417fcad739c67b9c961874ec74e08f5cb48b8c12dffbf2fe25b170d76d0f1ca87050ba292abb4b0b0a0b85c |
memory/2044-174-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\FVXWW.exe
| MD5 | 4c67f96f3a7da66ace2e2b6cc6934975 |
| SHA1 | d3f2dbb342236fa4fff472840712c6c9d5b7eb5e |
| SHA256 | 6aa2e10833ed77d55d9452069f5ffe2326ca0cebee911b996687ee8d8aa08f78 |
| SHA512 | b749fd7a2d9689e671c3617c82ae496167b0eb5a335f1ba273a07a2834296f9099abde0e841d84e78ae5398bed09beb7a384421ba00761f0790bf5fbc53b0caa |
memory/1976-181-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1148-180-0x0000000001C60000-0x0000000001C99000-memory.dmp
C:\Windows\system\SJOVFJ.exe.bat
| MD5 | 6e1b8690d54d6f92086e1edd40d8d5b1 |
| SHA1 | ade811560b54cdff64929ab9cc4a5b48911ef98a |
| SHA256 | 46a415433c8e382540211dd63169154ef953d83456efe0e284ec4259d8caea89 |
| SHA512 | 7febaa2fd702cb38b1868e250c3214a6b77a25f7e77fb32d56e7fa669a8846af05c24bfdce8c994310a25320c5f699a9184665422efb20a7b891b4e5bf36b1c5 |
memory/1976-193-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\system\SJOVFJ.exe
| MD5 | 37f1a375d49b7d482c1c8e6ef05719f3 |
| SHA1 | cfa562370d511e972dc8e2e5475c5cb7cedd9b72 |
| SHA256 | 48b2e38dc8f692f52a5cee3a5fad4e5596d48a00919cb04b2290a5f1ba5edf0f |
| SHA512 | 8a332aa37ec1aea32ac23c543e16ab52def6ef4c1fc44d47899383b13c904e5cab2f83840867eef54b5de89b6ea60cb07043de4a1c448085aa077cde5d660a69 |
memory/1972-197-0x0000000000170000-0x00000000001A9000-memory.dmp
memory/1820-200-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\RWXGF.exe.bat
| MD5 | a81153505f70848a30d4fdbd1a008dfa |
| SHA1 | 2377d0cdd0a4b3ecbf8396fa26277486db5ab58a |
| SHA256 | fa69b3342573332331f82b49d1c2bccdac896a3d7465a22cf3182c8a88b59e30 |
| SHA512 | f40de309e350b4b43612f37a511a25f67096f6208049743540f096d16cd1808449561e18778f83ff3551cff2af68191082db6de9a68f3d67f636b1bc6f854ccd |
memory/1820-212-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\SysWOW64\RWXGF.exe
| MD5 | 36335887e5b495ec9c6a9d383eb7e102 |
| SHA1 | 051f348062a2a88a4ca27a9a9dd56ee4bc7528ce |
| SHA256 | 4112eaf13384230701d7ef9200001df44b78210e27c3ac674ce9b34ae6520139 |
| SHA512 | 60ddfc0c2174e3c7aa7fa452b08e06cc3b05632d33d91a9d6c839664057cb5f9aa2e567da707c623039fcf8fab7c6535b126df8b43910fdb7fe1a4674ea80815 |
memory/2976-218-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\BUP.exe.bat
| MD5 | df0094e5c0472658a79ca3745f27e25d |
| SHA1 | 27178cc52585c39ee7208e0a6fd3066d5ef97c38 |
| SHA256 | 64caecf40894e6f4f7a072de19e886788e70c22612628d4d5724a76d0e04db80 |
| SHA512 | 7a78bf001317d184e7f848425fa9fddf2d76a160a27da491afbb3fc946ac00e6b76c5cd51b8b292036b65dadd3cff590e5e71091e1c944ed689926caa427cc53 |
memory/2976-230-0x0000000000400000-0x0000000000439000-memory.dmp
C:\windows\system\BUP.exe
| MD5 | ba6bf41017874d68520f9bb2bb3e7234 |
| SHA1 | 81a6e39b2728e728dd0906b089ad98cc463f5b7c |
| SHA256 | 79e79dada980ec77427c2ee0f4c6d4000aa0cf37cf9662d3f04a389cac7cf527 |
| SHA512 | c6e96a5f8a2779a669ddf0757bf4a779215c809be76b46dcb2b20a148694333beb593427aa0203e7d89f2dc46bbd3f164695d45c8bb8de28f87851d616baa0de |
memory/1628-236-0x0000000000170000-0x00000000001A9000-memory.dmp
memory/1628-235-0x0000000000170000-0x00000000001A9000-memory.dmp
C:\Windows\system\GOXH.exe.bat
| MD5 | 174018b214c4307391ce6865b2a83522 |
| SHA1 | 2c83fe4c13bc864bae81358af99d0cb6ca5f747f |
| SHA256 | f483cd3df73674990e8341a9e9397d39496965dba95d87065ce4109512f7c78b |
| SHA512 | 233d83dfa805580d401488ec6d8cb3f36090cd75c66e139d9b9e3aaeec32b64722c859b8316a4641c2753d926323377d7d5e2a6a85fbab6fc2ef688e6ccddb84 |
memory/2952-249-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\system\GOXH.exe
| MD5 | 2474768367c229f7ff4b44cc7de0db1a |
| SHA1 | 569135fd51688fab48bc3564eaf615740a770508 |
| SHA256 | 3bf9efd0fcb1bda40d1570983a856e46a39a667293c196e83f1eaba0a4ab250d |
| SHA512 | c5a429ada1098979a2dd58f3a8573d0ffc8c180b9f1d6c6c996a297916d2d8e9668a6fbdd6c880ee2c5f4e6df5d607e422ff916f63f15eaef5677d6185fcbd7b |
memory/1340-255-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\XCUZ.exe.bat
| MD5 | afa3be5b56caf096fff5fbb9ca5839c6 |
| SHA1 | e22c15fab034245c3d741dc33270bf37abb5eafc |
| SHA256 | b947ef726cef3ebf341166b766fef907f9d205ab23c3218c6b4669115898c457 |
| SHA512 | 33c72ee2b536076b277c20f67b59c2977a42e4935ef1896f91aa83da8bbd00e9017b0933e160e7205fa1f7ec82a54051caca7be3a3a971cffbd229bdf3544b91 |
memory/1340-267-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\system\XCUZ.exe
| MD5 | 0f022581823034a0cd683c02bb53912b |
| SHA1 | fbf8dee3db91f98f61f63c480f93a6cc716a67c1 |
| SHA256 | 0b0b33951ff1059e5a81add696b0f50ac9353b638332095b2712f6929836b3cd |
| SHA512 | e91952824d77781e6b2de4062d83349768b02715d69090a2cbba57aa3df5d92703443fc7b486b831612ecdd8418b45cac68db129071e772047da79f3e79125e6 |
memory/3008-270-0x00000000001D0000-0x0000000000209000-memory.dmp
C:\Windows\SysWOW64\HMVRSN.exe.bat
| MD5 | db70a796a8fc6a7a9e5b196a51bd95cd |
| SHA1 | d74c2137220c5b8e4ad982da2f484ca46efb2af3 |
| SHA256 | e7bc4f94fa3ca8068b8c8201477674c2a48b82b1b5a1fffb28f22d3c91f18701 |
| SHA512 | 81692070a5115a473dc4b8b0754b5e3a9b85b1a2395459084ed8ed51a07abfd1124558e01132f757623e8176217296582576d50ef709b498c198fd617793b332 |
memory/2680-282-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2500-283-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2500-295-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\system\VMP.exe.bat
| MD5 | ff0cf24f524dc9e5bfa655c279689511 |
| SHA1 | c8c1f3d55050e37fc2ab03c52edfa92ef727d661 |
| SHA256 | 94cb8f6481be83954270dd87dc1e7e8deae920587831c262e490fb1ab4800000 |
| SHA512 | b4a72bce6dcdcef00a82d4b375645b998c75e665d345950bae59d3e9e8d3532aae880229fa3bfc272424a5198c4c64afcc013f4a1928152503e380542bfb27a3 |
memory/2380-297-0x0000000000130000-0x0000000000169000-memory.dmp
memory/2380-296-0x0000000000130000-0x0000000000169000-memory.dmp
C:\Windows\SysWOW64\VUV.exe.bat
| MD5 | 316a0a789fbaf67ce7bc255234c02d04 |
| SHA1 | c56a7b4d8f2788567eb34f117b945ae04584cab2 |
| SHA256 | 02a2f61f331dd695a502751fd3cb8b5795488df53d2f8a61c88f7fa4350b880e |
| SHA512 | b03d55d8e2f3947426263533a5864fcb39ae9443e5cc07e9c491e50e6234ca3b8c1550d70e2156cbc549bfca95e669c6ae7fdc1572c1d5f90453dbd964fad946 |
memory/532-309-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1956-310-0x00000000001F0000-0x0000000000229000-memory.dmp
memory/1020-311-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\YVN.exe.bat
| MD5 | aeec412ca6e34fcb84d9ebcdd0b03a12 |
| SHA1 | d5678d4baa88c41ccc2832ac984706989ffc3144 |
| SHA256 | 125734a8c762ed10be08c8ae5a55c1127ebdbe88330c996a3b9eb25b85378f72 |
| SHA512 | 2ad7a0474e7694b25a7e519d8ad396c35fcf65792c5eeb760a659950c37c1de66bd5614eea329b6ecd8d663cfce1c41974074ba9bdff05fbc6fb23b786c076ce |
memory/1020-323-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2172-324-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\LFD.exe.bat
| MD5 | 1b6826d96472ffc3016d576b685729a4 |
| SHA1 | 6886263250219bc8aa874da622cf5cdb02f48a40 |
| SHA256 | b089ac114396d650c9703109067ed4aa775629d1106e4848cb2b7a599a6832f6 |
| SHA512 | 6ca29dc51f250580a9028f6c78daca2d902e7fa684e94748a5a1ab670d430471de6b6cfcf75f0a30b6f65895e2a09985c87aa9c5137de6c810cf444e8a3a30ad |
memory/2172-336-0x0000000000400000-0x0000000000439000-memory.dmp
memory/944-338-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1168-337-0x0000000000170000-0x00000000001A9000-memory.dmp
C:\Windows\HFKRRE.exe.bat
| MD5 | 706c1808a3f3d93d1d74533058fdac62 |
| SHA1 | 814a9f43185074d39559fa2f899c7ce690004c64 |
| SHA256 | bcd2ae1bc32163151719bc9d88e8fc4ca35abc7f0da9b2023d906ca97c84fdbb |
| SHA512 | 93493fb6abe41921f980449cd95fd8e71313478aff77b93b4a3a546eb4865ce6b6a6647559d7176459e68cf024457ec1ffb51105d3e99b3d419ceb1c9b515ceb |
memory/944-350-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2332-352-0x0000000000400000-0x0000000000439000-memory.dmp
memory/760-351-0x0000000000150000-0x0000000000189000-memory.dmp
C:\Windows\DQDTTZ.exe.bat
| MD5 | bf76b8c658c6fb3df17075ceb3e6dd30 |
| SHA1 | 7f4a6d6d3d28cde1b28bc27e6f55c6fb6c8e53cc |
| SHA256 | a54585bfb1afd63edd51f38bae44622e042f71f8ce1b35175c35f3e22c416cfd |
| SHA512 | 3b5bc56c4560d09ec70f8444ca019c5a3c6104b37eb64e54d9805bca20a79bf14dd8f0ed6fd61789fd06e59c204001db60a2d6dff827616fd99da13bbed54069 |
memory/2332-364-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2300-365-0x00000000001D0000-0x0000000000209000-memory.dmp
memory/1784-366-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1784-367-0x0000000000400000-0x0000000000439000-memory.dmp