Analysis Overview
SHA256
27f6e903ed0b57e2f6ce26edebb64eb7d298c23438eaee11a102b98994e6ccde
Threat Level: Known bad
The file virussign.com_27eee676babdd6aa1be84531f1f58910.vir was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 09:27
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 09:27
Reported
2024-06-02 09:30
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZRYPQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\OLQT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\FQFR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\NJKN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\XXSET.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\BANI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\KXUBA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\TXWR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\XBGQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\KMUGGVI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\YTTM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LEEZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\VWCF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\HOU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\NJCWY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\FLFL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\DLKAQO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\IQWH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\VGE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\WTRURLR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PFDH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\WNIL.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\UAGBO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\LVJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\VMHDWT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\SDOW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\PVPG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\EDWXM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\NSHVP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\TETYY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\XLCM.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\HUFRRSZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\OKVE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\DSFSGAE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\IBZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\LWHQG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\WAYSTXE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\OZAC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\OIQRD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\BHWHDT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\RGWAWD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\YYQJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\AROGBQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\KAMDT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\WFVSSO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\ASRRUW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\MARFO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\BORABFJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\HRPML.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\ZJHJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\BRCYI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\LXFBJU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\WRMGP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\IDEBMD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\FQR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\DOVLYNO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\TCTO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\RYQD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\OOFOHMO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\HOALD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\PWDOC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\PTU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\NEAE.exe | N/A |
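Every process in the table above reads HKCU\Control Panel\International\Geo\Nation, the user's country setting (ATT&CK System Location Discovery, T1614). The query by itself is common in legitimate software; what makes these rows worth hunting on is the image paths: short, all-uppercase names sitting directly in C:\windows\, C:\windows\system\ or C:\windows\SysWOW64\. The Python below is an added triage example and is not part of the sandbox report. Four rows are copied from the table; the explorer.exe row is constructed as a benign control, and the name regex and directory list are heuristics chosen for this example rather than anything the report states.

```python
import ntpath
import re

GEO_NATION = r"\Control Panel\International\Geo\Nation"
# Directories the stages in this report are dropped into (lower-cased); the
# system32 entry covers paths written before WOW64 redirection is applied.
STAGE_DIRS = {"c:\\windows", "c:\\windows\\system",
              "c:\\windows\\syswow64", "c:\\windows\\system32"}
# Heuristic (an assumption of this example, not a rule from the report): the
# stage names seen here are 3-7 upper-case letters with no digits.
RANDOM_NAME = re.compile(r"^[A-Z]{3,7}\.exe$")

# Constructed input: four rows copied from the table above plus one
# constructed benign row (explorer.exe) to show the heuristic rejecting it.
SAMPLE_ROWS = r"""
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\system\ZRYPQ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\SysWOW64\OLQT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\windows\NJKN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\explorer.exe | N/A |
"""


def parse_registry_rows(text):
    """Yield (action, key, process) from the pipe-delimited table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] == "Key value queried":
            yield cells[0], cells[1], cells[2]


def looks_like_berbew_stage(image_path):
    """True when the image sits directly in a stage directory and carries a
    short all-caps random name like the ones in this report."""
    directory = ntpath.dirname(image_path).lower()
    name = ntpath.basename(image_path)
    return directory in STAGE_DIRS and RANDOM_NAME.match(name) is not None


def triage_geo_nation(rows):
    """Split the processes that queried the Geo\\Nation value into those that
    fit the stage pattern and the rest, which need another reason to be
    treated as suspicious."""
    flagged, other = set(), set()
    for _action, key, proc in rows:
        if not key.lower().endswith(GEO_NATION.lower()):
            continue
        (flagged if looks_like_berbew_stage(proc) else other).add(proc)
    return sorted(flagged), sorted(other)


if __name__ == "__main__":
    hits, rest = triage_geo_nation(parse_registry_rows(SAMPLE_ROWS))
    print("stage-like:", hits)
    print("other:", rest)
```

The initial sample in the Temp directory and explorer.exe both land in the second list: the Geo\Nation query alone is not a verdict, and the dropped-stage naming is what separates this family's binaries from ordinary software reading the same value.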
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\OAKOD.exe | C:\windows\SysWOW64\XXSET.exe | N/A |
| File created | C:\windows\SysWOW64\UPWM.exe.bat | C:\windows\MWNLDQI.exe | N/A |
| File created | C:\windows\SysWOW64\JSYD.exe.bat | C:\windows\system\AUEB.exe | N/A |
| File created | C:\windows\SysWOW64\JTA.exe.bat | C:\windows\IQWH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DUTQ.exe | C:\windows\PZH.exe | N/A |
| File created | C:\windows\SysWOW64\OLQT.exe.bat | C:\windows\system\CAFFC.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\BBFNFH.exe | C:\windows\system\HOU.exe | N/A |
| File created | C:\windows\SysWOW64\LXBFSK.exe.bat | C:\windows\SysWOW64\ENE.exe | N/A |
| File created | C:\windows\SysWOW64\AJWXU.exe.bat | C:\windows\SysWOW64\HRPML.exe | N/A |
| File created | C:\windows\SysWOW64\IBT.exe | C:\windows\system\FTYQG.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\XWYKO.exe | C:\windows\SysWOW64\NYGXXW.exe | N/A |
| File created | C:\windows\SysWOW64\FLFL.exe.bat | C:\windows\system\ASRRUW.exe | N/A |
| File created | C:\windows\SysWOW64\NYRS.exe | C:\windows\SysWOW64\FLFL.exe | N/A |
| File created | C:\windows\SysWOW64\DRAGISV.exe.bat | C:\windows\SysWOW64\IVWWY.exe | N/A |
| File created | C:\windows\SysWOW64\RGWAWD.exe | C:\windows\SysWOW64\DLKAQO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JSYD.exe | C:\windows\system\AUEB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\KXUBA.exe | C:\windows\SysWOW64\BZAA.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LEEZ.exe | C:\windows\YTTM.exe | N/A |
| File created | C:\windows\SysWOW64\LEEZ.exe.bat | C:\windows\YTTM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\NIJDOQ.exe | C:\windows\system\DQRE.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\LPXRZQ.exe | C:\windows\system\ORYHIQX.exe | N/A |
| File created | C:\windows\SysWOW64\FLFL.exe | C:\windows\system\ASRRUW.exe | N/A |
| File created | C:\windows\SysWOW64\RGWAWD.exe.bat | C:\windows\SysWOW64\DLKAQO.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\MRTI.exe | C:\windows\XBGQ.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\JPG.exe | C:\windows\SysWOW64\LEEZ.exe | N/A |
| File created | C:\windows\SysWOW64\HRPML.exe.bat | C:\windows\system\VGE.exe | N/A |
| File created | C:\windows\SysWOW64\TVL.exe | C:\windows\TXWR.exe | N/A |
| File created | C:\windows\SysWOW64\UFNB.exe | C:\windows\SysWOW64\TSCDTB.exe | N/A |
| File created | C:\windows\SysWOW64\JTA.exe | C:\windows\IQWH.exe | N/A |
| File created | C:\windows\SysWOW64\LEEZ.exe | C:\windows\YTTM.exe | N/A |
| File created | C:\windows\SysWOW64\HRPML.exe | C:\windows\system\VGE.exe | N/A |
| File created | C:\windows\SysWOW64\FQUQOE.exe.bat | C:\windows\system\HYF.exe | N/A |
| File created | C:\windows\SysWOW64\NIJDOQ.exe.bat | C:\windows\system\DQRE.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\IGGU.exe | C:\windows\system\OKVE.exe | N/A |
| File created | C:\windows\SysWOW64\OLQT.exe | C:\windows\system\CAFFC.exe | N/A |
| File created | C:\windows\SysWOW64\TETYY.exe.bat | C:\windows\EDWXM.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FLFL.exe | C:\windows\system\ASRRUW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\YYQJ.exe | C:\windows\SysWOW64\OAKOD.exe | N/A |
| File created | C:\windows\SysWOW64\YYQJ.exe.bat | C:\windows\SysWOW64\OAKOD.exe | N/A |
| File created | C:\windows\SysWOW64\BZAA.exe.bat | C:\windows\HMV.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\VMHDWT.exe | C:\windows\IBZ.exe | N/A |
| File created | C:\windows\SysWOW64\NYGXXW.exe.bat | C:\windows\SysWOW64\PFDH.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\PVPG.exe | C:\windows\DSFSGAE.exe | N/A |
| File created | C:\windows\SysWOW64\MNKTF.exe | C:\windows\CPE.exe | N/A |
| File created | C:\windows\SysWOW64\TSCDTB.exe.bat | C:\windows\system\BSNGHK.exe | N/A |
| File created | C:\windows\SysWOW64\UFNB.exe.bat | C:\windows\SysWOW64\TSCDTB.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\DRAGISV.exe | C:\windows\SysWOW64\IVWWY.exe | N/A |
| File created | C:\windows\SysWOW64\DRAGISV.exe | C:\windows\SysWOW64\IVWWY.exe | N/A |
| File created | C:\windows\SysWOW64\DKJPHJ.exe | C:\windows\WRMGP.exe | N/A |
| File created | C:\windows\SysWOW64\DKJPHJ.exe.bat | C:\windows\WRMGP.exe | N/A |
| File created | C:\windows\SysWOW64\ICRGRCQ.exe.bat | C:\windows\BRCYI.exe | N/A |
| File created | C:\windows\SysWOW64\UPWM.exe | C:\windows\MWNLDQI.exe | N/A |
| File created | C:\windows\SysWOW64\TETYY.exe | C:\windows\EDWXM.exe | N/A |
| File created | C:\windows\SysWOW64\LPXRZQ.exe.bat | C:\windows\system\ORYHIQX.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\MNKTF.exe | C:\windows\CPE.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\OLQT.exe | C:\windows\system\CAFFC.exe | N/A |
| File created | C:\windows\SysWOW64\DLKAQO.exe | C:\windows\system\XLCM.exe | N/A |
| File created | C:\windows\SysWOW64\JAFAWJM.exe | C:\windows\system\UKQ.exe | N/A |
| File created | C:\windows\SysWOW64\AJWXU.exe | C:\windows\SysWOW64\HRPML.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\AJWXU.exe | C:\windows\SysWOW64\HRPML.exe | N/A |
| File created | C:\windows\SysWOW64\ASVML.exe | C:\windows\OZAC.exe | N/A |
| File created | C:\windows\SysWOW64\IBT.exe.bat | C:\windows\system\FTYQG.exe | N/A |
| File created | C:\windows\SysWOW64\YOSSFPH.exe | C:\windows\system\OVJSB.exe | N/A |
| File created | C:\windows\SysWOW64\NYRS.exe.bat | C:\windows\SysWOW64\FLFL.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\HMV.exe.bat | C:\windows\system\TTFBH.exe | N/A |
| File opened for modification | C:\windows\QKATKVI.exe | C:\windows\system\HUFRRSZ.exe | N/A |
| File opened for modification | C:\windows\CHH.exe | C:\windows\XGTXI.exe | N/A |
| File created | C:\windows\system\WTRURLR.exe.bat | C:\windows\system\OOFOHMO.exe | N/A |
| File opened for modification | C:\windows\VWCF.exe | C:\windows\system\WTRURLR.exe | N/A |
| File created | C:\windows\system\ORYHIQX.exe.bat | C:\windows\SysWOW64\TETYY.exe | N/A |
| File created | C:\windows\system\TTFBH.exe | C:\windows\VYGSCFR.exe | N/A |
| File created | C:\windows\MNSD.exe.bat | C:\windows\system\TKO.exe | N/A |
| File created | C:\windows\system\VGE.exe.bat | C:\windows\system\FQR.exe | N/A |
| File opened for modification | C:\windows\OIQRD.exe | C:\windows\SysWOW64\TVL.exe | N/A |
| File created | C:\windows\system\HOALD.exe.bat | C:\windows\NSHVP.exe | N/A |
| File created | C:\windows\system\MARFO.exe.bat | C:\windows\system\LXFBJU.exe | N/A |
| File opened for modification | C:\windows\VABXAI.exe | C:\windows\LPRP.exe | N/A |
| File created | C:\windows\CSYF.exe.bat | C:\windows\VABXAI.exe | N/A |
| File opened for modification | C:\windows\system\HUFRRSZ.exe | C:\windows\SysWOW64\ORC.exe | N/A |
| File created | C:\windows\system\CLFQ.exe | C:\windows\system\VVE.exe | N/A |
| File created | C:\windows\LCQ.exe | C:\windows\system\PWDOC.exe | N/A |
| File created | C:\windows\XBGQ.exe.bat | C:\windows\system\NEAE.exe | N/A |
| File opened for modification | C:\windows\OZAC.exe | C:\windows\SysWOW64\VMHDWT.exe | N/A |
| File created | C:\windows\system\HKQWIAS.exe | C:\windows\SZZ.exe | N/A |
| File created | C:\windows\system\VVE.exe | C:\windows\system\FQFR.exe | N/A |
| File created | C:\windows\system\HOALD.exe | C:\windows\NSHVP.exe | N/A |
| File created | C:\windows\WIX.exe | C:\windows\SysWOW64\ASVML.exe | N/A |
| File opened for modification | C:\windows\BRCYI.exe | C:\windows\ZJHJ.exe | N/A |
| File opened for modification | C:\windows\system\HYF.exe | C:\windows\TCTO.exe | N/A |
| File created | C:\windows\DSFSGAE.exe | C:\windows\system\YSRY.exe | N/A |
| File created | C:\windows\system\HOU.exe | C:\windows\SysWOW64\OLQT.exe | N/A |
| File opened for modification | C:\windows\system\VVE.exe | C:\windows\system\FQFR.exe | N/A |
| File created | C:\windows\APLPKJ.exe | C:\windows\SysWOW64\IMTEAGG.exe | N/A |
| File created | C:\windows\TXWR.exe | C:\windows\GUSLH.exe | N/A |
| File created | C:\windows\BANI.exe | C:\windows\SysWOW64\JSYD.exe | N/A |
| File created | C:\windows\BANI.exe.bat | C:\windows\SysWOW64\JSYD.exe | N/A |
| File created | C:\windows\system\CGFAL.exe.bat | C:\windows\system\VQPUIR.exe | N/A |
| File opened for modification | C:\windows\system\UAGBO.exe | C:\windows\QKATKVI.exe | N/A |
| File created | C:\windows\system\FQR.exe.bat | C:\windows\system\BPVMZ.exe | N/A |
| File opened for modification | C:\windows\SZZ.exe | C:\windows\SysWOW64\IBT.exe | N/A |
| File created | C:\windows\SZZ.exe.bat | C:\windows\SysWOW64\IBT.exe | N/A |
| File opened for modification | C:\windows\TXWR.exe | C:\windows\GUSLH.exe | N/A |
| File created | C:\windows\SZZ.exe | C:\windows\SysWOW64\IBT.exe | N/A |
| File created | C:\windows\VWCF.exe | C:\windows\system\WTRURLR.exe | N/A |
| File opened for modification | C:\windows\RYQD.exe | C:\windows\SysWOW64\NIJDOQ.exe | N/A |
| File created | C:\windows\system\BHEFEH.exe | C:\windows\SysWOW64\AJWXU.exe | N/A |
| File created | C:\windows\system\WAYMK.exe | C:\windows\WIX.exe | N/A |
| File created | C:\windows\BRCYI.exe.bat | C:\windows\ZJHJ.exe | N/A |
| File opened for modification | C:\windows\system\HJCT.exe | C:\windows\SysWOW64\BORABFJ.exe | N/A |
| File created | C:\windows\WGL.exe | C:\windows\system\ZRYPQ.exe | N/A |
| File opened for modification | C:\windows\system\XLCM.exe | C:\windows\WNIL.exe | N/A |
| File opened for modification | C:\windows\system\CGFAL.exe | C:\windows\system\VQPUIR.exe | N/A |
| File created | C:\windows\WRMGP.exe | C:\windows\SysWOW64\JTA.exe | N/A |
| File opened for modification | C:\windows\CPE.exe | C:\windows\SysWOW64\UPWM.exe | N/A |
| File created | C:\windows\RYQD.exe | C:\windows\SysWOW64\NIJDOQ.exe | N/A |
| File opened for modification | C:\windows\KMB.exe | C:\windows\RYQD.exe | N/A |
| File created | C:\windows\WNIL.exe | C:\windows\SysWOW64\BHWHDT.exe | N/A |
| File opened for modification | C:\windows\BANI.exe | C:\windows\SysWOW64\JSYD.exe | N/A |
| File opened for modification | C:\windows\system\VQPUIR.exe | C:\windows\SysWOW64\KXUBA.exe | N/A |
| File created | C:\windows\EDWXM.exe.bat | C:\windows\NVHAA.exe | N/A |
| File opened for modification | C:\windows\system\DOVLYNO.exe | C:\windows\system\CLFQ.exe | N/A |
| File created | C:\windows\system\PTU.exe | C:\windows\SysWOW64\JAFAWJM.exe | N/A |
| File created | C:\windows\CHH.exe | C:\windows\XGTXI.exe | N/A |
| File opened for modification | C:\windows\system\TKO.exe | C:\windows\system\KMUGGVI.exe | N/A |
| File opened for modification | C:\windows\system\WAYMK.exe | C:\windows\WIX.exe | N/A |
| File created | C:\windows\ZJHJ.exe | C:\windows\system\WAYMK.exe | N/A |
| File created | C:\windows\system\CLFQ.exe.bat | C:\windows\system\VVE.exe | N/A |
| File opened for modification | C:\windows\LCQ.exe | C:\windows\system\PWDOC.exe | N/A |
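The two drop tables above show each stage writing the next stage as a randomly named .exe plus a same-named .exe.bat launcher into C:\windows\, C:\windows\system\ or C:\windows\SysWOW64\, so the "Process" column of one row is the "Indicator" of another. The Python below is an added example, not part of the sandbox report, that rebuilds that drop chain from table rows. Its input is a subset of the rows above copied verbatim; because the tables are truncated (VGE.exe, for instance, appears only through its .bat row), a created .exe.bat is treated as evidence of the stage it launches even when the matching .exe row was not captured.

```python
import ntpath
from collections import defaultdict

# Constructed input: rows copied verbatim from the two drop tables above.
SAMPLE_ROWS = r"""
| File created | C:\windows\SysWOW64\FLFL.exe.bat | C:\windows\system\ASRRUW.exe | N/A |
| File created | C:\windows\SysWOW64\FLFL.exe | C:\windows\system\ASRRUW.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\FLFL.exe | C:\windows\system\ASRRUW.exe | N/A |
| File created | C:\windows\SysWOW64\NYRS.exe | C:\windows\SysWOW64\FLFL.exe | N/A |
| File created | C:\windows\SysWOW64\NYRS.exe.bat | C:\windows\SysWOW64\FLFL.exe | N/A |
| File created | C:\windows\system\VGE.exe.bat | C:\windows\system\FQR.exe | N/A |
| File created | C:\windows\SysWOW64\HRPML.exe | C:\windows\system\VGE.exe | N/A |
| File created | C:\windows\SysWOW64\HRPML.exe.bat | C:\windows\system\VGE.exe | N/A |
| File created | C:\windows\SysWOW64\AJWXU.exe | C:\windows\SysWOW64\HRPML.exe | N/A |
| File created | C:\windows\SysWOW64\AJWXU.exe.bat | C:\windows\SysWOW64\HRPML.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\AJWXU.exe | C:\windows\SysWOW64\HRPML.exe | N/A |
| File created | C:\windows\system\BHEFEH.exe | C:\windows\SysWOW64\AJWXU.exe | N/A |
"""


def parse_rows(text):
    """Yield (action, path, process) from the pipe-delimited table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0].startswith("File "):
            yield cells[0], cells[1], cells[2]


def build_drop_graph(rows):
    """Map each dropper (lower-cased path) to the stage executables it wrote.
    A '<stage>.exe.bat' row counts as evidence of '<stage>.exe' as well, and
    the set of stages that received a launcher is returned separately."""
    children = defaultdict(list)   # dropper path (lower) -> [stage paths]
    launcher = set()               # stage paths (lower) that got a .exe.bat
    for _action, path, proc in rows:
        if path.lower().endswith(".exe.bat"):
            stage = path[:-4]
            launcher.add(stage.lower())
        elif path.lower().endswith(".exe"):
            stage = path
        else:
            continue
        known = children[proc.lower()]
        if stage.lower() not in (s.lower() for s in known):
            known.append(stage)
    return children, launcher


def walk_chain(children, start):
    """Follow drop edges from `start` and return the stage basenames in
    order. A visited set guards against cycles; branches are walked
    depth-first (each stage in this sample drops exactly one successor)."""
    order, seen, stack = [], set(), [start]
    while stack:
        node = stack.pop()
        key = node.lower()
        if key in seen:
            continue
        seen.add(key)
        order.append(ntpath.basename(node))
        stack.extend(reversed(children.get(key, [])))
    return order


def stages_without_launcher(children, launcher):
    """Stages dropped as .exe for which no matching .exe.bat is in evidence;
    in a truncated table this is where to look for the missing rows."""
    dropped = {s for kids in children.values() for s in kids}
    return sorted(ntpath.basename(s) for s in dropped
                  if s.lower() not in launcher)


if __name__ == "__main__":
    graph, bats = build_drop_graph(parse_rows(SAMPLE_ROWS))
    print(" -> ".join(walk_chain(graph, r"C:\windows\system\FQR.exe")))
    print("no launcher seen:", stages_without_launcher(graph, bats))
```

Running it on the full tables rather than this subset joins the separate fragments (the WNIL.exe / XLCM.exe / DLKAQO.exe / RGWAWD.exe rows, for example) into the same ordered chain the process list below records as cmd.exe launches.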
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHOT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 972 -ip 972
C:\windows\SysWOW64\VHOT.exe
C:\windows\system32\VHOT.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 996
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHWHDT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1004
C:\windows\SysWOW64\BHWHDT.exe
C:\windows\system32\BHWHDT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WNIL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2140 -ip 2140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1324
C:\windows\WNIL.exe
C:\windows\WNIL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\XLCM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1040 -ip 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1336
C:\windows\system\XLCM.exe
C:\windows\system\XLCM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLKAQO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1328
C:\windows\SysWOW64\DLKAQO.exe
C:\windows\system32\DLKAQO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGWAWD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1840 -ip 1840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1328
C:\windows\SysWOW64\RGWAWD.exe
C:\windows\system32\RGWAWD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1220
C:\windows\SysWOW64\EEI.exe
C:\windows\system32\EEI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XXSET.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 964
C:\windows\SysWOW64\XXSET.exe
C:\windows\system32\XXSET.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OAKOD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 960
C:\windows\SysWOW64\OAKOD.exe
C:\windows\system32\OAKOD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YYQJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4720 -ip 4720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 988
C:\windows\SysWOW64\YYQJ.exe
C:\windows\system32\YYQJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KBAWTJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3032 -ip 3032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 976
C:\windows\KBAWTJ.exe
C:\windows\KBAWTJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AROGBQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 960
C:\windows\AROGBQ.exe
C:\windows\AROGBQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUEB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1336
C:\windows\system\AUEB.exe
C:\windows\system\AUEB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JSYD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1264
C:\windows\SysWOW64\JSYD.exe
C:\windows\system32\JSYD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BANI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4728 -ip 4728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 960
C:\windows\BANI.exe
C:\windows\BANI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VYGSCFR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2276 -ip 2276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1252
C:\windows\VYGSCFR.exe
C:\windows\VYGSCFR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTFBH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3812 -ip 3812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1248
C:\windows\system\TTFBH.exe
C:\windows\system\TTFBH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\HMV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1292
C:\windows\HMV.exe
C:\windows\HMV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BZAA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1328
C:\windows\SysWOW64\BZAA.exe
C:\windows\system32\BZAA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KXUBA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960
C:\windows\SysWOW64\KXUBA.exe
C:\windows\system32\KXUBA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VQPUIR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4968 -ip 4968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1304
C:\windows\system\VQPUIR.exe
C:\windows\system\VQPUIR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGFAL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1248
C:\windows\system\CGFAL.exe
C:\windows\system\CGFAL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IGMOCCB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1380 -ip 1380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1324
C:\windows\IGMOCCB.exe
C:\windows\IGMOCCB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ORC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3452 -ip 3452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 988
C:\windows\SysWOW64\ORC.exe
C:\windows\system32\ORC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HUFRRSZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 960
C:\windows\system\HUFRRSZ.exe
C:\windows\system\HUFRRSZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\QKATKVI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 948 -ip 948
C:\windows\QKATKVI.exe
C:\windows\QKATKVI.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1228
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UAGBO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1084 -ip 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1336
C:\windows\system\UAGBO.exe
C:\windows\system\UAGBO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IQWH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1288
C:\windows\IQWH.exe
C:\windows\IQWH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1204
C:\windows\SysWOW64\JTA.exe
C:\windows\system32\JTA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2860 -ip 2860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 960
C:\windows\WRMGP.exe
C:\windows\WRMGP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKJPHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3396 -ip 3396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1268
C:\windows\SysWOW64\DKJPHJ.exe
C:\windows\system32\DKJPHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\UKQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1280
C:\windows\system\UKQ.exe
C:\windows\system\UKQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAFAWJM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1148 -ip 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1308
C:\windows\SysWOW64\JAFAWJM.exe
C:\windows\system32\JAFAWJM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1316
C:\windows\system\PTU.exe
C:\windows\system\PTU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\PZH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4720 -ip 4720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 960
C:\windows\PZH.exe
C:\windows\PZH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUTQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1612 -ip 1612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1296
C:\windows\SysWOW64\DUTQ.exe
C:\windows\system32\DUTQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAMDT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4852 -ip 4852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 988
C:\windows\SysWOW64\KAMDT.exe
C:\windows\system32\KAMDT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SNRK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 960
C:\windows\SNRK.exe
C:\windows\SNRK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IDEBMD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 960
C:\windows\IDEBMD.exe
C:\windows\IDEBMD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEAE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1304
C:\windows\system\NEAE.exe
C:\windows\system\NEAE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XBGQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2936 -ip 2936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1260
C:\windows\XBGQ.exe
C:\windows\XBGQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRTI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1296
C:\windows\SysWOW64\MRTI.exe
C:\windows\system32\MRTI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3664 -ip 3664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 960
C:\windows\SysWOW64\RFH.exe
C:\windows\system32\RFH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFVSSO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1336
C:\windows\system\WFVSSO.exe
C:\windows\system\WFVSSO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LVJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1324
C:\windows\LVJ.exe
C:\windows\LVJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XGTXI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 960
C:\windows\XGTXI.exe
C:\windows\XGTXI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CHH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1296
C:\windows\CHH.exe
C:\windows\CHH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMUGGVI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1452 -ip 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 960
C:\windows\system\KMUGGVI.exe
C:\windows\system\KMUGGVI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4748 -ip 4748
C:\windows\system\TKO.exe
C:\windows\system\TKO.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1004
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2752 -ip 2752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 960
C:\windows\MNSD.exe
C:\windows\MNSD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJLN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 960
C:\windows\SysWOW64\LJLN.exe
C:\windows\system32\LJLN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\YTTM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4048 -ip 4048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1236
C:\windows\YTTM.exe
C:\windows\YTTM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LEEZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4316 -ip 4316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1292
C:\windows\SysWOW64\LEEZ.exe
C:\windows\system32\LEEZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1328
C:\windows\SysWOW64\JPG.exe
C:\windows\system32\JPG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPVMZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4620 -ip 4620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1248
C:\windows\system\BPVMZ.exe
C:\windows\system\BPVMZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3312 -ip 3312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 988
C:\windows\system\FQR.exe
C:\windows\system\FQR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1304
C:\windows\system\VGE.exe
C:\windows\system\VGE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRPML.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3264 -ip 3264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 960
C:\windows\SysWOW64\HRPML.exe
C:\windows\system32\HRPML.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1328
C:\windows\SysWOW64\AJWXU.exe
C:\windows\system32\AJWXU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHEFEH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 224 -ip 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1336
C:\windows\system\BHEFEH.exe
C:\windows\system\BHEFEH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKVE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1308
C:\windows\system\OKVE.exe
C:\windows\system\OKVE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IGGU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4616 -ip 4616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1304
C:\windows\SysWOW64\IGGU.exe
C:\windows\system32\IGGU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\IBZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 960
C:\windows\IBZ.exe
C:\windows\IBZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1528 -ip 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 988
C:\windows\SysWOW64\VMHDWT.exe
C:\windows\system32\VMHDWT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OZAC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 464 -ip 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1236
C:\windows\OZAC.exe
C:\windows\OZAC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASVML.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1328
C:\windows\SysWOW64\ASVML.exe
C:\windows\system32\ASVML.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WIX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 988
C:\windows\WIX.exe
C:\windows\WIX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1264
C:\windows\system\WAYMK.exe
C:\windows\system\WAYMK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZJHJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2724 -ip 2724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 960
C:\windows\ZJHJ.exe
C:\windows\ZJHJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\BRCYI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1324
C:\windows\BRCYI.exe
C:\windows\BRCYI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICRGRCQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1332
C:\windows\SysWOW64\ICRGRCQ.exe
C:\windows\system32\ICRGRCQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCBIDGY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 988
C:\windows\system\FCBIDGY.exe
C:\windows\system\FCBIDGY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 988
C:\windows\system\LXFBJU.exe
C:\windows\system\LXFBJU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MARFO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 988
C:\windows\system\MARFO.exe
C:\windows\system\MARFO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTYQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1316
C:\windows\system\FTYQG.exe
C:\windows\system\FTYQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1308
C:\windows\SysWOW64\IBT.exe
C:\windows\system32\IBT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SZZ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 960
C:\windows\SZZ.exe
C:\windows\SZZ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HKQWIAS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1544 -ip 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 960
C:\windows\system\HKQWIAS.exe
C:\windows\system\HKQWIAS.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TCTO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1004
C:\windows\TCTO.exe
C:\windows\TCTO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 988
C:\windows\system\HYF.exe
C:\windows\system\HYF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQUQOE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1308
C:\windows\SysWOW64\FQUQOE.exe
C:\windows\system32\FQUQOE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\MWNLDQI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1268
C:\windows\MWNLDQI.exe
C:\windows\MWNLDQI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1296
C:\windows\SysWOW64\UPWM.exe
C:\windows\system32\UPWM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CPE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 960
C:\windows\CPE.exe
C:\windows\CPE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNKTF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1300
C:\windows\SysWOW64\MNKTF.exe
C:\windows\system32\MNKTF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\SYOI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 960
C:\windows\SYOI.exe
C:\windows\SYOI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\SDOW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 960
C:\windows\system\SDOW.exe
C:\windows\system\SDOW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZAXIR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1328
C:\windows\SysWOW64\YZAXIR.exe
C:\windows\system32\YZAXIR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VPUV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4552 -ip 4552
C:\windows\VPUV.exe
C:\windows\VPUV.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1316
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DCGC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3316 -ip 3316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 960
C:\windows\DCGC.exe
C:\windows\DCGC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 848 -ip 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1308
C:\windows\SysWOW64\PFDH.exe
C:\windows\system32\PFDH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2036 -ip 2036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1308
C:\windows\SysWOW64\NYGXXW.exe
C:\windows\system32\NYGXXW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWYKO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1256
C:\windows\SysWOW64\XWYKO.exe
C:\windows\system32\XWYKO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GUSLH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 724 -ip 724
C:\windows\GUSLH.exe
C:\windows\GUSLH.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1324
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TXWR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3252 -ip 3252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1324
C:\windows\TXWR.exe
C:\windows\TXWR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TVL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1296
C:\windows\SysWOW64\TVL.exe
C:\windows\system32\TVL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\OIQRD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4892 -ip 4892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1288
C:\windows\OIQRD.exe
C:\windows\OIQRD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\TJE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2516 -ip 2516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1296
C:\windows\TJE.exe
C:\windows\TJE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BORABFJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1636 -ip 1636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1328
C:\windows\SysWOW64\BORABFJ.exe
C:\windows\system32\BORABFJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HJCT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1336
C:\windows\system\HJCT.exe
C:\windows\system\HJCT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSRY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 848 -ip 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 996
C:\windows\system\YSRY.exe
C:\windows\system\YSRY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\DSFSGAE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3204 -ip 3204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1204
C:\windows\DSFSGAE.exe
C:\windows\DSFSGAE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PVPG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2744 -ip 2744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1264
C:\windows\SysWOW64\PVPG.exe
C:\windows\system32\PVPG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOFOHMO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1316
C:\windows\system\OOFOHMO.exe
C:\windows\system\OOFOHMO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WTRURLR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 960
C:\windows\system\WTRURLR.exe
C:\windows\system\WTRURLR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VWCF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4968 -ip 4968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1324
C:\windows\VWCF.exe
C:\windows\VWCF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSNGHK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2928 -ip 2928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1248
C:\windows\system\BSNGHK.exe
C:\windows\system\BSNGHK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSCDTB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1216
C:\windows\SysWOW64\TSCDTB.exe
C:\windows\system32\TSCDTB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFNB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960
C:\windows\SysWOW64\UFNB.exe
C:\windows\system32\UFNB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1036 -ip 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1336
C:\windows\system\ZRYPQ.exe
C:\windows\system\ZRYPQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WGL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4156 -ip 4156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 960
C:\windows\WGL.exe
C:\windows\WGL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWHQG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4904 -ip 4904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 976
C:\windows\SysWOW64\LWHQG.exe
C:\windows\system32\LWHQG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WAYSTXE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 960
C:\windows\WAYSTXE.exe
C:\windows\WAYSTXE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAFFC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1276
C:\windows\system\CAFFC.exe
C:\windows\system\CAFFC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLQT.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1264
C:\windows\SysWOW64\OLQT.exe
C:\windows\system32\OLQT.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOU.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2356 -ip 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1320
C:\windows\system\HOU.exe
C:\windows\system\HOU.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BBFNFH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4552 -ip 4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1272
C:\windows\SysWOW64\BBFNFH.exe
C:\windows\system32\BBFNFH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YRB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1248
C:\windows\system\YRB.exe
C:\windows\system\YRB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ENE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1264
C:\windows\SysWOW64\ENE.exe
C:\windows\system32\ENE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LXBFSK.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1544 -ip 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 988
C:\windows\SysWOW64\LXBFSK.exe
C:\windows\system32\LXBFSK.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NVHAA.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1324
C:\windows\NVHAA.exe
C:\windows\NVHAA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EDWXM.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1324
C:\windows\EDWXM.exe
C:\windows\EDWXM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TETYY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1844 -ip 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960
C:\windows\SysWOW64\TETYY.exe
C:\windows\system32\TETYY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORYHIQX.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3748 -ip 3748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1336
C:\windows\system\ORYHIQX.exe
C:\windows\system\ORYHIQX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPXRZQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1836 -ip 1836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1328
C:\windows\SysWOW64\LPXRZQ.exe
C:\windows\system32\LPXRZQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQRE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2244 -ip 2244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1336
C:\windows\system\DQRE.exe
C:\windows\system\DQRE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NIJDOQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 960
C:\windows\SysWOW64\NIJDOQ.exe
C:\windows\system32\NIJDOQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RYQD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 444 -ip 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1324
C:\windows\RYQD.exe
C:\windows\RYQD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KMB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3488 -ip 3488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1000
C:\windows\KMB.exe
C:\windows\KMB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LPRP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4744 -ip 4744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 960
C:\windows\LPRP.exe
C:\windows\LPRP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VABXAI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3708 -ip 3708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1324
C:\windows\VABXAI.exe
C:\windows\VABXAI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CSYF.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1324
C:\windows\CSYF.exe
C:\windows\CSYF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVJSB.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4616 -ip 4616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 960
C:\windows\system\OVJSB.exe
C:\windows\system\OVJSB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YOSSFPH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1308
C:\windows\SysWOW64\YOSSFPH.exe
C:\windows\system32\YOSSFPH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJCWY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2464 -ip 2464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1308
C:\windows\SysWOW64\NJCWY.exe
C:\windows\system32\NJCWY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ENBWL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3344 -ip 3344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1004
C:\windows\system\ENBWL.exe
C:\windows\system\ENBWL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQFR.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3464 -ip 3464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1336
C:\windows\system\FQFR.exe
C:\windows\system\FQFR.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVE.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 860 -ip 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 960
C:\windows\system\VVE.exe
C:\windows\system\VVE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLFQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1592 -ip 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1248
C:\windows\system\CLFQ.exe
C:\windows\system\CLFQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOVLYNO.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1316
C:\windows\system\DOVLYNO.exe
C:\windows\system\DOVLYNO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\WCUJDP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 544 -ip 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 960
C:\windows\WCUJDP.exe
C:\windows\WCUJDP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XFGFI.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960
C:\windows\XFGFI.exe
C:\windows\XFGFI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCYSZH.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1528 -ip 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 960
C:\windows\system\HCYSZH.exe
C:\windows\system\HCYSZH.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BQC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2244 -ip 2244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1328
C:\windows\SysWOW64\BQC.exe
C:\windows\system32\BQC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IVWWY.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2764 -ip 2764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 960
C:\windows\SysWOW64\IVWWY.exe
C:\windows\system32\IVWWY.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRAGISV.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 872
C:\windows\SysWOW64\DRAGISV.exe
C:\windows\system32\DRAGISV.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NJKN.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1172
C:\windows\NJKN.exe
C:\windows\NJKN.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IMTEAGG.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1000
C:\windows\SysWOW64\IMTEAGG.exe
C:\windows\system32\IMTEAGG.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\APLPKJ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1324
C:\windows\APLPKJ.exe
C:\windows\APLPKJ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\NSHVP.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1300
C:\windows\NSHVP.exe
C:\windows\NSHVP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOALD.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2344 -ip 2344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 960
C:\windows\system\HOALD.exe
C:\windows\system\HOALD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KWWAL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1328
C:\windows\SysWOW64\KWWAL.exe
C:\windows\system32\KWWAL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWDOC.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1328
C:\windows\system\PWDOC.exe
C:\windows\system\PWDOC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LCQ.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1608 -ip 1608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 960
C:\windows\LCQ.exe
C:\windows\LCQ.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASRRUW.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1272
C:\windows\system\ASRRUW.exe
C:\windows\system\ASRRUW.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FLFL.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1328
C:\windows\SysWOW64\FLFL.exe
C:\windows\system32\FLFL.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYRS.exe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1328
C:\windows\SysWOW64\NYRS.exe
C:\windows\system32\NYRS.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 09:27
Reported
2024-06-02 09:30
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\HSRYAY.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\HSRYAY.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| File opened for modification | C:\windows\SysWOW64\HSRYAY.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| File created | C:\windows\SysWOW64\HSRYAY.exe.bat | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\HSRYAY.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\HSRYAY.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\HSRYAY.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\HSRYAY.exe.bat" "
C:\windows\SysWOW64\HSRYAY.exe
C:\windows\system32\HSRYAY.exe
Network
Files
memory/1728-0-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Windows\SysWOW64\HSRYAY.exe.bat
| MD5 | 4b0f610bf1667966002a02f46d7a1d51 |
| SHA1 | 85674de999191979cd04d677dfffe179458b064e |
| SHA256 | 18283876c013daf991475f554319c161959737e18f5eeb410bb73ca6a43946d0 |
| SHA512 | 40b8a947dbd18b651d9ebfcfcbb363a9ff9a9ac4a84bee629d2ae9c61dbeba20a2e5ce226f001fa34fbb83924d643790da848c846b658ee3d3502efdb727f88b |
memory/1728-12-0x0000000000400000-0x0000000000439000-memory.dmp
\Windows\SysWOW64\HSRYAY.exe
| MD5 | 363415799eff2996bc7df008d64c2f3c |
| SHA1 | 45e3ef30b8e4f3283618d3046073b63d7600671b |
| SHA256 | e76e2bfc1591a0a8c884c8986ef7b77a33b59009b2fb9e04667aa4589effde0f |
| SHA512 | 7a733e51ae4e7f2a1db5133cddf7d359fc97118f4813df21d6e14d22d41a505785899316757b43d43fff873bfe503ea0cb865a476953a681a75341dca79729bb |
memory/1036-16-0x00000000005D0000-0x0000000000609000-memory.dmp
memory/2532-19-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp