Analysis
max time kernel: 118s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 17:34
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
  Resource: win10v2004-20231020-en

General
Target: NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
Size: 320KB
MD5: 92d897a59fd5a79754d7121d65c50099
SHA1: 85c9a32c9d1958e25a6d5195d807000c4bec6a0d
SHA256: 0eec89ad2ef4d762139ae49842ff362be0d79cf66d55318154e6fbd416186197
SHA512: 808fd7f0cab2e1893e0226a9bd571dd274d852947c6829a7c251a3e5751d9d9b13a7b125d04bbf2c48af41c8462e5c5b82587a8344f95d1eeb9b0e00f7e9bf75
SSDEEP: 6144:RhYSJ/mlM4KY11lZE5Bp5+aWekEjWbjcSbcY+CA:Rtz4X1HkBp5DWekFbzs
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation under the user's hive), which is most likely a geofence check. The sandbox observes this through API monitoring; a registry value read of this kind is not recorded by Sysmon, which logs key and value creation, modification, deletion and renames but not reads, so hunting for it on endpoints requires EDR or other API-level telemetry.
description | ioc | Process
All 64 rows have the description "Key value queried" and the same ioc, \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation. The querying processes, in the report's order (cmd.exe appears twice), are:
ALWYW.exe, UZHOKXF.exe, OWSFTU.exe, ARZ.exe, HNCJNK.exe, YHTUW.exe, XQTS.exe, SKYIZKU.exe, GCCVY.exe, NPINLTZ.exe, QIRT.exe, LFONCL.exe, GPYLNDB.exe, YRZTZ.exe, DHBKRKE.exe, DMGSKR.exe, NABVGBR.exe, PFERYSN.exe, IOLCBK.exe, QYNN.exe, LRPLW.exe, BST.exe, NXQKNN.exe, HKFSRRF.exe, SUACAQP.exe, TVU.exe, SJMDQSY.exe, YCLWCEF.exe, ERAFV.exe, VSFTBR.exe, EOLBN.exe, FBBUF.exe, SXP.exe, VAITP.exe, CREA.exe, AVUI.exe, SHBGSO.exe, UOS.exe, MNXRNH.exe, IIH.exe, DOKJ.exe, TIMN.exe, CDSI.exe, ARW.exe, RPVGS.exe, UKASNER.exe, AIDON.exe, ZXR.exe, CSVFLZY.exe, VUD.exe, DHV.exe, MBTTNFQ.exe, UKFAH.exe, DGD.exe, PFOSBD.exe, KLMKL.exe, IOMEZAZ.exe, ESPGD.exe, SLLP.exe, RLUWEEO.exe, KECW.exe, cmd.exe, cmd.exe, HPB.exe
Executes dropped EXE (64 IoCs)
pid | Process
1816 | SLLP.exe
404 | DOKJ.exe
860 | ERAFV.exe
3856 | UKFAH.exe
5064 | TVU.exe
3020 | VAITP.exe
2792 | SBSW.exe
3448 | RMHELLR.exe
1264 | ESPGD.exe
3560 | SXP.exe
3088 | HNCJNK.exe
2052 | RLUWEEO.exe
396 | DHBKRKE.exe
464 | CREA.exe
4328 | UKASNER.exe
3020 | VIUBHIA.exe
4508 | DGD.exe
376 | THYVFD.exe
4232 | GCCVY.exe
1804 | AIDON.exe
4592 | ALWYW.exe
676 | UZHOKXF.exe
3452 | RPVGS.exe
3120 | VSFTBR.exe
2012 | BLJIP.exe
4996 | AGG.exe
1340 | SJMDQSY.exe
5060 | IOLCBK.exe
1632 | ZXR.exe
3796 | cmd.exe
3008 | ROKXHV.exe
1000 | QYNN.exe
1668 | cmd.exe
4412 | PFOSBD.exe
3528 | TIMN.exe
3524 | QYBEWK.exe
4868 | KECW.exe
864 | OWSFTU.exe
776 | NPINLTZ.exe
2536 | AVUI.exe
1912 | VIZZOU.exe
5040 | LRPLW.exe
2840 | ARZ.exe
4508 | PFERYSN.exe
3860 | UIPF.exe
860 | Conhost.exe
4956 | EOLBN.exe
3088 | YHTUW.exe
4876 | cmd.exe
3512 | LAF.exe
4568 | DBHI.exe
5008 | Conhost.exe
4872 | YJYPG.exe
4360 | BST.exe
1792 | cmd.exe
3084 | YGIDTL.exe
1688 | WJHC.exe
3188 | SHBGSO.exe
3636 | HPB.exe
4312 | WerFault.exe
3496 | cmd.exe
1848 | QBJX.exe
3472 | QRGVXK.exe
4868 | NXQKNN.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\AGG.exe.bat | BLJIP.exe
File opened for modification | C:\windows\SysWOW64\TKRCGYC.exe | SHBGSO.exe
File created | C:\windows\SysWOW64\NXQKNN.exe | QRGVXK.exe
File created | C:\windows\SysWOW64\KLMKL.exe.bat | ZSXZ.exe
File created | C:\windows\SysWOW64\CSVFLZY.exe | Conhost.exe
File created | C:\windows\SysWOW64\SUACAQP.exe | ARW.exe
File created | C:\windows\SysWOW64\XQTS.exe.bat | CFGAEO.exe
File opened for modification | C:\windows\SysWOW64\FBBUF.exe | XQTS.exe
File created | C:\windows\SysWOW64\CREA.exe | DHBKRKE.exe
File opened for modification | C:\windows\SysWOW64\IOLCBK.exe | SJMDQSY.exe
File created | C:\windows\SysWOW64\TKRCGYC.exe | SHBGSO.exe
File created | C:\windows\SysWOW64\YGIDTL.exe.bat | cmd.exe
File opened for modification | C:\windows\SysWOW64\CREA.exe | DHBKRKE.exe
File created | C:\windows\SysWOW64\LAF.exe.bat | cmd.exe
File created | C:\windows\SysWOW64\BST.exe.bat | YJYPG.exe
File created | C:\windows\SysWOW64\HPB.exe | VEYCQHZ.exe
File opened for modification | C:\windows\SysWOW64\MBTTNFQ.exe | IOMEZAZ.exe
File opened for modification | C:\windows\SysWOW64\AGG.exe | BLJIP.exe
File created | C:\windows\SysWOW64\TKRCGYC.exe.bat | SHBGSO.exe
File opened for modification | C:\windows\SysWOW64\APAGK.exe | UOS.exe
File created | C:\windows\SysWOW64\AGG.exe | BLJIP.exe
File created | C:\windows\SysWOW64\LAF.exe | cmd.exe
File opened for modification | C:\windows\SysWOW64\CSVFLZY.exe | Conhost.exe
File created | C:\windows\SysWOW64\CDSI.exe.bat | CFKB.exe
File created | C:\windows\SysWOW64\FBBUF.exe | XQTS.exe
File created | C:\windows\SysWOW64\SLLP.exe.bat | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
File created | C:\windows\SysWOW64\VAITP.exe | TVU.exe
File created | C:\windows\SysWOW64\UKASNER.exe.bat | CREA.exe
File created | C:\windows\SysWOW64\HPB.exe.bat | VEYCQHZ.exe
File opened for modification | C:\windows\SysWOW64\VIUBHIA.exe | UKASNER.exe
File created | C:\windows\SysWOW64\FHJYUUP.exe | QYNN.exe
File opened for modification | C:\windows\SysWOW64\VEYCQHZ.exe | WerFault.exe
File created | C:\windows\SysWOW64\IOLCBK.exe.bat | SJMDQSY.exe
File opened for modification | C:\windows\SysWOW64\AKGCB.exe | DMGSKR.exe
File opened for modification | C:\windows\SysWOW64\HPB.exe | VEYCQHZ.exe
File created | C:\windows\SysWOW64\LFONCL.exe | HKH.exe
File opened for modification | C:\windows\SysWOW64\VAITP.exe | TVU.exe
File created | C:\windows\SysWOW64\UKASNER.exe | CREA.exe
File created | C:\windows\SysWOW64\VIUBHIA.exe.bat | UKASNER.exe
File created | C:\windows\SysWOW64\IOLCBK.exe | SJMDQSY.exe
File created | C:\windows\SysWOW64\BST.exe | YJYPG.exe
File created | C:\windows\SysWOW64\AKGCB.exe | DMGSKR.exe
File opened for modification | C:\windows\SysWOW64\LAF.exe | cmd.exe
File created | C:\windows\SysWOW64\AKGCB.exe.bat | DMGSKR.exe
File opened for modification | C:\windows\SysWOW64\LFONCL.exe | HKH.exe
File created | C:\windows\SysWOW64\SUACAQP.exe.bat | ARW.exe
File opened for modification | C:\windows\SysWOW64\XQTS.exe | CFGAEO.exe
File created | C:\windows\SysWOW64\SLLP.exe | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
File opened for modification | C:\windows\SysWOW64\SLLP.exe | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
File created | C:\windows\SysWOW64\VAITP.exe.bat | TVU.exe
File opened for modification | C:\windows\SysWOW64\CDSI.exe | CFKB.exe
File opened for modification | C:\windows\SysWOW64\OLMJWUE.exe | LFONCL.exe
File created | C:\windows\SysWOW64\FBBUF.exe.bat | XQTS.exe
File opened for modification | C:\windows\SysWOW64\UKFAH.exe | ERAFV.exe
File opened for modification | C:\windows\SysWOW64\YIDHCMZ.exe | UIPF.exe
File created | C:\windows\SysWOW64\NXQKNN.exe.bat | QRGVXK.exe
File created | C:\windows\SysWOW64\YIDHCMZ.exe.bat | UIPF.exe
File opened for modification | C:\windows\SysWOW64\YJYPG.exe | Conhost.exe
File opened for modification | C:\windows\SysWOW64\YGIDTL.exe | cmd.exe
File created | C:\windows\SysWOW64\KLMKL.exe | ZSXZ.exe
File created | C:\windows\SysWOW64\VEYCQHZ.exe | WerFault.exe
File created | C:\windows\SysWOW64\CREA.exe.bat | DHBKRKE.exe
File opened for modification | C:\windows\SysWOW64\UKASNER.exe | CREA.exe
File created | C:\windows\SysWOW64\YIDHCMZ.exe | UIPF.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\system\RLUWEEO.exe | HNCJNK.exe
File opened for modification | C:\windows\TIMN.exe | PFOSBD.exe
File opened for modification | C:\windows\system\IOMEZAZ.exe | YQGKR.exe
File created | C:\windows\SXP.exe | ESPGD.exe
File created | C:\windows\system\VSFTBR.exe.bat | RPVGS.exe
File created | C:\windows\ROKXHV.exe.bat | cmd.exe
File opened for modification | C:\windows\system\LRPLW.exe | VIZZOU.exe
File created | C:\windows\IIH.exe | GPYLNDB.exe
File created | C:\windows\system\UZHOKXF.exe | ALWYW.exe
File created | C:\windows\system\LRPLW.exe.bat | VIZZOU.exe
File created | C:\windows\system\GPYLNDB.exe.bat | YCLWCEF.exe
File opened for modification | C:\windows\system\THYVFD.exe | DGD.exe
File opened for modification | C:\windows\system\DGBWB.exe | CSVFLZY.exe
File opened for modification | C:\windows\HNCJNK.exe | SXP.exe
File opened for modification | C:\windows\GCCVY.exe | THYVFD.exe
File created | C:\windows\system\KECW.exe.bat | QYBEWK.exe
File opened for modification | C:\windows\system\NPINLTZ.exe | OWSFTU.exe
File created | C:\windows\WSDC.exe.bat | YHTUW.exe
File opened for modification | C:\windows\CDKIVO.exe | MNXRNH.exe
File opened for modification | C:\windows\system\CFKB.exe | HKFSRRF.exe
File created | C:\windows\system\YCLWCEF.exe | VUD.exe
File created | C:\windows\system\ARW.exe.bat | IIH.exe
File created | C:\windows\MDL.exe | BST.exe
File created | C:\windows\WJHC.exe.bat | YGIDTL.exe
File created | C:\windows\IIH.exe.bat | GPYLNDB.exe
File created | C:\windows\system\DHV.exe.bat | SUACAQP.exe
File created | C:\windows\system\RLUWEEO.exe.bat | HNCJNK.exe
File created | C:\windows\HKH.exe.bat | BOV.exe
File created | C:\windows\AVUI.exe.bat | NPINLTZ.exe
File created | C:\windows\system\YEWJAW.exe | WerFault.exe
File created | C:\windows\system\LWFMSR.exe | FBBUF.exe
File opened for modification | C:\windows\system\DOKJ.exe | SLLP.exe
File created | C:\windows\UIPF.exe | PFERYSN.exe
File opened for modification | C:\windows\WSDC.exe | YHTUW.exe
File created | C:\windows\system\QRGVXK.exe | QBJX.exe
File created | C:\windows\RMHELLR.exe.bat | SBSW.exe
File created | C:\windows\system\QYBEWK.exe | TIMN.exe
File opened for modification | C:\windows\system\ASDJV.exe | YRZTZ.exe
File created | C:\windows\GCCVY.exe.bat | THYVFD.exe
File created | C:\windows\system\ARZ.exe.bat | LRPLW.exe
File created | C:\windows\system\QVBZLZ.exe.bat | HPB.exe
File opened for modification | C:\windows\ALWYW.exe | AIDON.exe
File opened for modification | C:\windows\system\RPVGS.exe | UZHOKXF.exe
File opened for modification | C:\windows\system\VSFTBR.exe | RPVGS.exe
File opened for modification | C:\windows\system\SHBGSO.exe | WJHC.exe
File opened for modification | C:\windows\IIH.exe | GPYLNDB.exe
File created | C:\windows\system\SKYIZKU.exe.bat | NABVGBR.exe
File created | C:\windows\system\YRZTZ.exe.bat | MBTTNFQ.exe
File opened for modification | C:\windows\system\TVU.exe | UKFAH.exe
File created | C:\windows\WJHC.exe | YGIDTL.exe
File opened for modification | C:\windows\DMGSKR.exe | CDKIVO.exe
File created | C:\windows\system\DHV.exe | SUACAQP.exe
File created | C:\windows\PFERYSN.exe | ARZ.exe
File created | C:\windows\system\DGBWB.exe.bat | CSVFLZY.exe
File created | C:\windows\AGDY.exe.bat | WerFault.exe
File opened for modification | C:\windows\BOV.exe | CDSI.exe
File opened for modification | C:\windows\system\ARW.exe | IIH.exe
File opened for modification | C:\windows\DGD.exe | VIUBHIA.exe
File created | C:\windows\system\VSFTBR.exe | RPVGS.exe
File opened for modification | C:\windows\system\KIUPZM.exe | WerFault.exe
File created | C:\windows\HNCJNK.exe | SXP.exe
File created | C:\windows\QYNN.exe.bat | ROKXHV.exe
File created | C:\windows\system\EOLBN.exe.bat | Conhost.exe
File created | C:\windows\MYO.exe.bat | DBHI.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
3492 | 3372 | WerFault.exe | 84
3040 | 1816 | WerFault.exe | 91
4496 | 404 | WerFault.exe | 97
4476 | 860 | WerFault.exe | 102
4932 | 3856 | WerFault.exe | 107
4272 | 5064 | WerFault.exe | 112
888 | 3020 | WerFault.exe | 117
4928 | 2792 | WerFault.exe | 122
2976 | 3448 | WerFault.exe | 127
1308 | 1264 | WerFault.exe | 132
3808 | 3560 | WerFault.exe | 137
4700 | 3088 | WerFault.exe | 142
4476 | 2052 | WerFault.exe | 147
3596 | 396 | WerFault.exe | 152
4464 | 464 | WerFault.exe | 157
3100 | 4328 | WerFault.exe | 162
3804 | 3020 | WerFault.exe | 167
876 | 4508 | WerFault.exe | 172
1788 | 376 | WerFault.exe | 177
4544 | 4232 | WerFault.exe | 182
2928 | 1804 | WerFault.exe | 187
2116 | 4592 | WerFault.exe | 192
2160 | 676 | WerFault.exe | 197
556 | 3452 | WerFault.exe | 202
3116 | 3120 | WerFault.exe | 207
3376 | 2012 | WerFault.exe | 212
972 | 4996 | WerFault.exe | 219
412 | 1340 | WerFault.exe | 224
4544 | 5060 | WerFault.exe | 229
1800 | 1632 | WerFault.exe | 234
1844 | 3796 | WerFault.exe | 239
1784 | 3008 | WerFault.exe | 244
4768 | 1000 | WerFault.exe | 249
2316 | 1668 | WerFault.exe | 254
4508 | 4412 | WerFault.exe | 259
4924 | 3528 | WerFault.exe | 264
2168 | 3524 | WerFault.exe | 269
2332 | 4868 | WerFault.exe | 274
1688 | 864 | WerFault.exe | 279
64 | 776 | WerFault.exe | 284
4572 | 2536 | WerFault.exe | 289
220 | 1912 | WerFault.exe | 294
2560 | 5040 | WerFault.exe | 300
5084 | 2840 | WerFault.exe | 305
4120 | 4508 | WerFault.exe | 310
2028 | 3860 | WerFault.exe | 315
2332 | 860 | WerFault.exe | 320
4364 | 4956 | WerFault.exe | 325
4604 | 3088 | WerFault.exe | 331
4572 | 4876 | WerFault.exe | 336
4320 | 3512 | WerFault.exe | 341
3832 | 4568 | WerFault.exe | 346
4376 | 5008 | WerFault.exe | 351
4596 | 4872 | WerFault.exe | 356
4140 | 4360 | WerFault.exe | 361
3444 | 1792 | WerFault.exe | 366
228 | 3084 | WerFault.exe | 371
3812 | 1688 | WerFault.exe | 376
2672 | 3188 | WerFault.exe | 381
4540 | 3636 | WerFault.exe | 386
2476 | 4312 | WerFault.exe | 391
4440 | 3496 | WerFault.exe | 396
440 | 1848 | WerFault.exe | 401
968 | 3472 | WerFault.exe | 406
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each row appears twice in the source table; listed once here)
3372 | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
1816 | SLLP.exe
404 | DOKJ.exe
860 | ERAFV.exe
3856 | UKFAH.exe
5064 | TVU.exe
3020 | VAITP.exe
2792 | SBSW.exe
3448 | RMHELLR.exe
1264 | ESPGD.exe
3560 | SXP.exe
3088 | HNCJNK.exe
2052 | RLUWEEO.exe
396 | DHBKRKE.exe
464 | CREA.exe
4328 | UKASNER.exe
3020 | VIUBHIA.exe
4508 | DGD.exe
376 | THYVFD.exe
4232 | GCCVY.exe
1804 | AIDON.exe
4592 | ALWYW.exe
676 | UZHOKXF.exe
3452 | RPVGS.exe
3120 | VSFTBR.exe
2012 | BLJIP.exe
4996 | AGG.exe
1340 | SJMDQSY.exe
5060 | IOLCBK.exe
1632 | ZXR.exe
3796 | cmd.exe
3008 | ROKXHV.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each row appears twice in the source table; listed once here)
3372 | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
1816 | SLLP.exe
404 | DOKJ.exe
860 | ERAFV.exe
3856 | UKFAH.exe
5064 | TVU.exe
3020 | VAITP.exe
2792 | SBSW.exe
3448 | RMHELLR.exe
1264 | ESPGD.exe
3560 | SXP.exe
3088 | HNCJNK.exe
2052 | RLUWEEO.exe
396 | DHBKRKE.exe
464 | CREA.exe
4328 | UKASNER.exe
3020 | VIUBHIA.exe
4508 | DGD.exe
376 | THYVFD.exe
4232 | GCCVY.exe
1804 | AIDON.exe
4592 | ALWYW.exe
676 | UZHOKXF.exe
3452 | RPVGS.exe
3120 | VSFTBR.exe
2012 | BLJIP.exe
4996 | AGG.exe
1340 | SJMDQSY.exe
5060 | IOLCBK.exe
1632 | ZXR.exe
3796 | cmd.exe
3008 | ROKXHV.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row appears three times in the source table except the last; listed once here)
PID 3372 wrote to memory of 2404 | 3372 | NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe | 87
PID 2404 wrote to memory of 1816 | 2404 | cmd.exe | 91
PID 1816 wrote to memory of 4788 | 1816 | SLLP.exe | 93
PID 4788 wrote to memory of 404 | 4788 | cmd.exe | 97
PID 404 wrote to memory of 1664 | 404 | DOKJ.exe | 98
PID 1664 wrote to memory of 860 | 1664 | cmd.exe | 102
PID 860 wrote to memory of 3528 | 860 | ERAFV.exe | 103
PID 3528 wrote to memory of 3856 | 3528 | cmd.exe | 107
PID 3856 wrote to memory of 408 | 3856 | UKFAH.exe | 108
PID 408 wrote to memory of 5064 | 408 | cmd.exe | 112
PID 5064 wrote to memory of 4560 | 5064 | TVU.exe | 113
PID 4560 wrote to memory of 3020 | 4560 | cmd.exe | 117
PID 3020 wrote to memory of 4836 | 3020 | VAITP.exe | 118
PID 4836 wrote to memory of 2792 | 4836 | cmd.exe | 122
PID 2792 wrote to memory of 1020 | 2792 | SBSW.exe | 123
PID 1020 wrote to memory of 3448 | 1020 | cmd.exe | 127
PID 3448 wrote to memory of 1000 | 3448 | RMHELLR.exe | 128
PID 1000 wrote to memory of 1264 | 1000 | cmd.exe | 132
PID 1264 wrote to memory of 3680 | 1264 | ESPGD.exe | 133
PID 3680 wrote to memory of 3560 | 3680 | cmd.exe | 137
PID 3560 wrote to memory of 4372 | 3560 | SXP.exe | 138
PID 4372 wrote to memory of 3088 | 4372 | cmd.exe | 142
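The signature tables above describe one mechanism: each stage writes the next stage as an X.exe and an X.exe.bat pair under C:\windows, C:\windows\system or C:\windows\SysWOW64, runs the .bat through cmd.exe /c, and the new X.exe repeats the cycle. Two details are worth noting when reading them. First, the command lines in the process tree below say C:\windows\system32\SLLP.exe.bat while the drop rows record C:\windows\SysWOW64\SLLP.exe.bat: the sample is 32-bit (arch:x86 tag), so WOW64 file system redirection maps its system32 writes to SysWOW64. Second, PIDs are reused within the run (3020 is VAITP.exe and later VIUBHIA.exe; 860 is ERAFV.exe and later Conhost.exe), so tables keyed only by PID must be read in order. The script below is an added example, not part of the sandbox report, and joins excerpts of the WriteProcessMemory, Executes dropped EXE, Program crash and Drops file tables (copied from this page and embedded inline) to reconstruct the chain, check that every stage is followed by a WerFault crash, and mark which parent-to-child hops the drop rows confirm. Function names and the 64-row cap interpretation are mine; the DOKJ.exe to ERAFV.exe hop is visible in the process tree but not in the capped drop tables, so the script reports it as unconfirmed rather than inventing a row.

```python
import re

# Excerpts copied from the report's tables above, embedded so this runs offline.
WPM_ROWS = """\
PID 3372 wrote to memory of 2404 3372 NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe 87
PID 2404 wrote to memory of 1816 2404 cmd.exe 91
PID 1816 wrote to memory of 4788 1816 SLLP.exe 93
PID 4788 wrote to memory of 404 4788 cmd.exe 97
PID 404 wrote to memory of 1664 404 DOKJ.exe 98
PID 1664 wrote to memory of 860 1664 cmd.exe 102
PID 860 wrote to memory of 3528 860 ERAFV.exe 103
PID 3528 wrote to memory of 3856 3528 cmd.exe 107
PID 3856 wrote to memory of 408 3856 UKFAH.exe 108
PID 408 wrote to memory of 5064 408 cmd.exe 112
"""
EXEC_ROWS = "1816 SLLP.exe\n404 DOKJ.exe\n860 ERAFV.exe\n3856 UKFAH.exe\n5064 TVU.exe\n"
CRASH_ROWS = """\
3492 3372 WerFault.exe 84
3040 1816 WerFault.exe 91
4496 404 WerFault.exe 97
4476 860 WerFault.exe 102
4932 3856 WerFault.exe 107
4272 5064 WerFault.exe 112
"""
DROP_ROWS = r"""File created C:\windows\SysWOW64\SLLP.exe.bat NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
File opened for modification C:\windows\system\DOKJ.exe SLLP.exe
File opened for modification C:\windows\SysWOW64\UKFAH.exe ERAFV.exe
File opened for modification C:\windows\system\TVU.exe UKFAH.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+)$")
DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")


def parse_wpm(text):
    """Source pid -> (source image, target pid); setdefault collapses the report's
    triplicated rows and keeps the first owner of a reused PID."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.setdefault(int(m[1]), (m[3], int(m[2])))
    return edges


def parse_pid_table(text):
    """'pid Process' rows -> {pid: image}; first occurrence wins on PID reuse."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            names.setdefault(int(parts[0]), parts[1])
    return names


def build_chain(wpm_text, exec_text, root=3372):
    """Walk WriteProcessMemory edges from the root, skipping the cmd.exe hops that
    only run the .bat; 'seen' stops the walk if a reused PID would form a cycle."""
    edges, names = parse_wpm(wpm_text), parse_pid_table(exec_text)
    chain, pid, seen = [], root, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        image = edges[pid][0] if pid in edges else names.get(pid, "?")
        if image.lower() != "cmd.exe":
            chain.append((pid, image))
        pid = edges[pid][1] if pid in edges else None
    return chain


def parse_crashes(text):
    """'pid pid_target Process procid_target' rows -> {crashed pid: WerFault pid}."""
    crashed = {}
    for line in text.splitlines():
        m = CRASH_RE.match(line.strip())
        if m and m[3] == "WerFault.exe":
            crashed.setdefault(int(m[2]), int(m[1]))
    return crashed


def uncrashed_stages(chain, crash_text):
    """Stage PIDs with no WerFault row aimed at them (empty for this sample)."""
    crashed = parse_crashes(crash_text)
    return [pid for pid, _ in chain if pid not in crashed]


def drop_edges(drop_text):
    """Dropper image -> set of stage names it wrote; X.exe.bat folds into X.exe."""
    edges = {}
    for line in drop_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            stage = re.sub(r"\.bat$", "", m[2].rsplit("\\", 1)[-1], flags=re.I)
            edges.setdefault(m[3], set()).add(stage)
    return edges


def confirm_hops(chain, drop_text):
    """(parent, child, confirmed) per consecutive pair; unconfirmed means the hop
    is missing from the 64-row excerpt, not that it did not happen."""
    edges = drop_edges(drop_text)
    return [(p, c, c in edges.get(p, set()))
            for (_, p), (_, c) in zip(chain, chain[1:])]


if __name__ == "__main__":
    chain = build_chain(WPM_ROWS, EXEC_ROWS)
    print(chain, uncrashed_stages(chain, CRASH_ROWS), confirm_hops(chain, DROP_ROWS), sep="\n")
```

Run against the full tables, the same join shows that every pid listed under Executes dropped EXE appears, in the same order, as a pid_target under Program crash: each stage spawns its successor through cmd.exe and then crashes, which is why the tree keeps growing while no stage lives long.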
Processes
Each entry is a child of the one above it; the number is its depth in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.92d897a59fd5a79754d7121d65c50099_JC.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3372

2. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SLLP.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2404

3. C:\windows\SysWOW64\SLLP.exe
   Command line: C:\windows\system32\SLLP.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1816

4. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DOKJ.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 4788

5. C:\windows\system\DOKJ.exe
   Command line: C:\windows\system\DOKJ.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 404

6. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ERAFV.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1664

7. C:\windows\ERAFV.exe
   Command line: C:\windows\ERAFV.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 860

8. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 3528

9. C:\windows\SysWOW64\UKFAH.exe
   Command line: C:\windows\system32\UKFAH.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3856

10. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVU.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 408

11. C:\windows\system\TVU.exe
    Command line: C:\windows\system\TVU.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5064

12. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VAITP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4560

13. C:\windows\SysWOW64\VAITP.exe
    Command line: C:\windows\system32\VAITP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3020

14. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBSW.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4836

15. C:\windows\system\SBSW.exe
    Command line: C:\windows\system\SBSW.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2792

16. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RMHELLR.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1020

17. C:\windows\RMHELLR.exe
    Command line: C:\windows\RMHELLR.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3448

18. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ESPGD.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1000

19. C:\windows\ESPGD.exe
    Command line: C:\windows\ESPGD.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1264

20. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SXP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3680

21. C:\windows\SXP.exe
    Command line: C:\windows\SXP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3560

22. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HNCJNK.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4372

23. C:\windows\HNCJNK.exe
    Command line: C:\windows\HNCJNK.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3088

24. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RLUWEEO.exe.bat" "
    PID: 1344

25. C:\windows\system\RLUWEEO.exe
    Command line: C:\windows\system\RLUWEEO.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2052

26. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DHBKRKE.exe.bat" "
    PID: 4176

27. C:\windows\DHBKRKE.exe
    Command line: C:\windows\DHBKRKE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 396

28. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CREA.exe.bat" "
    PID: 5072

29. C:\windows\SysWOW64\CREA.exe
    Command line: C:\windows\system32\CREA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 464

30. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKASNER.exe.bat" "
    PID: 1784

31. C:\windows\SysWOW64\UKASNER.exe
    Command line: C:\windows\system32\UKASNER.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4328

32. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VIUBHIA.exe.bat" "
    PID: 1904

33. C:\windows\SysWOW64\VIUBHIA.exe
    Command line: C:\windows\system32\VIUBHIA.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3020

34. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DGD.exe.bat" "
    PID: 4604

35. C:\windows\DGD.exe
    Command line: C:\windows\DGD.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4508

36. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\THYVFD.exe.bat" "
    PID: 5068

37. C:\windows\system\THYVFD.exe
    Command line: C:\windows\system\THYVFD.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 376

38. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GCCVY.exe.bat" "
    PID: 2560

39. C:\windows\GCCVY.exe
    Command line: C:\windows\GCCVY.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4232

40. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AIDON.exe.bat" "
    PID: 1512

41. C:\windows\AIDON.exe
    Command line: C:\windows\AIDON.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1804

42. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ALWYW.exe.bat" "
    PID: 2808

43. C:\windows\ALWYW.exe
    Command line: C:\windows\ALWYW.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4592

44. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UZHOKXF.exe.bat" "
    PID: 1764

45. C:\windows\system\UZHOKXF.exe
    Command line: C:\windows\system\UZHOKXF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 676

46. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPVGS.exe.bat" "
    PID: 2820

47. C:\windows\system\RPVGS.exe
    Command line: C:\windows\system\RPVGS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VSFTBR.exe.bat" "48⤵PID:2484
-
C:\windows\system\VSFTBR.exeC:\windows\system\VSFTBR.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BLJIP.exe.bat" "50⤵PID:4016
-
C:\windows\system\BLJIP.exeC:\windows\system\BLJIP.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AGG.exe.bat" "52⤵PID:3512
-
C:\windows\SysWOW64\AGG.exeC:\windows\system32\AGG.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SJMDQSY.exe.bat" "54⤵PID:1184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:2560
-
-
C:\windows\system\SJMDQSY.exeC:\windows\system\SJMDQSY.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IOLCBK.exe.bat" "56⤵PID:3524
-
C:\windows\SysWOW64\IOLCBK.exeC:\windows\system32\IOLCBK.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZXR.exe.bat" "58⤵PID:4256
-
C:\windows\ZXR.exeC:\windows\ZXR.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WIX.exe.bat" "60⤵PID:440
-
C:\windows\WIX.exeC:\windows\WIX.exe61⤵PID:3796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ROKXHV.exe.bat" "62⤵PID:4500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:2820
-
-
C:\windows\ROKXHV.exeC:\windows\ROKXHV.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QYNN.exe.bat" "64⤵PID:2484
-
C:\windows\QYNN.exeC:\windows\QYNN.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHJYUUP.exe.bat" "66⤵PID:4604
-
C:\windows\SysWOW64\FHJYUUP.exeC:\windows\system32\FHJYUUP.exe67⤵PID:1668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PFOSBD.exe.bat" "68⤵PID:4336
-
C:\windows\PFOSBD.exeC:\windows\PFOSBD.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TIMN.exe.bat" "70⤵PID:2672
-
C:\windows\TIMN.exeC:\windows\TIMN.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QYBEWK.exe.bat" "72⤵PID:3740
-
C:\windows\system\QYBEWK.exeC:\windows\system\QYBEWK.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KECW.exe.bat" "74⤵PID:1308
-
C:\windows\system\KECW.exeC:\windows\system\KECW.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OWSFTU.exe.bat" "76⤵PID:1828
-
C:\windows\system\OWSFTU.exeC:\windows\system\OWSFTU.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NPINLTZ.exe.bat" "78⤵PID:5004
-
C:\windows\system\NPINLTZ.exeC:\windows\system\NPINLTZ.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AVUI.exe.bat" "80⤵PID:4464
-
C:\windows\AVUI.exeC:\windows\AVUI.exe81⤵
- Checks computer location settings
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VIZZOU.exe.bat" "82⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3796 -
C:\windows\VIZZOU.exeC:\windows\VIZZOU.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LRPLW.exe.bat" "84⤵PID:2224
-
C:\windows\system\LRPLW.exeC:\windows\system\LRPLW.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ARZ.exe.bat" "86⤵PID:1876
-
C:\windows\system\ARZ.exeC:\windows\system\ARZ.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PFERYSN.exe.bat" "88⤵
- Executes dropped EXE
PID:1668 -
C:\windows\PFERYSN.exeC:\windows\PFERYSN.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UIPF.exe.bat" "90⤵PID:3060
-
C:\windows\UIPF.exeC:\windows\UIPF.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIDHCMZ.exe.bat" "92⤵PID:4856
-
C:\windows\SysWOW64\YIDHCMZ.exeC:\windows\system32\YIDHCMZ.exe93⤵PID:860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EOLBN.exe.bat" "94⤵PID:3004
-
C:\windows\system\EOLBN.exeC:\windows\system\EOLBN.exe95⤵
- Checks computer location settings
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YHTUW.exe.bat" "96⤵PID:2552
-
C:\windows\YHTUW.exeC:\windows\YHTUW.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WSDC.exe.bat" "98⤵PID:4152
-
C:\windows\WSDC.exeC:\windows\WSDC.exe99⤵PID:4876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAF.exe.bat" "100⤵PID:2484
-
C:\windows\SysWOW64\LAF.exeC:\windows\system32\LAF.exe101⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DBHI.exe.bat" "102⤵PID:4768
-
C:\windows\system\DBHI.exeC:\windows\system\DBHI.exe103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MYO.exe.bat" "104⤵PID:3900
-
C:\windows\MYO.exeC:\windows\MYO.exe105⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YJYPG.exe.bat" "106⤵PID:4404
-
C:\windows\SysWOW64\YJYPG.exeC:\windows\system32\YJYPG.exe107⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BST.exe.bat" "108⤵PID:2808
-
C:\windows\SysWOW64\BST.exeC:\windows\system32\BST.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MDL.exe.bat" "110⤵PID:2608
-
C:\windows\MDL.exeC:\windows\MDL.exe111⤵PID:1792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YGIDTL.exe.bat" "112⤵PID:1388
-
C:\windows\SysWOW64\YGIDTL.exeC:\windows\system32\YGIDTL.exe113⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WJHC.exe.bat" "114⤵PID:3864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:860
-
-
C:\windows\WJHC.exeC:\windows\WJHC.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SHBGSO.exe.bat" "116⤵PID:4560
-
C:\windows\system\SHBGSO.exeC:\windows\system\SHBGSO.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKRCGYC.exe.bat" "118⤵PID:3744
-
C:\windows\SysWOW64\TKRCGYC.exeC:\windows\system32\TKRCGYC.exe119⤵PID:3636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QVBZLZ.exe.bat" "120⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\windows\system\QVBZLZ.exeC:\windows\system\QVBZLZ.exe121⤵PID:4312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KIUPZM.exe.bat" "122⤵PID:2336