Analysis
max time kernel: 83s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/09/2023, 14:35

Static task: static1
Behavioral task: behavioral1
  Sample: e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
  Resource: win10v2004-20230915-en

General
Target: e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
Size: 289KB
MD5: e8fd17e6d28f1406f23069fc57dcbccc
SHA1: 84ed8ef932642a7ac4e14c5aaf574fcefb5fdde1
SHA256: 66676967121a4a6c888272333421b82973cb9b8c58d85b56aaa64be3ab2149bc
SHA512: f245c1b7b65b9784ea24aa4c911082821a3acbf8b99ea90117b5b1d8355264e17e619b2017da8ce3c269a6e50bb40bd4c4b84bd7a74b92b84c8d361303447691
SSDEEP: 6144:U5wLulwRBdtGFGo6YpO9sxkECzJLaQVbU5:zua7dtGFGn7GxklJLJbU5
Malware Config
Signatures
Checks computer location settings (2 TTPs, 58 IoCs)
Looks up country code configured in the registry, likely geofence.
All 58 rows have description "Key value queried" and ioc \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation; the querying processes, in report order, are:
DTXN.exe, BEME.exe, CORQL.exe, PNGCRHP.exe, QJRIWB.exe, TIZ.exe, DBLUBX.exe, CFXUY.exe, RBQ.exe, GKIMJY.exe, QPEMCAL.exe, ADP.exe, WSIS.exe, FKMCDLG.exe, SHL.exe, cmd.exe, MCVRVS.exe, cmd.exe, GBOAWZV.exe, FBKXP.exe, LAF.exe, VRM.exe, WDDQYI.exe, FANH.exe, NZRHI.exe, NSDLXV.exe, SHVJ.exe, ICIPW.exe, BFMIY.exe, UEER.exe, LCE.exe, FESCFL.exe, VENOOXQ.exe, YVGFLPX.exe, LTTG.exe, KBDF.exe, JSII.exe, KZHY.exe, QKB.exe, APXLVC.exe, cmd.exe, WVIN.exe, HQSCOL.exe, PYTU.exe, ZCYSU.exe, MOQE.exe, SUEHTHK.exe, e8fd17e6d28f1406f23069fc57dcbccc_JC.exe, EXJET.exe, IDJZT.exe, cmd.exe, NQRJNK.exe, TUQ.exe, HBQNQ.exe, QAHG.exe, TCBVE.exe, THN.exe, XBGQ.exe
Executes dropped EXE (64 IoCs)
pid | Process
1296 | NSDLXV.exe
4936 | YVGFLPX.exe
3752 | ADP.exe
4968 | FKMCDLG.exe
2728 | NQRJNK.exe
5104 | WDDQYI.exe
2248 | RBQ.exe
4464 | MCVRVS.exe
1920 | QKB.exe
4100 | PNGCRHP.exe
2548 | LTTG.exe
1664 | CORQL.exe
4644 | KBDF.exe
3052 | EXJET.exe
3440 | FANH.exe
1408 | HQSCOL.exe
388 | QJRIWB.exe
3244 | XBGQ.exe
1772 | TUQ.exe
2336 | LCE.exe
1520 | WerFault.exe
2116 | MOQE.exe
1768 | WerFault.exe
2700 | cmd.exe
3372 | ICIPW.exe
2228 | WerFault.exe
2104 | Conhost.exe
3612 | Conhost.exe
1472 | Conhost.exe
452 | SUEHTHK.exe
1768 | WerFault.exe
2096 | PYTU.exe
2252 | DTXN.exe
5036 | HBQNQ.exe
4900 | APXLVC.exe
3460 | GKIMJY.exe
2744 | WerFault.exe
4116 | WerFault.exe
1856 | Conhost.exe
4820 | WerFault.exe
1800 | SHVJ.exe
2100 | TIZ.exe
64 | cmd.exe
4752 | IDJZT.exe
3328 | FESCFL.exe
4772 | VENOOXQ.exe
3232 | QPEMCAL.exe
2472 | JSII.exe
2728 | WerFault.exe
4968 | WerFault.exe
4196 | GBOAWZV.exe
1660 | WerFault.exe
2468 | Conhost.exe
2696 | QAHG.exe
4528 | UEER.exe
4860 | DBLUBX.exe
2056 | NZRHI.exe
4928 | CFXUY.exe
2200 | WSIS.exe
3244 | FBKXP.exe
3084 | TCBVE.exe
216 | SHL.exe
4080 | KZHY.exe
3860 | cmd.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\FKMCDLG.exe | ADP.exe
File created | C:\windows\SysWOW64\KBDF.exe.bat | CORQL.exe
File opened for modification | C:\windows\SysWOW64\JSII.exe | QPEMCAL.exe
File created | C:\windows\SysWOW64\FKMCDLG.exe.bat | ADP.exe
File opened for modification | C:\windows\SysWOW64\SZUBWNL.exe | MOQE.exe
File created | C:\windows\SysWOW64\OCD.exe.bat | Conhost.exe
File created | C:\windows\SysWOW64\SUEHTHK.exe.bat | Conhost.exe
File created | C:\windows\SysWOW64\LAC.exe | SHVJ.exe
File created | C:\windows\SysWOW64\UTJHP.exe | QAHG.exe
File created | C:\windows\SysWOW64\WVIN.exe.bat | TIZ.exe
File created | C:\windows\SysWOW64\QKB.exe.bat | MCVRVS.exe
File opened for modification | C:\windows\SysWOW64\OCD.exe | Conhost.exe
File opened for modification | C:\windows\SysWOW64\QWHKO.exe | WerFault.exe
File created | C:\windows\SysWOW64\LAC.exe.bat | SHVJ.exe
File opened for modification | C:\windows\SysWOW64\HOHH.exe | JSII.exe
File created | C:\windows\SysWOW64\NZRHI.exe.bat | DBLUBX.exe
File created | C:\windows\SysWOW64\NSDLXV.exe | e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
File opened for modification | C:\windows\SysWOW64\HQSCOL.exe | FANH.exe
File created | C:\windows\SysWOW64\UHFO.exe.bat | Conhost.exe
File created | C:\windows\SysWOW64\HOHH.exe | JSII.exe
File opened for modification | C:\windows\SysWOW64\ZSSB.exe | WerFault.exe
File opened for modification | C:\windows\SysWOW64\LAF.exe | cmd.exe
File created | C:\windows\SysWOW64\WVIN.exe | TIZ.exe
File created | C:\windows\SysWOW64\CORQL.exe.bat | LTTG.exe
File opened for modification | C:\windows\SysWOW64\TUQ.exe | XBGQ.exe
File opened for modification | C:\windows\SysWOW64\DTXN.exe | PYTU.exe
File opened for modification | C:\windows\SysWOW64\UTJHP.exe | QAHG.exe
File created | C:\windows\SysWOW64\FBKXP.exe.bat | WSIS.exe
File created | C:\windows\SysWOW64\BST.exe.bat | VRM.exe
File created | C:\windows\SysWOW64\LCE.exe.bat | TUQ.exe
File opened for modification | C:\windows\SysWOW64\UHFO.exe | Conhost.exe
File created | C:\windows\SysWOW64\DTXN.exe.bat | PYTU.exe
File created | C:\windows\SysWOW64\DBLUBX.exe | UEER.exe
File created | C:\windows\SysWOW64\NZRHI.exe | DBLUBX.exe
File created | C:\windows\SysWOW64\QKB.exe | MCVRVS.exe
File created | C:\windows\SysWOW64\TUQ.exe.bat | XBGQ.exe
File opened for modification | C:\windows\SysWOW64\HEVHB.exe | Conhost.exe
File created | C:\windows\SysWOW64\SHVJ.exe | WerFault.exe
File opened for modification | C:\windows\SysWOW64\LAC.exe | SHVJ.exe
File created | C:\windows\SysWOW64\IDJZT.exe.bat | cmd.exe
File opened for modification | C:\windows\SysWOW64\KZHY.exe | SHL.exe
File created | C:\windows\SysWOW64\ZCYSU.exe | THN.exe
File opened for modification | C:\windows\SysWOW64\NSDLXV.exe | e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
File created | C:\windows\SysWOW64\TUQ.exe | XBGQ.exe
File created | C:\windows\SysWOW64\QWHKO.exe | WerFault.exe
File created | C:\windows\SysWOW64\HEVHB.exe.bat | Conhost.exe
File created | C:\windows\SysWOW64\CORQL.exe | LTTG.exe
File created | C:\windows\SysWOW64\HQSCOL.exe | FANH.exe
File created | C:\windows\SysWOW64\LCE.exe | TUQ.exe
File opened for modification | C:\windows\SysWOW64\SHVJ.exe | WerFault.exe
File opened for modification | C:\windows\SysWOW64\DBLUBX.exe | UEER.exe
File created | C:\windows\SysWOW64\KZHY.exe | SHL.exe
File created | C:\windows\SysWOW64\KZHY.exe.bat | SHL.exe
File created | C:\windows\SysWOW64\LAF.exe | cmd.exe
File opened for modification | C:\windows\SysWOW64\ZCYSU.exe | THN.exe
File opened for modification | C:\windows\SysWOW64\FBKXP.exe | WSIS.exe
File opened for modification | C:\windows\SysWOW64\THN.exe | WerFault.exe
File created | C:\windows\SysWOW64\ZCYSU.exe.bat | THN.exe
File created | C:\windows\SysWOW64\UQINZX.exe.bat | WVIN.exe
File created | C:\windows\SysWOW64\KBDF.exe | CORQL.exe
File created | C:\windows\SysWOW64\HQSCOL.exe.bat | FANH.exe
File created | C:\windows\SysWOW64\SZUBWNL.exe.bat | MOQE.exe
File created | C:\windows\SysWOW64\IDJZT.exe | cmd.exe
File created | C:\windows\SysWOW64\UTJHP.exe.bat | QAHG.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\ADP.exe.bat | YVGFLPX.exe
File opened for modification | C:\windows\UQK.exe | SUEHTHK.exe
File created | C:\windows\system\KOI.exe | WerFault.exe
File opened for modification | C:\windows\system\QJRIWB.exe | HQSCOL.exe
File opened for modification | C:\windows\VENOOXQ.exe | FESCFL.exe
File created | C:\windows\system\WSIS.exe.bat | CFXUY.exe
File created | C:\windows\system\QJRIWB.exe.bat | HQSCOL.exe
File opened for modification | C:\windows\HBQNQ.exe | DTXN.exe
File created | C:\windows\QAHG.exe.bat | Conhost.exe
File created | C:\windows\PBTO.exe | WerFault.exe
File created | C:\windows\QAHG.exe | Conhost.exe
File created | C:\windows\system\LVZ.exe.bat | WerFault.exe
File opened for modification | C:\windows\system\NQRJNK.exe | FKMCDLG.exe
File opened for modification | C:\windows\XBGQ.exe | QJRIWB.exe
File created | C:\windows\FESCFL.exe | IDJZT.exe
File opened for modification | C:\windows\GKIMJY.exe | APXLVC.exe
File created | C:\windows\system\CVRDY.exe.bat | GKIMJY.exe
File created | C:\windows\system\NGXEA.exe | FBKXP.exe
File opened for modification | C:\windows\GERT.exe | BFMIY.exe
File created | C:\windows\WDDQYI.exe.bat | NQRJNK.exe
File opened for modification | C:\windows\FANH.exe | EXJET.exe
File created | C:\windows\XBGQ.exe.bat | QJRIWB.exe
File created | C:\windows\YUGU.exe | WerFault.exe
File created | C:\windows\VENOOXQ.exe.bat | FESCFL.exe
File created | C:\windows\system\RBQ.exe | WDDQYI.exe
File created | C:\windows\system\PNGCRHP.exe | QKB.exe
File created | C:\windows\HBQNQ.exe | DTXN.exe
File opened for modification | C:\windows\system\JLSCWXP.exe | WerFault.exe
File created | C:\windows\FESCFL.exe.bat | IDJZT.exe
File created | C:\windows\VENOOXQ.exe | FESCFL.exe
File created | C:\windows\system\EDRA.exe.bat | ICIPW.exe
File created | C:\windows\XBGQ.exe | QJRIWB.exe
File created | C:\windows\ICIPW.exe | cmd.exe
File created | C:\windows\UQK.exe | SUEHTHK.exe
File created | C:\windows\LTTG.exe | PNGCRHP.exe
File created | C:\windows\LTTG.exe.bat | PNGCRHP.exe
File created | C:\windows\FANH.exe.bat | EXJET.exe
File created | C:\windows\APXLVC.exe.bat | HBQNQ.exe
File created | C:\windows\system\NQRJNK.exe.bat | FKMCDLG.exe
File opened for modification | C:\windows\system\PNGCRHP.exe | QKB.exe
File opened for modification | C:\windows\PYTU.exe | WerFault.exe
File opened for modification | C:\windows\FIX.exe | LCE.exe
File opened for modification | C:\windows\GBOAWZV.exe | WerFault.exe
File opened for modification | C:\windows\system\YHW.exe | BEME.exe
File created | C:\windows\system\FQZYIW.exe.bat | TIZ.exe
File opened for modification | C:\windows\system\RRJHOHD.exe | cmd.exe
File created | C:\windows\MCVRVS.exe.bat | RBQ.exe
File created | C:\windows\PYTU.exe.bat | WerFault.exe
File created | C:\windows\system\RRJHOHD.exe | cmd.exe
File created | C:\windows\GERT.exe | BFMIY.exe
File created | C:\windows\TIZ.exe.bat | ZCYSU.exe
File created | C:\windows\FANH.exe | EXJET.exe
File opened for modification | C:\windows\PTRHRG.exe | WerFault.exe
File created | C:\windows\CFXUY.exe.bat | NZRHI.exe
File opened for modification | C:\windows\system\MXATCW.exe | GBOAWZV.exe
File created | C:\windows\system\MXATCW.exe.bat | GBOAWZV.exe
File created | C:\windows\system\QJRIWB.exe | HQSCOL.exe
File opened for modification | C:\windows\system\EDRA.exe | ICIPW.exe
File opened for modification | C:\windows\APXLVC.exe | HBQNQ.exe
File created | C:\windows\PTRHRG.exe | WerFault.exe
File created | C:\windows\system\WSIS.exe | CFXUY.exe
File created | C:\windows\system\LVZ.exe | WerFault.exe
File opened for modification | C:\windows\YVGFLPX.exe | NSDLXV.exe
File opened for modification | C:\windows\MCVRVS.exe | RBQ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
64 | 2472 | WerFault.exe | 84
4740 | 1296 | WerFault.exe | 90
216 | 4936 | WerFault.exe | 96
2560 | 3752 | WerFault.exe | 102
1768 | 4968 | WerFault.exe | 107
2340 | 2728 | WerFault.exe | 112
764 | 5104 | WerFault.exe | 117
3944 | 2248 | WerFault.exe | 122
4488 | 4464 | WerFault.exe | 127
1836 | 1920 | WerFault.exe | 132
1584 | 4100 | WerFault.exe | 139
4928 | 2548 | WerFault.exe | 144
2480 | 1664 | WerFault.exe | 151
2104 | 4644 | WerFault.exe | 156
4552 | 3052 | WerFault.exe | 162
1296 | 3440 | WerFault.exe | 167
5108 | 1408 | WerFault.exe | 172
1044 | 388 | WerFault.exe | 178
2908 | 3244 | WerFault.exe | 183
4768 | 1772 | WerFault.exe | 188
2104 | 2336 | WerFault.exe | 193
3400 | 1520 | WerFault.exe | 199
1880 | 2116 | WerFault.exe | 205
4080 | 1768 | WerFault.exe | 210
4116 | 2700 | WerFault.exe | 215
3832 | 3372 | WerFault.exe | 220
1280 | 2228 | WerFault.exe | 226
3900 | 2104 | WerFault.exe | 231
3860 | 3612 | WerFault.exe | 236
4776 | 1472 | WerFault.exe | 241
4080 | 452 | WerFault.exe | 246
2592 | 1768 | WerFault.exe | 251
3476 | 2096 | WerFault.exe | 256
2772 | 2252 | WerFault.exe | 261
1520 | 5036 | WerFault.exe | 266
1752 | 4900 | WerFault.exe | 271
4580 | 3460 | WerFault.exe | 276
3404 | 2744 | WerFault.exe | 281
2060 | 4116 | WerFault.exe | 286
228 | 1856 | WerFault.exe | 291
3468 | 4820 | WerFault.exe | 296
3736 | 1800 | WerFault.exe | 301
1432 | 2100 | WerFault.exe | 306
1572 | 64 | WerFault.exe | 311
1772 | 4752 | WerFault.exe | 316
4176 | 3328 | WerFault.exe | 321
4112 | 4772 | WerFault.exe | 326
1524 | 3232 | WerFault.exe | 331
2568 | 2472 | WerFault.exe | 336
2228 | 2728 | WerFault.exe | 341
3992 | 4968 | WerFault.exe | 346
3244 | 4196 | WerFault.exe | 351
3712 | 1660 | WerFault.exe | 356
3096 | 2468 | WerFault.exe | 361
3912 | 2696 | WerFault.exe | 366
3944 | 4528 | WerFault.exe | 371
5100 | 4860 | WerFault.exe | 376
4020 | 2056 | WerFault.exe | 381
364 | 4928 | WerFault.exe | 386
2816 | 2200 | WerFault.exe | 391
4484 | 3244 | WerFault.exe | 396
1856 | 3084 | WerFault.exe | 401
4820 | 216 | WerFault.exe | 406
4848 | 4080 | WerFault.exe | 411
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each row is listed twice in the report, 64 entries in total)
2472 | e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
1296 | NSDLXV.exe
4936 | YVGFLPX.exe
3752 | ADP.exe
4968 | FKMCDLG.exe
2728 | NQRJNK.exe
5104 | WDDQYI.exe
2248 | RBQ.exe
4464 | MCVRVS.exe
1920 | QKB.exe
4100 | PNGCRHP.exe
2548 | LTTG.exe
1664 | CORQL.exe
4644 | KBDF.exe
3052 | EXJET.exe
3440 | FANH.exe
1408 | HQSCOL.exe
388 | QJRIWB.exe
3244 | XBGQ.exe
1772 | TUQ.exe
2336 | LCE.exe
1520 | WerFault.exe
2116 | MOQE.exe
1768 | WerFault.exe
2700 | cmd.exe
3372 | ICIPW.exe
2228 | WerFault.exe
2104 | Conhost.exe
3612 | Conhost.exe
1472 | Conhost.exe
452 | SUEHTHK.exe
1768 | WerFault.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each row is listed twice in the report, 64 entries in total)
2472 | e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
1296 | NSDLXV.exe
4936 | YVGFLPX.exe
3752 | ADP.exe
4968 | FKMCDLG.exe
2728 | NQRJNK.exe
5104 | WDDQYI.exe
2248 | RBQ.exe
4464 | MCVRVS.exe
1920 | QKB.exe
4100 | PNGCRHP.exe
2548 | LTTG.exe
1664 | CORQL.exe
4644 | KBDF.exe
3052 | EXJET.exe
3440 | FANH.exe
1408 | HQSCOL.exe
388 | QJRIWB.exe
3244 | XBGQ.exe
1772 | TUQ.exe
2336 | LCE.exe
1520 | WerFault.exe
2116 | MOQE.exe
1768 | WerFault.exe
2700 | cmd.exe
3372 | ICIPW.exe
2228 | WerFault.exe
2104 | Conhost.exe
3612 | Conhost.exe
1472 | Conhost.exe
452 | SUEHTHK.exe
1768 | WerFault.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row is listed three times in the report except the last, which appears once; 64 entries in total)
PID 2472 wrote to memory of 4036 | 2472 | e8fd17e6d28f1406f23069fc57dcbccc_JC.exe | 86
PID 4036 wrote to memory of 1296 | 4036 | cmd.exe | 90
PID 1296 wrote to memory of 3328 | 1296 | NSDLXV.exe | 92
PID 3328 wrote to memory of 4936 | 3328 | cmd.exe | 96
PID 4936 wrote to memory of 3840 | 4936 | YVGFLPX.exe | 97
PID 3840 wrote to memory of 3752 | 3840 | cmd.exe | 102
PID 3752 wrote to memory of 2116 | 3752 | ADP.exe | 103
PID 2116 wrote to memory of 4968 | 2116 | cmd.exe | 107
PID 4968 wrote to memory of 2388 | 4968 | FKMCDLG.exe | 108
PID 2388 wrote to memory of 2728 | 2388 | cmd.exe | 112
PID 2728 wrote to memory of 1664 | 2728 | NQRJNK.exe | 113
PID 1664 wrote to memory of 5104 | 1664 | cmd.exe | 117
PID 5104 wrote to memory of 2908 | 5104 | WDDQYI.exe | 118
PID 2908 wrote to memory of 2248 | 2908 | cmd.exe | 122
PID 2248 wrote to memory of 1096 | 2248 | RBQ.exe | 123
PID 1096 wrote to memory of 4464 | 1096 | cmd.exe | 127
PID 4464 wrote to memory of 4664 | 4464 | MCVRVS.exe | 128
PID 4664 wrote to memory of 1920 | 4664 | cmd.exe | 132
PID 1920 wrote to memory of 3328 | 1920 | QKB.exe | 136
PID 3328 wrote to memory of 4100 | 3328 | cmd.exe | 139
PID 4100 wrote to memory of 4868 | 4100 | PNGCRHP.exe | 141
PID 4868 wrote to memory of 2548 | 4868 | cmd.exe | 144
Processes
(the number in brackets is the nesting depth of the process in the tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e8fd17e6d28f1406f23069fc57dcbccc_JC.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2472

[depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NSDLXV.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4036

[depth 3] C:\windows\SysWOW64\NSDLXV.exe
    Command line: C:\windows\system32\NSDLXV.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1296

[depth 4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YVGFLPX.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3328

[depth 5] C:\windows\YVGFLPX.exe
    Command line: C:\windows\YVGFLPX.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4936

[depth 6] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ADP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3840

[depth 7] C:\windows\ADP.exe
    Command line: C:\windows\ADP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3752

[depth 8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FKMCDLG.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2116

[depth 9] C:\windows\SysWOW64\FKMCDLG.exe
    Command line: C:\windows\system32\FKMCDLG.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4968

[depth 10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2388

[depth 11] C:\windows\system\NQRJNK.exe
    Command line: C:\windows\system\NQRJNK.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2728

[depth 12] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WDDQYI.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1664

[depth 13] C:\windows\WDDQYI.exe
    Command line: C:\windows\WDDQYI.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5104

[depth 14] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RBQ.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2908

[depth 15] C:\windows\system\RBQ.exe
    Command line: C:\windows\system\RBQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2248

[depth 16] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MCVRVS.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1096

[depth 17] C:\windows\MCVRVS.exe
    Command line: C:\windows\MCVRVS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4464

[depth 18] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QKB.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4664

[depth 19] C:\windows\SysWOW64\QKB.exe
    Command line: C:\windows\system32\QKB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1920

[depth 20] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3328

[depth 21] C:\windows\system\PNGCRHP.exe
    Command line: C:\windows\system\PNGCRHP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4100

[depth 22] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LTTG.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4868

[depth 23] C:\windows\LTTG.exe
    Command line: C:\windows\LTTG.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2548

[depth 24] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CORQL.exe.bat" "
    PID: 2368

[depth 25] C:\windows\SysWOW64\CORQL.exe
    Command line: C:\windows\system32\CORQL.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1664

[depth 26] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBDF.exe.bat" "
    PID: 4920

[depth 27] C:\windows\SysWOW64\KBDF.exe
    Command line: C:\windows\system32\KBDF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4644

[depth 28] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXJET.exe.bat" "
    PID: 5032

[depth 29] C:\windows\system\EXJET.exe
    Command line: C:\windows\system\EXJET.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3052

[depth 30] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FANH.exe.bat" "
    PID: 2060

[depth 31] C:\windows\FANH.exe
    Command line: C:\windows\FANH.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3440

[depth 32] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQSCOL.exe.bat" "
    PID: 4208

[depth 33] C:\windows\SysWOW64\HQSCOL.exe
    Command line: C:\windows\system32\HQSCOL.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1408

[depth 34] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "
    PID: 2316

[depth 35] C:\windows\system\QJRIWB.exe
    Command line: C:\windows\system\QJRIWB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 388

[depth 36] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XBGQ.exe.bat" "
    PID: 4652

[depth 37] C:\windows\XBGQ.exe
    Command line: C:\windows\XBGQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3244

[depth 38] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUQ.exe.bat" "
    PID: 1752

[depth 39] C:\windows\SysWOW64\TUQ.exe
    Command line: C:\windows\system32\TUQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1772

[depth 40] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCE.exe.bat" "
    PID: 3164

[depth 41] C:\windows\SysWOW64\LCE.exe
    Command line: C:\windows\system32\LCE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2336

[depth 42] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FIX.exe.bat" "
    PID: 312

[depth 43] C:\windows\FIX.exe
    Command line: C:\windows\FIX.exe
    PID: 1520

[depth 44] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOQE.exe.bat" "
    PID: 828

[depth 45] C:\windows\system\MOQE.exe
    Command line: C:\windows\system\MOQE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2116

[depth 46] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SZUBWNL.exe.bat" "
    PID: 2780

[depth 47] C:\windows\SysWOW64\SZUBWNL.exe
    Command line: C:\windows\system32\SZUBWNL.exe
    PID: 1768

[depth 48] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YUGU.exe.bat" "
    PID: 3840

[depth 49] C:\windows\YUGU.exe
    Command line: C:\windows\YUGU.exe
    PID: 2700

[depth 50] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ICIPW.exe.bat" "
    PID: 4020

[depth 51] C:\windows\ICIPW.exe
    Command line: C:\windows\ICIPW.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3372

[depth 52] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDRA.exe.bat" "
    PID: 3404

[depth 53] C:\windows\system\EDRA.exe
    Command line: C:\windows\system\EDRA.exe
    PID: 2228

[depth 54] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PTRHRG.exe.bat" "
    PID: 4036
-
C:\windows\PTRHRG.exeC:\windows\PTRHRG.exe55⤵PID:2104
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UHFO.exe.bat" "56⤵PID:2648
-
C:\windows\SysWOW64\UHFO.exeC:\windows\system32\UHFO.exe57⤵PID:3612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCD.exe.bat" "58⤵PID:4592
-
C:\windows\SysWOW64\OCD.exeC:\windows\system32\OCD.exe59⤵PID:1472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUEHTHK.exe.bat" "60⤵PID:3752
-
C:\windows\SysWOW64\SUEHTHK.exeC:\windows\system32\SUEHTHK.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UQK.exe.bat" "62⤵PID:2040
-
C:\windows\UQK.exeC:\windows\UQK.exe63⤵PID:1768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PYTU.exe.bat" "64⤵PID:3676
-
C:\windows\PYTU.exeC:\windows\PYTU.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTXN.exe.bat" "66⤵PID:4488
-
C:\windows\SysWOW64\DTXN.exeC:\windows\system32\DTXN.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HBQNQ.exe.bat" "68⤵PID:4788
-
C:\windows\HBQNQ.exeC:\windows\HBQNQ.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\APXLVC.exe.bat" "70⤵PID:4840
-
C:\windows\APXLVC.exeC:\windows\APXLVC.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "72⤵PID:828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2104
-
-
C:\windows\GKIMJY.exeC:\windows\GKIMJY.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CVRDY.exe.bat" "74⤵PID:2576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3612
-
-
C:\windows\system\CVRDY.exeC:\windows\system\CVRDY.exe75⤵PID:2744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JLSCWXP.exe.bat" "76⤵PID:1872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1472
-
-
C:\windows\system\JLSCWXP.exeC:\windows\system\JLSCWXP.exe77⤵PID:4116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWHKO.exe.bat" "78⤵PID:2468
-
C:\windows\SysWOW64\QWHKO.exeC:\windows\system32\QWHKO.exe79⤵PID:1856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEVHB.exe.bat" "80⤵PID:4744
-
C:\windows\SysWOW64\HEVHB.exeC:\windows\system32\HEVHB.exe81⤵PID:4820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHVJ.exe.bat" "82⤵PID:1724
-
C:\windows\SysWOW64\SHVJ.exeC:\windows\system32\SHVJ.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAC.exe.bat" "84⤵PID:4220
-
C:\windows\SysWOW64\LAC.exeC:\windows\system32\LAC.exe85⤵PID:2100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FQZYIW.exe.bat" "86⤵PID:2756
-
C:\windows\system\FQZYIW.exeC:\windows\system\FQZYIW.exe87⤵PID:64
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IDJZT.exe.bat" "88⤵PID:3984
-
C:\windows\SysWOW64\IDJZT.exeC:\windows\system32\IDJZT.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FESCFL.exe.bat" "90⤵PID:3368
-
C:\windows\FESCFL.exeC:\windows\FESCFL.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2700 -
C:\windows\VENOOXQ.exeC:\windows\VENOOXQ.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QPEMCAL.exe.bat" "94⤵PID:216
-
C:\windows\SysWOW64\QPEMCAL.exeC:\windows\system32\QPEMCAL.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JSII.exe.bat" "96⤵PID:4300
-
C:\windows\SysWOW64\JSII.exeC:\windows\system32\JSII.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HOHH.exe.bat" "98⤵PID:1388
-
C:\windows\SysWOW64\HOHH.exeC:\windows\system32\HOHH.exe99⤵PID:2728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PBTO.exe.bat" "100⤵PID:3856
-
C:\windows\PBTO.exeC:\windows\PBTO.exe101⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GBOAWZV.exe.bat" "102⤵PID:764
-
C:\windows\GBOAWZV.exeC:\windows\GBOAWZV.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MXATCW.exe.bat" "104⤵PID:3252
-
C:\windows\system\MXATCW.exeC:\windows\system\MXATCW.exe105⤵PID:1660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSSB.exe.bat" "106⤵PID:312
-
C:\windows\SysWOW64\ZSSB.exeC:\windows\system32\ZSSB.exe107⤵PID:2468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QAHG.exe.bat" "108⤵PID:5016
-
C:\windows\QAHG.exeC:\windows\QAHG.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTJHP.exe.bat" "110⤵PID:2768
-
C:\windows\SysWOW64\UTJHP.exeC:\windows\system32\UTJHP.exe111⤵PID:4528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBLUBX.exe.bat" "112⤵PID:2940
-
C:\windows\SysWOW64\DBLUBX.exeC:\windows\system32\DBLUBX.exe113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZRHI.exe.bat" "114⤵PID:2020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:3752
-
-
C:\windows\SysWOW64\NZRHI.exeC:\windows\system32\NZRHI.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CFXUY.exe.bat" "116⤵PID:3972
-
C:\windows\CFXUY.exeC:\windows\CFXUY.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WSIS.exe.bat" "118⤵PID:2976
-
C:\windows\system\WSIS.exeC:\windows\system\WSIS.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBKXP.exe.bat" "120⤵PID:548
-
C:\windows\SysWOW64\FBKXP.exeC:\windows\system32\FBKXP.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NGXEA.exe.bat" "122⤵PID:3052