Malware Analysis Report

2024-10-16 04:08

Sample ID: 240602-fdmmnsca75
Target: 38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe
SHA256: 153ace730e381a1fc8d7de47a0191fdd1d381c13137ab5f81c7447707470d01f
Tags: backdoor dropper trojan berbew
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 153ace730e381a1fc8d7de47a0191fdd1d381c13137ab5f81c7447707470d01f

Threat Level: Known bad

The file 38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 04:45

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 04:45

Reported: 2024-06-02 04:48

Platform: win10v2004-20240508-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\ZRXM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\MGGV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\XRPYNA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\IXLDTXF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\JBDQNR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\IWEG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\GQO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\LFDDCZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\PXOX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\MGQJMK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\AOXW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\NIMZFAS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UKFAH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\JSBLDPX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\WUOHC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\IZTG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\FMEAXH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\EEPQG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\OLLVES.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\VLWVX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\DLTKCT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\IXPXW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SPLPF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\BXGGG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\CGT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\IMJILHD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\TULOZVX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\QFPAPU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LJZR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\JGRO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\TACEO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\APBJDO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PSLDWQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\XQC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\GMQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\XGDW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\MKBUE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\WBMNS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\VDVG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\QCOU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\GNG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\IZXW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\WQQBO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\FURYFT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\WXEMS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\GVXYGC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\QWDJRUZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\CPTDZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LFC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NCKMOHW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\IPWTM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HTBFT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\KXNFKL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\EXQPG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\IIDD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\VBEXNZO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\VVHB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LZWUXOA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\CRAZLNW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\CCQCAE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\ZSNAAG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\system\DACA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\UIUDP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\NRF.exe N/A
N/A N/A C:\windows\YJIW.exe N/A
N/A N/A C:\windows\system\MUZLKOQ.exe N/A
N/A N/A C:\windows\system\EXQPG.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\SysWOW64\NGTRFAW.exe N/A
N/A N/A C:\windows\ROZR.exe N/A
N/A N/A C:\windows\system\SMHAUC.exe N/A
N/A N/A C:\windows\SysWOW64\ARMHE.exe N/A
N/A N/A C:\windows\NCC.exe N/A
N/A N/A C:\windows\system\BXGGG.exe N/A
N/A N/A C:\windows\VVHB.exe N/A
N/A N/A C:\windows\system\VDVG.exe N/A
N/A N/A C:\windows\SysWOW64\RWXID.exe N/A
N/A N/A C:\windows\SysWOW64\NCKMOHW.exe N/A
N/A N/A C:\windows\system\DRRPSBD.exe N/A
N/A N/A C:\windows\LFDDCZ.exe N/A
N/A N/A C:\windows\system\EAH.exe N/A
N/A N/A C:\windows\SysWOW64\JGRO.exe N/A
N/A N/A C:\windows\system\WLZAIWM.exe N/A
N/A N/A C:\windows\XGDW.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\LPTDEH.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\GFO.exe N/A
N/A N/A C:\windows\SysWOW64\DGYLHNZ.exe N/A
N/A N/A C:\windows\SBHPA.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\ZRXM.exe N/A
N/A N/A C:\windows\VSZ.exe N/A
N/A N/A C:\windows\LNIBID.exe N/A
N/A N/A C:\windows\system\VLWVX.exe N/A
N/A N/A C:\windows\NOARDBT.exe N/A
N/A N/A C:\windows\system\VBEXNZO.exe N/A
N/A N/A C:\windows\RZMJPLQ.exe N/A
N/A N/A C:\windows\LMRA.exe N/A
N/A N/A C:\windows\system\PCYBMD.exe N/A
N/A N/A C:\windows\SysWOW64\ZADV.exe N/A
N/A N/A C:\windows\QLG.exe N/A
N/A N/A C:\windows\SysWOW64\ROSHHHH.exe N/A
N/A N/A C:\windows\ERAFV.exe N/A
N/A N/A C:\windows\SysWOW64\DCDV.exe N/A
N/A N/A C:\windows\SysWOW64\UKFAH.exe N/A
N/A N/A C:\windows\FCVLZ.exe N/A
N/A N/A C:\windows\JSBLDPX.exe N/A
N/A N/A C:\windows\system\MGGV.exe N/A
N/A N/A C:\windows\system\QONDAHI.exe N/A
N/A N/A C:\windows\YBZJKF.exe N/A
N/A N/A C:\windows\LZZVM.exe N/A
N/A N/A C:\windows\SysWOW64\TNMC.exe N/A
N/A N/A C:\windows\SysWOW64\IIVGIKJ.exe N/A
N/A N/A C:\windows\SysWOW64\UVU.exe N/A
N/A N/A C:\windows\system\OIZVX.exe N/A
N/A N/A C:\windows\SysWOW64\WOMC.exe N/A
N/A N/A C:\windows\XRPYNA.exe N/A
N/A N/A C:\windows\system\FEUMYZ.exe N/A
N/A N/A C:\windows\SysWOW64\LFC.exe N/A
N/A N/A C:\windows\IXLDTXF.exe N/A
N/A N/A C:\windows\system\GVXYGC.exe N/A
N/A N/A C:\windows\SysWOW64\DOHIJGW.exe N/A
N/A N/A C:\windows\SysWOW64\ERKE.exe N/A
N/A N/A C:\windows\SysWOW64\WUOHC.exe N/A
N/A N/A C:\windows\system\ZHFJOF.exe N/A
N/A N/A C:\windows\BFZLUUW.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\XUPAMF.exe C:\windows\system\IZXW.exe N/A
File opened for modification C:\windows\SysWOW64\HTBFT.exe C:\windows\SQSB.exe N/A
File created C:\windows\SysWOW64\QMIQTZ.exe.bat C:\windows\SysWOW64\EEPQG.exe N/A
File opened for modification C:\windows\SysWOW64\MIECLV.exe C:\windows\system\APBJDO.exe N/A
File created C:\windows\SysWOW64\GNG.exe C:\windows\LPTDEH.exe N/A
File created C:\windows\SysWOW64\UVU.exe.bat C:\windows\SysWOW64\IIVGIKJ.exe N/A
File created C:\windows\SysWOW64\RWSIVSC.exe.bat C:\windows\system\AOXW.exe N/A
File created C:\windows\SysWOW64\ZADV.exe C:\windows\system\PCYBMD.exe N/A
File created C:\windows\SysWOW64\ROSHHHH.exe.bat C:\windows\QLG.exe N/A
File opened for modification C:\windows\SysWOW64\DCDV.exe C:\windows\ERAFV.exe N/A
File opened for modification C:\windows\SysWOW64\XFJJH.exe C:\windows\TULOZVX.exe N/A
File opened for modification C:\windows\SysWOW64\SGV.exe C:\windows\system\KDFZAIS.exe N/A
File opened for modification C:\windows\SysWOW64\NCKMOHW.exe C:\windows\SysWOW64\RWXID.exe N/A
File created C:\windows\SysWOW64\LFC.exe.bat C:\windows\system\FEUMYZ.exe N/A
File created C:\windows\SysWOW64\ONHNZKN.exe.bat C:\windows\system\TACEO.exe N/A
File opened for modification C:\windows\SysWOW64\EGZXERJ.exe C:\windows\SysWOW64\UIUDP.exe N/A
File created C:\windows\SysWOW64\PMSD.exe C:\windows\GMQ.exe N/A
File created C:\windows\SysWOW64\NNGOHC.exe C:\windows\FIUHWE.exe N/A
File opened for modification C:\windows\SysWOW64\EOPLKEJ.exe C:\windows\system\TBIN.exe N/A
File created C:\windows\SysWOW64\PSLDWQ.exe C:\windows\ACKMYUH.exe N/A
File created C:\windows\SysWOW64\DLTKCT.exe.bat C:\windows\XQC.exe N/A
File created C:\windows\SysWOW64\GODVJQ.exe C:\windows\system\ERPBTH.exe N/A
File created C:\windows\SysWOW64\LJZR.exe C:\windows\SysWOW64\SGV.exe N/A
File created C:\windows\SysWOW64\RWXID.exe C:\windows\system\VDVG.exe N/A
File opened for modification C:\windows\SysWOW64\UKFAH.exe C:\windows\SysWOW64\DCDV.exe N/A
File opened for modification C:\windows\SysWOW64\UVU.exe C:\windows\SysWOW64\IIVGIKJ.exe N/A
File created C:\windows\SysWOW64\WOMC.exe C:\windows\system\OIZVX.exe N/A
File created C:\windows\SysWOW64\EEPQG.exe.bat C:\windows\FMEAXH.exe N/A
File created C:\windows\SysWOW64\MWXJWUL.exe.bat C:\windows\TIQLZSO.exe N/A
File opened for modification C:\windows\SysWOW64\NGTRFAW.exe C:\windows\system\WXEMS.exe N/A
File created C:\windows\SysWOW64\DOHIJGW.exe C:\windows\system\GVXYGC.exe N/A
File created C:\windows\SysWOW64\MIECLV.exe.bat C:\windows\system\APBJDO.exe N/A
File created C:\windows\SysWOW64\DYF.exe.bat C:\windows\SysWOW64\PSLDWQ.exe N/A
File created C:\windows\SysWOW64\RWSIVSC.exe C:\windows\system\AOXW.exe N/A
File opened for modification C:\windows\SysWOW64\GNG.exe C:\windows\LPTDEH.exe N/A
File created C:\windows\SysWOW64\DGYLHNZ.exe C:\windows\GFO.exe N/A
File created C:\windows\SysWOW64\ZADV.exe.bat C:\windows\system\PCYBMD.exe N/A
File opened for modification C:\windows\SysWOW64\DOHIJGW.exe C:\windows\system\GVXYGC.exe N/A
File created C:\windows\SysWOW64\HHISQZ.exe C:\windows\CCQCAE.exe N/A
File created C:\windows\SysWOW64\PMSD.exe.bat C:\windows\GMQ.exe N/A
File opened for modification C:\windows\SysWOW64\EEPQG.exe C:\windows\FMEAXH.exe N/A
File created C:\windows\SysWOW64\JBDQNR.exe.bat C:\windows\system\LQG.exe N/A
File created C:\windows\SysWOW64\GNG.exe.bat C:\windows\LPTDEH.exe N/A
File opened for modification C:\windows\SysWOW64\TNMC.exe C:\windows\LZZVM.exe N/A
File created C:\windows\SysWOW64\DOHIJGW.exe.bat C:\windows\system\GVXYGC.exe N/A
File opened for modification C:\windows\SysWOW64\IPWTM.exe C:\windows\BFZLUUW.exe N/A
File opened for modification C:\windows\SysWOW64\SBOUEBP.exe C:\windows\RYYYPZ.exe N/A
File created C:\windows\SysWOW64\HTBFT.exe C:\windows\SQSB.exe N/A
File opened for modification C:\windows\SysWOW64\RWXID.exe C:\windows\system\VDVG.exe N/A
File created C:\windows\SysWOW64\ERKE.exe C:\windows\SysWOW64\DOHIJGW.exe N/A
File created C:\windows\SysWOW64\EGZXERJ.exe C:\windows\SysWOW64\UIUDP.exe N/A
File created C:\windows\SysWOW64\DLTKCT.exe C:\windows\XQC.exe N/A
File created C:\windows\SysWOW64\SGV.exe C:\windows\system\KDFZAIS.exe N/A
File created C:\windows\SysWOW64\ARMHE.exe.bat C:\windows\system\SMHAUC.exe N/A
File opened for modification C:\windows\SysWOW64\JGRO.exe C:\windows\system\EAH.exe N/A
File opened for modification C:\windows\SysWOW64\LFC.exe C:\windows\system\FEUMYZ.exe N/A
File created C:\windows\SysWOW64\EOPLKEJ.exe.bat C:\windows\system\TBIN.exe N/A
File opened for modification C:\windows\SysWOW64\PSLDWQ.exe C:\windows\ACKMYUH.exe N/A
File created C:\windows\SysWOW64\JBDQNR.exe C:\windows\system\LQG.exe N/A
File created C:\windows\SysWOW64\JGRO.exe C:\windows\system\EAH.exe N/A
File opened for modification C:\windows\SysWOW64\ERKE.exe C:\windows\SysWOW64\DOHIJGW.exe N/A
File created C:\windows\SysWOW64\MIECLV.exe C:\windows\system\APBJDO.exe N/A
File opened for modification C:\windows\SysWOW64\GODVJQ.exe C:\windows\system\ERPBTH.exe N/A
File opened for modification C:\windows\SysWOW64\DGYLHNZ.exe C:\windows\GFO.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\system\LQG.exe C:\windows\SysWOW64\DYF.exe N/A
File created C:\windows\system\CPTDZ.exe C:\windows\NZSD.exe N/A
File opened for modification C:\windows\NRF.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File created C:\windows\YBZJKF.exe.bat C:\windows\system\QONDAHI.exe N/A
File opened for modification C:\windows\system\IZTG.exe C:\windows\OQKRMSK.exe N/A
File opened for modification C:\windows\system\AFX.exe C:\windows\system\ZCTU.exe N/A
File opened for modification C:\windows\system\ERNMRQQ.exe C:\windows\system\WBMNS.exe N/A
File created C:\windows\GMQ.exe C:\windows\system\WOK.exe N/A
File opened for modification C:\windows\SBHPA.exe C:\windows\SysWOW64\DGYLHNZ.exe N/A
File opened for modification C:\windows\CRAZLNW.exe C:\windows\system\IZTG.exe N/A
File created C:\windows\SQSB.exe.bat C:\windows\SysWOW64\ONHNZKN.exe N/A
File opened for modification C:\windows\system\GGLMWEY.exe C:\windows\SysWOW64\DLTKCT.exe N/A
File created C:\windows\NSHVP.exe C:\windows\SysWOW64\YCGW.exe N/A
File created C:\windows\system\ZRXM.exe C:\windows\system\EESDJMD.exe N/A
File created C:\windows\system\WXAHZ.exe C:\windows\IMJILHD.exe N/A
File created C:\windows\TULOZVX.exe C:\windows\GRCX.exe N/A
File opened for modification C:\windows\SPLPF.exe C:\windows\NMPJ.exe N/A
File created C:\windows\LFDDCZ.exe C:\windows\system\DRRPSBD.exe N/A
File created C:\windows\SBHPA.exe C:\windows\SysWOW64\DGYLHNZ.exe N/A
File created C:\windows\system\ZHFJOF.exe.bat C:\windows\SysWOW64\WUOHC.exe N/A
File created C:\windows\CRAZLNW.exe C:\windows\system\IZTG.exe N/A
File opened for modification C:\windows\IMJILHD.exe C:\windows\system\KBG.exe N/A
File created C:\windows\system\CDO.exe.bat C:\windows\system\PXOX.exe N/A
File created C:\windows\LJTPZWA.exe C:\windows\system\CDO.exe N/A
File opened for modification C:\windows\system\BBFVNVW.exe C:\windows\ADXMD.exe N/A
File opened for modification C:\windows\system\SMHAUC.exe C:\windows\ROZR.exe N/A
File created C:\windows\RYYYPZ.exe.bat C:\windows\SysWOW64\IPWTM.exe N/A
File created C:\windows\XQC.exe.bat C:\windows\SysWOW64\GQO.exe N/A
File opened for modification C:\windows\system\FGNLSBD.exe C:\windows\system\MKBUE.exe N/A
File created C:\windows\system\DHV.exe.bat C:\windows\SysWOW64\DCVQQWM.exe N/A
File opened for modification C:\windows\JSBLDPX.exe C:\windows\FCVLZ.exe N/A
File created C:\windows\system\ZLZ.exe C:\windows\CGT.exe N/A
File created C:\windows\system\GGLMWEY.exe.bat C:\windows\SysWOW64\DLTKCT.exe N/A
File created C:\windows\system\ORHXD.exe C:\windows\LJTPZWA.exe N/A
File created C:\windows\system\MUZLKOQ.exe.bat C:\windows\YJIW.exe N/A
File created C:\windows\NMPJ.exe.bat C:\windows\SysWOW64\VTYJNGR.exe N/A
File created C:\windows\system\UHJTMZ.exe C:\windows\SysWOW64\VWMLU.exe N/A
File opened for modification C:\windows\system\AOXW.exe C:\windows\system\YBSNVGK.exe N/A
File created C:\windows\system\GGLMWEY.exe C:\windows\SysWOW64\DLTKCT.exe N/A
File created C:\windows\system\PHVYWY.exe.bat C:\windows\SysWOW64\RWSIVSC.exe N/A
File created C:\windows\system\BBFVNVW.exe C:\windows\ADXMD.exe N/A
File created C:\windows\GFO.exe.bat C:\windows\SysWOW64\GNG.exe N/A
File created C:\windows\LNIBID.exe.bat C:\windows\VSZ.exe N/A
File created C:\windows\RZMJPLQ.exe.bat C:\windows\system\VBEXNZO.exe N/A
File created C:\windows\system\APBJDO.exe C:\windows\system\WXAHZ.exe N/A
File created C:\windows\CFCCXC.exe C:\windows\system\KXNFKL.exe N/A
File created C:\windows\SBHPA.exe.bat C:\windows\SysWOW64\DGYLHNZ.exe N/A
File opened for modification C:\windows\system\VLWVX.exe C:\windows\LNIBID.exe N/A
File opened for modification C:\windows\system\OIZVX.exe C:\windows\SysWOW64\UVU.exe N/A
File opened for modification C:\windows\NIMZFAS.exe C:\windows\LLHN.exe N/A
File opened for modification C:\windows\system\LQG.exe C:\windows\SysWOW64\DYF.exe N/A
File created C:\windows\system\SHQF.exe C:\windows\MGQJMK.exe N/A
File created C:\windows\LJTPZWA.exe.bat C:\windows\system\CDO.exe N/A
File created C:\windows\GMQ.exe.bat C:\windows\system\WOK.exe N/A
File created C:\windows\system\BXGGG.exe.bat C:\windows\NCC.exe N/A
File created C:\windows\system\EAH.exe C:\windows\LFDDCZ.exe N/A
File created C:\windows\system\AFX.exe.bat C:\windows\system\ZCTU.exe N/A
File created C:\windows\OLLVES.exe C:\windows\system\ZVKVFWB.exe N/A
File created C:\windows\system\IWEG.exe.bat C:\windows\system\GYQUI.exe N/A
File opened for modification C:\windows\TRJA.exe C:\windows\system\ORHXD.exe N/A
File created C:\windows\system\SMHAUC.exe C:\windows\ROZR.exe N/A
File created C:\windows\NCC.exe.bat C:\windows\SysWOW64\ARMHE.exe N/A
File created C:\windows\system\FEUMYZ.exe C:\windows\XRPYNA.exe N/A
File created C:\windows\system\CAFFC.exe C:\windows\CFCCXC.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NRF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YJIW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\MUZLKOQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EXQPG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\WXEMS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NGTRFAW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ROZR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\SMHAUC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ARMHE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NCC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BXGGG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VVHB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VDVG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RWXID.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\NCKMOHW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\DRRPSBD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LFDDCZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EAH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JGRO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\WLZAIWM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XGDW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QCOU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LPTDEH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\GNG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\GFO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DGYLHNZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SBHPA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\EESDJMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\ZRXM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VSZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LNIBID.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VLWVX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\NOARDBT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VBEXNZO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\RZMJPLQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LMRA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PCYBMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ZADV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\QLG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ROSHHHH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\ERAFV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DCDV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UKFAH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\FCVLZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\JSBLDPX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\MGGV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\QONDAHI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YBZJKF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LZZVM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\TNMC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\IIVGIKJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\UVU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\OIZVX.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\WOMC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XRPYNA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FEUMYZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LFC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IXLDTXF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\GVXYGC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DOHIJGW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ERKE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\WUOHC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\ZHFJOF.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\windows\NRF.exe N/A
N/A N/A C:\windows\NRF.exe N/A
N/A N/A C:\windows\YJIW.exe N/A
N/A N/A C:\windows\YJIW.exe N/A
N/A N/A C:\windows\system\MUZLKOQ.exe N/A
N/A N/A C:\windows\system\MUZLKOQ.exe N/A
N/A N/A C:\windows\system\EXQPG.exe N/A
N/A N/A C:\windows\system\EXQPG.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\SysWOW64\NGTRFAW.exe N/A
N/A N/A C:\windows\SysWOW64\NGTRFAW.exe N/A
N/A N/A C:\windows\ROZR.exe N/A
N/A N/A C:\windows\ROZR.exe N/A
N/A N/A C:\windows\system\SMHAUC.exe N/A
N/A N/A C:\windows\system\SMHAUC.exe N/A
N/A N/A C:\windows\SysWOW64\ARMHE.exe N/A
N/A N/A C:\windows\SysWOW64\ARMHE.exe N/A
N/A N/A C:\windows\NCC.exe N/A
N/A N/A C:\windows\NCC.exe N/A
N/A N/A C:\windows\system\BXGGG.exe N/A
N/A N/A C:\windows\system\BXGGG.exe N/A
N/A N/A C:\windows\VVHB.exe N/A
N/A N/A C:\windows\VVHB.exe N/A
N/A N/A C:\windows\system\VDVG.exe N/A
N/A N/A C:\windows\system\VDVG.exe N/A
N/A N/A C:\windows\SysWOW64\RWXID.exe N/A
N/A N/A C:\windows\SysWOW64\RWXID.exe N/A
N/A N/A C:\windows\SysWOW64\NCKMOHW.exe N/A
N/A N/A C:\windows\SysWOW64\NCKMOHW.exe N/A
N/A N/A C:\windows\system\DRRPSBD.exe N/A
N/A N/A C:\windows\system\DRRPSBD.exe N/A
N/A N/A C:\windows\LFDDCZ.exe N/A
N/A N/A C:\windows\LFDDCZ.exe N/A
N/A N/A C:\windows\system\EAH.exe N/A
N/A N/A C:\windows\system\EAH.exe N/A
N/A N/A C:\windows\SysWOW64\JGRO.exe N/A
N/A N/A C:\windows\SysWOW64\JGRO.exe N/A
N/A N/A C:\windows\system\WLZAIWM.exe N/A
N/A N/A C:\windows\system\WLZAIWM.exe N/A
N/A N/A C:\windows\XGDW.exe N/A
N/A N/A C:\windows\XGDW.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\LPTDEH.exe N/A
N/A N/A C:\windows\LPTDEH.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\GFO.exe N/A
N/A N/A C:\windows\GFO.exe N/A
N/A N/A C:\windows\SysWOW64\DGYLHNZ.exe N/A
N/A N/A C:\windows\SysWOW64\DGYLHNZ.exe N/A
N/A N/A C:\windows\SBHPA.exe N/A
N/A N/A C:\windows\SBHPA.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\ZRXM.exe N/A
N/A N/A C:\windows\system\ZRXM.exe N/A
N/A N/A C:\windows\VSZ.exe N/A
N/A N/A C:\windows\VSZ.exe N/A
N/A N/A C:\windows\LNIBID.exe N/A
N/A N/A C:\windows\LNIBID.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\windows\NRF.exe N/A
N/A N/A C:\windows\NRF.exe N/A
N/A N/A C:\windows\YJIW.exe N/A
N/A N/A C:\windows\YJIW.exe N/A
N/A N/A C:\windows\system\MUZLKOQ.exe N/A
N/A N/A C:\windows\system\MUZLKOQ.exe N/A
N/A N/A C:\windows\system\EXQPG.exe N/A
N/A N/A C:\windows\system\EXQPG.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\system\WXEMS.exe N/A
N/A N/A C:\windows\SysWOW64\NGTRFAW.exe N/A
N/A N/A C:\windows\SysWOW64\NGTRFAW.exe N/A
N/A N/A C:\windows\ROZR.exe N/A
N/A N/A C:\windows\ROZR.exe N/A
N/A N/A C:\windows\system\SMHAUC.exe N/A
N/A N/A C:\windows\system\SMHAUC.exe N/A
N/A N/A C:\windows\SysWOW64\ARMHE.exe N/A
N/A N/A C:\windows\SysWOW64\ARMHE.exe N/A
N/A N/A C:\windows\NCC.exe N/A
N/A N/A C:\windows\NCC.exe N/A
N/A N/A C:\windows\system\BXGGG.exe N/A
N/A N/A C:\windows\system\BXGGG.exe N/A
N/A N/A C:\windows\VVHB.exe N/A
N/A N/A C:\windows\VVHB.exe N/A
N/A N/A C:\windows\system\VDVG.exe N/A
N/A N/A C:\windows\system\VDVG.exe N/A
N/A N/A C:\windows\SysWOW64\RWXID.exe N/A
N/A N/A C:\windows\SysWOW64\RWXID.exe N/A
N/A N/A C:\windows\SysWOW64\NCKMOHW.exe N/A
N/A N/A C:\windows\SysWOW64\NCKMOHW.exe N/A
N/A N/A C:\windows\system\DRRPSBD.exe N/A
N/A N/A C:\windows\system\DRRPSBD.exe N/A
N/A N/A C:\windows\LFDDCZ.exe N/A
N/A N/A C:\windows\LFDDCZ.exe N/A
N/A N/A C:\windows\system\EAH.exe N/A
N/A N/A C:\windows\system\EAH.exe N/A
N/A N/A C:\windows\SysWOW64\JGRO.exe N/A
N/A N/A C:\windows\SysWOW64\JGRO.exe N/A
N/A N/A C:\windows\system\WLZAIWM.exe N/A
N/A N/A C:\windows\system\WLZAIWM.exe N/A
N/A N/A C:\windows\XGDW.exe N/A
N/A N/A C:\windows\XGDW.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\system\QCOU.exe N/A
N/A N/A C:\windows\LPTDEH.exe N/A
N/A N/A C:\windows\LPTDEH.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\SysWOW64\GNG.exe N/A
N/A N/A C:\windows\GFO.exe N/A
N/A N/A C:\windows\GFO.exe N/A
N/A N/A C:\windows\SysWOW64\DGYLHNZ.exe N/A
N/A N/A C:\windows\SysWOW64\DGYLHNZ.exe N/A
N/A N/A C:\windows\SBHPA.exe N/A
N/A N/A C:\windows\SBHPA.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\EESDJMD.exe N/A
N/A N/A C:\windows\system\ZRXM.exe N/A
N/A N/A C:\windows\system\ZRXM.exe N/A
N/A N/A C:\windows\VSZ.exe N/A
N/A N/A C:\windows\VSZ.exe N/A
N/A N/A C:\windows\LNIBID.exe N/A
N/A N/A C:\windows\LNIBID.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NRF.exe
PID 2132 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NRF.exe
PID 2132 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NRF.exe
PID 2304 wrote to memory of 2864 N/A C:\windows\NRF.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2864 N/A C:\windows\NRF.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2864 N/A C:\windows\NRF.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YJIW.exe
PID 2864 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YJIW.exe
PID 2864 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\YJIW.exe
PID 3448 wrote to memory of 4884 N/A C:\windows\YJIW.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4884 N/A C:\windows\YJIW.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4884 N/A C:\windows\YJIW.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\MUZLKOQ.exe
PID 4884 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\MUZLKOQ.exe
PID 4884 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\MUZLKOQ.exe
PID 864 wrote to memory of 1728 N/A C:\windows\system\MUZLKOQ.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\windows\system\MUZLKOQ.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1728 N/A C:\windows\system\MUZLKOQ.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\EXQPG.exe
PID 1728 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\EXQPG.exe
PID 1728 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\EXQPG.exe
PID 1356 wrote to memory of 4584 N/A C:\windows\system\EXQPG.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 4584 N/A C:\windows\system\EXQPG.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 4584 N/A C:\windows\system\EXQPG.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\WXEMS.exe
PID 4584 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\WXEMS.exe
PID 4584 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\WXEMS.exe
PID 1648 wrote to memory of 4348 N/A C:\windows\system\WXEMS.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4348 N/A C:\windows\system\WXEMS.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 4348 N/A C:\windows\system\WXEMS.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NGTRFAW.exe
PID 4348 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NGTRFAW.exe
PID 4348 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\NGTRFAW.exe
PID 3692 wrote to memory of 1340 N/A C:\windows\SysWOW64\NGTRFAW.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 1340 N/A C:\windows\SysWOW64\NGTRFAW.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 1340 N/A C:\windows\SysWOW64\NGTRFAW.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 368 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ROZR.exe
PID 1340 wrote to memory of 368 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ROZR.exe
PID 1340 wrote to memory of 368 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ROZR.exe
PID 368 wrote to memory of 2536 N/A C:\windows\ROZR.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 2536 N/A C:\windows\ROZR.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 2536 N/A C:\windows\ROZR.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\SMHAUC.exe
PID 2536 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\SMHAUC.exe
PID 2536 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\SMHAUC.exe
PID 4752 wrote to memory of 4320 N/A C:\windows\system\SMHAUC.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4320 N/A C:\windows\system\SMHAUC.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4320 N/A C:\windows\system\SMHAUC.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ARMHE.exe
PID 4320 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ARMHE.exe
PID 4320 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\ARMHE.exe
PID 4700 wrote to memory of 2428 N/A C:\windows\SysWOW64\ARMHE.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 2428 N/A C:\windows\SysWOW64\ARMHE.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 2428 N/A C:\windows\SysWOW64\ARMHE.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NCC.exe
PID 2428 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NCC.exe
PID 2428 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\NCC.exe
PID 756 wrote to memory of 3668 N/A C:\windows\NCC.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3668 N/A C:\windows\NCC.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3668 N/A C:\windows\NCC.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\BXGGG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NRF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3632 -ip 3632

C:\windows\NRF.exe

C:\windows\NRF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1312

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YJIW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1304

C:\windows\YJIW.exe

C:\windows\YJIW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MUZLKOQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 988

C:\windows\system\MUZLKOQ.exe

C:\windows\system\MUZLKOQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXQPG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1336

C:\windows\system\EXQPG.exe

C:\windows\system\EXQPG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXEMS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 960

C:\windows\system\WXEMS.exe

C:\windows\system\WXEMS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGTRFAW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1296

C:\windows\SysWOW64\NGTRFAW.exe

C:\windows\system32\NGTRFAW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ROZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3692 -ip 3692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 960

C:\windows\ROZR.exe

C:\windows\ROZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMHAUC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1264

C:\windows\system\SMHAUC.exe

C:\windows\system\SMHAUC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ARMHE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 960

C:\windows\SysWOW64\ARMHE.exe

C:\windows\system32\ARMHE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NCC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1324

C:\windows\NCC.exe

C:\windows\NCC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BXGGG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1316

C:\windows\system\BXGGG.exe

C:\windows\system\BXGGG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VVHB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3704 -ip 3704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1324

C:\windows\VVHB.exe

C:\windows\VVHB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VDVG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1336

C:\windows\system\VDVG.exe

C:\windows\system\VDVG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWXID.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 640 -ip 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1240

C:\windows\SysWOW64\RWXID.exe

C:\windows\system32\RWXID.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKMOHW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1328

C:\windows\SysWOW64\NCKMOHW.exe

C:\windows\system32\NCKMOHW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRRPSBD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1004

C:\windows\system\DRRPSBD.exe

C:\windows\system\DRRPSBD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LFDDCZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5100 -ip 5100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 976

C:\windows\LFDDCZ.exe

C:\windows\LFDDCZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EAH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2096 -ip 2096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1316

C:\windows\system\EAH.exe

C:\windows\system\EAH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JGRO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3496 -ip 3496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 960

C:\windows\SysWOW64\JGRO.exe

C:\windows\system32\JGRO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLZAIWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1316

C:\windows\system\WLZAIWM.exe

C:\windows\system\WLZAIWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XGDW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1220 -ip 1220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1324

C:\windows\XGDW.exe

C:\windows\XGDW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCOU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 960

C:\windows\system\QCOU.exe

C:\windows\system\QCOU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LPTDEH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1304

C:\windows\LPTDEH.exe

C:\windows\LPTDEH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1412 -ip 1412

C:\windows\SysWOW64\GNG.exe

C:\windows\system32\GNG.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1328

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GFO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1852 -ip 1852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 960

C:\windows\GFO.exe

C:\windows\GFO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DGYLHNZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 960

C:\windows\SysWOW64\DGYLHNZ.exe

C:\windows\system32\DGYLHNZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SBHPA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1444 -ip 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1296

C:\windows\SBHPA.exe

C:\windows\SBHPA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\EESDJMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4796 -ip 4796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 960

C:\windows\system\EESDJMD.exe

C:\windows\system\EESDJMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRXM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1336

C:\windows\system\ZRXM.exe

C:\windows\system\ZRXM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VSZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1100 -ip 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1292

C:\windows\VSZ.exe

C:\windows\VSZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LNIBID.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 1256

C:\windows\LNIBID.exe

C:\windows\LNIBID.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VLWVX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1304

C:\windows\system\VLWVX.exe

C:\windows\system\VLWVX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NOARDBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1324

C:\windows\NOARDBT.exe

C:\windows\NOARDBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBEXNZO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 960

C:\windows\system\VBEXNZO.exe

C:\windows\system\VBEXNZO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RZMJPLQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2220 -ip 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1292

C:\windows\RZMJPLQ.exe

C:\windows\RZMJPLQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LMRA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2824 -ip 2824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1324

C:\windows\LMRA.exe

C:\windows\LMRA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCYBMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 872

C:\windows\system\PCYBMD.exe

C:\windows\system\PCYBMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZADV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 960

C:\windows\SysWOW64\ZADV.exe

C:\windows\system32\ZADV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QLG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 960

C:\windows\QLG.exe

C:\windows\QLG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ROSHHHH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 960

C:\windows\SysWOW64\ROSHHHH.exe

C:\windows\system32\ROSHHHH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ERAFV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3528 -ip 3528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1252

C:\windows\ERAFV.exe

C:\windows\ERAFV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCDV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 884

C:\windows\SysWOW64\DCDV.exe

C:\windows\system32\DCDV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1256

C:\windows\SysWOW64\UKFAH.exe

C:\windows\system32\UKFAH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FCVLZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1840 -ip 1840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1292

C:\windows\FCVLZ.exe

C:\windows\FCVLZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JSBLDPX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4304 -ip 4304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 960

C:\windows\JSBLDPX.exe

C:\windows\JSBLDPX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGGV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 960

C:\windows\system\MGGV.exe

C:\windows\system\MGGV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QONDAHI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3496 -ip 3496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 976

C:\windows\system\QONDAHI.exe

C:\windows\system\QONDAHI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YBZJKF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 988

C:\windows\YBZJKF.exe

C:\windows\YBZJKF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LZZVM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1324

C:\windows\LZZVM.exe

C:\windows\LZZVM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNMC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1328

C:\windows\SysWOW64\TNMC.exe

C:\windows\system32\TNMC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IIVGIKJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960

C:\windows\SysWOW64\IIVGIKJ.exe

C:\windows\system32\IIVGIKJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 976

C:\windows\SysWOW64\UVU.exe

C:\windows\system32\UVU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OIZVX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4304 -ip 4304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 960

C:\windows\system\OIZVX.exe

C:\windows\system\OIZVX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOMC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 960

C:\windows\SysWOW64\WOMC.exe

C:\windows\system32\WOMC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XRPYNA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1288

C:\windows\XRPYNA.exe

C:\windows\XRPYNA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1396 -ip 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1336

C:\windows\system\FEUMYZ.exe

C:\windows\system\FEUMYZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LFC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 960

C:\windows\SysWOW64\LFC.exe

C:\windows\system32\LFC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IXLDTXF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3772 -ip 3772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1324

C:\windows\IXLDTXF.exe

C:\windows\IXLDTXF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 976

C:\windows\system\GVXYGC.exe

C:\windows\system\GVXYGC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DOHIJGW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 980

C:\windows\SysWOW64\DOHIJGW.exe

C:\windows\system32\DOHIJGW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERKE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1308

C:\windows\SysWOW64\ERKE.exe

C:\windows\system32\ERKE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUOHC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1252

C:\windows\SysWOW64\WUOHC.exe

C:\windows\system32\WUOHC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHFJOF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3880 -ip 3880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1308

C:\windows\system\ZHFJOF.exe

C:\windows\system\ZHFJOF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BFZLUUW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1324

C:\windows\BFZLUUW.exe

C:\windows\BFZLUUW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPWTM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 800 -ip 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 960

C:\windows\SysWOW64\IPWTM.exe

C:\windows\system32\IPWTM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RYYYPZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1296

C:\windows\RYYYPZ.exe

C:\windows\RYYYPZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBOUEBP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1328

C:\windows\SysWOW64\SBOUEBP.exe

C:\windows\system32\SBOUEBP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SGGJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 960

C:\windows\system\SGGJ.exe

C:\windows\system\SGGJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZWUXOA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1328

C:\windows\SysWOW64\LZWUXOA.exe

C:\windows\system32\LZWUXOA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3336 -ip 3336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1336

C:\windows\system\IZXW.exe

C:\windows\system\IZXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XUPAMF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1328

C:\windows\SysWOW64\XUPAMF.exe

C:\windows\system32\XUPAMF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FIUHWE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1324

C:\windows\FIUHWE.exe

C:\windows\FIUHWE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNGOHC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 872

C:\windows\SysWOW64\NNGOHC.exe

C:\windows\system32\NNGOHC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OQKRMSK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3956 -ip 3956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1004

C:\windows\OQKRMSK.exe

C:\windows\OQKRMSK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZTG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4336 -ip 4336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1248

C:\windows\system\IZTG.exe

C:\windows\system\IZTG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CRAZLNW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3736 -ip 3736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 960

C:\windows\CRAZLNW.exe

C:\windows\CRAZLNW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TACEO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1336

C:\windows\system\TACEO.exe

C:\windows\system\TACEO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ONHNZKN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 960

C:\windows\SysWOW64\ONHNZKN.exe

C:\windows\system32\ONHNZKN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SQSB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960

C:\windows\SQSB.exe

C:\windows\SQSB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1296

C:\windows\SysWOW64\HTBFT.exe

C:\windows\system32\HTBFT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TBIN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2760 -ip 2760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1336

C:\windows\system\TBIN.exe

C:\windows\system\TBIN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EOPLKEJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 960

C:\windows\SysWOW64\EOPLKEJ.exe

C:\windows\system32\EOPLKEJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCTU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 988

C:\windows\system\ZCTU.exe

C:\windows\system\ZCTU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AFX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1312

C:\windows\system\AFX.exe

C:\windows\system\AFX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RNM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 960

C:\windows\RNM.exe

C:\windows\RNM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CGT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1324

C:\windows\CGT.exe

C:\windows\CGT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 988

C:\windows\system\ZLZ.exe

C:\windows\system\ZLZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WBMNS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 988

C:\windows\system\WBMNS.exe

C:\windows\system\WBMNS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERNMRQQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 1336

C:\windows\system\ERNMRQQ.exe

C:\windows\system\ERNMRQQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CCQCAE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1324

C:\windows\CCQCAE.exe

C:\windows\CCQCAE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HHISQZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 960

C:\windows\SysWOW64\HHISQZ.exe

C:\windows\system32\HHISQZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LLHN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 988

C:\windows\LLHN.exe

C:\windows\LLHN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NIMZFAS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 988

C:\windows\NIMZFAS.exe

C:\windows\NIMZFAS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWDJRUZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 960

C:\windows\system\QWDJRUZ.exe

C:\windows\system\QWDJRUZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\FMEAXH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 960

C:\windows\FMEAXH.exe

C:\windows\FMEAXH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEPQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2368 -ip 2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1292

C:\windows\SysWOW64\EEPQG.exe

C:\windows\system32\EEPQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMIQTZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3888 -ip 3888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1328

C:\windows\SysWOW64\QMIQTZ.exe

C:\windows\system32\QMIQTZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZVKVFWB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 988

C:\windows\system\ZVKVFWB.exe

C:\windows\system\ZVKVFWB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OLLVES.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1324

C:\windows\OLLVES.exe

C:\windows\OLLVES.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WQQBO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1336

C:\windows\system\WQQBO.exe

C:\windows\system\WQQBO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KBG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1432 -ip 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1336

C:\windows\system\KBG.exe

C:\windows\system\KBG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IMJILHD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1260

C:\windows\IMJILHD.exe

C:\windows\IMJILHD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WXAHZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1336

C:\windows\system\WXAHZ.exe

C:\windows\system\WXAHZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\APBJDO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3964 -ip 3964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1336

C:\windows\system\APBJDO.exe

C:\windows\system\APBJDO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 960

C:\windows\SysWOW64\MIECLV.exe

C:\windows\system32\MIECLV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZSNAAG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 988

C:\windows\ZSNAAG.exe

C:\windows\ZSNAAG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HGZHK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 988

C:\windows\system\HGZHK.exe

C:\windows\system\HGZHK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GRCX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 988

C:\windows\GRCX.exe

C:\windows\GRCX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TULOZVX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1324

C:\windows\TULOZVX.exe

C:\windows\TULOZVX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XFJJH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 988

C:\windows\SysWOW64\XFJJH.exe

C:\windows\system32\XFJJH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SHZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 960

C:\windows\SHZ.exe

C:\windows\SHZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DACA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 976

C:\windows\system\DACA.exe

C:\windows\system\DACA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MNHH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 872

C:\windows\system\MNHH.exe

C:\windows\system\MNHH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TIQLZSO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1304

C:\windows\TIQLZSO.exe

C:\windows\TIQLZSO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MWXJWUL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 384 -ip 384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1308

C:\windows\SysWOW64\MWXJWUL.exe

C:\windows\system32\MWXJWUL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NZBN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 960

C:\windows\NZBN.exe

C:\windows\NZBN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ACKMYUH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1732 -ip 1732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1256

C:\windows\ACKMYUH.exe

C:\windows\ACKMYUH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSLDWQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1328

C:\windows\SysWOW64\PSLDWQ.exe

C:\windows\system32\PSLDWQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DYF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4768 -ip 4768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1328

C:\windows\SysWOW64\DYF.exe

C:\windows\system32\DYF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1336

C:\windows\system\LQG.exe

C:\windows\system\LQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBDQNR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1772 -ip 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1296

C:\windows\SysWOW64\JBDQNR.exe

C:\windows\system32\JBDQNR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYJNGR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1328

C:\windows\SysWOW64\VTYJNGR.exe

C:\windows\system32\VTYJNGR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NMPJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1296

C:\windows\NMPJ.exe

C:\windows\NMPJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SPLPF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4156 -ip 4156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1004

C:\windows\SPLPF.exe

C:\windows\SPLPF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KVDCVUL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 960

C:\windows\KVDCVUL.exe

C:\windows\KVDCVUL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IIDD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1324

C:\windows\IIDD.exe

C:\windows\IIDD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GYQUI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1316

C:\windows\system\GYQUI.exe

C:\windows\system\GYQUI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWEG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 988

C:\windows\system\IWEG.exe

C:\windows\system\IWEG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FURYFT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1336

C:\windows\system\FURYFT.exe

C:\windows\system\FURYFT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXNFKL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1336

C:\windows\system\KXNFKL.exe

C:\windows\system\KXNFKL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CFCCXC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1324

C:\windows\CFCCXC.exe

C:\windows\CFCCXC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAFFC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 960

C:\windows\system\CAFFC.exe

C:\windows\system\CAFFC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIUDP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3800 -ip 3800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1308

C:\windows\SysWOW64\UIUDP.exe

C:\windows\system32\UIUDP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGZXERJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1256

C:\windows\SysWOW64\EGZXERJ.exe

C:\windows\system32\EGZXERJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MGQJMK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2092 -ip 2092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1000

C:\windows\MGQJMK.exe

C:\windows\MGQJMK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SHQF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 960

C:\windows\system\SHQF.exe

C:\windows\system\SHQF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AUC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 960

C:\windows\SysWOW64\AUC.exe

C:\windows\system32\AUC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 960

C:\windows\SysWOW64\GQO.exe

C:\windows\system32\GQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XQC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1252

C:\windows\XQC.exe

C:\windows\XQC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLTKCT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 960

C:\windows\SysWOW64\DLTKCT.exe

C:\windows\system32\DLTKCT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1316

C:\windows\system\GGLMWEY.exe

C:\windows\system\GGLMWEY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWMLU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1016 -ip 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1328

C:\windows\SysWOW64\VWMLU.exe

C:\windows\system32\VWMLU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UHJTMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2760 -ip 2760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1336

C:\windows\system\UHJTMZ.exe

C:\windows\system\UHJTMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\JXKL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1296

C:\windows\JXKL.exe

C:\windows\JXKL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKBUE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 960

C:\windows\system\MKBUE.exe

C:\windows\system\MKBUE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FGNLSBD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3884 -ip 3884

C:\windows\system\FGNLSBD.exe

C:\windows\system\FGNLSBD.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1304

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ERPBTH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2768 -ip 2768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1336

C:\windows\system\ERPBTH.exe

C:\windows\system\ERPBTH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GODVJQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 996

C:\windows\SysWOW64\GODVJQ.exe

C:\windows\system32\GODVJQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NZSD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1324

C:\windows\NZSD.exe

C:\windows\NZSD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPTDZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1336

C:\windows\system\CPTDZ.exe

C:\windows\system\CPTDZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KVGJK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1324

C:\windows\KVGJK.exe

C:\windows\KVGJK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBSNVGK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1396 -ip 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1316

C:\windows\system\YBSNVGK.exe

C:\windows\system\YBSNVGK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AOXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1240

C:\windows\system\AOXW.exe

C:\windows\system\AOXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWSIVSC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1328

C:\windows\SysWOW64\RWSIVSC.exe

C:\windows\system32\RWSIVSC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVYWY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3964 -ip 3964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1336

C:\windows\system\PHVYWY.exe

C:\windows\system\PHVYWY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QFPAPU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1052 -ip 1052

C:\windows\QFPAPU.exe

C:\windows\QFPAPU.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PQAQQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1324

C:\windows\PQAQQ.exe

C:\windows\PQAQQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDFZAIS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1316

C:\windows\system\KDFZAIS.exe

C:\windows\system\KDFZAIS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SGV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1332

C:\windows\SysWOW64\SGV.exe

C:\windows\system32\SGV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJZR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1328

C:\windows\SysWOW64\LJZR.exe

C:\windows\system32\LJZR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCVQQWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1992 -ip 1992

C:\windows\SysWOW64\DCVQQWM.exe

C:\windows\system32\DCVQQWM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1308

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DHV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336

C:\windows\system\DHV.exe

C:\windows\system\DHV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PXOX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1004

C:\windows\system\PXOX.exe

C:\windows\system\PXOX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CDO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 988

C:\windows\system\CDO.exe

C:\windows\system\CDO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LJTPZWA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3472 -ip 3472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 988

C:\windows\LJTPZWA.exe

C:\windows\LJTPZWA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORHXD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 988

C:\windows\system\ORHXD.exe

C:\windows\system\ORHXD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TRJA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 960

C:\windows\TRJA.exe

C:\windows\TRJA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\IXPXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1384 -ip 1384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 988

C:\windows\system\IXPXW.exe

C:\windows\system\IXPXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCGW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964

C:\windows\SysWOW64\YCGW.exe

C:\windows\system32\YCGW.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1104

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NSHVP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1248

C:\windows\NSHVP.exe

C:\windows\NSHVP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ADXMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 988

C:\windows\ADXMD.exe

C:\windows\ADXMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BBFVNVW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 960

C:\windows\system\BBFVNVW.exe

C:\windows\system\BBFVNVW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WOK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1448 -ip 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1264

C:\windows\system\WOK.exe

C:\windows\system\WOK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GMQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1260

C:\windows\GMQ.exe

C:\windows\GMQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMSD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1308

C:\windows\SysWOW64\PMSD.exe

C:\windows\system32\PMSD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BCLEW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 976

C:\windows\system\BCLEW.exe

C:\windows\system\BCLEW.exe
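
Every hop in the process list above has the same shape: a dropped EXE starts cmd.exe with /c ""<next>.exe.bat" ", cmd.exe starts the EXE the wrapper is named after, that EXE writes the following generation, and each generation ends up as the -p argument of a WerFault.exe pair (the -pss and -u invocations), which is what the Program crash signature records. Where the wrapper is addressed as C:\windows\system32\..., the file actually lands in C:\windows\SysWOW64\ because the process is 32-bit and subject to file system redirection; that is why DCVQQWM.exe, YCGW.exe and PMSD.exe appear under both spellings. The detector below is an added example, not part of this report or of any vendor rule: it runs over constructed Sysmon-style process-creation records modelled on these command lines, flags cmd.exe launching a *.exe.bat from a Windows system directory, folds system32 and SysWOW64 before comparing paths, and confirms whether the named stage was actually started and whether WerFault named its PID. The records, the parent links, every PID except 964, and the two benign control rows are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in Sysmon Event ID 1 shape (pid, parent
# image, image, command line). Paths, command lines and PID 964 mirror rows in
# this report's process list; the parent links, the other PIDs and the two
# benign rows are assumptions made for this example.
EVENTS = [
    {"pid": 4300, "parent": r"C:\windows\system\IXPXW.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YCGW.exe.bat" "'},
    {"pid": 964, "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\windows\SysWOW64\YCGW.exe",   # system32 path redirected for a 32-bit process
     "cmdline": r"C:\windows\system32\YCGW.exe"},
    {"pid": 4612, "parent": r"C:\windows\SysWOW64\YCGW.exe",
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1104"},
    {"pid": 4712, "parent": r"C:\windows\system\PXOX.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\CDO.exe.bat" "'},
    # benign controls: a user batch file, and a plain .bat (not .exe.bat) under C:\windows
    {"pid": 5020, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Users\Admin\Desktop\build.bat"'},
    {"pid": 5030, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\windows\system\cleanup.bat"'},
]

# cmd.exe /c "<X>.exe.bat" where X sits directly in C:\windows, C:\windows\system,
# C:\windows\system32 or C:\windows\SysWOW64; tolerates the doubled quotes seen above.
BAT_LAUNCH = re.compile(
    r'(?i)\bcmd\.exe"?\s+/c\s+"*'
    r'([a-z]:\\windows\\(?:system\\|system32\\|syswow64\\)?[^"\s\\]+\.exe\.bat)"'
)
# WerFault.exe ... -p <pid>: the faulting process, in both the -pss and the -u forms.
WER_PID = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.I)


def norm(path):
    """Case-fold and map system32 to SysWOW64, where a 32-bit process's writes land."""
    return path.lower().replace("\\system32\\", "\\syswow64\\")


def faulting_pids(events):
    """PIDs that WerFault.exe was invoked for."""
    pids = set()
    for e in events:
        m = WER_PID.search(e["cmdline"])
        if m:
            pids.add(int(m.group(1)))
    return pids


@dataclass
class Finding:
    launcher: str     # process that ran cmd.exe (the previous generation)
    bat: str          # the *.exe.bat wrapper handed to cmd.exe /c
    next_stage: str   # EXE the wrapper is named after
    spawned: bool     # that EXE was started under cmd.exe
    crashed: bool     # WerFault.exe named its PID


def detect_chain(events):
    """One Finding per cmd.exe /c *.exe.bat launch from a Windows system directory."""
    crashed_pids = faulting_pids(events)
    findings = []
    for ev in events:
        m = BAT_LAUNCH.search(ev["cmdline"])
        if not m:
            continue
        bat = m.group(1)
        nxt = bat[: -len(".bat")]
        spawned = {e["pid"] for e in events
                   if norm(e["image"]) == norm(nxt)
                   and norm(e["parent"]).endswith("\\cmd.exe")}
        findings.append(Finding(ev["parent"], bat, nxt,
                                bool(spawned), bool(spawned & crashed_pids)))
    return findings


if __name__ == "__main__":
    for f in detect_chain(EVENTS):
        print(f)
```

The two benign rows do not fire: a .bat under a user profile fails the directory test and a plain .bat under C:\windows fails the .exe.bat test, so the double extension plus the system-directory location is what carries the signal, not cmd.exe /c on its own.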

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
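
The in-addr.arpa names above are reverse (PTR) lookups: read the four labels backwards and you get the address the VM was asking about, so 237.197.79.204.in-addr.arpa is 204.79.197.237, the g.bing.com endpoint in the same table. Decoded that way, every row is either a DNS query to 8.8.8.8 or a TCP/443 connection to a Bing host, and nothing in this run is attributable to the sample itself; treat the column as sandbox background before lifting any of these addresses as a network IOC. The script below is an added example, not part of the report: it parses the rows exactly as printed above, decodes the PTR names, pairs them with the connections that were actually made and lists any connection whose hostname is not on an allowlist. The allowlist (.bing.com, .bing.net) is an assumption for this environment, not something the report states.

```python
import ipaddress

# Rows copied from this report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
"""

# Hostname suffixes accepted as environment background. An assumption for this
# example, not a list the report provides.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name):
    """Decode a reverse-DNS name into the address it asks about; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    ip = ".".join(reversed(labels))
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    return ip


def triage(rows_text, benign_suffixes=BENIGN_SUFFIXES):
    """Split the table into real connections, PTR-only addresses and unattributed peers."""
    connections = {}      # ip -> hostnames seen on non-DNS flows to it
    ptr_targets = set()   # addresses the VM issued PTR queries for
    for line in rows_text.splitlines():
        _country, dest, domain, _proto = line.split()
        ip, port = dest.rsplit(":", 1)
        if port == "53":
            target = ptr_to_ip(domain)
            if target:
                ptr_targets.add(target)
            continue
        connections.setdefault(ip, set()).add(domain)
    unattributed = sorted(
        ip for ip, names in connections.items()
        if not any(n.endswith(benign_suffixes) for n in names)
    )
    return {
        "connections": connections,
        # looked up but never connected to within the capture: background noise
        "ptr_only": sorted(ptr_targets - set(connections), key=ipaddress.ip_address),
        "unattributed": unattributed,  # C2 candidates; empty for this report
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for ip, names in result["connections"].items():
        print(ip, sorted(names))
    print("PTR-only:", result["ptr_only"])
    print("unattributed:", result["unattributed"])
```

On this table the script yields three connected hosts, all Bing, ten addresses that were only ever reverse-resolved, and an empty unattributed list; a real callback would show up as a connection with no allowlisted hostname, or as a bare IP with no hostname at all.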

Files

memory/3632-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\NRF.exe.bat

MD5 f84c3fd02e00dda1ebc79e8e0fdc0745
SHA1 d7be0908306b5763c84b98bc5a3aeba9d69b6c42
SHA256 7cf7834f7d14f78d8693447a4dcfde54d15b126e35738386dae033c56590c3f1
SHA512 3075431efaab48ba73142f2325a854a387a81ec6a42c58d46faac26d405c3e721e046ad6c044e6e8f92cdfe533968248a7d38a050cbe392917b3e1077b17b060

C:\Windows\NRF.exe

MD5 8dbc84fd7030d2652b4e33fd53448c71
SHA1 4c7bb995066880e68b219519c047b278976ac534
SHA256 fe3b7ae53fbfbc4cbf6230833dcce7e3cbe7a68da7f698f71ee9d01255d7a450
SHA512 36bdabf622ba74b39bb01204892c27787f54df6aa4e5e5c23639d7b5538d7d795230590f2de349833e17ef12c66f7bfccd4186d7be685cb65c0df41b20317334

memory/2304-11-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\YJIW.exe

MD5 400a94cb5adeebb26dd72bee8dc496ba
SHA1 7e19fd378a0881127bdfeccda07afeb1e632773d
SHA256 e584ecc17ff2d794d359c32ae4c60e9cdac00ae41b3015c1545bc9d4e8166a51
SHA512 c4b79f67910f5011859fb500587cd2d750717b71a6492a3c4a08efb27f1b34e6d9d1fd7e8e6b0774d6f2df2791f3f3d0d4d646d1307633940cb9461514a47a04

C:\windows\YJIW.exe.bat

MD5 e3285275de50129952580d3d7a0be61e
SHA1 18864f98b47f927721146c83a864e4e5d71f1fca
SHA256 3257b0353b6d6352570afe112a1b8275b782cb8f0fbb7213255b46f2637b5723
SHA512 4d784363220f47ba09482f55bec743e0c9fb299c85f5bc759f9e8ff6acc9ccb26ef0425a525cf4b7453768fe02d412545c0d51406199c892e3937f5f2b8b40b6

memory/3448-22-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3632-23-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2304-24-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\MUZLKOQ.exe.bat

MD5 406a7a74e9f818efda4a8d5ce0e88f03
SHA1 09640e496c9967565fc8a589ff61fd98890e9c87
SHA256 56eec42ae27e2a655e9128be750a2efb2c423ce5794605ad8cf1b8855b9a831c
SHA512 7a1b5d6eda4a64f7c9451360861f45829986299b27c8db26579f35fafe509128f8a2f2a36e0177cbeceacdd673d66b3af88596da3f3c76ef9a3ca8fca9af2c68

C:\windows\system\MUZLKOQ.exe

MD5 945bdd0bb2c172ba851519e799b9efa5
SHA1 2e8420a83ca48e5794500b8529a8d8460119b542
SHA256 9d45dba6ab28dfbe04c3d73a63ba84e9f54a7b3b0c59eb8a3cf4bee9369376b1
SHA512 cb7c9b40043471caaa79832499639dbc1c1d14bfd92f6d027836e8436ad41f406ddcc68cb4127a7dc0931db230a7d3f0995bf2da4ab42e6cc733ad16b26a5510

memory/864-35-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\EXQPG.exe.bat

MD5 1fd5da68c9aa3c78db4f918288966266
SHA1 8dd42ab3a586f515d0917e4934b6a2486f562c62
SHA256 283e3036a70a4f400a11a7e86d2e473accf7a4485e7d35e9976fc73a111d46b6
SHA512 51191a0cf60bfaace0b239aa7ca49b63cf661aab94058c5edf1d633fca2f21f6ea0f04241406a645aeef857e6c47ecb719fb8afdd7e1b31cc873e7391b9ee076

C:\windows\system\EXQPG.exe

MD5 e2b93c800e25def30cd04a598bca64d3
SHA1 011d754f63dbe7d5a2cad23aa7977718fb096c91
SHA256 2a5562ac2e3494dab2bcc1a4bcc761e6ae559a688c90ebe9eaa4fafc34eb65c9
SHA512 68ca296a70d4a8a90c5c89d6ac81641a847b0f2914bf3740c1615caf9647e92fbf4ae54e83316cba0c030cc0d2ca022f3e2f7e57a06dce4c5c74596e3eee3297

memory/3448-46-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1356-47-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\WXEMS.exe.bat

MD5 5abd00c4e3c301118ef9812fe3ed474f
SHA1 8dacee611e60d8ce874c7e955ad8af8494a18989
SHA256 36c926c8454477b3e87e001390fccfa664877d1c974ab71ed05bd89f39583fed
SHA512 be1cce14ca5cdab0ebdba735efd52a7e6a3f7a1a9188329f8650a73529a261e0bcd688ae13c9f201f3337278642c5b780d24407dcdecfadd03e16e54e03b1786

memory/1648-58-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\WXEMS.exe

MD5 8e89516adfcc93206d7f1893d1bed6f3
SHA1 aad20c68434cd4a428fa129e815a8e57ac1545b9
SHA256 f46d7d7a5fddd6256b4decae75a30f138812f543bb847bf54dc9b3b340188164
SHA512 efa47e0c8725c425bad9b1f035578cd7f5dc306b42a2ab42ea41d16b5ef190fe98c1877c89a1a6cf91cab2de44307b968cd3c1ffd824afb7278bdc330204190e

memory/864-59-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NGTRFAW.exe.bat

MD5 685bf2af85a28d43e5cc4127d7f9fd54
SHA1 c9d4d997e8de7f9a70a6a24ace4128cee9188ed4
SHA256 7e28bd18d12546696ec71fd22900cb5d600526d7b4654eedc366cb8d0561eace
SHA512 ec0ae9319163bb8fa075f42b97296a1b6265e4e91413969e258bfdc1d02fb0ded64b9ecbe05b9a1faede83730e4cf6b6294f3e9217ffab67cc86e8144981d5b9

memory/1356-68-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NGTRFAW.exe

MD5 f98442932f5a101d2a0c1846fd6a6491
SHA1 3f24f91a0ea505bf44b34f512401014c4cfd7815
SHA256 778f40c310d91e5c3856f46a261728f2d318fb8e2733474787b2e7539f8d4be7
SHA512 d703bc8ed38eb5bddb45b0c9dbfa2e4645f934de63d5c4f57cc87bedc91eeb2e054c6e4137982484374fc21c6a0a67133962362d478f2c2875c88692d642309d

memory/3692-71-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\ROZR.exe.bat

MD5 0fcc09c2924916b77f99a6d1ff2166d4
SHA1 28d98d02f8ccaa8059ff1efcec910e497c41f35b
SHA256 3121619e2e63a1798dba11bb297958b36f39a7109dcd6a737c52452afae57d10
SHA512 99b98957fb3435b3a292d8159a8ec109d689b417c261e4d6b5f473403909ca3769e7a66916998b7969ebb03fb0496339d28fee591fca0a1df3355111d545729d

C:\Windows\ROZR.exe

MD5 b259b1bc83294d3ec0a8621e61ed4695
SHA1 adbfc269c858feb2cccbe4361a20fd6cdbfc74f9
SHA256 7c240a7dc808f42190b84fce33f4f7f18d7334aa162726afde0cfa21309fa6be
SHA512 c0c00890bb58794931754c0f8ee19dad05b3dbfedb754158a1149b55a6e646acf5e0eae3a00b2547072a8daaa5776d79cc566b153ef214daa489182e774f3421

memory/368-81-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1648-83-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\SMHAUC.exe.bat

MD5 9259c0c0be24a9270a8afdef76a11e12
SHA1 94204528801c8b0b74e7ceaa5224ff3e2c80cfec
SHA256 8f216b6812903ec6725aed4291133005a44887455935e5be18de30317f3bd936
SHA512 b2dad8e247244490cad9bfb3c7ccf7591574cd0a1fb601e532e11c3848cd39b373a410600c2c5c18deeae7541025550d75e0d1e01666dc470b4ae6f1c7081f49

C:\windows\system\SMHAUC.exe

MD5 ba712e330e142dd45c8ec0b9479cb575
SHA1 3df38c7e7f9cf120e377a5c98ff27098d17a7f25
SHA256 39ecbe4d2aa40762ecb6824e75b3539352042f1461c892e143f2eb637c45caa7
SHA512 b2546cf443725363177b6e91574d6c00cbf627473d02b43924c10f081c48ef8c2666163bbea5d3bb4cdf685521d9e3c36a43fd866beab0febfa1ad3783c1571b

memory/4752-94-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3692-95-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\ARMHE.exe.bat

MD5 23cae0a7ecdc6442aa05a4284239b203
SHA1 9af71a7badefc95a11572bc226a4579471c7dd48
SHA256 9e9113b39f50768b3b02b0ddf9fb624e1f801a763d2686252c07e32524420df6
SHA512 c9910812672122efb113150f21158b3507ac9547b6a95cebcd7f3e93653fd8c39f2dfe1ff838d9f3af480b43ed7f4e6034716f1ca7159af9332f50ff39881393

C:\Windows\SysWOW64\ARMHE.exe

MD5 7ecdf6dac26e8f13360b2715ae40acc4
SHA1 03ac0dc649a208251cfb8eda010372871f6c0ebe
SHA256 a7d7d32d7027a4c7f6e791a908f628f508de080563d28ac27b0a3b57cf1343bc
SHA512 d16b9dbb1376ad93d2703ca1fca45f55549bf011e50c3e7b431f606f4af079ffde09b923a2d82a68fc77601de3fa0e49d21f215a6058bc94d6d1ad12779e5dd6

memory/4700-106-0x0000000000400000-0x0000000000439000-memory.dmp

memory/368-107-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\NCC.exe.bat

MD5 e1d2f5cae1f7f57f5ac24a745d673ecc
SHA1 ccbd56cf89b97cec1afbcce452995ba74a22eba9
SHA256 39fb2f886fde0a8ab02163a199c6b4b85ceb1ce274b4347894f964d200357677
SHA512 0b79c299ecd4361592faf0e4c36cae1752baf1be937109ea5004c466c595c16779091cafe6e2ad89e5f8ef162805df23f43eb059c2890f55c096f64feb33cd96

memory/756-117-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4752-119-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\BXGGG.exe.bat

MD5 1fb97dbbaf24e147381557f6866406ac
SHA1 2f1f98bc3e2401952759a378c825d2f640bda746
SHA256 855cffcd6d79199da4fe346057ac030168bf6bbc50fa657a3778cc1ad5c19663
SHA512 f045f38156cd7f0360dcd3617991ae114e7e7a9429a48252b1687a58205a152547cf75e4934a2efb25c11fb75f51052abc9e15a9d00d9305c70b3fbfc3bd9e8d

C:\Windows\System\BXGGG.exe

MD5 9f2b7e2c8b71ee6c3285816641908dcd
SHA1 35917be4805df5db7ac96bb5e6d6f0d3fb022097
SHA256 75bb26c46a3ebce19253ce667c1d1d7d18bc52a6a78b83c53cfc860c5acdd333
SHA512 4ba5592bc90d5e06f9feb0db5f63bc5bc359d5ac094a35347c5d7b90ba4885d74371ac6e01beefe000f2532030fd6c994f1984dbf65068cb611d0684f8b2ad48

memory/3704-130-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4700-131-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\VVHB.exe

MD5 f69229016889b7b12869caca6c7a682c
SHA1 9d48b0466d58406567f3a231c419eb4fef752810
SHA256 d7d84ad1d0f3dfa1a5e5396bb6f370d75980037ebf818c5f61cb444843b1984e
SHA512 c2d6d25b9cd4fa50f5b0f6832b89c3d58c79d386da7f6d8eae10385fb6b88cc632a5679d1c362ca6642371c5e98e56defa2da42458cfc47d8a31696c921f16c7

C:\windows\VVHB.exe.bat

MD5 a3f46e6cc77aa3b1f67cf358e994006d
SHA1 0807492636d2e48899744fe2132f1c6506c9c9e2
SHA256 8535be8c7b6797ed05044c0119c7aa3e3b57ad77270b33134ca1fbc00f5d7678
SHA512 ea36df114e27f73647305b975ff6ab3510e34ce443064268804926e51bba94f57f62d4437afd892ed4312bcca416d10bf0ef3543a4c1ff99d3ecec5c96f5e310

memory/2120-142-0x0000000000400000-0x0000000000439000-memory.dmp

memory/756-143-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\VDVG.exe.bat

MD5 e6b76769e4ba10117d9a7681d2c3210d
SHA1 54df0c549617d92ca7605f30a0445884e6c2ccfe
SHA256 ce833fad09b29d6db6a023680d846e8725a25247af840ccd6c71a0c50a8b940d
SHA512 73d89c249c6f456deae6fc5b57a5058a30061d677da444691a3eae5b0882b7038f97be56029113e917fd89da5d6dbeb00aa90ea29318215591776a7f4fcf12c3

C:\Windows\System\VDVG.exe

MD5 614dda584cbf5626fb96c4b26290fdce
SHA1 7da03018721bab89726487aba589d504dc1c8913
SHA256 4f7a48503d6992d3d5ea42b7d3fc2156bc4173a372f3b38005b1626c0894e3aa
SHA512 4dd1b670a07de771af02e8788cc79ab173d0d128a16ca2b430806773435d6b1a9639b2ce69cff352dbd7af1a084b7a3c06a8344773335afac4859ceede531c3a

memory/640-154-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3704-155-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\RWXID.exe.bat

MD5 04fad82d2195f33d0299725efb691c6e
SHA1 a6ea288701327349d422b3ad9eec5cc9b0daab13
SHA256 1a83bc5d5b63f3045f3d56399e45b618ebe2aeb5c9109e505b8f40eaa8a10a94
SHA512 50ab1f0d76db7630863a5c7c4fd53a599a0781e23cee1f800aed2e445c92e2311a1e4e23a56704c2940bb3dbb9716b39d2010c8b7061da69272c8ea16e0b4dfd

memory/2120-163-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\RWXID.exe

MD5 050812ee9f57d71be3955de66a44d9cf
SHA1 66928d6e022060cb30594046b787072bc5038314
SHA256 08712dc2137b7c651c066d51126e10af7d41917cfab159677316b58e2ac73b67
SHA512 d0ceaea4af7906e7cd0edaec3024730ff6c872b46502f35d5744b973da6c025732e0e3b973db51eb3d488d21c50dcd84126a34bcab2cd32d34c4a651c68caa86

memory/2472-167-0x0000000000400000-0x0000000000439000-memory.dmp

memory/640-174-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\NCKMOHW.exe.bat

MD5 3a98d28424e90c57a8b7829aeaa64e4b
SHA1 e2497065bc23d0419f18e11464e460350caf081e
SHA256 f7134cb2726cdb74d6156034eac4e32adb73c9a636eb98d075fc18aa0378fc89
SHA512 6b005f240eb425eb53beb61c93d05ca2f5bad06940b70a0422f84a8a7a78331e4269d79b51486778f464b882d43279fea69266e15859ea503f1ea1a028b53cc6

C:\Windows\SysWOW64\NCKMOHW.exe

MD5 4c67f96f3a7da66ace2e2b6cc6934975
SHA1 d3f2dbb342236fa4fff472840712c6c9d5b7eb5e
SHA256 6aa2e10833ed77d55d9452069f5ffe2326ca0cebee911b996687ee8d8aa08f78
SHA512 b749fd7a2d9689e671c3617c82ae496167b0eb5a335f1ba273a07a2834296f9099abde0e841d84e78ae5398bed09beb7a384421ba00761f0790bf5fbc53b0caa

memory/4984-179-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\DRRPSBD.exe.bat

MD5 be90bb015123273e1338e5dcc03ee93f
SHA1 d5778ab8821e9c1beb6121dcff258b09154e2add
SHA256 d18b935872ff3ef041bc2228fea13b221f699fa46978a39081a98b8c5b70930a
SHA512 d69528e9dc370bb036954b74b8e97919ae690eb9294c533db0af38924f832ea4881094f69f80ea5d29a46eeb9e0fde13f9574086eab67e08f2c76e782bae9173

memory/2472-189-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5100-190-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\LFDDCZ.exe.bat

MD5 20eb83525499a23b0a7eb6487ca8c7d4
SHA1 3c8b56011d4ae993dedb4d069d745c865ffcf37b
SHA256 dd4a63b2cdd19f6df55d4731083e553d5a9e6e7585c27a344c44676d4d857a87
SHA512 6a70de00493752b410d294d2eac068e94fb02ed7eb1d5ec18af55bd3ccdcd14020c8bf18e2dcc4403640a8402889ed38ad770cac63e85744aa5ef679b19a7131

C:\Windows\LFDDCZ.exe

MD5 37f1a375d49b7d482c1c8e6ef05719f3
SHA1 cfa562370d511e972dc8e2e5475c5cb7cedd9b72
SHA256 48b2e38dc8f692f52a5cee3a5fad4e5596d48a00919cb04b2290a5f1ba5edf0f
SHA512 8a332aa37ec1aea32ac23c543e16ab52def6ef4c1fc44d47899383b13c904e5cab2f83840867eef54b5de89b6ea60cb07043de4a1c448085aa077cde5d660a69

memory/2096-202-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4984-203-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\EAH.exe.bat

MD5 b8b8c5736c163dcdadb0aa3cc5ccbacc
SHA1 c330bd53af0fa2c0cb9c18211d26c64c746e11f5
SHA256 fd028ccaba6cbd3c92440468145beaefcf0eac3e82f63ec3f6e68f9843e652cb
SHA512 1a3a437bbf73b853c7f33af70428aa61b2798719d05df78dceaeb630e3ea2f6cf20874517593e698617abc824b888c50482da1fad965f67bdc4a6e74d5aec2e0

C:\Windows\System\EAH.exe

MD5 36335887e5b495ec9c6a9d383eb7e102
SHA1 051f348062a2a88a4ca27a9a9dd56ee4bc7528ce
SHA256 4112eaf13384230701d7ef9200001df44b78210e27c3ac674ce9b34ae6520139
SHA512 60ddfc0c2174e3c7aa7fa452b08e06cc3b05632d33d91a9d6c839664057cb5f9aa2e567da707c623039fcf8fab7c6535b126df8b43910fdb7fe1a4674ea80815

memory/3496-214-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5100-215-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2096-222-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\JGRO.exe.bat

MD5 f11dd8cabe2ecf6ab3003e21cfb94e3b
SHA1 7b968be928dbc6b5a3efd93d56a3c67810aded80
SHA256 2b59457b236be26fa198dde7178f723406b116c9ceedf8c64b98b7a31617ccef
SHA512 6b5648312c2961481c6b215df2d3b4b10d167665e3156c4da169cbdf9a8e103ba121dede34c246bfa2597f2e5ef213cadd1a5a28b62737f01994bd2e0cf82840

memory/4920-226-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\JGRO.exe

MD5 ba6bf41017874d68520f9bb2bb3e7234
SHA1 81a6e39b2728e728dd0906b089ad98cc463f5b7c
SHA256 79e79dada980ec77427c2ee0f4c6d4000aa0cf37cf9662d3f04a389cac7cf527
SHA512 c6e96a5f8a2779a669ddf0757bf4a779215c809be76b46dcb2b20a148694333beb593427aa0203e7d89f2dc46bbd3f164695d45c8bb8de28f87851d616baa0de

C:\windows\system\WLZAIWM.exe.bat

MD5 5c4693c70b62b81e31b803aa2c906535
SHA1 c17e75ed7515baa3330ce3beeb40ef28e6f6c7f2
SHA256 f256b822fa855fd826af590158ffc286198bf55ca4a9e1f2e479432724a4d216
SHA512 fe768533057309f4efdd1facdeeaf402ee5cf58017cfeb70e5f845b114692f4a8bba9de85b4a6c211b9e13fcba59444df252ea8a39a0f297767c64b606d26d24

C:\Windows\System\WLZAIWM.exe

MD5 2474768367c229f7ff4b44cc7de0db1a
SHA1 569135fd51688fab48bc3564eaf615740a770508
SHA256 3bf9efd0fcb1bda40d1570983a856e46a39a667293c196e83f1eaba0a4ab250d
SHA512 c5a429ada1098979a2dd58f3a8573d0ffc8c180b9f1d6c6c996a297916d2d8e9668a6fbdd6c880ee2c5f4e6df5d607e422ff916f63f15eaef5677d6185fcbd7b

memory/1220-237-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3496-239-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\XGDW.exe.bat

MD5 33707bd2b106818a8dd53ff1ecc3c2fd
SHA1 83c6572874bfd37603088d2f1d8cd2b72103cc4a
SHA256 7a16e5aadd99ff22cec96b75bece12f76f73326ed7b2f768d32a64d504694e71
SHA512 40b656831a0638bd00dfdac092eb84ef8a7ee49ced5ea5d2c2168a8df70e0610520325c47a522a319099494335590421d38e57191cd146d2f506c023c48a2c3f

C:\Windows\XGDW.exe

MD5 0f022581823034a0cd683c02bb53912b
SHA1 fbf8dee3db91f98f61f63c480f93a6cc716a67c1
SHA256 0b0b33951ff1059e5a81add696b0f50ac9353b638332095b2712f6929836b3cd
SHA512 e91952824d77781e6b2de4062d83349768b02715d69090a2cbba57aa3df5d92703443fc7b486b831612ecdd8418b45cac68db129071e772047da79f3e79125e6

memory/4756-249-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4920-251-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1220-258-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\QCOU.exe.bat

MD5 d6a977983d0d3e59efa6ff4dc7ec0360
SHA1 ab13bf51dcd3c144b2b6549beca0dda70b1f51c4
SHA256 5b42fd687066692bf47a2db749ef89406d002c50ae79d408928b7e759969694d
SHA512 a37385b327b9a0b73f794e0a9352601b547984c5b8cbbaabda3a84d23329f30595d2b70241b85e245f12a57e9e9a79409d89e4189b0b940fa251d1b2d22d8694

memory/4592-261-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4756-268-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1412-270-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4592-271-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1852-279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4432-287-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1412-288-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1852-295-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1444-297-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4796-305-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4432-306-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1444-313-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1768-315-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4796-322-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1100-324-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1768-331-0x0000000000400000-0x0000000000439000-memory.dmp

memory/388-333-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4100-341-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1100-342-0x0000000000400000-0x0000000000439000-memory.dmp

memory/388-349-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4084-351-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4100-358-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1356-360-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4084-367-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2220-369-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1356-376-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2824-378-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2220-385-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1108-387-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2824-394-0x0000000000400000-0x0000000000439000-memory.dmp

memory/688-396-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1108-403-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1544-405-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3364-413-0x0000000000400000-0x0000000000439000-memory.dmp

memory/688-414-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1544-421-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3528-423-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3364-430-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2156-432-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3528-439-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2240-441-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2156-448-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1840-450-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2240-457-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4304-459-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1840-466-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4564-468-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4304-475-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3496-477-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4564-484-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4432-486-0x0000000000400000-0x0000000000439000-memory.dmp

memory/208-494-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3496-495-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:45

Reported

2024-06-02 04:48

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\SysWOW64\JSPTD.exe C:\windows\system\FMSMEI.exe N/A
File opened for modification C:\windows\SysWOW64\RWXGF.exe C:\windows\system\SJOVFJ.exe N/A
File opened for modification C:\windows\SysWOW64\YDWNKP.exe C:\windows\ILP.exe N/A
File created C:\windows\SysWOW64\RWXGF.exe.bat C:\windows\system\SJOVFJ.exe N/A
File created C:\windows\SysWOW64\HMVRSN.exe.bat C:\windows\system\XCUZ.exe N/A
File opened for modification C:\windows\SysWOW64\VUV.exe C:\windows\system\VMP.exe N/A
File created C:\windows\SysWOW64\VUV.exe.bat C:\windows\system\VMP.exe N/A
File opened for modification C:\windows\SysWOW64\LFD.exe C:\windows\YVN.exe N/A
File created C:\windows\SysWOW64\JSPTD.exe.bat C:\windows\system\FMSMEI.exe N/A
File created C:\windows\SysWOW64\YDWNKP.exe C:\windows\ILP.exe N/A
File created C:\windows\SysWOW64\RWXGF.exe C:\windows\system\SJOVFJ.exe N/A
File opened for modification C:\windows\SysWOW64\HMVRSN.exe C:\windows\system\XCUZ.exe N/A
File created C:\windows\SysWOW64\LFD.exe C:\windows\YVN.exe N/A
File created C:\windows\SysWOW64\LFD.exe.bat C:\windows\YVN.exe N/A
File created C:\windows\SysWOW64\JSPTD.exe C:\windows\system\FMSMEI.exe N/A
File created C:\windows\SysWOW64\YDWNKP.exe.bat C:\windows\ILP.exe N/A
File created C:\windows\SysWOW64\HMVRSN.exe C:\windows\system\XCUZ.exe N/A
File created C:\windows\SysWOW64\VUV.exe C:\windows\system\VMP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\system\GOXH.exe C:\windows\system\BUP.exe N/A
File created C:\windows\HFKRRE.exe C:\windows\SysWOW64\LFD.exe N/A
File created C:\windows\DQDTTZ.exe C:\windows\HFKRRE.exe N/A
File created C:\windows\PEZCIUI.exe.bat C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File created C:\windows\system\FVXWW.exe C:\windows\NYS.exe N/A
File created C:\windows\ILP.exe.bat C:\windows\system\WXGTEX.exe N/A
File opened for modification C:\windows\NYS.exe C:\windows\SysWOW64\YDWNKP.exe N/A
File created C:\windows\system\XCUZ.exe C:\windows\system\GOXH.exe N/A
File created C:\windows\system\XCUZ.exe.bat C:\windows\system\GOXH.exe N/A
File created C:\windows\YVN.exe C:\windows\SysWOW64\VUV.exe N/A
File opened for modification C:\windows\PEZCIUI.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File created C:\windows\system\RMMGKB.exe C:\windows\KPCTFR.exe N/A
File created C:\windows\system\BUP.exe.bat C:\windows\SysWOW64\RWXGF.exe N/A
File created C:\windows\system\WXGTEX.exe C:\windows\SysWOW64\JSPTD.exe N/A
File created C:\windows\NYS.exe C:\windows\SysWOW64\YDWNKP.exe N/A
File created C:\windows\system\GOXH.exe.bat C:\windows\system\BUP.exe N/A
File opened for modification C:\windows\system\SJOVFJ.exe C:\windows\system\FVXWW.exe N/A
File created C:\windows\system\BUP.exe C:\windows\SysWOW64\RWXGF.exe N/A
File created C:\windows\ILP.exe C:\windows\system\WXGTEX.exe N/A
File opened for modification C:\windows\ILP.exe C:\windows\system\WXGTEX.exe N/A
File created C:\windows\NYS.exe.bat C:\windows\SysWOW64\YDWNKP.exe N/A
File opened for modification C:\windows\system\FVXWW.exe C:\windows\NYS.exe N/A
File created C:\windows\system\SJOVFJ.exe C:\windows\system\FVXWW.exe N/A
File opened for modification C:\windows\system\XCUZ.exe C:\windows\system\GOXH.exe N/A
File created C:\windows\system\FMSMEI.exe C:\windows\system\RMMGKB.exe N/A
File opened for modification C:\windows\system\WXGTEX.exe C:\windows\SysWOW64\JSPTD.exe N/A
File opened for modification C:\windows\DQDTTZ.exe C:\windows\HFKRRE.exe N/A
File opened for modification C:\windows\system\RMMGKB.exe C:\windows\KPCTFR.exe N/A
File created C:\windows\system\SJOVFJ.exe.bat C:\windows\system\FVXWW.exe N/A
File created C:\windows\system\VMP.exe C:\windows\SysWOW64\HMVRSN.exe N/A
File opened for modification C:\windows\system\VMP.exe C:\windows\SysWOW64\HMVRSN.exe N/A
File opened for modification C:\windows\YVN.exe C:\windows\SysWOW64\VUV.exe N/A
File created C:\windows\PEZCIUI.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File opened for modification C:\windows\KPCTFR.exe C:\windows\PEZCIUI.exe N/A
File opened for modification C:\windows\system\FMSMEI.exe C:\windows\system\RMMGKB.exe N/A
File created C:\windows\system\FMSMEI.exe.bat C:\windows\system\RMMGKB.exe N/A
File created C:\windows\system\WXGTEX.exe.bat C:\windows\SysWOW64\JSPTD.exe N/A
File created C:\windows\system\FVXWW.exe.bat C:\windows\NYS.exe N/A
File opened for modification C:\windows\system\BUP.exe C:\windows\SysWOW64\RWXGF.exe N/A
File created C:\windows\system\GOXH.exe C:\windows\system\BUP.exe N/A
File created C:\windows\KPCTFR.exe.bat C:\windows\PEZCIUI.exe N/A
File created C:\windows\system\RMMGKB.exe.bat C:\windows\KPCTFR.exe N/A
File opened for modification C:\windows\HFKRRE.exe C:\windows\SysWOW64\LFD.exe N/A
File created C:\windows\system\VMP.exe.bat C:\windows\SysWOW64\HMVRSN.exe N/A
File created C:\windows\YVN.exe.bat C:\windows\SysWOW64\VUV.exe N/A
File created C:\windows\DQDTTZ.exe.bat C:\windows\HFKRRE.exe N/A
File created C:\windows\KPCTFR.exe C:\windows\PEZCIUI.exe N/A
File created C:\windows\HFKRRE.exe.bat C:\windows\SysWOW64\LFD.exe N/A
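
Read together, the two tables above describe a linked list rather than a set of drops: each process writes exactly one new EXE plus a same-named .exe.bat wrapper into C:\windows, C:\windows\system or C:\windows\SysWOW64, and that EXE is the only creator in the next pair of rows. The sample writes PEZCIUI.exe, PEZCIUI.exe writes KPCTFR.exe, and so on down to DQDTTZ.exe, which appears only as a created file because the 120 s run ended before it dropped a successor. The names differ for every drop and, per the Files section of behavioral2, so do the hashes (every dump is the same 0x400000-0x439000 region, so the image size does not change), which makes the hashes per-run indicators; the drop pattern is what survives across runs. The script below is an added example, not part of the report: it reconstructs the chain from the table rows for the first six generations (copied verbatim from the tables above; the later generations are left out only for length), rejects any hop that breaks the one-EXE-plus-wrapper pattern, and extracts the directories involved as path-pattern IOCs.

```python
from collections import defaultdict

# Rows copied from the "Drops file in Windows directory" and "Drops file in
# System32 directory" tables above (Description Indicator Process Target) for the
# first six generations; the later generations are left out only for length.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"
DROP_ROWS = r"""
File created C:\windows\PEZCIUI.exe.bat C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File opened for modification C:\windows\PEZCIUI.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File created C:\windows\PEZCIUI.exe C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
File opened for modification C:\windows\KPCTFR.exe C:\windows\PEZCIUI.exe N/A
File created C:\windows\KPCTFR.exe.bat C:\windows\PEZCIUI.exe N/A
File created C:\windows\KPCTFR.exe C:\windows\PEZCIUI.exe N/A
File created C:\windows\system\RMMGKB.exe C:\windows\KPCTFR.exe N/A
File created C:\windows\system\RMMGKB.exe.bat C:\windows\KPCTFR.exe N/A
File created C:\windows\system\FMSMEI.exe C:\windows\system\RMMGKB.exe N/A
File created C:\windows\system\FMSMEI.exe.bat C:\windows\system\RMMGKB.exe N/A
File created C:\windows\SysWOW64\JSPTD.exe.bat C:\windows\system\FMSMEI.exe N/A
File created C:\windows\SysWOW64\JSPTD.exe C:\windows\system\FMSMEI.exe N/A
File created C:\windows\system\WXGTEX.exe C:\windows\SysWOW64\JSPTD.exe N/A
File created C:\windows\system\WXGTEX.exe.bat C:\windows\SysWOW64\JSPTD.exe N/A
"""


def parse_rows(text):
    """Yield (action, path, creator) from the report's flattened table rows."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[-1] != "N/A":
            continue
        yield " ".join(tok[:-3]), tok[-3], tok[-2]


def drops_by_creator(text):
    """Map each creating process (case-folded) to the set of paths it created."""
    created = defaultdict(set)
    for action, path, creator in parse_rows(text):
        if action == "File created":
            created[creator.lower()].add(path)
    return created


def build_chain(text, root):
    """Follow creator -> dropped-EXE links from the root sample.

    Each hop must be exactly one new EXE with a same-named .exe.bat wrapper
    written by the same process; anything else is rejected as not matching
    the pattern seen in this report.
    """
    created = drops_by_creator(text)
    chain, seen, node = [root], {root.lower()}, root
    while True:
        drops = created.get(node.lower(), set())
        exes = [p for p in drops if p.lower().endswith(".exe")]
        if not exes:
            return chain                       # end of the observed chain
        if len(exes) != 1:
            raise ValueError(f"{node} dropped {len(exes)} EXEs; not a linear chain")
        nxt = exes[0]
        if nxt + ".bat" not in drops:
            raise ValueError(f"{nxt} has no companion .exe.bat wrapper")
        if nxt.lower() in seen:
            raise ValueError(f"{nxt} re-dropped; chain loops")
        chain.append(nxt)
        seen.add(nxt.lower())
        node = nxt


def drop_dirs(chain):
    """Directories the chain writes into (root excluded), usable as path-pattern IOCs."""
    return sorted({p.rsplit("\\", 1)[0].lower() for p in chain[1:]})


if __name__ == "__main__":
    chain = build_chain(DROP_ROWS, SAMPLE)
    for depth, path in enumerate(chain):
        print(depth, path)
    print("drop directories:", drop_dirs(chain))
```

Feeding the full 44 "File created" rows from both tables through build_chain gives the 23-node chain ending at C:\windows\DQDTTZ.exe; the excerpt here stops at WXGTEX.exe. The ValueError branches are the point of the check: a report whose drops fan out, loop or lack the wrapper is not this pattern and should be triaged separately.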

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe N/A
N/A N/A C:\windows\PEZCIUI.exe N/A
N/A N/A C:\windows\PEZCIUI.exe N/A
N/A N/A C:\windows\KPCTFR.exe N/A
N/A N/A C:\windows\KPCTFR.exe N/A
N/A N/A C:\windows\system\RMMGKB.exe N/A
N/A N/A C:\windows\system\RMMGKB.exe N/A
N/A N/A C:\windows\system\FMSMEI.exe N/A
N/A N/A C:\windows\system\FMSMEI.exe N/A
N/A N/A C:\windows\SysWOW64\JSPTD.exe N/A
N/A N/A C:\windows\SysWOW64\JSPTD.exe N/A
N/A N/A C:\windows\system\WXGTEX.exe N/A
N/A N/A C:\windows\system\WXGTEX.exe N/A
N/A N/A C:\windows\ILP.exe N/A
N/A N/A C:\windows\ILP.exe N/A
N/A N/A C:\windows\SysWOW64\YDWNKP.exe N/A
N/A N/A C:\windows\SysWOW64\YDWNKP.exe N/A
N/A N/A C:\windows\NYS.exe N/A
N/A N/A C:\windows\NYS.exe N/A
N/A N/A C:\windows\system\FVXWW.exe N/A
N/A N/A C:\windows\system\FVXWW.exe N/A
N/A N/A C:\windows\system\SJOVFJ.exe N/A
N/A N/A C:\windows\system\SJOVFJ.exe N/A
N/A N/A C:\windows\SysWOW64\RWXGF.exe N/A
N/A N/A C:\windows\SysWOW64\RWXGF.exe N/A
N/A N/A C:\windows\system\BUP.exe N/A
N/A N/A C:\windows\system\BUP.exe N/A
N/A N/A C:\windows\system\GOXH.exe N/A
N/A N/A C:\windows\system\GOXH.exe N/A
N/A N/A C:\windows\system\XCUZ.exe N/A
N/A N/A C:\windows\system\XCUZ.exe N/A
N/A N/A C:\windows\SysWOW64\HMVRSN.exe N/A
N/A N/A C:\windows\SysWOW64\HMVRSN.exe N/A
N/A N/A C:\windows\system\VMP.exe N/A
N/A N/A C:\windows\system\VMP.exe N/A
N/A N/A C:\windows\SysWOW64\VUV.exe N/A
N/A N/A C:\windows\SysWOW64\VUV.exe N/A
N/A N/A C:\windows\YVN.exe N/A
N/A N/A C:\windows\YVN.exe N/A
N/A N/A C:\windows\SysWOW64\LFD.exe N/A
N/A N/A C:\windows\SysWOW64\LFD.exe N/A
N/A N/A C:\windows\HFKRRE.exe N/A
N/A N/A C:\windows\HFKRRE.exe N/A
N/A N/A C:\windows\DQDTTZ.exe N/A
N/A N/A C:\windows\DQDTTZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PEZCIUI.exe
PID 2616 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PEZCIUI.exe
PID 2616 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PEZCIUI.exe
PID 2616 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\PEZCIUI.exe
PID 2564 wrote to memory of 2720 N/A C:\windows\PEZCIUI.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2720 N/A C:\windows\PEZCIUI.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2720 N/A C:\windows\PEZCIUI.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2720 N/A C:\windows\PEZCIUI.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KPCTFR.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KPCTFR.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KPCTFR.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KPCTFR.exe
PID 2596 wrote to memory of 2544 N/A C:\windows\KPCTFR.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2544 N/A C:\windows\KPCTFR.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2544 N/A C:\windows\KPCTFR.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2544 N/A C:\windows\KPCTFR.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\RMMGKB.exe
PID 2544 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\RMMGKB.exe
PID 2544 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\RMMGKB.exe
PID 2544 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\RMMGKB.exe
PID 2992 wrote to memory of 580 N/A C:\windows\system\RMMGKB.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 580 N/A C:\windows\system\RMMGKB.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 580 N/A C:\windows\system\RMMGKB.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 580 N/A C:\windows\system\RMMGKB.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FMSMEI.exe
PID 580 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FMSMEI.exe
PID 580 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FMSMEI.exe
PID 580 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\FMSMEI.exe
PID 2404 wrote to memory of 2824 N/A C:\windows\system\FMSMEI.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2824 N/A C:\windows\system\FMSMEI.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2824 N/A C:\windows\system\FMSMEI.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2824 N/A C:\windows\system\FMSMEI.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\JSPTD.exe
PID 2824 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\JSPTD.exe
PID 2824 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\JSPTD.exe
PID 2824 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\JSPTD.exe
PID 2144 wrote to memory of 812 N/A C:\windows\SysWOW64\JSPTD.exe C:\windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 812 N/A C:\windows\SysWOW64\JSPTD.exe C:\windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 812 N/A C:\windows\SysWOW64\JSPTD.exe C:\windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 812 N/A C:\windows\SysWOW64\JSPTD.exe C:\windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2332 N/A C:\windows\SysWOW64\cmd.exe C:\windows\system\WXGTEX.exe
PID 812 wrote to memory of 2332 N/A C:\windows\SysWOW64\cmd.exe C:\windows\system\WXGTEX.exe
PID 812 wrote to memory of 2332 N/A C:\windows\SysWOW64\cmd.exe C:\windows\system\WXGTEX.exe
PID 812 wrote to memory of 2332 N/A C:\windows\SysWOW64\cmd.exe C:\windows\system\WXGTEX.exe
PID 2332 wrote to memory of 2708 N/A C:\windows\system\WXGTEX.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2708 N/A C:\windows\system\WXGTEX.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2708 N/A C:\windows\system\WXGTEX.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2708 N/A C:\windows\system\WXGTEX.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ILP.exe
PID 2708 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ILP.exe
PID 2708 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ILP.exe
PID 2708 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\ILP.exe
PID 1648 wrote to memory of 2308 N/A C:\windows\ILP.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2308 N/A C:\windows\ILP.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2308 N/A C:\windows\ILP.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2308 N/A C:\windows\ILP.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YDWNKP.exe
PID 2308 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YDWNKP.exe
PID 2308 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YDWNKP.exe
PID 2308 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YDWNKP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\38fe15b75ea7abc3575fb763ab610a40_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\PEZCIUI.exe.bat" "

C:\windows\PEZCIUI.exe

C:\windows\PEZCIUI.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\KPCTFR.exe.bat" "

C:\windows\KPCTFR.exe

C:\windows\KPCTFR.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\RMMGKB.exe.bat" "

C:\windows\system\RMMGKB.exe

C:\windows\system\RMMGKB.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\FMSMEI.exe.bat" "

C:\windows\system\FMSMEI.exe

C:\windows\system\FMSMEI.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\JSPTD.exe.bat" "

C:\windows\SysWOW64\JSPTD.exe

C:\windows\system32\JSPTD.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\WXGTEX.exe.bat" "

C:\windows\system\WXGTEX.exe

C:\windows\system\WXGTEX.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\ILP.exe.bat" "

C:\windows\ILP.exe

C:\windows\ILP.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\YDWNKP.exe.bat" "

C:\windows\SysWOW64\YDWNKP.exe

C:\windows\system32\YDWNKP.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\NYS.exe.bat" "

C:\windows\NYS.exe

C:\windows\NYS.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\FVXWW.exe.bat" "

C:\windows\system\FVXWW.exe

C:\windows\system\FVXWW.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\SJOVFJ.exe.bat" "

C:\windows\system\SJOVFJ.exe

C:\windows\system\SJOVFJ.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\RWXGF.exe.bat" "

C:\windows\SysWOW64\RWXGF.exe

C:\windows\system32\RWXGF.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\BUP.exe.bat" "

C:\windows\system\BUP.exe

C:\windows\system\BUP.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\GOXH.exe.bat" "

C:\windows\system\GOXH.exe

C:\windows\system\GOXH.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\XCUZ.exe.bat" "

C:\windows\system\XCUZ.exe

C:\windows\system\XCUZ.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\HMVRSN.exe.bat" "

C:\windows\SysWOW64\HMVRSN.exe

C:\windows\system32\HMVRSN.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system\VMP.exe.bat" "

C:\windows\system\VMP.exe

C:\windows\system\VMP.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\VUV.exe.bat" "

C:\windows\SysWOW64\VUV.exe

C:\windows\system32\VUV.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\YVN.exe.bat" "

C:\windows\YVN.exe

C:\windows\YVN.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\LFD.exe.bat" "

C:\windows\SysWOW64\LFD.exe

C:\windows\system32\LFD.exe

C:\windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\HFKRRE.exe.bat" "

C:\windows\HFKRRE.exe

C:\windows\HFKRRE.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\DQDTTZ.exe.bat" "

C:\windows\DQDTTZ.exe

C:\windows\DQDTTZ.exe

Network

N/A

Files
