Analysis
- max time kernel: 134s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/10/2023, 12:59
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
- Size: 208KB
- MD5: 2b93ff0cad11881f1790a5d962226244
- SHA1: 4c982a0596fb0ce6c5c687f1cc7ab5da6999b497
- SHA256: fdf1a01b76905fe49e32fb17783e5e8b55c31dc50cb13c7e8ea3be7b1dd9f74b
- SHA512: bf854e6b32dd19f7e17fa62d51e6ddcfb5d4e698e068473d36e67a1e0f3a3ccd279bcb41e3bc5fca20eecb44deb504efa9bd8b1f85115bde9d21eddfe212d2a0
- SSDEEP: 3072:cnFrUMaGaDz14gq8GbwZhjvuVZsqEkeiS7SFnvGdUq1pilVu34NLthEjQT6j:cn6Mda2RbwnjWVZ1Y7pp1pil2QEj1
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code (the GeoID stored under Control Panel\International\Geo\Nation) configured in the registry, likely a geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation
Process (64 rows, all querying the same value):
HNDYFMS.exe, KEHUT.exe, KRZNH.exe, BNMNUXI.exe, XYHPO.exe, CZIDV.exe, IOKHGMK.exe, DCYSF.exe, CQWLB.exe, FPHETP.exe, MKQVTRB.exe, HMXNDP.exe, WCUJDP.exe, OCKJ.exe, LFIBKMR.exe, LQB.exe,
FUQ.exe, UGP.exe, RLOAH.exe, ZQDF.exe, VWK.exe, LBVNW.exe, ZJBAXX.exe, DFXYT.exe, VSS.exe, KAQIGS.exe, LHVZTI.exe, LZB.exe, VMHDWT.exe, MKZ.exe, RVJYIY.exe, TXIVN.exe,
VLAWJNH.exe, YDBSXXL.exe, UBKT.exe, UXAQMI.exe, RUFVXDA.exe, QYOLNQQ.exe, XTQWE.exe, KAAHH.exe, DZO.exe, CEXPY.exe, MIOZF.exe, NOMWHC.exe, BIMDSUL.exe, CHTUH.exe, IYKEWI.exe, GVXYGC.exe,
AJEELE.exe, MZHFTTA.exe, OYVMJ.exe, VFRCOKA.exe, RPZTNPA.exe, HXMD.exe, PJYLL.exe, XWZAML.exe, OWCW.exe, KNSM.exe, NYLVFJE.exe, IQMZ.exe, DIQHXDI.exe, IZEJ.exe, YBLT.exe, CMQYQM.exe
Executes dropped EXE (64 IoCs)
pid Process
2256 MIOZF.exe | 4496 UGP.exe | 1520 EEPBL.exe | 1472 JEQD.exe
3920 QURDWBV.exe | 1620 LFIBKMR.exe | 4372 IYKEWI.exe | 2832 XBTI.exe
4016 LZB.exe | 1064 RUFVXDA.exe | 4528 MAZZI.exe | 2908 NDPNWJF.exe
3944 GVXYGC.exe | 2064 AJEELE.exe | 2532 IOIKVK.exe | 1108 EUBZ.exe
1076 MHNG.exe | 968 ECLYW.exe | 2744 VLAWJNH.exe | 848 BGLXPJ.exe
4464 JLQDZI.exe | 1188 MZHFTTA.exe | 1784 WWVZ.exe | 5096 VPX.exe
4156 ZSICS.exe | 4412 ETSF.exe | 2828 AYCUM.exe | 4540 VMHDWT.exe
3940 TWKTF.exe | 4380 NPZEOA.exe | 2536 AVZQ.exe | 3484 UNPBINO.exe
2376 QOQ.exe | 5104 LBVNW.exe | 1952 NOMWHC.exe | 2828 MZX.exe
3416 AFKQBNZ.exe | 1008 QYOLNQQ.exe | 2964 YDBSXXL.exe | 1888 UJLHOS.exe
1804 KZMZ.exe | 3284 SMZ.exe | 2348 FPHETP.exe | 3488 WYJ.exe
1472 RLOAH.exe | 972 ALQ.exe | 1116 ZJBAXX.exe | 1696 FEBJCAK.exe
2364 SHRAQLF.exe | 892 BPT.exe | 848 XABEIT.exe | 4672 FGGKTR.exe
3584 NLTZDQ.exe | 3612 PJYLL.exe | 2128 XWZAML.exe | 3812 RKD.exe
1560 QVGZFRI.exe | 4472 DFXYT.exe | 3204 HNDYFMS.exe | 3960 XDEXE.exe
768 QWUIW.exe | 2480 RUBRYTF.exe | 2140 WerFault.exe | 4260 GDDKS.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\JLQDZI.exe | BGLXPJ.exe
File created | C:\windows\SysWOW64\PJYLL.exe.bat | NLTZDQ.exe
File created | C:\windows\SysWOW64\MKQVTRB.exe | CJOQQM.exe
File created | C:\windows\SysWOW64\CMQYQM.exe.bat | UZLRFN.exe
File opened for modification | C:\windows\SysWOW64\XBTI.exe | IYKEWI.exe
File created | C:\windows\SysWOW64\HYAGHEY.exe | ZSN.exe
File created | C:\windows\SysWOW64\HYAGHEY.exe.bat | ZSN.exe
File created | C:\windows\SysWOW64\QVGZFRI.exe | RKD.exe
File created | C:\windows\SysWOW64\HPJWJP.exe.bat | LFB.exe
File created | C:\windows\SysWOW64\EXTVTQ.exe.bat | OCKJ.exe
File created | C:\windows\SysWOW64\UNPBINO.exe.bat | AVZQ.exe
File created | C:\windows\SysWOW64\MVYVG.exe.bat | MSUZAIL.exe
File opened for modification | C:\windows\SysWOW64\RUFVXDA.exe | LZB.exe
File opened for modification | C:\windows\SysWOW64\HPJWJP.exe | LFB.exe
File created | C:\windows\SysWOW64\KZMZ.exe.bat | UJLHOS.exe
File created | C:\windows\SysWOW64\NYLVFJE.exe | DIQHXDI.exe
File created | C:\windows\SysWOW64\BNMNUXI.exe.bat | RPZTNPA.exe
File created | C:\windows\SysWOW64\URWS.exe | FBV.exe
File opened for modification | C:\windows\SysWOW64\CQWLB.exe | EXTVTQ.exe
File created | C:\windows\SysWOW64\RUFVXDA.exe | LZB.exe
File opened for modification | C:\windows\SysWOW64\WYJ.exe | FPHETP.exe
File opened for modification | C:\windows\SysWOW64\XPCYP.exe | FUQ.exe
File created | C:\windows\SysWOW64\CQWLB.exe | EXTVTQ.exe
File opened for modification | C:\windows\SysWOW64\HXMD.exe | QPK.exe
File created | C:\windows\SysWOW64\TXIVN.exe | LJDPC.exe
File created | C:\windows\SysWOW64\ALQ.exe.bat | RLOAH.exe
File opened for modification | C:\windows\SysWOW64\ZJBAXX.exe | ALQ.exe
File opened for modification | C:\windows\SysWOW64\DIQHXDI.exe | YFFBOQN.exe
File opened for modification | C:\windows\SysWOW64\URWS.exe | FBV.exe
File opened for modification | C:\windows\SysWOW64\NECAXTS.exe | URWS.exe
File opened for modification | C:\windows\SysWOW64\EXTVTQ.exe | OCKJ.exe
File created | C:\windows\SysWOW64\ZJBAXX.exe.bat | ALQ.exe
File created | C:\windows\SysWOW64\FGGKTR.exe | XABEIT.exe
File opened for modification | C:\windows\SysWOW64\MSUZAIL.exe | TXIVN.exe
File created | C:\windows\SysWOW64\NFHODSF.exe.bat | DHUC.exe
File created | C:\windows\SysWOW64\AVZQ.exe | NPZEOA.exe
File opened for modification | C:\windows\SysWOW64\UNPBINO.exe | AVZQ.exe
File opened for modification | C:\windows\SysWOW64\ALQ.exe | RLOAH.exe
File created | C:\windows\SysWOW64\YINGWY.exe.bat | BIMDSUL.exe
File created | C:\windows\SysWOW64\DIQHXDI.exe.bat | YFFBOQN.exe
File created | C:\windows\SysWOW64\CDSI.exe | HBCJLA.exe
File created | C:\windows\SysWOW64\RUFVXDA.exe.bat | LZB.exe
File created | C:\windows\SysWOW64\ALQ.exe | RLOAH.exe
File created | C:\windows\SysWOW64\PJYLL.exe | NLTZDQ.exe
File opened for modification | C:\windows\SysWOW64\MKZ.exe | LHVZTI.exe
File created | C:\windows\SysWOW64\VWK.exe | cmd.exe
File created | C:\windows\SysWOW64\VMHDWT.exe.bat | AYCUM.exe
File created | C:\windows\SysWOW64\MKQVTRB.exe.bat | CJOQQM.exe
File opened for modification | C:\windows\SysWOW64\PWWQG.exe | KAQIGS.exe
File created | C:\windows\SysWOW64\JLQDZI.exe.bat | BGLXPJ.exe
File opened for modification | C:\windows\SysWOW64\MKQVTRB.exe | CJOQQM.exe
File created | C:\windows\SysWOW64\FUQ.exe.bat | VWK.exe
File created | C:\windows\SysWOW64\BNMNUXI.exe | RPZTNPA.exe
File opened for modification | C:\windows\SysWOW64\EUBZ.exe | IOIKVK.exe
File opened for modification | C:\windows\SysWOW64\UJLHOS.exe | YDBSXXL.exe
File created | C:\windows\SysWOW64\CJOQQM.exe | IOKHGMK.exe
File created | C:\windows\SysWOW64\RPZTNPA.exe | WCUJDP.exe
File created | C:\windows\SysWOW64\ACCJO.exe.bat | CRRTFR.exe
File created | C:\windows\SysWOW64\JEQD.exe | EEPBL.exe
File opened for modification | C:\windows\SysWOW64\JEQD.exe | EEPBL.exe
File created | C:\windows\SysWOW64\WYJ.exe | FPHETP.exe
File created | C:\windows\SysWOW64\FUQ.exe | VWK.exe
File created | C:\windows\SysWOW64\URWS.exe.bat | FBV.exe
File opened for modification | C:\windows\SysWOW64\JLQDZI.exe | BGLXPJ.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\MHNG.exe | EUBZ.exe
File opened for modification | C:\windows\system\NPZEOA.exe | TWKTF.exe
File created | C:\windows\UTGFWWM.exe | OYVMJ.exe
File created | C:\windows\system\ECLYW.exe | MHNG.exe
File created | C:\windows\XDEXE.exe.bat | HNDYFMS.exe
File opened for modification | C:\windows\AQITDSF.exe | GDDKS.exe
File created | C:\windows\LBVNW.exe.bat | QOQ.exe
File created | C:\windows\CHTUH.exe | KZM.exe
File created | C:\windows\system\TFQHJT.exe.bat | MKZ.exe
File created | C:\windows\BPT.exe.bat | SHRAQLF.exe
File created | C:\windows\system\HNDYFMS.exe | DFXYT.exe
File created | C:\windows\URCNNX.exe | JYVCVE.exe
File opened for modification | C:\windows\system\LFB.exe | DZO.exe
File created | C:\windows\UGP.exe.bat | MIOZF.exe
File created | C:\windows\BGLXPJ.exe.bat | VLAWJNH.exe
File created | C:\windows\VPX.exe | WWVZ.exe
File opened for modification | C:\windows\LBVNW.exe | QOQ.exe
File opened for modification | C:\windows\system\UBKT.exe | HYAGHEY.exe
File created | C:\windows\system\FBV.exe | RQN.exe
File created | C:\windows\CZBTEKF.exe.bat | CEXPY.exe
File created | C:\windows\HIDEQYB.exe | MVYVG.exe
File created | C:\windows\LFIBKMR.exe.bat | QURDWBV.exe
File opened for modification | C:\windows\system\HWIW.exe | KEHUT.exe
File created | C:\windows\YFFBOQN.exe | DZTPD.exe
File opened for modification | C:\windows\CZBTEKF.exe | CEXPY.exe
File opened for modification | C:\windows\XDEXE.exe | HNDYFMS.exe
File opened for modification | C:\windows\CHTUH.exe | KZM.exe
File created | C:\windows\system\OWFWYMN.exe.bat | NYLVFJE.exe
File created | C:\windows\system\HBCJLA.exe | KAAHH.exe
File created | C:\windows\IYKEWI.exe | LFIBKMR.exe
File created | C:\windows\MAZZI.exe.bat | RUFVXDA.exe
File created | C:\windows\NOMWHC.exe | LBVNW.exe
File created | C:\windows\QYOLNQQ.exe | MVQQ.exe
File created | C:\windows\system\NGEABL.exe | EXCVXFY.exe
File created | C:\windows\HIDEQYB.exe.bat | MVYVG.exe
File opened for modification | C:\windows\AYCUM.exe | ETSF.exe
File created | C:\windows\ZQDF.exe | HMXNDP.exe
File created | C:\windows\ZQDF.exe.bat | HMXNDP.exe
File created | C:\windows\system\UZLRFN.exe.bat | BEHW.exe
File created | C:\windows\system\KRZNH.exe | UDIONH.exe
File created | C:\windows\EEPBL.exe | UGP.exe
File opened for modification | C:\windows\IYKEWI.exe | LFIBKMR.exe
File created | C:\windows\NLTZDQ.exe | FGGKTR.exe
File created | C:\windows\CHTUH.exe.bat | KZM.exe
File opened for modification | C:\windows\system\BEHW.exe | HIDEQYB.exe
File created | C:\windows\system\YDBSXXL.exe | QYOLNQQ.exe
File created | C:\windows\FPHETP.exe.bat | SMZ.exe
File created | C:\windows\WCUJDP.exe | HMTK.exe
File opened for modification | C:\windows\WCUJDP.exe | HMTK.exe
File created | C:\windows\system\UDIONH.exe.bat | ZQDF.exe
File created | C:\windows\system\VCFPJA.exe.bat | CZBTEKF.exe
File opened for modification | C:\windows\system\CRRTFR.exe | YBLT.exe
File created | C:\windows\system\UXAQMI.exe | CZIDV.exe
File created | C:\windows\system\MZHFTTA.exe | JLQDZI.exe
File created | C:\windows\system\QWUIW.exe | XDEXE.exe
File created | C:\windows\URCNNX.exe.bat | JYVCVE.exe
File opened for modification | C:\windows\system\UDIONH.exe | ZQDF.exe
File created | C:\windows\DHUC.exe | CMQYQM.exe
File created | C:\windows\system\GVXYGC.exe | NDPNWJF.exe
File opened for modification | C:\windows\system\MZX.exe | NOMWHC.exe
File created | C:\windows\system\IOIKVK.exe | AJEELE.exe
File opened for modification | C:\windows\OWCW.exe | OTYSJ.exe
File created | C:\windows\system\OCKJ.exe | NECAXTS.exe
File created | C:\windows\system\CRRTFR.exe | YBLT.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
1028 | 1396 | WerFault.exe | 83
2076 | 2256 | WerFault.exe | 91
4272 | 4496 | WerFault.exe | 97
1932 | 1520 | WerFault.exe | 102
2036 | 1472 | WerFault.exe | 107
2456 | 3920 | WerFault.exe | 112
1856 | 1620 | WerFault.exe | 117
3404 | 4372 | WerFault.exe | 122
496 | 2832 | WerFault.exe | 127
2196 | 4016 | WerFault.exe | 132
4312 | 1064 | WerFault.exe | 137
2564 | 4528 | WerFault.exe | 142
3264 | 2908 | WerFault.exe | 147
5056 | 3944 | WerFault.exe | 152
1588 | 2064 | WerFault.exe | 157
4168 | 2532 | WerFault.exe | 162
1028 | 1108 | WerFault.exe | 167
3588 | 1076 | WerFault.exe | 172
4280 | 968 | WerFault.exe | 177
2068 | 2744 | WerFault.exe | 182
4452 | 848 | WerFault.exe | 187
3988 | 4464 | WerFault.exe | 192
3984 | 1188 | WerFault.exe | 197
4780 | 1784 | WerFault.exe | 202
3332 | 5096 | WerFault.exe | 207
2076 | 4156 | WerFault.exe | 212
2176 | 4412 | WerFault.exe | 217
4268 | 2828 | WerFault.exe | 222
2100 | 4540 | WerFault.exe | 227
4528 | 3940 | WerFault.exe | 232
3324 | 4380 | WerFault.exe | 237
1856 | 2536 | WerFault.exe | 242
3952 | 3484 | WerFault.exe | 247
3628 | 2376 | WerFault.exe | 254
572 | 5104 | WerFault.exe | 259
892 | 1952 | WerFault.exe | 264
3428 | 2828 | WerFault.exe | 269
1420 | 3416 | WerFault.exe | 274
3728 | 2480 | WerFault.exe | 279
3824 | 1008 | WerFault.exe | 284
2192 | 2964 | WerFault.exe | 289
4136 | 1888 | WerFault.exe | 294
1756 | 1804 | WerFault.exe | 300
2580 | 3284 | WerFault.exe | 305
4272 | 2348 | WerFault.exe | 310
2372 | 3488 | WerFault.exe | 315
4696 | 1472 | WerFault.exe | 320
1396 | 972 | WerFault.exe | 325
704 | 1116 | WerFault.exe | 330
4496 | 1696 | WerFault.exe | 335
1676 | 2364 | WerFault.exe | 340
2100 | 892 | WerFault.exe | 345
4540 | 848 | WerFault.exe | 350
3096 | 4672 | WerFault.exe | 355
4692 | 3584 | WerFault.exe | 360
1008 | 3612 | WerFault.exe | 365
4136 | 2128 | WerFault.exe | 369
1604 | 3812 | WerFault.exe | 375
3356 | 1560 | WerFault.exe | 380
3920 | 4472 | WerFault.exe | 385
4436 | 3204 | WerFault.exe | 390
820 | 3960 | WerFault.exe | 395
3876 | 768 | WerFault.exe | 400
1904 | 2480 | WerFault.exe | 405
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (each process is reported twice; listed once here)
1396 NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
2256 MIOZF.exe | 4496 UGP.exe | 1520 EEPBL.exe | 1472 JEQD.exe
3920 QURDWBV.exe | 1620 LFIBKMR.exe | 4372 IYKEWI.exe | 2832 XBTI.exe
4016 LZB.exe | 1064 RUFVXDA.exe | 4528 MAZZI.exe | 2908 NDPNWJF.exe
3944 GVXYGC.exe | 2064 AJEELE.exe | 2532 IOIKVK.exe | 1108 EUBZ.exe
1076 MHNG.exe | 968 ECLYW.exe | 2744 VLAWJNH.exe | 848 BGLXPJ.exe
4464 JLQDZI.exe | 1188 MZHFTTA.exe | 1784 WWVZ.exe | 5096 VPX.exe
4156 ZSICS.exe | 4412 ETSF.exe | 2828 AYCUM.exe | 4540 VMHDWT.exe
3940 TWKTF.exe | 4380 NPZEOA.exe | 2536 AVZQ.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process (each process is reported twice; listed once here)
1396 NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
2256 MIOZF.exe | 4496 UGP.exe | 1520 EEPBL.exe | 1472 JEQD.exe
3920 QURDWBV.exe | 1620 LFIBKMR.exe | 4372 IYKEWI.exe | 2832 XBTI.exe
4016 LZB.exe | 1064 RUFVXDA.exe | 4528 MAZZI.exe | 2908 NDPNWJF.exe
3944 GVXYGC.exe | 2064 AJEELE.exe | 2532 IOIKVK.exe | 1108 EUBZ.exe
1076 MHNG.exe | 968 ECLYW.exe | 2744 VLAWJNH.exe | 848 BGLXPJ.exe
4464 JLQDZI.exe | 1188 MZHFTTA.exe | 1784 WWVZ.exe | 5096 VPX.exe
4156 ZSICS.exe | 4412 ETSF.exe | 2828 AYCUM.exe | 4540 VMHDWT.exe
3940 TWKTF.exe | 4380 NPZEOA.exe | 2536 AVZQ.exe
Suspicious use of WriteProcessMemory (64 IoCs)
pid -> target pid | Process | procid_target (each pair is reported three times; listed once here)
1396 -> 2128 | NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe | 87
2128 -> 2256 | cmd.exe | 91
2256 -> 3628 | MIOZF.exe | 93
3628 -> 4496 | cmd.exe | 97
4496 -> 4680 | UGP.exe | 98
4680 -> 1520 | cmd.exe | 102
1520 -> 4528 | EEPBL.exe | 103
4528 -> 1472 | cmd.exe | 107
1472 -> 2908 | JEQD.exe | 108
2908 -> 3920 | cmd.exe | 112
3920 -> 3356 | QURDWBV.exe | 113
3356 -> 1620 | cmd.exe | 117
1620 -> 2180 | LFIBKMR.exe | 118
2180 -> 4372 | cmd.exe | 122
4372 -> 4200 | IYKEWI.exe | 123
4200 -> 2832 | cmd.exe | 127
2832 -> 5104 | XBTI.exe | 128
5104 -> 4016 | cmd.exe | 132
4016 -> 3048 | LZB.exe | 133
3048 -> 1064 | cmd.exe | 137
1064 -> 984 | RUFVXDA.exe | 138
984 -> 4528 | cmd.exe | 142 (reported once; the table is cut off at 64 rows)
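The WriteProcessMemory, geofence, drop and crash tables above are flattened one-line dumps of what is really a linear chain: each stage's WriteProcessMemory target is a cmd.exe running a companion .bat, which starts the next stage. The following Python is an added triage example, not part of the sandbox report or its tooling. It parses short verbatim excerpts of those tables (constructed below from the rows shown above), rebuilds the chain, and annotates every non-cmd.exe stage with whether it ran the Geo\Nation check, which process dropped its exe and .bat, and whether WerFault later targeted its PID. The regexes, the stage-record fields and the function names are my own; the report itself defines none of them.

```python
"""Triage helpers for the flattened tables of a .bat-launched dropper chain.

Added example, not part of the sandbox report. The constructed strings below
are verbatim excerpts of the report's tables in the one-line form the page
uses; the functions rebuild the stage chain from the WriteProcessMemory rows
and annotate each stage with its geofence check, drop rows and crash.
"""
import re

# Constructed excerpts. The report caps every table at 64 rows, so some
# stages have no drop row here; the code must tolerate those gaps.
WPM_ROWS = (
    "PID 1396 wrote to memory of 2128 1396 NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe 87 "
    "PID 1396 wrote to memory of 2128 1396 NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe 87 "
    "PID 2128 wrote to memory of 2256 2128 cmd.exe 91 "
    "PID 2256 wrote to memory of 3628 2256 MIOZF.exe 93 "
    "PID 3628 wrote to memory of 4496 3628 cmd.exe 97 "
    "PID 4496 wrote to memory of 4680 4496 UGP.exe 98 "
    "PID 4680 wrote to memory of 1520 4680 cmd.exe 102 "
    "PID 1520 wrote to memory of 4528 1520 EEPBL.exe 103"
)
DROPPED_EXE_ROWS = "2256 MIOZF.exe 4496 UGP.exe 1520 EEPBL.exe 1472 JEQD.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000"
           r"\Control Panel\International\Geo\Nation")
GEO_ROWS = " ".join(f"Key value queried {GEO_KEY} {p}"
                    for p in ("MIOZF.exe", "UGP.exe", "LFIBKMR.exe"))
DROP_ROWS = (
    r"File created C:\windows\UGP.exe.bat MIOZF.exe "
    r"File created C:\windows\EEPBL.exe UGP.exe "
    r"File created C:\windows\SysWOW64\JEQD.exe EEPBL.exe "
    r"File opened for modification C:\windows\SysWOW64\JEQD.exe EEPBL.exe"
)
CRASH_ROWS = ("1028 1396 WerFault.exe 83 2076 2256 WerFault.exe 91 "
              "4272 4496 WerFault.exe 97 1932 1520 WerFault.exe 102")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PID_NAME_RE = re.compile(r"(\d+) (\S+\.exe)")
GEO_RE = re.compile(r"Key value queried (.+?) (\S+\.exe)(?= Key value queried|$)")
DROP_RE = re.compile(r"File (created|opened for modification) (\S+) (\S+\.exe)")
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe (\d+)")


def parse_wpm_edges(text):
    """Unique (parent_pid, child_pid, parent_image) edges in report order;
    the report repeats each pair, so consecutive repeats are collapsed."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if not edges or edges[-1] != edge:
            edges.append(edge)
    return edges


def parse_pid_names(text):
    return {int(pid): name for pid, name in PID_NAME_RE.findall(text)}


def parse_geo_processes(text):
    """Processes that read the Geo\\Nation value (the geofence check)."""
    return {proc for _key, proc in GEO_RE.findall(text)}


def parse_drops(text):
    """Dropped basename -> (path, dropping process), 'File created' rows only."""
    drops = {}
    for action, path, proc in DROP_RE.findall(text):
        if action == "created":
            drops.setdefault(path.rsplit("\\", 1)[-1], (path, proc))
    return drops


def parse_crash_targets(text):
    return {int(target) for _pid, target, _procid in CRASH_RE.findall(text)}


def reconstruct_chain(edges, pid_names):
    """Follow the edges as one linear chain and return [(pid, image), ...].
    Each edge's parent must be the previous child; on a mismatch the walk
    stops instead of joining unrelated processes, because the sandbox reuses
    PIDs later in this report (4528 and 2908 each appear twice)."""
    chain = []
    for parent, child, parent_name in edges:
        if not chain:
            chain.append([parent, parent_name])
        elif chain[-1][0] == parent:
            chain[-1][1] = parent_name  # the previous child, now named
        else:
            break
        chain.append([child, pid_names.get(child, "?")])
    return [tuple(node) for node in chain]


def stage_report(chain, geo_procs, drops, crashed):
    """One record per non-cmd.exe stage in the chain."""
    rows = []
    for pid, name in chain:
        if name in ("cmd.exe", "?"):
            continue
        exe, bat = drops.get(name), drops.get(name + ".bat")
        rows.append({"pid": pid, "stage": name,
                     "geofence_check": name in geo_procs,
                     "exe_dropped_by": exe[1] if exe else None,
                     "bat_dropped_by": bat[1] if bat else None,
                     "crashed": pid in crashed})
    return rows


def triage():
    chain = reconstruct_chain(parse_wpm_edges(WPM_ROWS), parse_pid_names(DROPPED_EXE_ROWS))
    return stage_report(chain, parse_geo_processes(GEO_ROWS), parse_drops(DROP_ROWS),
                        parse_crash_targets(CRASH_ROWS))


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Two details matter when running this over the full report rather than the excerpt: the sandbox reuses PIDs (4528 is first a cmd.exe and later MAZZI.exe, 2908 first cmd.exe and later NDPNWJF.exe), so the chain is walked in report order and stops on a parent mismatch rather than being keyed by PID; and every table is cut off at 64 rows, so a stage with no drop row is a gap in the report, not evidence that the stage was not dropped. The crash table shows the original sample (PID 1396) and every dropped stage in the excerpt crashing after it has spawned the next stage.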
Processes
Each entry is a child of the entry above it; the bracketed number is the nesting depth in the tree.

[1] PID 1396  C:\Users\Admin\AppData\Local\Temp\NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2b93ff0cad11881f1790a5d962226244_JC.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] PID 2128  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MIOZF.exe.bat" "
    - Suspicious use of WriteProcessMemory
[3] PID 2256  C:\windows\system\MIOZF.exe
    command line: C:\windows\system\MIOZF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] PID 3628  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UGP.exe.bat" "
    - Suspicious use of WriteProcessMemory
[5] PID 4496  C:\windows\UGP.exe
    command line: C:\windows\UGP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] PID 4680  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EEPBL.exe.bat" "
    - Suspicious use of WriteProcessMemory
[7] PID 1520  C:\windows\EEPBL.exe
    command line: C:\windows\EEPBL.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] PID 4528  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEQD.exe.bat" "
    - Suspicious use of WriteProcessMemory
[9] PID 1472  C:\windows\SysWOW64\JEQD.exe
    command line: C:\windows\system32\JEQD.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] PID 2908  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QURDWBV.exe.bat" "
    - Suspicious use of WriteProcessMemory
[11] PID 3920  C:\windows\system\QURDWBV.exe
    command line: C:\windows\system\QURDWBV.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[12] PID 3356  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LFIBKMR.exe.bat" "
    - Suspicious use of WriteProcessMemory
[13] PID 1620  C:\windows\LFIBKMR.exe
    command line: C:\windows\LFIBKMR.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[14] PID 2180  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IYKEWI.exe.bat" "
    - Suspicious use of WriteProcessMemory
[15] PID 4372  C:\windows\IYKEWI.exe
    command line: C:\windows\IYKEWI.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[16] PID 4200  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBTI.exe.bat" "
    - Suspicious use of WriteProcessMemory
[17] PID 2832  C:\windows\SysWOW64\XBTI.exe
    command line: C:\windows\system32\XBTI.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[18] PID 5104  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "
    - Suspicious use of WriteProcessMemory
[19] PID 4016  C:\windows\SysWOW64\LZB.exe
    command line: C:\windows\system32\LZB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[20] PID 3048  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RUFVXDA.exe.bat" "
    - Suspicious use of WriteProcessMemory
[21] PID 1064  C:\windows\SysWOW64\RUFVXDA.exe
    command line: C:\windows\system32\RUFVXDA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[22] PID 984  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MAZZI.exe.bat" "
    - Suspicious use of WriteProcessMemory
[23] PID 4528  C:\windows\MAZZI.exe
    command line: C:\windows\MAZZI.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[24] PID 4888  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
[25] PID 2908  C:\windows\system\NDPNWJF.exe
    command line: C:\windows\system\NDPNWJF.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[26] PID 1096  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "
[27] PID 3944  C:\windows\system\GVXYGC.exe
    command line: C:\windows\system\GVXYGC.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[28] PID 3416  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AJEELE.exe.bat" "
[29] PID 2064  C:\windows\AJEELE.exe
    command line: C:\windows\AJEELE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[30] PID 3584  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOIKVK.exe.bat" "
[31] PID 2532  C:\windows\system\IOIKVK.exe
    command line: C:\windows\system\IOIKVK.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[32] PID 820  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUBZ.exe.bat" "
[33] PID 1108  C:\windows\SysWOW64\EUBZ.exe
    command line: C:\windows\system32\EUBZ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[34] PID 3444  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MHNG.exe.bat" "
[35] PID 1076  C:\windows\MHNG.exe
    command line: C:\windows\MHNG.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[36] PID 2736  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ECLYW.exe.bat" "
[37] PID 968  C:\windows\system\ECLYW.exe
    command line: C:\windows\system\ECLYW.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[38] PID 3632  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VLAWJNH.exe.bat" "
[39] PID 2744  C:\windows\VLAWJNH.exe
    command line: C:\windows\VLAWJNH.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[40] PID 4540  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BGLXPJ.exe.bat" "
[41] PID 848  C:\windows\BGLXPJ.exe
    command line: C:\windows\BGLXPJ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[42] PID 1124  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLQDZI.exe.bat" "
[43] PID 4464  C:\windows\SysWOW64\JLQDZI.exe
    command line: C:\wind
ows\system32\JLQDZI.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[44] PID 3012  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MZHFTTA.exe.bat" "
[45] PID 1188  C:\windows\system\MZHFTTA.exe
    command line: C:\windows\system\MZHFTTA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[46] PID 980  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WWVZ.exe.bat" "
[47] PID 1784  C:\windows\WWVZ.exe
    command line: C:\windows\WWVZ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[48] PID 1144  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VPX.exe.bat" "
[49] PID 5096  C:\windows\VPX.exe
    command line: C:\windows\VPX.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[50] PID 4984  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSICS.exe.bat" "
-
C:\windows\system\ZSICS.exeC:\windows\system\ZSICS.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ETSF.exe.bat" "52⤵PID:4548
-
C:\windows\system\ETSF.exeC:\windows\system\ETSF.exe53⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AYCUM.exe.bat" "54⤵PID:5068
-
C:\windows\AYCUM.exeC:\windows\AYCUM.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "56⤵PID:1476
-
C:\windows\SysWOW64\VMHDWT.exeC:\windows\system32\VMHDWT.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TWKTF.exe.bat" "58⤵PID:1880
-
C:\windows\system\TWKTF.exeC:\windows\system\TWKTF.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NPZEOA.exe.bat" "60⤵PID:1824
-
C:\windows\system\NPZEOA.exeC:\windows\system\NPZEOA.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVZQ.exe.bat" "62⤵PID:3736
-
C:\windows\SysWOW64\AVZQ.exeC:\windows\system32\AVZQ.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UNPBINO.exe.bat" "64⤵PID:4172
-
C:\windows\SysWOW64\UNPBINO.exeC:\windows\system32\UNPBINO.exe65⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QOQ.exe.bat" "66⤵PID:3340
-
C:\windows\QOQ.exeC:\windows\QOQ.exe67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LBVNW.exe.bat" "68⤵PID:1104
-
C:\windows\LBVNW.exeC:\windows\LBVNW.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NOMWHC.exe.bat" "70⤵PID:2804
-
C:\windows\NOMWHC.exeC:\windows\NOMWHC.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MZX.exe.bat" "72⤵PID:3172
-
C:\windows\system\MZX.exeC:\windows\system\MZX.exe73⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AFKQBNZ.exe.bat" "74⤵PID:1464
-
C:\windows\system\AFKQBNZ.exeC:\windows\system\AFKQBNZ.exe75⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MVQQ.exe.bat" "76⤵PID:4936
-
C:\windows\MVQQ.exeC:\windows\MVQQ.exe77⤵
- Drops file in Windows directory
PID:2480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QYOLNQQ.exe.bat" "78⤵PID:4100
-
C:\windows\QYOLNQQ.exeC:\windows\QYOLNQQ.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YDBSXXL.exe.bat" "80⤵PID:4172
-
C:\windows\system\YDBSXXL.exeC:\windows\system\YDBSXXL.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJLHOS.exe.bat" "82⤵PID:2208
-
C:\windows\SysWOW64\UJLHOS.exeC:\windows\system32\UJLHOS.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZMZ.exe.bat" "84⤵PID:1076
-
C:\windows\SysWOW64\KZMZ.exeC:\windows\system32\KZMZ.exe85⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SMZ.exe.bat" "86⤵PID:4688
-
C:\windows\SMZ.exeC:\windows\SMZ.exe87⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FPHETP.exe.bat" "88⤵PID:4844
-
C:\windows\FPHETP.exeC:\windows\FPHETP.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYJ.exe.bat" "90⤵PID:4716
-
C:\windows\SysWOW64\WYJ.exeC:\windows\system32\WYJ.exe91⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RLOAH.exe.bat" "92⤵PID:552
-
C:\windows\system\RLOAH.exeC:\windows\system\RLOAH.exe93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALQ.exe.bat" "94⤵PID:716
-
C:\windows\SysWOW64\ALQ.exeC:\windows\system32\ALQ.exe95⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJBAXX.exe.bat" "96⤵PID:5060
-
C:\windows\SysWOW64\ZJBAXX.exeC:\windows\system32\ZJBAXX.exe97⤵
- Checks computer location settings
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FEBJCAK.exe.bat" "98⤵PID:2280
-
C:\windows\system\FEBJCAK.exeC:\windows\system\FEBJCAK.exe99⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SHRAQLF.exe.bat" "100⤵PID:4748
-
C:\windows\SHRAQLF.exeC:\windows\SHRAQLF.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "102⤵PID:660
-
C:\windows\BPT.exeC:\windows\BPT.exe103⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XABEIT.exe.bat" "104⤵PID:4168
-
C:\windows\XABEIT.exeC:\windows\XABEIT.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGGKTR.exe.bat" "106⤵PID:2036
-
C:\windows\SysWOW64\FGGKTR.exeC:\windows\system32\FGGKTR.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NLTZDQ.exe.bat" "108⤵PID:828
-
C:\windows\NLTZDQ.exeC:\windows\NLTZDQ.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PJYLL.exe.bat" "110⤵PID:3388
-
C:\windows\SysWOW64\PJYLL.exeC:\windows\system32\PJYLL.exe111⤵
- Checks computer location settings
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XWZAML.exe.bat" "112⤵PID:5060
-
C:\windows\XWZAML.exeC:\windows\XWZAML.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RKD.exe.bat" "114⤵PID:4200
-
C:\windows\RKD.exeC:\windows\RKD.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QVGZFRI.exe.bat" "116⤵PID:4688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:4748
-
-
C:\windows\SysWOW64\QVGZFRI.exeC:\windows\system32\QVGZFRI.exe117⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DFXYT.exe.bat" "118⤵PID:4504
-
C:\windows\DFXYT.exeC:\windows\DFXYT.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HNDYFMS.exe.bat" "120⤵PID:4836
-
C:\windows\system\HNDYFMS.exeC:\windows\system\HNDYFMS.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XDEXE.exe.bat" "122⤵PID:3964