Analysis
max time kernel: 105s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2023 19:34

Static task: static1

Behavioral task: behavioral1
Sample: NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
Resource: win10v2004-20230915-en

General
Target: NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
Size: 289KB
MD5: b0b6edb20b72acd92b63d8fe04d56cab
SHA1: af933fcbaa1e7f5a87f122214f3e589bea1907b0
SHA256: 475baa415b5eb059891d87c2f807c046dd64190404b624519028aac70763029e
SHA512: 20c6f802266808a30e6e6271dc4daf84c0e09705d7d47a840a2f8ffc8314330dbdbb4625b62d0555a44068b0fa5f69b5901bfa3a4396c7cfadc65b9a40d76282
SSDEEP: 3072:JihgCYCxVOuzCyk5mvQBohjiBGwOzI96cQkP3K4pLthECQT68VMJLaQljVvzUpz:JzbCxV5tvQ2hjiBGL1kECzJLaQVbU5
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe (PID 2960)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 1564)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BKBBNY.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 3: C:\windows\BKBBNY.exe (PID 544)
Command line: C:\windows\BKBBNY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\cmd.exe (PID 2776)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NIUU.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 5: C:\windows\NIUU.exe (PID 4648)
Command line: C:\windows\NIUU.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\cmd.exe (PID 1628)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QDMWN.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 7: C:\windows\QDMWN.exe (PID 4680)
Command line: C:\windows\QDMWN.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\cmd.exe (PID 4308)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KBNOC.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 9: C:\windows\KBNOC.exe (PID 4024)
Command line: C:\windows\KBNOC.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\cmd.exe (PID 1276)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UXPYQJ.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 11: C:\windows\UXPYQJ.exe (PID 1872)
Command line: C:\windows\UXPYQJ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\cmd.exe (PID 3236)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DVNRK.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 13: C:\windows\DVNRK.exe (PID 432)
Command line: C:\windows\DVNRK.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\cmd.exe (PID 4456)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XISJVYC.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 15: C:\windows\system\XISJVYC.exe (PID 4760)
Command line: C:\windows\system\XISJVYC.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 16: C:\Windows\SysWOW64\cmd.exe (PID 5028)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDSRE.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 17: C:\windows\SysWOW64\LDSRE.exe (PID 4460)
Command line: C:\windows\system32\LDSRE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 18: C:\Windows\SysWOW64\cmd.exe (PID 3644)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MBYDMQT.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 19: C:\windows\MBYDMQT.exe (PID 2180)
Command line: C:\windows\MBYDMQT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 20: C:\Windows\SysWOW64\cmd.exe (PID 2720)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCINYM.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 21: C:\windows\SysWOW64\RCINYM.exe (PID 4668)
Command line: C:\windows\system32\RCINYM.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 22: C:\Windows\SysWOW64\cmd.exe (PID 4128)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUPYHN.exe.bat" "
- Suspicious use of WriteProcessMemory

Depth 23: C:\windows\SysWOW64\DUPYHN.exe (PID 1232)
Command line: C:\windows\system32\DUPYHN.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 24: C:\Windows\SysWOW64\cmd.exe (PID 4876)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "

Depth 25: C:\windows\SysWOW64\GNG.exe (PID 4952)
Command line: C:\windows\system32\GNG.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 26: C:\Windows\SysWOW64\cmd.exe (PID 2348)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ILTCE.exe.bat" "

Depth 27: C:\windows\ILTCE.exe (PID 1112)
Command line: C:\windows\ILTCE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 28: C:\Windows\SysWOW64\cmd.exe (PID 2528)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NQDRVI.exe.bat" "

Depth 29: C:\windows\NQDRVI.exe (PID 1140)
Command line: C:\windows\NQDRVI.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 30: C:\Windows\SysWOW64\cmd.exe (PID 4680)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VEQYFO.exe.bat" "

Depth 31: C:\windows\SysWOW64\VEQYFO.exe (PID 4460)
Command line: C:\windows\system32\VEQYFO.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 32: C:\Windows\SysWOW64\cmd.exe (PID 4344)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IUMSM.exe.bat" "

Depth 33: C:\windows\SysWOW64\IUMSM.exe (PID 1716)
Command line: C:\windows\system32\IUMSM.exe

Depth 34: C:\Windows\SysWOW64\cmd.exe (PID 4980)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GUU.exe.bat" "

Depth 35: C:\windows\SysWOW64\GUU.exe (PID 2952)
Command line: C:\windows\system32\GUU.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 36: C:\Windows\SysWOW64\cmd.exe (PID 1196)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YFEGH.exe.bat" "

Depth 37: C:\windows\YFEGH.exe (PID 3656)
Command line: C:\windows\YFEGH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 38: C:\Windows\SysWOW64\cmd.exe (PID 224)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVZVP.exe.bat" "

Depth 39: C:\windows\SysWOW64\BVZVP.exe (PID 2268)
Command line: C:\windows\system32\BVZVP.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 40: C:\Windows\SysWOW64\cmd.exe (PID 3788)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UOGGH.exe.bat" "

Depth 41: C:\windows\SysWOW64\UOGGH.exe (PID 4384)
Command line: C:\windows\system32\UOGGH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 42: C:\Windows\SysWOW64\cmd.exe (PID 4512)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CEH.exe.bat" "

Depth 43: C:\windows\CEH.exe (PID 1564)
Command line: C:\windows\CEH.exe

Depth 44: C:\Windows\SysWOW64\cmd.exe (PID 3692)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GJZMVNL.exe.bat" "

Depth 45: C:\windows\system\GJZMVNL.exe (PID 2360)
Command line: C:\windows\system\GJZMVNL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 46: C:\Windows\SysWOW64\cmd.exe (PID 2108)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AXTK.exe.bat" "

Depth 47: C:\windows\system\AXTK.exe (PID 1716)
Command line: C:\windows\system\AXTK.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Depth 48: C:\Windows\SysWOW64\cmd.exe (PID 4604)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NVTWL.exe.bat" "

Depth 49: C:\windows\system\NVTWL.exe
Command line: C:\windows\system\NVTWL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVW.exe.bat" "50⤵PID:456
-
C:\windows\SysWOW64\RVW.exeC:\windows\system32\RVW.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KODQ.exe.bat" "52⤵PID:3080
-
C:\windows\system\KODQ.exeC:\windows\system\KODQ.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JRKI.exe.bat" "54⤵PID:2500
-
C:\windows\system\JRKI.exeC:\windows\system\JRKI.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZRILH.exe.bat" "56⤵PID:2580
-
C:\windows\SysWOW64\NZRILH.exeC:\windows\system32\NZRILH.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DDQ.exe.bat" "58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\windows\DDQ.exeC:\windows\DDQ.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLWHLX.exe.bat" "60⤵PID:2132
-
C:\windows\SysWOW64\PLWHLX.exeC:\windows\system32\PLWHLX.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBYCXYC.exe.bat" "62⤵PID:1520
-
C:\windows\SysWOW64\RBYCXYC.exeC:\windows\system32\RBYCXYC.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRFNJS.exe.bat" "64⤵PID:3408
-
C:\windows\SysWOW64\HRFNJS.exeC:\windows\system32\HRFNJS.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXYBYMN.exe.bat" "66⤵PID:2500
-
C:\windows\SysWOW64\OXYBYMN.exeC:\windows\system32\OXYBYMN.exe67⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCE.exe.bat" "68⤵PID:4440
-
C:\windows\SysWOW64\LCE.exeC:\windows\system32\LCE.exe69⤵PID:2092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QNAVSJE.exe.bat" "70⤵PID:2936
-
C:\windows\SysWOW64\QNAVSJE.exeC:\windows\system32\QNAVSJE.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDBMZ.exe.bat" "72⤵PID:432
-
C:\windows\SysWOW64\GDBMZ.exeC:\windows\system32\GDBMZ.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DELO.exe.bat" "74⤵PID:456
-
C:\windows\system\DELO.exeC:\windows\system\DELO.exe75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BOAXVAZ.exe.bat" "76⤵PID:2380
-
C:\windows\SysWOW64\BOAXVAZ.exeC:\windows\system32\BOAXVAZ.exe77⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PKYQKI.exe.bat" "78⤵PID:4792
-
C:\windows\PKYQKI.exeC:\windows\PKYQKI.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BVJ.exe.bat" "80⤵PID:3244
-
C:\windows\system\BVJ.exeC:\windows\system\BVJ.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSJPUY.exe.bat" "82⤵PID:1568
-
C:\windows\SysWOW64\PSJPUY.exeC:\windows\system32\PSJPUY.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HLFGQMV.exe.bat" "84⤵PID:820
-
C:\windows\HLFGQMV.exeC:\windows\HLFGQMV.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJSY.exe.bat" "86⤵PID:5116
-
C:\windows\SysWOW64\FJSY.exeC:\windows\system32\FJSY.exe87⤵
- Checks computer location settings
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OJUDB.exe.bat" "88⤵PID:2528
-
C:\windows\system\OJUDB.exeC:\windows\system\OJUDB.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FSIIOQ.exe.bat" "90⤵PID:4132
-
C:\windows\FSIIOQ.exeC:\windows\FSIIOQ.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GNME.exe.bat" "92⤵PID:2756
-
C:\windows\system\GNME.exeC:\windows\system\GNME.exe93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVHQKSU.exe.bat" "94⤵PID:3236
-
C:\windows\SysWOW64\WVHQKSU.exeC:\windows\system32\WVHQKSU.exe95⤵PID:4944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HOKJSZK.exe.bat" "96⤵PID:2840
-
C:\windows\system\HOKJSZK.exeC:\windows\system\HOKJSZK.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CUYUID.exe.bat" "98⤵PID:3384
-
C:\windows\system\CUYUID.exeC:\windows\system\CUYUID.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HUMO.exe.bat" "100⤵PID:4752
-
C:\windows\HUMO.exeC:\windows\HUMO.exe101⤵
- Checks computer location settings
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSYSOY.exe.bat" "102⤵PID:3824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:2380
-
-
C:\windows\SysWOW64\CSYSOY.exeC:\windows\system32\CSYSOY.exe103⤵PID:2732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\INXBLTG.exe.bat" "104⤵PID:3164
-
C:\windows\SysWOW64\INXBLTG.exeC:\windows\system32\INXBLTG.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UYVGDZC.exe.bat" "106⤵PID:3216
-
C:\windows\SysWOW64\UYVGDZC.exeC:\windows\system32\UYVGDZC.exe107⤵PID:1716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RREJHV.exe.bat" "108⤵PID:4668
-
C:\windows\system\RREJHV.exeC:\windows\system\RREJHV.exe109⤵PID:3096
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IZTG.exe.bat" "110⤵PID:4128
-
C:\windows\system\IZTG.exeC:\windows\system\IZTG.exe111⤵PID:3512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MESKO.exe.bat" "112⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4944 -
C:\windows\MESKO.exeC:\windows\MESKO.exe113⤵PID:2720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HCEOZAL.exe.bat" "114⤵PID:752
-
C:\windows\system\HCEOZAL.exeC:\windows\system\HCEOZAL.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYD.exe.bat" "116⤵PID:1924
-
C:\windows\SysWOW64\FYD.exeC:\windows\system32\FYD.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BIMNRO.exe.bat" "118⤵PID:4240
-
C:\windows\SysWOW64\BIMNRO.exeC:\windows\system32\BIMNRO.exe119⤵PID:2348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JOYUUM.exe.bat" "120⤵PID:4892
-
C:\windows\system\JOYUUM.exeC:\windows\system\JOYUUM.exe121⤵PID:2240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GZQRHOO.exe.bat" "122⤵PID:2544