Malware Analysis Report

2024-10-16 04:40

Sample ID 240602-le6d3ahb9t
Target virussign.com_27eee676babdd6aa1be84531f1f58910.vir
SHA256 27f6e903ed0b57e2f6ce26edebb64eb7d298c23438eaee11a102b98994e6ccde
Tags
backdoor dropper trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27f6e903ed0b57e2f6ce26edebb64eb7d298c23438eaee11a102b98994e6ccde

Threat Level: Known bad

The file virussign.com_27eee676babdd6aa1be84531f1f58910.vir was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 09:27

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 09:27

Reported

2024-06-02 09:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\ZRYPQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\OLQT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\FQFR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\NJKN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\XXSET.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\BANI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\KXUBA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\TXWR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\XBGQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\KMUGGVI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\YTTM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LEEZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\VWCF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\HOU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\NJCWY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\FLFL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\DLKAQO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\IQWH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\VGE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\WTRURLR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PFDH.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\WNIL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\UAGBO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\LVJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\VMHDWT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\SDOW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\PVPG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\EDWXM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\NSHVP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\TETYY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\XLCM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\HUFRRSZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\OKVE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\DSFSGAE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\IBZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\LWHQG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\WAYSTXE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\OZAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\OIQRD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\BHWHDT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\RGWAWD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\YYQJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\AROGBQ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\KAMDT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\WFVSSO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\ASRRUW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\MARFO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\BORABFJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\SysWOW64\HRPML.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\ZJHJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\BRCYI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\LXFBJU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\WRMGP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\IDEBMD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\FQR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\DOVLYNO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\TCTO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\RYQD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\OOFOHMO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\HOALD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\PWDOC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\PTU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\windows\system\NEAE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\VHOT.exe N/A
N/A N/A C:\windows\SysWOW64\BHWHDT.exe N/A
N/A N/A C:\windows\WNIL.exe N/A
N/A N/A C:\windows\system\XLCM.exe N/A
N/A N/A C:\windows\SysWOW64\DLKAQO.exe N/A
N/A N/A C:\windows\SysWOW64\RGWAWD.exe N/A
N/A N/A C:\windows\SysWOW64\EEI.exe N/A
N/A N/A C:\windows\SysWOW64\XXSET.exe N/A
N/A N/A C:\windows\SysWOW64\OAKOD.exe N/A
N/A N/A C:\windows\SysWOW64\YYQJ.exe N/A
N/A N/A C:\windows\KBAWTJ.exe N/A
N/A N/A C:\windows\AROGBQ.exe N/A
N/A N/A C:\windows\system\AUEB.exe N/A
N/A N/A C:\windows\SysWOW64\JSYD.exe N/A
N/A N/A C:\windows\BANI.exe N/A
N/A N/A C:\windows\VYGSCFR.exe N/A
N/A N/A C:\windows\system\TTFBH.exe N/A
N/A N/A C:\windows\HMV.exe N/A
N/A N/A C:\windows\SysWOW64\BZAA.exe N/A
N/A N/A C:\windows\SysWOW64\KXUBA.exe N/A
N/A N/A C:\windows\system\VQPUIR.exe N/A
N/A N/A C:\windows\system\CGFAL.exe N/A
N/A N/A C:\windows\IGMOCCB.exe N/A
N/A N/A C:\windows\SysWOW64\ORC.exe N/A
N/A N/A C:\windows\system\HUFRRSZ.exe N/A
N/A N/A C:\windows\QKATKVI.exe N/A
N/A N/A C:\windows\system\UAGBO.exe N/A
N/A N/A C:\windows\IQWH.exe N/A
N/A N/A C:\windows\SysWOW64\JTA.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\SysWOW64\DKJPHJ.exe N/A
N/A N/A C:\windows\system\UKQ.exe N/A
N/A N/A C:\windows\SysWOW64\JAFAWJM.exe N/A
N/A N/A C:\windows\system\PTU.exe N/A
N/A N/A C:\windows\PZH.exe N/A
N/A N/A C:\windows\SysWOW64\DUTQ.exe N/A
N/A N/A C:\windows\SysWOW64\KAMDT.exe N/A
N/A N/A C:\windows\SNRK.exe N/A
N/A N/A C:\windows\IDEBMD.exe N/A
N/A N/A C:\windows\system\NEAE.exe N/A
N/A N/A C:\windows\XBGQ.exe N/A
N/A N/A C:\windows\SysWOW64\MRTI.exe N/A
N/A N/A C:\windows\SysWOW64\RFH.exe N/A
N/A N/A C:\windows\system\WFVSSO.exe N/A
N/A N/A C:\windows\LVJ.exe N/A
N/A N/A C:\windows\XGTXI.exe N/A
N/A N/A C:\windows\CHH.exe N/A
N/A N/A C:\windows\system\KMUGGVI.exe N/A
N/A N/A C:\windows\system\TKO.exe N/A
N/A N/A C:\windows\MNSD.exe N/A
N/A N/A C:\windows\SysWOW64\LJLN.exe N/A
N/A N/A C:\windows\YTTM.exe N/A
N/A N/A C:\windows\SysWOW64\LEEZ.exe N/A
N/A N/A C:\windows\SysWOW64\JPG.exe N/A
N/A N/A C:\windows\system\BPVMZ.exe N/A
N/A N/A C:\windows\system\FQR.exe N/A
N/A N/A C:\windows\system\VGE.exe N/A
N/A N/A C:\windows\SysWOW64\HRPML.exe N/A
N/A N/A C:\windows\SysWOW64\AJWXU.exe N/A
N/A N/A C:\windows\system\BHEFEH.exe N/A
N/A N/A C:\windows\system\OKVE.exe N/A
N/A N/A C:\windows\SysWOW64\IGGU.exe N/A
N/A N/A C:\windows\IBZ.exe N/A
N/A N/A C:\windows\SysWOW64\VMHDWT.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\OAKOD.exe C:\windows\SysWOW64\XXSET.exe N/A
File created C:\windows\SysWOW64\UPWM.exe.bat C:\windows\MWNLDQI.exe N/A
File created C:\windows\SysWOW64\JSYD.exe.bat C:\windows\system\AUEB.exe N/A
File created C:\windows\SysWOW64\JTA.exe.bat C:\windows\IQWH.exe N/A
File opened for modification C:\windows\SysWOW64\DUTQ.exe C:\windows\PZH.exe N/A
File created C:\windows\SysWOW64\OLQT.exe.bat C:\windows\system\CAFFC.exe N/A
File opened for modification C:\windows\SysWOW64\BBFNFH.exe C:\windows\system\HOU.exe N/A
File created C:\windows\SysWOW64\LXBFSK.exe.bat C:\windows\SysWOW64\ENE.exe N/A
File created C:\windows\SysWOW64\AJWXU.exe.bat C:\windows\SysWOW64\HRPML.exe N/A
File created C:\windows\SysWOW64\IBT.exe C:\windows\system\FTYQG.exe N/A
File opened for modification C:\windows\SysWOW64\XWYKO.exe C:\windows\SysWOW64\NYGXXW.exe N/A
File created C:\windows\SysWOW64\FLFL.exe.bat C:\windows\system\ASRRUW.exe N/A
File created C:\windows\SysWOW64\NYRS.exe C:\windows\SysWOW64\FLFL.exe N/A
File created C:\windows\SysWOW64\DRAGISV.exe.bat C:\windows\SysWOW64\IVWWY.exe N/A
File created C:\windows\SysWOW64\RGWAWD.exe C:\windows\SysWOW64\DLKAQO.exe N/A
File opened for modification C:\windows\SysWOW64\JSYD.exe C:\windows\system\AUEB.exe N/A
File opened for modification C:\windows\SysWOW64\KXUBA.exe C:\windows\SysWOW64\BZAA.exe N/A
File opened for modification C:\windows\SysWOW64\LEEZ.exe C:\windows\YTTM.exe N/A
File created C:\windows\SysWOW64\LEEZ.exe.bat C:\windows\YTTM.exe N/A
File opened for modification C:\windows\SysWOW64\NIJDOQ.exe C:\windows\system\DQRE.exe N/A
File opened for modification C:\windows\SysWOW64\LPXRZQ.exe C:\windows\system\ORYHIQX.exe N/A
File created C:\windows\SysWOW64\FLFL.exe C:\windows\system\ASRRUW.exe N/A
File created C:\windows\SysWOW64\RGWAWD.exe.bat C:\windows\SysWOW64\DLKAQO.exe N/A
File opened for modification C:\windows\SysWOW64\MRTI.exe C:\windows\XBGQ.exe N/A
File opened for modification C:\windows\SysWOW64\JPG.exe C:\windows\SysWOW64\LEEZ.exe N/A
File created C:\windows\SysWOW64\HRPML.exe.bat C:\windows\system\VGE.exe N/A
File created C:\windows\SysWOW64\TVL.exe C:\windows\TXWR.exe N/A
File created C:\windows\SysWOW64\UFNB.exe C:\windows\SysWOW64\TSCDTB.exe N/A
File created C:\windows\SysWOW64\JTA.exe C:\windows\IQWH.exe N/A
File created C:\windows\SysWOW64\LEEZ.exe C:\windows\YTTM.exe N/A
File created C:\windows\SysWOW64\HRPML.exe C:\windows\system\VGE.exe N/A
File created C:\windows\SysWOW64\FQUQOE.exe.bat C:\windows\system\HYF.exe N/A
File created C:\windows\SysWOW64\NIJDOQ.exe.bat C:\windows\system\DQRE.exe N/A
File opened for modification C:\windows\SysWOW64\IGGU.exe C:\windows\system\OKVE.exe N/A
File created C:\windows\SysWOW64\OLQT.exe C:\windows\system\CAFFC.exe N/A
File created C:\windows\SysWOW64\TETYY.exe.bat C:\windows\EDWXM.exe N/A
File opened for modification C:\windows\SysWOW64\FLFL.exe C:\windows\system\ASRRUW.exe N/A
File opened for modification C:\windows\SysWOW64\YYQJ.exe C:\windows\SysWOW64\OAKOD.exe N/A
File created C:\windows\SysWOW64\YYQJ.exe.bat C:\windows\SysWOW64\OAKOD.exe N/A
File created C:\windows\SysWOW64\BZAA.exe.bat C:\windows\HMV.exe N/A
File opened for modification C:\windows\SysWOW64\VMHDWT.exe C:\windows\IBZ.exe N/A
File created C:\windows\SysWOW64\NYGXXW.exe.bat C:\windows\SysWOW64\PFDH.exe N/A
File opened for modification C:\windows\SysWOW64\PVPG.exe C:\windows\DSFSGAE.exe N/A
File created C:\windows\SysWOW64\MNKTF.exe C:\windows\CPE.exe N/A
File created C:\windows\SysWOW64\TSCDTB.exe.bat C:\windows\system\BSNGHK.exe N/A
File created C:\windows\SysWOW64\UFNB.exe.bat C:\windows\SysWOW64\TSCDTB.exe N/A
File opened for modification C:\windows\SysWOW64\DRAGISV.exe C:\windows\SysWOW64\IVWWY.exe N/A
File created C:\windows\SysWOW64\DRAGISV.exe C:\windows\SysWOW64\IVWWY.exe N/A
File created C:\windows\SysWOW64\DKJPHJ.exe C:\windows\WRMGP.exe N/A
File created C:\windows\SysWOW64\DKJPHJ.exe.bat C:\windows\WRMGP.exe N/A
File created C:\windows\SysWOW64\ICRGRCQ.exe.bat C:\windows\BRCYI.exe N/A
File created C:\windows\SysWOW64\UPWM.exe C:\windows\MWNLDQI.exe N/A
File created C:\windows\SysWOW64\TETYY.exe C:\windows\EDWXM.exe N/A
File created C:\windows\SysWOW64\LPXRZQ.exe.bat C:\windows\system\ORYHIQX.exe N/A
File opened for modification C:\windows\SysWOW64\MNKTF.exe C:\windows\CPE.exe N/A
File opened for modification C:\windows\SysWOW64\OLQT.exe C:\windows\system\CAFFC.exe N/A
File created C:\windows\SysWOW64\DLKAQO.exe C:\windows\system\XLCM.exe N/A
File created C:\windows\SysWOW64\JAFAWJM.exe C:\windows\system\UKQ.exe N/A
File created C:\windows\SysWOW64\AJWXU.exe C:\windows\SysWOW64\HRPML.exe N/A
File opened for modification C:\windows\SysWOW64\AJWXU.exe C:\windows\SysWOW64\HRPML.exe N/A
File created C:\windows\SysWOW64\ASVML.exe C:\windows\OZAC.exe N/A
File created C:\windows\SysWOW64\IBT.exe.bat C:\windows\system\FTYQG.exe N/A
File created C:\windows\SysWOW64\YOSSFPH.exe C:\windows\system\OVJSB.exe N/A
File created C:\windows\SysWOW64\NYRS.exe.bat C:\windows\SysWOW64\FLFL.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\HMV.exe.bat C:\windows\system\TTFBH.exe N/A
File opened for modification C:\windows\QKATKVI.exe C:\windows\system\HUFRRSZ.exe N/A
File opened for modification C:\windows\CHH.exe C:\windows\XGTXI.exe N/A
File created C:\windows\system\WTRURLR.exe.bat C:\windows\system\OOFOHMO.exe N/A
File opened for modification C:\windows\VWCF.exe C:\windows\system\WTRURLR.exe N/A
File created C:\windows\system\ORYHIQX.exe.bat C:\windows\SysWOW64\TETYY.exe N/A
File created C:\windows\system\TTFBH.exe C:\windows\VYGSCFR.exe N/A
File created C:\windows\MNSD.exe.bat C:\windows\system\TKO.exe N/A
File created C:\windows\system\VGE.exe.bat C:\windows\system\FQR.exe N/A
File opened for modification C:\windows\OIQRD.exe C:\windows\SysWOW64\TVL.exe N/A
File created C:\windows\system\HOALD.exe.bat C:\windows\NSHVP.exe N/A
File created C:\windows\system\MARFO.exe.bat C:\windows\system\LXFBJU.exe N/A
File opened for modification C:\windows\VABXAI.exe C:\windows\LPRP.exe N/A
File created C:\windows\CSYF.exe.bat C:\windows\VABXAI.exe N/A
File opened for modification C:\windows\system\HUFRRSZ.exe C:\windows\SysWOW64\ORC.exe N/A
File created C:\windows\system\CLFQ.exe C:\windows\system\VVE.exe N/A
File created C:\windows\LCQ.exe C:\windows\system\PWDOC.exe N/A
File created C:\windows\XBGQ.exe.bat C:\windows\system\NEAE.exe N/A
File opened for modification C:\windows\OZAC.exe C:\windows\SysWOW64\VMHDWT.exe N/A
File created C:\windows\system\HKQWIAS.exe C:\windows\SZZ.exe N/A
File created C:\windows\system\VVE.exe C:\windows\system\FQFR.exe N/A
File created C:\windows\system\HOALD.exe C:\windows\NSHVP.exe N/A
File created C:\windows\WIX.exe C:\windows\SysWOW64\ASVML.exe N/A
File opened for modification C:\windows\BRCYI.exe C:\windows\ZJHJ.exe N/A
File opened for modification C:\windows\system\HYF.exe C:\windows\TCTO.exe N/A
File created C:\windows\DSFSGAE.exe C:\windows\system\YSRY.exe N/A
File created C:\windows\system\HOU.exe C:\windows\SysWOW64\OLQT.exe N/A
File opened for modification C:\windows\system\VVE.exe C:\windows\system\FQFR.exe N/A
File created C:\windows\APLPKJ.exe C:\windows\SysWOW64\IMTEAGG.exe N/A
File created C:\windows\TXWR.exe C:\windows\GUSLH.exe N/A
File created C:\windows\BANI.exe C:\windows\SysWOW64\JSYD.exe N/A
File created C:\windows\BANI.exe.bat C:\windows\SysWOW64\JSYD.exe N/A
File created C:\windows\system\CGFAL.exe.bat C:\windows\system\VQPUIR.exe N/A
File opened for modification C:\windows\system\UAGBO.exe C:\windows\QKATKVI.exe N/A
File created C:\windows\system\FQR.exe.bat C:\windows\system\BPVMZ.exe N/A
File opened for modification C:\windows\SZZ.exe C:\windows\SysWOW64\IBT.exe N/A
File created C:\windows\SZZ.exe.bat C:\windows\SysWOW64\IBT.exe N/A
File opened for modification C:\windows\TXWR.exe C:\windows\GUSLH.exe N/A
File created C:\windows\SZZ.exe C:\windows\SysWOW64\IBT.exe N/A
File created C:\windows\VWCF.exe C:\windows\system\WTRURLR.exe N/A
File opened for modification C:\windows\RYQD.exe C:\windows\SysWOW64\NIJDOQ.exe N/A
File created C:\windows\system\BHEFEH.exe C:\windows\SysWOW64\AJWXU.exe N/A
File created C:\windows\system\WAYMK.exe C:\windows\WIX.exe N/A
File created C:\windows\BRCYI.exe.bat C:\windows\ZJHJ.exe N/A
File opened for modification C:\windows\system\HJCT.exe C:\windows\SysWOW64\BORABFJ.exe N/A
File created C:\windows\WGL.exe C:\windows\system\ZRYPQ.exe N/A
File opened for modification C:\windows\system\XLCM.exe C:\windows\WNIL.exe N/A
File opened for modification C:\windows\system\CGFAL.exe C:\windows\system\VQPUIR.exe N/A
File created C:\windows\WRMGP.exe C:\windows\SysWOW64\JTA.exe N/A
File opened for modification C:\windows\CPE.exe C:\windows\SysWOW64\UPWM.exe N/A
File created C:\windows\RYQD.exe C:\windows\SysWOW64\NIJDOQ.exe N/A
File opened for modification C:\windows\KMB.exe C:\windows\RYQD.exe N/A
File created C:\windows\WNIL.exe C:\windows\SysWOW64\BHWHDT.exe N/A
File opened for modification C:\windows\BANI.exe C:\windows\SysWOW64\JSYD.exe N/A
File opened for modification C:\windows\system\VQPUIR.exe C:\windows\SysWOW64\KXUBA.exe N/A
File created C:\windows\EDWXM.exe.bat C:\windows\NVHAA.exe N/A
File opened for modification C:\windows\system\DOVLYNO.exe C:\windows\system\CLFQ.exe N/A
File created C:\windows\system\PTU.exe C:\windows\SysWOW64\JAFAWJM.exe N/A
File created C:\windows\CHH.exe C:\windows\XGTXI.exe N/A
File opened for modification C:\windows\system\TKO.exe C:\windows\system\KMUGGVI.exe N/A
File opened for modification C:\windows\system\WAYMK.exe C:\windows\WIX.exe N/A
File created C:\windows\ZJHJ.exe C:\windows\system\WAYMK.exe N/A
File created C:\windows\system\CLFQ.exe.bat C:\windows\system\VVE.exe N/A
File opened for modification C:\windows\LCQ.exe C:\windows\system\PWDOC.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\VHOT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\BHWHDT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\WNIL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\XLCM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DLKAQO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RGWAWD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\EEI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\XXSET.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\OAKOD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\YYQJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\KBAWTJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\AROGBQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\AUEB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JSYD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\BANI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\VYGSCFR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\TTFBH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\HMV.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\BZAA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\KXUBA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VQPUIR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\CGFAL.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IGMOCCB.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\ORC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\HUFRRSZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\QKATKVI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\UAGBO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IQWH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JTA.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\WRMGP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DKJPHJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\UKQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JAFAWJM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\PTU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\PZH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\DUTQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\KAMDT.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SNRK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IDEBMD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\NEAE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XBGQ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\MRTI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\RFH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\WFVSSO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\LVJ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\XGTXI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\CHH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\KMUGGVI.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\TKO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\MNSD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LJLN.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\YTTM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\LEEZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\JPG.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BPVMZ.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\FQR.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\VGE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\HRPML.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\AJWXU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\BHEFEH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\system\OKVE.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\IGGU.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\IBZ.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
N/A N/A C:\windows\SysWOW64\VHOT.exe N/A
N/A N/A C:\windows\SysWOW64\VHOT.exe N/A
N/A N/A C:\windows\SysWOW64\BHWHDT.exe N/A
N/A N/A C:\windows\SysWOW64\BHWHDT.exe N/A
N/A N/A C:\windows\WNIL.exe N/A
N/A N/A C:\windows\WNIL.exe N/A
N/A N/A C:\windows\system\XLCM.exe N/A
N/A N/A C:\windows\system\XLCM.exe N/A
N/A N/A C:\windows\SysWOW64\DLKAQO.exe N/A
N/A N/A C:\windows\SysWOW64\DLKAQO.exe N/A
N/A N/A C:\windows\SysWOW64\RGWAWD.exe N/A
N/A N/A C:\windows\SysWOW64\RGWAWD.exe N/A
N/A N/A C:\windows\SysWOW64\EEI.exe N/A
N/A N/A C:\windows\SysWOW64\EEI.exe N/A
N/A N/A C:\windows\SysWOW64\XXSET.exe N/A
N/A N/A C:\windows\SysWOW64\XXSET.exe N/A
N/A N/A C:\windows\SysWOW64\OAKOD.exe N/A
N/A N/A C:\windows\SysWOW64\OAKOD.exe N/A
N/A N/A C:\windows\SysWOW64\YYQJ.exe N/A
N/A N/A C:\windows\SysWOW64\YYQJ.exe N/A
N/A N/A C:\windows\KBAWTJ.exe N/A
N/A N/A C:\windows\KBAWTJ.exe N/A
N/A N/A C:\windows\AROGBQ.exe N/A
N/A N/A C:\windows\AROGBQ.exe N/A
N/A N/A C:\windows\system\AUEB.exe N/A
N/A N/A C:\windows\system\AUEB.exe N/A
N/A N/A C:\windows\SysWOW64\JSYD.exe N/A
N/A N/A C:\windows\SysWOW64\JSYD.exe N/A
N/A N/A C:\windows\BANI.exe N/A
N/A N/A C:\windows\BANI.exe N/A
N/A N/A C:\windows\VYGSCFR.exe N/A
N/A N/A C:\windows\VYGSCFR.exe N/A
N/A N/A C:\windows\system\TTFBH.exe N/A
N/A N/A C:\windows\system\TTFBH.exe N/A
N/A N/A C:\windows\HMV.exe N/A
N/A N/A C:\windows\HMV.exe N/A
N/A N/A C:\windows\SysWOW64\BZAA.exe N/A
N/A N/A C:\windows\SysWOW64\BZAA.exe N/A
N/A N/A C:\windows\SysWOW64\KXUBA.exe N/A
N/A N/A C:\windows\SysWOW64\KXUBA.exe N/A
N/A N/A C:\windows\system\VQPUIR.exe N/A
N/A N/A C:\windows\system\VQPUIR.exe N/A
N/A N/A C:\windows\system\CGFAL.exe N/A
N/A N/A C:\windows\system\CGFAL.exe N/A
N/A N/A C:\windows\IGMOCCB.exe N/A
N/A N/A C:\windows\IGMOCCB.exe N/A
N/A N/A C:\windows\SysWOW64\ORC.exe N/A
N/A N/A C:\windows\SysWOW64\ORC.exe N/A
N/A N/A C:\windows\system\HUFRRSZ.exe N/A
N/A N/A C:\windows\system\HUFRRSZ.exe N/A
N/A N/A C:\windows\QKATKVI.exe N/A
N/A N/A C:\windows\QKATKVI.exe N/A
N/A N/A C:\windows\system\UAGBO.exe N/A
N/A N/A C:\windows\system\UAGBO.exe N/A
N/A N/A C:\windows\IQWH.exe N/A
N/A N/A C:\windows\IQWH.exe N/A
N/A N/A C:\windows\SysWOW64\JTA.exe N/A
N/A N/A C:\windows\SysWOW64\JTA.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\SysWOW64\DKJPHJ.exe N/A
N/A N/A C:\windows\SysWOW64\DKJPHJ.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
N/A N/A C:\windows\SysWOW64\VHOT.exe N/A
N/A N/A C:\windows\SysWOW64\VHOT.exe N/A
N/A N/A C:\windows\SysWOW64\BHWHDT.exe N/A
N/A N/A C:\windows\SysWOW64\BHWHDT.exe N/A
N/A N/A C:\windows\WNIL.exe N/A
N/A N/A C:\windows\WNIL.exe N/A
N/A N/A C:\windows\system\XLCM.exe N/A
N/A N/A C:\windows\system\XLCM.exe N/A
N/A N/A C:\windows\SysWOW64\DLKAQO.exe N/A
N/A N/A C:\windows\SysWOW64\DLKAQO.exe N/A
N/A N/A C:\windows\SysWOW64\RGWAWD.exe N/A
N/A N/A C:\windows\SysWOW64\RGWAWD.exe N/A
N/A N/A C:\windows\SysWOW64\EEI.exe N/A
N/A N/A C:\windows\SysWOW64\EEI.exe N/A
N/A N/A C:\windows\SysWOW64\XXSET.exe N/A
N/A N/A C:\windows\SysWOW64\XXSET.exe N/A
N/A N/A C:\windows\SysWOW64\OAKOD.exe N/A
N/A N/A C:\windows\SysWOW64\OAKOD.exe N/A
N/A N/A C:\windows\SysWOW64\YYQJ.exe N/A
N/A N/A C:\windows\SysWOW64\YYQJ.exe N/A
N/A N/A C:\windows\KBAWTJ.exe N/A
N/A N/A C:\windows\KBAWTJ.exe N/A
N/A N/A C:\windows\AROGBQ.exe N/A
N/A N/A C:\windows\AROGBQ.exe N/A
N/A N/A C:\windows\system\AUEB.exe N/A
N/A N/A C:\windows\system\AUEB.exe N/A
N/A N/A C:\windows\SysWOW64\JSYD.exe N/A
N/A N/A C:\windows\SysWOW64\JSYD.exe N/A
N/A N/A C:\windows\BANI.exe N/A
N/A N/A C:\windows\BANI.exe N/A
N/A N/A C:\windows\VYGSCFR.exe N/A
N/A N/A C:\windows\VYGSCFR.exe N/A
N/A N/A C:\windows\system\TTFBH.exe N/A
N/A N/A C:\windows\system\TTFBH.exe N/A
N/A N/A C:\windows\HMV.exe N/A
N/A N/A C:\windows\HMV.exe N/A
N/A N/A C:\windows\SysWOW64\BZAA.exe N/A
N/A N/A C:\windows\SysWOW64\BZAA.exe N/A
N/A N/A C:\windows\SysWOW64\KXUBA.exe N/A
N/A N/A C:\windows\SysWOW64\KXUBA.exe N/A
N/A N/A C:\windows\system\VQPUIR.exe N/A
N/A N/A C:\windows\system\VQPUIR.exe N/A
N/A N/A C:\windows\system\CGFAL.exe N/A
N/A N/A C:\windows\system\CGFAL.exe N/A
N/A N/A C:\windows\IGMOCCB.exe N/A
N/A N/A C:\windows\IGMOCCB.exe N/A
N/A N/A C:\windows\SysWOW64\ORC.exe N/A
N/A N/A C:\windows\SysWOW64\ORC.exe N/A
N/A N/A C:\windows\system\HUFRRSZ.exe N/A
N/A N/A C:\windows\system\HUFRRSZ.exe N/A
N/A N/A C:\windows\QKATKVI.exe N/A
N/A N/A C:\windows\QKATKVI.exe N/A
N/A N/A C:\windows\system\UAGBO.exe N/A
N/A N/A C:\windows\system\UAGBO.exe N/A
N/A N/A C:\windows\IQWH.exe N/A
N/A N/A C:\windows\IQWH.exe N/A
N/A N/A C:\windows\SysWOW64\JTA.exe N/A
N/A N/A C:\windows\SysWOW64\JTA.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\WRMGP.exe N/A
N/A N/A C:\windows\SysWOW64\DKJPHJ.exe N/A
N/A N/A C:\windows\SysWOW64\DKJPHJ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 4816 wrote to memory of 2624 N/A C:\windows\SysWOW64\VHOT.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2624 N/A C:\windows\SysWOW64\VHOT.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2624 N/A C:\windows\SysWOW64\VHOT.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\BHWHDT.exe
PID 2624 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\BHWHDT.exe
PID 2624 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\BHWHDT.exe
PID 2140 wrote to memory of 2100 N/A C:\windows\SysWOW64\BHWHDT.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2100 N/A C:\windows\SysWOW64\BHWHDT.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2100 N/A C:\windows\SysWOW64\BHWHDT.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WNIL.exe
PID 2100 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WNIL.exe
PID 2100 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WNIL.exe
PID 1040 wrote to memory of 2276 N/A C:\windows\WNIL.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 2276 N/A C:\windows\WNIL.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 2276 N/A C:\windows\WNIL.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\XLCM.exe
PID 2276 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\XLCM.exe
PID 2276 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\system\XLCM.exe
PID 2304 wrote to memory of 2516 N/A C:\windows\system\XLCM.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2516 N/A C:\windows\system\XLCM.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2516 N/A C:\windows\system\XLCM.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\DLKAQO.exe
PID 2516 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\DLKAQO.exe
PID 2516 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\DLKAQO.exe
PID 1840 wrote to memory of 3388 N/A C:\windows\SysWOW64\DLKAQO.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 3388 N/A C:\windows\SysWOW64\DLKAQO.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 3388 N/A C:\windows\SysWOW64\DLKAQO.exe C:\Windows\SysWOW64\cmd.exe
PID 3388 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RGWAWD.exe
PID 3388 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RGWAWD.exe
PID 3388 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\RGWAWD.exe
PID 2200 wrote to memory of 212 N/A C:\windows\SysWOW64\RGWAWD.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 212 N/A C:\windows\SysWOW64\RGWAWD.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 212 N/A C:\windows\SysWOW64\RGWAWD.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EEI.exe
PID 212 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EEI.exe
PID 212 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\EEI.exe
PID 4444 wrote to memory of 3708 N/A C:\windows\SysWOW64\EEI.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3708 N/A C:\windows\SysWOW64\EEI.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3708 N/A C:\windows\SysWOW64\EEI.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\XXSET.exe
PID 3708 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\XXSET.exe
PID 3708 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\XXSET.exe
PID 3744 wrote to memory of 3172 N/A C:\windows\SysWOW64\XXSET.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 3172 N/A C:\windows\SysWOW64\XXSET.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 3172 N/A C:\windows\SysWOW64\XXSET.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\OAKOD.exe
PID 3172 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\OAKOD.exe
PID 3172 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\OAKOD.exe
PID 4720 wrote to memory of 3924 N/A C:\windows\SysWOW64\OAKOD.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3924 N/A C:\windows\SysWOW64\OAKOD.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 3924 N/A C:\windows\SysWOW64\OAKOD.exe C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YYQJ.exe
PID 3924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YYQJ.exe
PID 3924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\YYQJ.exe
PID 3032 wrote to memory of 3476 N/A C:\windows\SysWOW64\YYQJ.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3476 N/A C:\windows\SysWOW64\YYQJ.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3476 N/A C:\windows\SysWOW64\YYQJ.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\KBAWTJ.exe
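
Reading the table above as a spawn record, not as injection: every row is a parent writing into the process it has just created (the sandbox logs three WriteProcessMemory calls per CreateProcess, which is why each pair repeats three times), and the chain alternates between cmd.exe /c "<NAME>.exe.bat" and <NAME>.exe, with each stage dropping and launching the next. Two details matter for detection. First, the batch paths in the Processes listing are written under C:\windows\system32 while the children are reported under C:\windows\SysWOW64: the sample is 32-bit, so WOW64 file-system redirection maps its system32 writes to SysWOW64, and any rule must fold the two. Second, every stage crashes after spawning its successor (the WerFault -u -p <pid> lines), which is the "Program crash" signature. The script below is an added example, not part of the sandbox report: it parses a transcribed subset of the rows above, rebuilds the chain from PID 972, flags each cmd.exe whose /c argument is <X>.exe.bat and whose child is exactly <X>.exe after folding, and lists which chain PIDs WerFault reported. The pairing of PIDs to command lines (CMDLINES) is constructed here from the order of the Processes listing; the report does not state it explicitly.

```python
"""Added example: rebuild the Berbew launch chain from the report's
WriteProcessMemory rows and flag cmd.exe /c "<X>.exe.bat" -> <X>.exe spawns.
Not part of the sandbox report; the input below is transcribed from it."""
import re
from collections import OrderedDict

# Constructed from the first rows of the WriteProcessMemory table. Duplicate
# rows are kept on purpose: the sandbox logs three writes per spawn.
WPM_ROWS = r"""
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 2128 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\VHOT.exe
PID 4816 wrote to memory of 2624 N/A C:\windows\SysWOW64\VHOT.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\SysWOW64\BHWHDT.exe
PID 2140 wrote to memory of 2100 N/A C:\windows\SysWOW64\BHWHDT.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\WNIL.exe
"""

# ASSUMPTION: PID -> command line pairing built from the order of the report's
# Processes listing; the report itself does not pair PIDs with command lines.
CMDLINES = {
    972:  r'"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"',
    2128: r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHOT.exe.bat" "',
    4816: r'C:\windows\system32\VHOT.exe',
    2624: r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHWHDT.exe.bat" "',
    2140: r'C:\windows\system32\BHWHDT.exe',
    2100: r'C:\Windows\system32\cmd.exe /c ""C:\windows\WNIL.exe.bat" "',
    1040: r'C:\windows\WNIL.exe',
}
# WerFault command lines copied from the Processes listing (the "-u -p" form).
WERFAULT_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 996',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1004',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1324',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1336',
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
BAT_LAUNCH_RE = re.compile(r'cmd\.exe\s+/c\s+""?(?P<bat>[^"]+\.exe\.bat)"', re.IGNORECASE)
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def normalize(path):
    r"""Lower-case and fold the WOW64 redirect: a 32-bit process that writes
    C:\windows\system32\X actually lands in C:\windows\SysWOW64\X."""
    return path.lower().replace("\\system32\\", "\\syswow64\\")


def parse_wpm_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges,
    first-seen order, collapsing the repeated writes per spawn."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return [(pp, cp, pi, ci) for (pp, cp), (pi, ci) in edges.items()]


def build_chain(edges, root_pid):
    """Walk parent -> first child from root_pid; returns [(pid, image), ...]."""
    children, images = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        children.setdefault(ppid, []).append(cpid)
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
    chain, seen, pid = [], set(), root_pid
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, images.get(pid)))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None
    return chain


def bat_launch_target(cmdline):
    """For cmd.exe /c "<X>.exe.bat" return normalized <X>.exe, else None."""
    m = BAT_LAUNCH_RE.search(cmdline)
    if not m:
        return None
    return normalize(m.group("bat")[: -len(".bat")])


def find_berbew_launches(edges, cmdlines):
    """Flag a cmd.exe whose /c argument is <X>.exe.bat and whose child image,
    after WOW64 folding, is exactly <X>.exe: the dropper's launch primitive."""
    hits = []
    for ppid, cpid, _pimg, cimg in edges:
        target = bat_launch_target(cmdlines.get(ppid, ""))
        if target is not None and normalize(cimg) == target:
            hits.append((ppid, cpid, cimg))
    return hits


def crashed_chain_pids(werfault_cmdlines, edges):
    """PIDs named by 'WerFault -p <pid>' that belong to the spawn chain."""
    chain_pids = {p for e in edges for p in e[:2]}
    crashed = []
    for c in werfault_cmdlines:
        m = WERFAULT_RE.search(c)
        if m and int(m.group(1)) in chain_pids:
            crashed.append(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    for pid, img in build_chain(edges, 972):
        print(pid, img)
    for ppid, cpid, img in find_berbew_launches(edges, CMDLINES):
        print(f"berbew launch: cmd.exe pid {ppid} -> {img} (pid {cpid})")
    print("crashed chain stages:", crashed_chain_pids(WERFAULT_CMDLINES, edges))
```

The same two checks map directly onto endpoint telemetry: on a process-creation feed, BAT_LAUNCH_RE over the parent command line plus the folded-path equality on the child image gives a high-precision rule for this family's launch step, and WerFault -p against the set of flagged child PIDs confirms the crash-after-spawn behaviour the report records for every stage.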

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHOT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 972 -ip 972

C:\windows\SysWOW64\VHOT.exe

C:\windows\system32\VHOT.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 996

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHWHDT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1004

C:\windows\SysWOW64\BHWHDT.exe

C:\windows\system32\BHWHDT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WNIL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2140 -ip 2140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1324

C:\windows\WNIL.exe

C:\windows\WNIL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\XLCM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1336

C:\windows\system\XLCM.exe

C:\windows\system\XLCM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLKAQO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1328

C:\windows\SysWOW64\DLKAQO.exe

C:\windows\system32\DLKAQO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RGWAWD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1840 -ip 1840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1328

C:\windows\SysWOW64\RGWAWD.exe

C:\windows\system32\RGWAWD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1220

C:\windows\SysWOW64\EEI.exe

C:\windows\system32\EEI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XXSET.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 964

C:\windows\SysWOW64\XXSET.exe

C:\windows\system32\XXSET.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OAKOD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 960

C:\windows\SysWOW64\OAKOD.exe

C:\windows\system32\OAKOD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YYQJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 988

C:\windows\SysWOW64\YYQJ.exe

C:\windows\system32\YYQJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KBAWTJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 976

C:\windows\KBAWTJ.exe

C:\windows\KBAWTJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\AROGBQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 960

C:\windows\AROGBQ.exe

C:\windows\AROGBQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUEB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1336

C:\windows\system\AUEB.exe

C:\windows\system\AUEB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JSYD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1264

C:\windows\SysWOW64\JSYD.exe

C:\windows\system32\JSYD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BANI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 960

C:\windows\BANI.exe

C:\windows\BANI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VYGSCFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2276 -ip 2276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1252

C:\windows\VYGSCFR.exe

C:\windows\VYGSCFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TTFBH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1248

C:\windows\system\TTFBH.exe

C:\windows\system\TTFBH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\HMV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 856 -ip 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1292

C:\windows\HMV.exe

C:\windows\HMV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BZAA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1328

C:\windows\SysWOW64\BZAA.exe

C:\windows\system32\BZAA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KXUBA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 960

C:\windows\SysWOW64\KXUBA.exe

C:\windows\system32\KXUBA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VQPUIR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1304

C:\windows\system\VQPUIR.exe

C:\windows\system\VQPUIR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CGFAL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1248

C:\windows\system\CGFAL.exe

C:\windows\system\CGFAL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IGMOCCB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1380 -ip 1380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1324

C:\windows\IGMOCCB.exe

C:\windows\IGMOCCB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ORC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3452 -ip 3452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 988

C:\windows\SysWOW64\ORC.exe

C:\windows\system32\ORC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HUFRRSZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 960

C:\windows\system\HUFRRSZ.exe

C:\windows\system\HUFRRSZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\QKATKVI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 948 -ip 948

C:\windows\QKATKVI.exe

C:\windows\QKATKVI.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1228

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UAGBO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1084 -ip 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1336

C:\windows\system\UAGBO.exe

C:\windows\system\UAGBO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IQWH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1288

C:\windows\IQWH.exe

C:\windows\IQWH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1204

C:\windows\SysWOW64\JTA.exe

C:\windows\system32\JTA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WRMGP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 960

C:\windows\WRMGP.exe

C:\windows\WRMGP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKJPHJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1268

C:\windows\SysWOW64\DKJPHJ.exe

C:\windows\system32\DKJPHJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\UKQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1280

C:\windows\system\UKQ.exe

C:\windows\system\UKQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAFAWJM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1148 -ip 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1308

C:\windows\SysWOW64\JAFAWJM.exe

C:\windows\system32\JAFAWJM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PTU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1316

C:\windows\system\PTU.exe

C:\windows\system\PTU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\PZH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 960

C:\windows\PZH.exe

C:\windows\PZH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUTQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1296

C:\windows\SysWOW64\DUTQ.exe

C:\windows\system32\DUTQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAMDT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 988

C:\windows\SysWOW64\KAMDT.exe

C:\windows\system32\KAMDT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SNRK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 960

C:\windows\SNRK.exe

C:\windows\SNRK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IDEBMD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 960

C:\windows\IDEBMD.exe

C:\windows\IDEBMD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEAE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1304

C:\windows\system\NEAE.exe

C:\windows\system\NEAE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XBGQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1260

C:\windows\XBGQ.exe

C:\windows\XBGQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRTI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1296

C:\windows\SysWOW64\MRTI.exe

C:\windows\system32\MRTI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 960

C:\windows\SysWOW64\RFH.exe

C:\windows\system32\RFH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFVSSO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1336

C:\windows\system\WFVSSO.exe

C:\windows\system\WFVSSO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LVJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4036 -ip 4036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1324

C:\windows\LVJ.exe

C:\windows\LVJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XGTXI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 960

C:\windows\XGTXI.exe

C:\windows\XGTXI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CHH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1296

C:\windows\CHH.exe

C:\windows\CHH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMUGGVI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 960

C:\windows\system\KMUGGVI.exe

C:\windows\system\KMUGGVI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4748 -ip 4748

C:\windows\system\TKO.exe

C:\windows\system\TKO.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1004

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2752 -ip 2752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 960

C:\windows\MNSD.exe

C:\windows\MNSD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJLN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 960

C:\windows\SysWOW64\LJLN.exe

C:\windows\system32\LJLN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\YTTM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4048 -ip 4048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1236

C:\windows\YTTM.exe

C:\windows\YTTM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LEEZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4316 -ip 4316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1292

C:\windows\SysWOW64\LEEZ.exe

C:\windows\system32\LEEZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1328

C:\windows\SysWOW64\JPG.exe

C:\windows\system32\JPG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BPVMZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1248

C:\windows\system\BPVMZ.exe

C:\windows\system\BPVMZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 988

C:\windows\system\FQR.exe

C:\windows\system\FQR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1304

C:\windows\system\VGE.exe

C:\windows\system\VGE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRPML.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 960

C:\windows\SysWOW64\HRPML.exe

C:\windows\system32\HRPML.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1328

C:\windows\SysWOW64\AJWXU.exe

C:\windows\system32\AJWXU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BHEFEH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1336

C:\windows\system\BHEFEH.exe

C:\windows\system\BHEFEH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKVE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1308

C:\windows\system\OKVE.exe

C:\windows\system\OKVE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IGGU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1304

C:\windows\SysWOW64\IGGU.exe

C:\windows\system32\IGGU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\IBZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 960

C:\windows\IBZ.exe

C:\windows\IBZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 988

C:\windows\SysWOW64\VMHDWT.exe

C:\windows\system32\VMHDWT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OZAC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 464 -ip 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1236

C:\windows\OZAC.exe

C:\windows\OZAC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASVML.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1328

C:\windows\SysWOW64\ASVML.exe

C:\windows\system32\ASVML.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WIX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 988

C:\windows\WIX.exe

C:\windows\WIX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1264

C:\windows\system\WAYMK.exe

C:\windows\system\WAYMK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ZJHJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 960

C:\windows\ZJHJ.exe

C:\windows\ZJHJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\BRCYI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1324

C:\windows\BRCYI.exe

C:\windows\BRCYI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICRGRCQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1332

C:\windows\SysWOW64\ICRGRCQ.exe

C:\windows\system32\ICRGRCQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FCBIDGY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 988

C:\windows\system\FCBIDGY.exe

C:\windows\system\FCBIDGY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 988

C:\windows\system\LXFBJU.exe

C:\windows\system\LXFBJU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\MARFO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 988

C:\windows\system\MARFO.exe

C:\windows\system\MARFO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTYQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1316

C:\windows\system\FTYQG.exe

C:\windows\system\FTYQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1308

C:\windows\SysWOW64\IBT.exe

C:\windows\system32\IBT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SZZ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 960

C:\windows\SZZ.exe

C:\windows\SZZ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HKQWIAS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 960

C:\windows\system\HKQWIAS.exe

C:\windows\system\HKQWIAS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TCTO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1004

C:\windows\TCTO.exe

C:\windows\TCTO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 988

C:\windows\system\HYF.exe

C:\windows\system\HYF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQUQOE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1308

C:\windows\SysWOW64\FQUQOE.exe

C:\windows\system32\FQUQOE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\MWNLDQI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1268

C:\windows\MWNLDQI.exe

C:\windows\MWNLDQI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UPWM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1296

C:\windows\SysWOW64\UPWM.exe

C:\windows\system32\UPWM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CPE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 960

C:\windows\CPE.exe

C:\windows\CPE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNKTF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1300

C:\windows\SysWOW64\MNKTF.exe

C:\windows\system32\MNKTF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\SYOI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 960

C:\windows\SYOI.exe

C:\windows\SYOI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\SDOW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 960

C:\windows\system\SDOW.exe

C:\windows\system\SDOW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZAXIR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1328

C:\windows\SysWOW64\YZAXIR.exe

C:\windows\system32\YZAXIR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VPUV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4552 -ip 4552

C:\windows\VPUV.exe

C:\windows\VPUV.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1316

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DCGC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3316 -ip 3316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 960

C:\windows\DCGC.exe

C:\windows\DCGC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1308

C:\windows\SysWOW64\PFDH.exe

C:\windows\system32\PFDH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2036 -ip 2036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1308

C:\windows\SysWOW64\NYGXXW.exe

C:\windows\system32\NYGXXW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWYKO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1256

C:\windows\SysWOW64\XWYKO.exe

C:\windows\system32\XWYKO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\GUSLH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 724 -ip 724

C:\windows\GUSLH.exe

C:\windows\GUSLH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1324

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TXWR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1324

C:\windows\TXWR.exe

C:\windows\TXWR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TVL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1296

C:\windows\SysWOW64\TVL.exe

C:\windows\system32\TVL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\OIQRD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1288

C:\windows\OIQRD.exe

C:\windows\OIQRD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\TJE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1296

C:\windows\TJE.exe

C:\windows\TJE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BORABFJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1636 -ip 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1328

C:\windows\SysWOW64\BORABFJ.exe

C:\windows\system32\BORABFJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HJCT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1336

C:\windows\system\HJCT.exe

C:\windows\system\HJCT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YSRY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 996

C:\windows\system\YSRY.exe

C:\windows\system\YSRY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\DSFSGAE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1204

C:\windows\DSFSGAE.exe

C:\windows\DSFSGAE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PVPG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1264

C:\windows\SysWOW64\PVPG.exe

C:\windows\system32\PVPG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OOFOHMO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1316

C:\windows\system\OOFOHMO.exe

C:\windows\system\OOFOHMO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\WTRURLR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 800 -ip 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 960

C:\windows\system\WTRURLR.exe

C:\windows\system\WTRURLR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VWCF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1324

C:\windows\VWCF.exe

C:\windows\VWCF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSNGHK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1248

C:\windows\system\BSNGHK.exe

C:\windows\system\BSNGHK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSCDTB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1216

C:\windows\SysWOW64\TSCDTB.exe

C:\windows\system32\TSCDTB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UFNB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 960

C:\windows\SysWOW64\UFNB.exe

C:\windows\system32\UFNB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRYPQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1036 -ip 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1336

C:\windows\system\ZRYPQ.exe

C:\windows\system\ZRYPQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WGL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4156 -ip 4156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 960

C:\windows\WGL.exe

C:\windows\WGL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWHQG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 976

C:\windows\SysWOW64\LWHQG.exe

C:\windows\system32\LWHQG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WAYSTXE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 960

C:\windows\WAYSTXE.exe

C:\windows\WAYSTXE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CAFFC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1276

C:\windows\system\CAFFC.exe

C:\windows\system\CAFFC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLQT.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1264

C:\windows\SysWOW64\OLQT.exe

C:\windows\system32\OLQT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOU.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2356 -ip 2356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1320

C:\windows\system\HOU.exe

C:\windows\system\HOU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BBFNFH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4552 -ip 4552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1272

C:\windows\SysWOW64\BBFNFH.exe

C:\windows\system32\BBFNFH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\YRB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1248

C:\windows\system\YRB.exe

C:\windows\system\YRB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ENE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1264

C:\windows\SysWOW64\ENE.exe

C:\windows\system32\ENE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LXBFSK.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 988

C:\windows\SysWOW64\LXBFSK.exe

C:\windows\system32\LXBFSK.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NVHAA.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1324

C:\windows\NVHAA.exe

C:\windows\NVHAA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\EDWXM.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4748 -ip 4748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1324

C:\windows\EDWXM.exe

C:\windows\EDWXM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TETYY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 960

C:\windows\SysWOW64\TETYY.exe

C:\windows\system32\TETYY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORYHIQX.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3748 -ip 3748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1336

C:\windows\system\ORYHIQX.exe

C:\windows\system\ORYHIQX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPXRZQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1328

C:\windows\SysWOW64\LPXRZQ.exe

C:\windows\system32\LPXRZQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DQRE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1336

C:\windows\system\DQRE.exe

C:\windows\system\DQRE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NIJDOQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 960

C:\windows\SysWOW64\NIJDOQ.exe

C:\windows\system32\NIJDOQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\RYQD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1324

C:\windows\RYQD.exe

C:\windows\RYQD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\KMB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3488 -ip 3488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1000

C:\windows\KMB.exe

C:\windows\KMB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LPRP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 960

C:\windows\LPRP.exe

C:\windows\LPRP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\VABXAI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1324

C:\windows\VABXAI.exe

C:\windows\VABXAI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\CSYF.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1324

C:\windows\CSYF.exe

C:\windows\CSYF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\OVJSB.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 960

C:\windows\system\OVJSB.exe

C:\windows\system\OVJSB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YOSSFPH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1308

C:\windows\SysWOW64\YOSSFPH.exe

C:\windows\system32\YOSSFPH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NJCWY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2464 -ip 2464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1308

C:\windows\SysWOW64\NJCWY.exe

C:\windows\system32\NJCWY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ENBWL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1004

C:\windows\system\ENBWL.exe

C:\windows\system\ENBWL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQFR.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3464 -ip 3464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1336

C:\windows\system\FQFR.exe

C:\windows\system\FQFR.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVE.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 960

C:\windows\system\VVE.exe

C:\windows\system\VVE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\CLFQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1592 -ip 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1248

C:\windows\system\CLFQ.exe

C:\windows\system\CLFQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOVLYNO.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1316

C:\windows\system\DOVLYNO.exe

C:\windows\system\DOVLYNO.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\WCUJDP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 960

C:\windows\WCUJDP.exe

C:\windows\WCUJDP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\XFGFI.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 960

C:\windows\XFGFI.exe

C:\windows\XFGFI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCYSZH.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 960

C:\windows\system\HCYSZH.exe

C:\windows\system\HCYSZH.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BQC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1328

C:\windows\SysWOW64\BQC.exe

C:\windows\system32\BQC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IVWWY.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 960

C:\windows\SysWOW64\IVWWY.exe

C:\windows\system32\IVWWY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRAGISV.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 872

C:\windows\SysWOW64\DRAGISV.exe

C:\windows\system32\DRAGISV.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NJKN.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3624 -ip 3624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1172

C:\windows\NJKN.exe

C:\windows\NJKN.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IMTEAGG.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1000

C:\windows\SysWOW64\IMTEAGG.exe

C:\windows\system32\IMTEAGG.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\APLPKJ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1324

C:\windows\APLPKJ.exe

C:\windows\APLPKJ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\NSHVP.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1300

C:\windows\NSHVP.exe

C:\windows\NSHVP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOALD.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2344 -ip 2344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 960

C:\windows\system\HOALD.exe

C:\windows\system\HOALD.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KWWAL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1328

C:\windows\SysWOW64\KWWAL.exe

C:\windows\system32\KWWAL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\PWDOC.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1328

C:\windows\system\PWDOC.exe

C:\windows\system\PWDOC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\LCQ.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1608 -ip 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 960

C:\windows\LCQ.exe

C:\windows\LCQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system\ASRRUW.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4036 -ip 4036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1272

C:\windows\system\ASRRUW.exe

C:\windows\system\ASRRUW.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FLFL.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1328

C:\windows\SysWOW64\FLFL.exe

C:\windows\system32\FLFL.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYRS.exe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1328

C:\windows\SysWOW64\NYRS.exe

C:\windows\system32\NYRS.exe

Network

Files


C:\Windows\SysWOW64\RGWAWD.exe

MD5 6d33aaf1d94eff2da7daad295887a4fc
SHA1 7ab5a793ee2afe5cd5cdab70b02c27aa6ba48d17
SHA256 8db6f32d43e5f21fd55bf2d4e8b88a3a783c626effc4ae51d8824a0cb450fa99
SHA512 6711ca368a236e2b8d586ec8bc344ce1f18d3a1447bfb2f67aea178e74bde6fe17bffe6124d17c2538b3efd3d394d951d34adb973112715a8b31a373ef39aceb

memory/2200-71-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\EEI.exe.bat

MD5 328bad44f91ecd2d3a346a756a7a697e
SHA1 16038e12f661073cd192135b787e26b647ca12a5
SHA256 90cfe2765d0b88417d0909fae5e61f60e735a7b66a39e6901c2f3c20e0266ddb
SHA512 7dfd550c05244fc3cafb3b23aefde5367c9c93e0ff2f2e0d1dd264d4ee9064fbc9a39ca8eedaf1ad8d452e3c2a2e4870e7cf0ad48ed19a8139f9a36d0876a277

memory/1840-83-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4444-82-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\EEI.exe

MD5 6c357c1962f62d6f8df69856cf1f1545
SHA1 c08cbc96ec2085251614b27b5ee96de70aed2dd0
SHA256 7797fc0718b5fa7a937eb315d5cfe563f8b8529bc9425f373a5bed2d5df7cd16
SHA512 f910771b26d12f9ddc39fdeb7c6b307baf02720bafc42bd6e348ab99d60cc6983959f3cd1bedfd169de1ba05af9abf4268c978ddc7dc21ff0bab2b9ff54459dd

C:\windows\SysWOW64\XXSET.exe.bat

MD5 1ed5efb77ffed8ec30befd0f801e32c5
SHA1 2ba728870e1df4cec8ef7344a8a6ef5e5042dbb4
SHA256 eeedb9788239e629dac39ea7c8f6062e48c083f2ea14ec59f5f5fa4aed2523c2
SHA512 8635626e82ae27d81c83d8434de4b53db4265772b037dccd8ebd4f58937b8032c351f492568142b44ef5e1742d2b39262bb905510d05ecf381dd013df751e177

memory/2200-91-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\XXSET.exe

MD5 a81e9c5709ec0d980583aa3cebd3536c
SHA1 42f6bcce0164b1ec2f694a5a24f7a5e709fb6efb
SHA256 2ee3413342f0101d912d03d0d56836d3e0703494e0494e4261cd0860fec94295
SHA512 fa32698f6dd85e90df10fa5a55c4112bc26c13760ab5368fe29383a89888faeac123a6e8ea4e226eb2160db95eeabe5eaae2fdfd9b32ac681ffc4cd09ebf66a1

memory/3744-94-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\OAKOD.exe.bat

MD5 5348b1a42b4b3e1631a40aaf93317718
SHA1 57ebbdecb1375d376b87f2149935028e87673811
SHA256 966b0faefb86116357ca773c6c2f380df4ea8310daf72284a71a27db1d62844a
SHA512 b9415fdd9da26105794ceb885f871aae7748f8823fc9c6ec86db55fcfff81eef43f4666f8069ec3317ded46a076bb9acbd661e6ab194618cbbb30d254f7e2c58

memory/4444-106-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\OAKOD.exe

MD5 570eab31d93441ecd9eb6ec3e1d77b98
SHA1 7b6d740a05b102f9ca329508cf549d043cdaac21
SHA256 19c1b95d1cf0dfd2fa6b8e7365e5bc30a3ec307a48855f1c28bca3b940c4a5fa
SHA512 079012f73618524d2a8dac78e56446abce0ebc63c418bfbf656804e4e14a3d14d08fb666699bb078c5dc491e93afe036499544451f27e7270b97cf3b9c50dc23

memory/4720-107-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3744-116-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3032-118-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\YYQJ.exe

MD5 825b3b8ee6bca40b7478b3e51f2814cd
SHA1 30f9e54a7a01157fb99deebae2d4aa4f77fbbfaa
SHA256 5f6a3737c917d46ea325032479ee2cf9ab411eaeb7c6d884ca41f02d35bf05a7
SHA512 b0c4c6c1f365a7aee4c3ca9a09b6e0d363e35b271f3c80515b2d95159564305696064b818a5b0afbd59239cdf3d8f29615f7627bc651c982500886b71421220a

C:\windows\SysWOW64\YYQJ.exe.bat

MD5 512495ea367be7e34271721cc8266c15
SHA1 aeb51dc8048c6396c3086552a7adda75c243a49f
SHA256 9ff13885ddb467eefd2a0081f5d1b3da2c6142b72d2e8d9ed2a187f661bf5e97
SHA512 3158163549f7b55496db30b50dcff74afda3033e13f252889e47100eea14577d96475c032e0130a5310de71a2a64d204efd6da21c5fee68407b46c44f4a1ff43

C:\windows\KBAWTJ.exe.bat

MD5 20798fac7d3284536ff19c1b5033558a
SHA1 a6aac9c99970d095675355e0f56031cb554ab74c
SHA256 efde8f86f27d31c699c8cb9827e5325f365eca30fc34fc6526d297459039053a
SHA512 7407ebea9560a53549595c6980be3de95e46697d04b6f7ae55890b8de2a8dfc3203b53e692b65a9e82ed4c5363c33aab38f1efa598e946686391cc2da23943b0

C:\Windows\KBAWTJ.exe

MD5 a8cef133211bbadccf5862019f2cdd80
SHA1 d718d40dd4dea6036e32f55eff4c941dbf2af716
SHA256 aaabf6388945ee28dda8af78fb411039707159b17eac7422aa55645cbf14b0c7
SHA512 03c872a319a4f2c58743b40efeddaf56066672c5dbaf7f804700fcb923c516e057bda6834ebcd965150d71f87432faa56eebd73e27a3d3de24b901bc4b5c3fbb

memory/4720-130-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2060-129-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\AROGBQ.exe.bat

MD5 05b1851d9bf7cf9184cea24464286d6d
SHA1 831ab34a4d9af4e21a8e1e0dd3290b113aa7fc4f
SHA256 5a82a9008bc0eaa8c1a18c0612d2b59bb55d6040452900c21632688b56d0b2ad
SHA512 a6fdd1b489eb070d9f5edf1b26f67346f867e111910ed6e3c569d598ed08761118d6242cb3faa2357b88a2b7304ba50919931d0ebf75acc643fb9e69772149f2

C:\windows\AROGBQ.exe

MD5 5c61d0d5c716077cbdb909da688d199e
SHA1 78f4f55a0cb28bafde9853f0b7f6b1b177e3d80c
SHA256 ede753063f0e25921b47d978fdad24b49f913f81855825657345db9e0f84fa22
SHA512 0c2441855c956255603aa650ddbf76193fa20771f6e89829633d5e4c89fb0d8474e2fd2c0310c7e01311a659638e7f47fe86222a33298c3445579d77fe6f8850

memory/4628-142-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3032-143-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\AUEB.exe.bat

MD5 cf2cdd6c826f2ed5f84b63d27da5f52e
SHA1 3b343ee842df3a221d50304e5703e135f3e5bb60
SHA256 89a59cbe0c313f9a6824fa78623e2ff76850466c6cf2611f119ec592d2d926ee
SHA512 b7a1bfc4a824072b2a6c6d018dce6586440ab7462ef5b5e519458fc7d21c1a64203d2991d7dcc4a5e19d5376c67b094806347354cc4d94a087ccd7d3f7e9a6be

C:\windows\system\AUEB.exe

MD5 94211ca3072e8fc3b44433a997b75940
SHA1 aaa3235ca9f02da04de0720f354c4a28c365ebe1
SHA256 47387e22eea27478917ecec5749952cd18e9f05ef1c9352a76615d29aac7d2b9
SHA512 3539419f933264914426fa539d42ca029b5eda58c96826f0409e8921fe25ab7dc075794efb10ed205e06878f7b3c60a7a5dd6bf7c4f2d7b3e24e5fd0bc4d2a77

memory/1420-154-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2060-155-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4628-162-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\JSYD.exe.bat

MD5 2fbc73f28d620e835deb527b2321e5bd
SHA1 3e04b9d60619184c25e63ed08461e36db3627f7a
SHA256 30b431e0cf2ed3a481b38c0870ee0c38c9d8882cf777346b0d631a89ca368b8e
SHA512 890a75feb32edb81dcd5f1ec47a8a6eb59917ac516b608fd66379470b67a6543ee87ec13d4710e325004bce57314e531623917161fa6f8f3e8c8155efff82d62

C:\Windows\SysWOW64\JSYD.exe

MD5 7e22f9e9c65962c851500086a0e1d39b
SHA1 dfe44a2aef2f622bb31ee114fae18338e2d63aa7
SHA256 78ab2196e48d9f30998761d6518d48694ad02d8c529819d884575cd13661234a
SHA512 431796df771b362567a685d1ba25d8a306a63fd0b99e543dc80661443fd4b6bfed1a99530cd01ab62f9a4972fff90ef9e18d64e7627dfc9c2c2ff03ca73bd41b

memory/4728-167-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\BANI.exe.bat

MD5 d34b4990c449d1440bc28fcc8c1bb7da
SHA1 87ab45f8ca5ee9c5ea32e138b53c8d80c64a3553
SHA256 43580184831e76de14f7f7b4267fa1f36f5a3eb61e4bccf512d2e2004484468f
SHA512 c08a04465b3f0d271d94690da67a0b0015267afde312dbaf6e10ccbd429706bc329118950ec07184269f1bdbc0b3e1ac647ded6f7899b737a98694853dd3e4e0

C:\windows\BANI.exe

MD5 ed79b728d523497ea64d7d4298031405
SHA1 4a3b655eeb6569ed6cdbf352f801c9cadc031039
SHA256 c5de26514d4a858e5fc288e11034b2694317bde1e8677fdb374f9f49dba436c4
SHA512 c4ab1d2c3e5ed6763a8c8aa0afd904ea91b48a26976fc630f39277500a2c6d75231dd439411da0e89236eb97c4fc91225d249657d1bbdab472087e550df47db4

memory/2276-179-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1420-178-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4728-186-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\VYGSCFR.exe.bat

MD5 4b5fdf05081138e3795821e0bb9455bd
SHA1 45615fa35d0d37ed8e0d658ab272d2a6d4ff4b86
SHA256 ee85c374aa0ccccf33d7575bf7fcc260b6cb8869e87c3d876d834f6b851864b0
SHA512 9bf187f4a6bd4c0218c7c2d7508a8765f6feba9b8df02dbc326a8129578c626832cb7b2a637ff53e4fbcf9d46a6fcdf462c22ac52bfb3f2e406c24d1c25c133e

C:\Windows\VYGSCFR.exe

MD5 6c8b14fe633739e9602be14842171f95
SHA1 54b8692d4129dbb0336c81e7ac02cb1991a8d6bd
SHA256 b300149c6e74e01589a18279a7db1b0980ea8613564c98d1866cd51f1c1e015f
SHA512 68446534b42dd0de9a4b606a5d64b17a2b18e55ab83da55b2323e73546ef7e6374a0309c37dfe9e8d7d23769fdf7c15dcbede97c17a4afcf59778bbc2bf8dcc8

memory/3812-190-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\TTFBH.exe.bat

MD5 bf91a2b1bfd6f97b2d677881c8e0ba88
SHA1 c693c3203d0e46c209ea890dfa63ba9a7bde719f
SHA256 e4ea90daad2b03f724237843eb5187895569008b5c9fb97240a75a682de6d579
SHA512 6f1d4fe5217dab68a4d278a145319762a0f93bf956a9b8c0a5c4a042dc33a9c797c6c08cbd3432e1df1b5d9c7cd44717e343b66d16cab445349dd4377e4f179e

memory/2276-199-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\TTFBH.exe

MD5 da5b9a456977e5c51cc7d830b73347f5
SHA1 9ae21350653f4275ba74cb76efed031dfa3ef39c
SHA256 6f3f2e6df5d9d4606308e83f5c2e0a01277887161248a310fd52003957714200
SHA512 185954cfa773e4ee8012f9f95a73084b684946b3e75d8aa706b844ad6c70d662f8ed1b810af1b97ae8e5a3d5a5ba93ea3703188c118c5e41ba0342cff2b0e6c5

memory/856-203-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3812-204-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\HMV.exe.bat

MD5 c2859f3c4fa101b44a06ac29ffcc22c1
SHA1 847965f21f7a669c8cb8f6fd00b61093c0e29737
SHA256 98a2d4265fe729d71a81a51c580c0daa94da7d9ed89d7726d2108ab27f107d93
SHA512 25e4be8fad9f3dc20296a60a1019d946ea660b3c9d4062531a02ff1eb82d83b7d6a1e1067ba01095347b1420bbae6573724da82d5e7d3ddde8ccc60aa37aa0a3

memory/3048-214-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\HMV.exe

MD5 eafa8bea42a12b8fcfcbec50ac52da3a
SHA1 cecbf342febfca3ccc4ea1f3d63145f1aabb0dfd
SHA256 e782e47006d4744d91549d94056dede3023a6c7a74504c9ee408f069da460439
SHA512 246a0276a16a7fcfc394fd3eafdbd4349cc3d7134bb4eb8bf4cda135e099d57eba3a0916f8b65ea9db0a20f495b911d26caecf76517204b8763ee4a202b2f952

C:\windows\SysWOW64\BZAA.exe.bat

MD5 41b29bdf821785ad217781b094be4d61
SHA1 e312cdc304d7e94b9416ff0caf43948ef56ec9e5
SHA256 1a1a579484785dbc00cfecc58a330a2692f4e9db4cba73b20b90090d7c941e96
SHA512 acd563414de49c8fb7f10c269e5fc430d584a1d1d654145ad622df8b3ae4dcc307b91e552a31f10f75b97848b719f24300c9ce12ce07af65a3ac4ba93ad3d4cc

memory/856-223-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\BZAA.exe

MD5 7a18217e419c4f8c5a68a77340ea7886
SHA1 f1cf956b51d518512cb24150156fec9bbcda703d
SHA256 38aac0be8227600ddcd6cb59f2a5a1645da1c148727e972273004c6e460a51d7
SHA512 ed6cabe1aa992650da9ca52ea94bd3b19574a9d76bce5c9bee477ab4408a79062429e1b280fe4af998620ea0f04f074ae8021863a58d947f21de4c009dbbe59d

memory/4628-227-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3048-234-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\SysWOW64\KXUBA.exe.bat

MD5 041e6fbb7b06c38eb818239bad02bef6
SHA1 3f9d1cb0d87c47ec83989c04626fd96433da3545
SHA256 3a58ae47b82644ef3007633cf25d3a8849669caae62e91f5d4096817bb4d8874
SHA512 40b3f3ad739a2922ffd3d4cf71d00c3fe567086fb7430944da76a5c0a5e7c6809a123b16fda4f0d6d5b7cabc9c0eeb5fbb9bea609ab0ce21d3436def280c5115

C:\Windows\SysWOW64\KXUBA.exe

MD5 0cbb3f948dbaa8c93a15be0110277950
SHA1 bbc390e9e806dac8bba2920344e6c7ddd8dc37bd
SHA256 2c4245b4c651456c9825d49bae0253f9c47101fe3f96bee4c3d7ac38806fc4ed
SHA512 2bc1a61fd92d79a18244d8b96329181d3dde40b8e3a236520f91a503eba6e4a1e2acabcd86d6fff2d4e561ed2649103bc126c3dca4337e4e520c529bddc9840e

memory/4968-239-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\VQPUIR.exe.bat

MD5 3f3aaee9473521b2de9e8a933294c3b3
SHA1 105f1ac05401ec8e89f0d5d729f75a3edc1941e6
SHA256 26155688f63ba01d50b540136338fd648dd518e5e2455da4486aa9dfbeb576f6
SHA512 c19d401f5917c5a80e707a1cf79b1d0fa06a5641aedba18c1900acded4fe63e2f7cb443f6ca670d20a5ad3951e22dbc9e94a9c6f9f30bda4c589020cd6229d74

memory/4444-249-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\System\VQPUIR.exe

MD5 6ea5a5d3f136b565faba64fd1ab6634a
SHA1 6643711775867189e6f382cebefc8655700c80cc
SHA256 91643ba5841c21202eaa7979f30a8586364710627d0001401a1f0e3e1fa84ad7
SHA512 82b93aa6ed75e5c6caec5d1112f53384f42302b843de7722d29c4fbe9399b7d38abb1597e2a67a4cc45b0ede6118f61252258452cb707c9dc0edb78cf229ebe2

memory/4628-250-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4968-258-0x0000000000400000-0x0000000000439000-memory.dmp

C:\windows\system\CGFAL.exe.bat

MD5 8e2848955e41b7175a978ce6929be0a8
SHA1 958c5abb3904ca41ffbba10119ff7cfd70b034f8
SHA256 2d4ecebaf6a790cbfd3a3e49a6d82d6500057bdbb0db5d854c836b0eb44feea0
SHA512 5378303939dca06e680bc4dbaed6325804c7c747e8a3698076a1003aa5e3524703793f11f53a20e35d3a6ea706f4b18d128497a14850c111135e15d2fa0e2386

memory/1380-261-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3452-269-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4444-270-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1380-277-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3552-279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/948-287-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3452-288-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3552-296-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1084-297-0x0000000000400000-0x0000000000439000-memory.dmp

memory/804-305-0x0000000000400000-0x0000000000439000-memory.dmp

memory/948-306-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1084-313-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3088-315-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2860-323-0x0000000000400000-0x0000000000439000-memory.dmp

memory/804-324-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3396-332-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3088-333-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4976-341-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2860-342-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3396-349-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1148-351-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2232-359-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4976-360-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4720-368-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1148-369-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2232-376-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1612-378-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4720-385-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4852-387-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1612-394-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2060-396-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3616-404-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4852-405-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4976-413-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2060-414-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3616-421-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2936-423-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2232-431-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4976-432-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2936-441-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3664-440-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4028-449-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2232-450-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3664-457-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4036-459-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3732-467-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4028-468-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4308-476-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4036-477-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1452-485-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3732-486-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4308-493-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4748-495-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 09:27

Reported

2024-06-02 09:30

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\HSRYAY.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\SysWOW64\HSRYAY.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
File opened for modification C:\windows\SysWOW64\HSRYAY.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
File created C:\windows\SysWOW64\HSRYAY.exe.bat C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe N/A
N/A N/A C:\windows\SysWOW64\HSRYAY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_27eee676babdd6aa1be84531f1f58910.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\system32\HSRYAY.exe.bat" "

C:\windows\SysWOW64\HSRYAY.exe

C:\windows\system32\HSRYAY.exe

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\HSRYAY.exe.bat

MD5 4b0f610bf1667966002a02f46d7a1d51
SHA1 85674de999191979cd04d677dfffe179458b064e
SHA256 18283876c013daf991475f554319c161959737e18f5eeb410bb73ca6a43946d0
SHA512 40b8a947dbd18b651d9ebfcfcbb363a9ff9a9ac4a84bee629d2ae9c61dbeba20a2e5ce226f001fa34fbb83924d643790da848c846b658ee3d3502efdb727f88b

memory/1728-12-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\HSRYAY.exe

MD5 363415799eff2996bc7df008d64c2f3c
SHA1 45e3ef30b8e4f3283618d3046073b63d7600671b
SHA256 e76e2bfc1591a0a8c884c8986ef7b77a33b59009b2fb9e04667aa4589effde0f
SHA512 7a733e51ae4e7f2a1db5133cddf7d359fc97118f4813df21d6e14d22d41a505785899316757b43d43fff873bfe503ea0cb865a476953a681a75341dca79729bb

memory/1036-16-0x00000000005D0000-0x0000000000609000-memory.dmp

memory/2532-19-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp