Analysis
max time kernel: 150s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 28/02/2024, 09:21
Static task: static1
Behavioral task: behavioral1
  Sample: ab8c72b7b65e2ef3797d4a65271044b1.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ab8c72b7b65e2ef3797d4a65271044b1.exe
  Resource: win10v2004-20240226-en
(The platform and resource lines above identify this page as the behavioral2 run, Windows 10 2004 x64.)
General
Target: ab8c72b7b65e2ef3797d4a65271044b1.exe
Size: 208KB
MD5: ab8c72b7b65e2ef3797d4a65271044b1
SHA1: b7f70032936d0fc6f63037320762478cbcfc444f
SHA256: 93437cc2e6ca48288b70a6582c9c56ae6d9ad28a68342b4dc1c551df481552f0
SHA512: e0075d557ee79086aa4aee0af031b0a060103cc35838727d78a6bafec0a9cb7d8bd247ad5521ba3d53044004e6c171503cafcc7724b494dcd0d2263fe86d9b80
SSDEEP: 6144:jpk9w9HF/IUWfb1Ym4jrXlAa07QDyLkEjP:UwnMGKaYPLkU
Malware Config
(empty in this report)
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence. The Nation value under Control Panel\International\Geo in the user hive (here the sandbox user, RID 1000) holds the Windows GeoID, a numeric country identifier; malware reads it to refuse to run, or to change behaviour, in particular countries. Every listed stage queries it and the chain keeps running in this en-us sandbox, so if a gate exists, this locale passes it. A single read of the value is also what many legitimate installers do, so on its own this is a weak indicator.
Key value queried (same key for all 64 rows): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
Querying processes, in the report's order:
YIFHCK.exe, VXI.exe, KEKWQRQ.exe, CQEM.exe, MLBI.exe, OEPZSI.exe, ZMNO.exe, AUTP.exe, MZE.exe, FJYTCMO.exe, HYMOGKT.exe, SEW.exe, RVH.exe, DWFJ.exe, TXTGXH.exe, HRFNJS.exe,
OTCTGYF.exe, ZFUPCR.exe, ZRYPQ.exe, JRXA.exe, KNWJ.exe, CHOSZ.exe, ATENZWF.exe, RHUCZ.exe, WWF.exe, EFFSEJ.exe, QLNI.exe, QES.exe, DCOU.exe, XSSEDGK.exe, DRBVTF.exe, IACYH.exe,
LRKL.exe, HEBQV.exe, XSX.exe, UIXEMLN.exe, CSRX.exe, YREBPH.exe, WLYNN.exe, GFA.exe, GAZL.exe, XTWRJWT.exe, BTFM.exe, KYV.exe, NWT.exe, WKA.exe, JFTCA.exe, PIEK.exe,
AGTBPH.exe, JKMRBA.exe, DOCOKSY.exe, UWPRE.exe, SNNJK.exe, SLRR.exe, MIMJV.exe, OOTS.exe, JKHUXO.exe, PLEOV.exe, WWHDV.exe, GDEG.exe, UYUHG.exe, ROXFP.exe, ZTWDS.exe, WXYIC.exe
Executes dropped EXE (64 IoCs)
pid / Process, in the report's order. PIDs repeat (for example 1752 for SLM.exe and later for TXTGXH.exe) because Windows reuses the PID of a process that has exited, so correlate on the image name rather than the PID.
1928 NFSQWH.exe, 3500 NAIM.exe, 1752 SLM.exe, 3836 WTG.exe, 4908 WLPU.exe, 1156 JOL.exe, 4640 RHUCZ.exe, 4068 MUZLKOQ.exe,
1356 MARALBK.exe, 2932 BVIEW.exe, 4500 BIASYA.exe, 2040 WWF.exe, 1288 BWNQR.exe, 4412 FETQDNA.exe, 3060 RWWI.exe, 1844 TSBSW.exe,
1752 TXTGXH.exe, 3020 SNNJK.exe, 680 SBNYU.exe, 1364 YBU.exe, 4616 JUPELJA.exe, 3240 EHUO.exe, 3980 ZSLM.exe, 692 THEGIIS.exe,
4220 FYLOUSO.exe, 2056 QQO.exe, 452 UYUHG.exe, 1156 FRXAPH.exe, 3736 FJYTCMO.exe, 3824 WKA.exe, 3956 RXFQQ.exe, 528 NCKFXT.exe,
1504 IQP.exe, 4072 KOIRGPL.exe, 4292 OEPZSI.exe, 452 XEREWFC.exe, 1132 SRWN.exe, 4416 YREBPH.exe, 4564 JKHUXO.exe, 4028 EFLD.exe,
2896 TAVHS.exe, 2040 LWMLX.exe, 3916 BZW.exe, 2544 BEWM.exe, 3656 DRBVTF.exe, 3980 MFLNJC.exe, 2684 ODEHIQB.exe, 1868 LAKE.exe,
4072 FVPOZA.exe, 4032 PWRTKFU.exe, 452 GJBLS.exe, 1488 RCWE.exe, 1444 KXI.exe, 4076 VPDA.exe, 2140 MCOKE.exe, 1284 OAPMK.exe,
2292 SIV.exe, 4796 JRXA.exe, 4100 HRFNJS.exe, 3108 TZMN.exe, 4000 CHOSZ.exe, 676 IIVGIKJ.exe, 4220 UAQ.exe, 2476 YIFHCK.exe
Drops file in System32 directory (64 IoCs)
The sample is 32-bit (arch:x86 in the resource tags), so writes it addresses to C:\windows\system32 are redirected by WOW64 file system redirection and land in C:\windows\SysWOW64, which is the path recorded below. Each stage writes a new EXE together with a launcher batch file of the same name plus ".bat".
action | path | dropping process
File opened for modification | C:\windows\SysWOW64\VVUUVSV.exe | RFGU.exe
File created | C:\windows\SysWOW64\VVUUVSV.exe.bat | RFGU.exe
File created | C:\windows\SysWOW64\JJHFGL.exe | MLBI.exe
File created | C:\windows\SysWOW64\RVUKPE.exe | JKMRBA.exe
File created | C:\windows\SysWOW64\HRFNJS.exe | JRXA.exe
File created | C:\windows\SysWOW64\TZMN.exe.bat | HRFNJS.exe
File opened for modification | C:\windows\SysWOW64\XTWRJWT.exe | ZTWDS.exe
File created | C:\windows\SysWOW64\ISOXLLV.exe | ECIPZTZ.exe
File created | C:\windows\SysWOW64\ANMXUJ.exe | JCWHUX.exe
File created | C:\windows\SysWOW64\GMJC.exe | MZE.exe
File created | C:\windows\SysWOW64\GMJC.exe.bat | MZE.exe
File opened for modification | C:\windows\SysWOW64\OOTS.exe | YLKGXQA.exe
File created | C:\windows\SysWOW64\TXTGXH.exe.bat | TSBSW.exe
File created | C:\windows\SysWOW64\JUPELJA.exe | YBU.exe
File created | C:\windows\SysWOW64\MLBI.exe.bat | UIXEMLN.exe
File created | C:\windows\SysWOW64\JCWHUX.exe | DCOU.exe
File created | C:\windows\SysWOW64\JCWHUX.exe.bat | DCOU.exe
File opened for modification | C:\windows\SysWOW64\FYLOUSO.exe | THEGIIS.exe
File created | C:\windows\SysWOW64\YJJSXR.exe | DWFJ.exe
File created | C:\windows\SysWOW64\RFGU.exe.bat | ZEM.exe
File created | C:\windows\SysWOW64\WXYIC.exe | HCOWJIT.exe
File opened for modification | C:\windows\SysWOW64\ANMXUJ.exe | JCWHUX.exe
File created | C:\windows\SysWOW64\WLPU.exe | WTG.exe
File opened for modification | C:\windows\SysWOW64\WLPU.exe | WTG.exe
File created | C:\windows\SysWOW64\FYLOUSO.exe | THEGIIS.exe
File created | C:\windows\SysWOW64\MFLNJC.exe | DRBVTF.exe
File created | C:\windows\SysWOW64\CQEM.exe | QIXEX.exe
File opened for modification | C:\windows\SysWOW64\SEW.exe | MEO.exe
File opened for modification | C:\windows\SysWOW64\EHUO.exe | JUPELJA.exe
File created | C:\windows\SysWOW64\TZMN.exe | HRFNJS.exe
File created | C:\windows\SysWOW64\RIHR.exe.bat | RCHD.exe
File opened for modification | C:\windows\SysWOW64\BDQAOA.exe | QLNI.exe
File created | C:\windows\SysWOW64\SIV.exe.bat | OAPMK.exe
File opened for modification | C:\windows\SysWOW64\JLW.exe | WIA.exe
File opened for modification | C:\windows\SysWOW64\VQBH.exe | MQZBREN.exe
File opened for modification | C:\windows\SysWOW64\RVUKPE.exe | JKMRBA.exe
File opened for modification | C:\windows\SysWOW64\CQEM.exe | QIXEX.exe
File created | C:\windows\SysWOW64\XSA.exe | SSA.exe
File created | C:\windows\SysWOW64\DXZWN.exe | SEW.exe
File opened for modification | C:\windows\SysWOW64\TZMN.exe | HRFNJS.exe
File opened for modification | C:\windows\SysWOW64\IACYH.exe | DAU.exe
File opened for modification | C:\windows\SysWOW64\ATRVGCI.exe | FGMMW.exe
File created | C:\windows\SysWOW64\JJHFGL.exe.bat | MLBI.exe
File created | C:\windows\SysWOW64\WLPU.exe.bat | WTG.exe
File created | C:\windows\SysWOW64\HRFNJS.exe.bat | JRXA.exe
File opened for modification | C:\windows\SysWOW64\MQZBREN.exe | RVUKPE.exe
File opened for modification | C:\windows\SysWOW64\BMAFVZF.exe | KMYSKT.exe
File created | C:\windows\SysWOW64\IACYH.exe.bat | DAU.exe
File created | C:\windows\SysWOW64\FZW.exe | XTWRJWT.exe
File created | C:\windows\SysWOW64\SIV.exe | OAPMK.exe
File created | C:\windows\SysWOW64\HCOWJIT.exe.bat | VJLLJ.exe
File created | C:\windows\SysWOW64\JLW.exe | WIA.exe
File created | C:\windows\SysWOW64\ANMXUJ.exe.bat | JCWHUX.exe
File created | C:\windows\SysWOW64\VQBH.exe.bat | MQZBREN.exe
File opened for modification | C:\windows\SysWOW64\JCWHUX.exe | DCOU.exe
File opened for modification | C:\windows\SysWOW64\WWF.exe | BIASYA.exe
File created | C:\windows\SysWOW64\WWF.exe.bat | BIASYA.exe
File created | C:\windows\SysWOW64\BDQAOA.exe.bat | QLNI.exe
File created | C:\windows\SysWOW64\RFGU.exe | ZEM.exe
File created | C:\windows\SysWOW64\WXYIC.exe.bat | HCOWJIT.exe
File created | C:\windows\SysWOW64\DXZWN.exe.bat | SEW.exe
File created | C:\windows\SysWOW64\EHUO.exe.bat | JUPELJA.exe
File opened for modification | C:\windows\SysWOW64\HEBQV.exe | KYV.exe
File created | C:\windows\SysWOW64\HEBQV.exe.bat | KYV.exe
Drops file in Windows directory (64 IoCs)
action | path | dropping process
File created | C:\windows\system\WTG.exe.bat | SLM.exe
File created | C:\windows\JKHUXO.exe.bat | YREBPH.exe
File created | C:\windows\system\BTFM.exe.bat | GFA.exe
File created | C:\windows\system\OEPZSI.exe.bat | KOIRGPL.exe
File created | C:\windows\JLDX.exe | XSA.exe
File created | C:\windows\system\CIA.exe | KNWJ.exe
File created | C:\windows\system\UWPRE.exe.bat | WWHDV.exe
File created | C:\windows\system\WWHDV.exe | JLDX.exe
File created | C:\windows\WZK.exe | HEBQV.exe
File created | C:\windows\WZK.exe.bat | HEBQV.exe
File created | C:\windows\BRH.exe | SIFTQW.exe
File created | C:\windows\VWD.exe.bat | ROXFP.exe
File opened for modification | C:\windows\VTY.exe | SLRR.exe
File opened for modification | C:\windows\system\NFSQWH.exe | ab8c72b7b65e2ef3797d4a65271044b1.exe
File opened for modification | C:\windows\system\EFLD.exe | JKHUXO.exe
File created | C:\windows\system\TAVHS.exe.bat | EFLD.exe
File opened for modification | C:\windows\HDVESID.exe | FFBCLL.exe
File created | C:\windows\UYUHG.exe | QQO.exe
File created | C:\windows\GJBLS.exe.bat | PWRTKFU.exe
File created | C:\windows\system\QQO.exe.bat | FYLOUSO.exe
File opened for modification | C:\windows\RHBQJ.exe | EFFSEJ.exe
File opened for modification | C:\windows\system\VJLLJ.exe | ATRVGCI.exe
File opened for modification | C:\windows\system\DWFJ.exe | YWXVEP.exe
File created | C:\windows\system\LZGRN.exe.bat | CQEM.exe
File created | C:\windows\system\CPV.exe | LGTWS.exe
File created | C:\windows\system\IFDTBDQ.exe | VVUUVSV.exe
File created | C:\windows\PLEOV.exe | JLW.exe
File created | C:\windows\DPNG.exe.bat | ZHGYIR.exe
File created | C:\windows\GBGIWNK.exe | ZRYPQ.exe
File created | C:\windows\system\LWMLX.exe | TAVHS.exe
File created | C:\windows\TKQ.exe.bat | TEQ.exe
File opened for modification | C:\windows\system\GAZL.exe | XSX.exe
File created | C:\windows\system\GAZL.exe.bat | XSX.exe
File opened for modification | C:\windows\QLBI.exe | KLTV.exe
File created | C:\windows\JKMRBA.exe.bat | JFTCA.exe
File created | C:\windows\MEO.exe | VTY.exe
File created | C:\windows\NSHVP.exe | HSHHG.exe
File created | C:\windows\system\NFSQWH.exe.bat | ab8c72b7b65e2ef3797d4a65271044b1.exe
File created | C:\windows\system\MUZLKOQ.exe.bat | RHUCZ.exe
File opened for modification | C:\windows\BIASYA.exe | BVIEW.exe
File created | C:\windows\system\KYV.exe.bat | IACYH.exe
File opened for modification | C:\windows\system\OMJWXVP.exe | QLBI.exe
File created | C:\windows\system\LXKZDAG.exe | LRKL.exe
File created | C:\windows\system\RHUCZ.exe | JOL.exe
File created | C:\windows\system\OMJWXVP.exe.bat | QLBI.exe
File created | C:\windows\system\UIXEMLN.exe.bat | CAVZ.exe
File opened for modification | C:\windows\GJWZD.exe | VQBH.exe
File created | C:\windows\JFTCA.exe.bat | PJP.exe
File created | C:\windows\system\BWNQR.exe | WWF.exe
File opened for modification | C:\windows\system\BZW.exe | LWMLX.exe
File opened for modification | C:\windows\BRH.exe | SIFTQW.exe
File created | C:\windows\ZFUPCR.exe | QES.exe
File created | C:\windows\UAQ.exe.bat | IIVGIKJ.exe
File created | C:\windows\system\ROXFP.exe | FYQ.exe
File opened for modification | C:\windows\NSHVP.exe | HSHHG.exe
File opened for modification | C:\windows\system\JOL.exe | WLPU.exe
File created | C:\windows\system\ZSLM.exe | EHUO.exe
File created | C:\windows\RHBQJ.exe.bat | EFFSEJ.exe
File created | C:\windows\XSX.exe | TKQ.exe
File opened for modification | C:\windows\system\WWHDV.exe | JLDX.exe
File created | C:\windows\system\EFLD.exe | JKHUXO.exe
File created | C:\windows\CHOSZ.exe | TZMN.exe
File created | C:\windows\system\TSBSW.exe.bat | RWWI.exe
File created | C:\windows\UYUHG.exe.bat | QQO.exe
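The two drop tables above are the same three columns (action, path, dropping process) flattened into one line each. The Python below is an added editor's example, not part of the sandbox report and not code from the sample: it parses a handful of rows copied from those tables and reconstructs the drop chain, that is, which process wrote which EXE plus its ".exe.bat" launcher and into which of the three directories. The choice of rows and the naming regex (three to seven uppercase letters, inferred from the visible rows) are assumptions; the report itself states neither.

```python
import ntpath
import re
from collections import defaultdict

# Rows copied from the two "Drops file in ..." tables of this report
# (action, path, dropping process). Only a subset of the 64+64 rows is
# included; the choice of rows is the editor's, not the report's.
DROP_ROWS = r"""
File opened for modification C:\windows\SysWOW64\VVUUVSV.exe RFGU.exe
File created C:\windows\SysWOW64\VVUUVSV.exe.bat RFGU.exe
File created C:\windows\SysWOW64\HRFNJS.exe JRXA.exe
File created C:\windows\SysWOW64\HRFNJS.exe.bat JRXA.exe
File created C:\windows\SysWOW64\TZMN.exe HRFNJS.exe
File created C:\windows\SysWOW64\TZMN.exe.bat HRFNJS.exe
File created C:\windows\CHOSZ.exe TZMN.exe
File opened for modification C:\windows\system\NFSQWH.exe ab8c72b7b65e2ef3797d4a65271044b1.exe
File created C:\windows\system\NFSQWH.exe.bat ab8c72b7b65e2ef3797d4a65271044b1.exe
"""

ROW_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")
# Assumed naming pattern for dropped stages, inferred from the visible rows:
# three to seven uppercase letters followed by ".exe".
STAGE_NAME_RE = re.compile(r"^[A-Z]{3,7}\.exe$")


def parse_rows(text):
    """Return (action, path, process) triples; lines that are not rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def writes_by_process(rows):
    """Map dropper -> {stage_exe_name -> {'dir': str, 'exe': bool, 'bat': bool}}.

    Both 'File created' and 'File opened for modification' count as the
    dropper writing the file; the sandbox records either for a fresh write.
    """
    out = defaultdict(dict)
    for _action, path, proc in rows:
        directory, name = ntpath.split(path)
        if name.lower().endswith(".exe.bat"):
            stem, kind = name[:-4], "bat"      # "X.exe.bat" launches "X.exe"
        elif name.lower().endswith(".exe"):
            stem, kind = name, "exe"
        else:
            continue
        entry = out[proc].setdefault(stem, {"dir": directory, "exe": False, "bat": False})
        entry[kind] = True
    return out


def exe_bat_pairs(rows):
    """(dropper, stage, directory) for each stage that got both its EXE and its launcher .bat."""
    return [(proc, stem, e["dir"])
            for proc, stems in writes_by_process(rows).items()
            for stem, e in stems.items() if e["exe"] and e["bat"]]


def chain(rows, start):
    """Follow dropper -> dropped-EXE links from `start`; stop at a dead end or a cycle."""
    writes = writes_by_process(rows)
    path, seen, cur = [start], {start}, start
    while True:
        nxt = [stem for stem, e in writes.get(cur, {}).items() if e["exe"]]
        if not nxt or nxt[0] in seen:
            return path
        cur = nxt[0]
        seen.add(cur)
        path.append(cur)


def drop_dirs(rows):
    """Directories the stages are written into."""
    return {ntpath.split(path)[0] for _a, path, _p in rows}


def odd_stage_names(rows):
    """Dropped EXE names that do not fit the observed naming pattern."""
    return sorted(stem for stems in writes_by_process(rows).values()
                  for stem in stems if not STAGE_NAME_RE.match(stem))
```

Run against the full tables, the same functions give the complete drop graph; on this excerpt they show the sample writing NFSQWH.exe plus its .bat into C:\windows\system, and JRXA.exe, HRFNJS.exe and TZMN.exe each writing the next stage, with CHOSZ.exe appearing only as an EXE because its .bat row is not among the rows copied here.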
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
WerFault.exe is the Windows Error Reporting process started for a faulting program; pid_target is the PID that crashed. The 64 targets are the original sample (3724) followed by the first 63 PIDs of "Executes dropped EXE", in the same order: every stage faults, but only after it has written and launched its successor, which is why the chain keeps going.
WerFault pid -> crashed pid (procid_target):
2204->3724 (56), 1332->1928 (96), 4280->3500 (102), 3824->1752 (108), 4276->3836 (112), 3748->4908 (119), 2228->1156 (125), 1704->4640 (131),
3228->4068 (136), 3752->1356 (141), 2496->2932 (146), 4320->4500 (151), 4968->2040 (156), 4536->1288 (161), 4280->4412 (166), 748->3060 (171),
4360->1844 (176), 3588->1752 (181), 4320->3020 (186), 2492->680 (191), 3320->1364 (196), 4144->4616 (201), 4068->3240 (206), 1108->3980 (211),
2496->692 (216), 716->4220 (221), 408->2056 (226), 4956->452 (231), 1244->1156 (236), 3344->3736 (241), 4288->3824 (246), 4456->3956 (251),
4872->528 (256), 3020->1504 (261), 2056->4072 (266), 4500->4292 (271), 2544->452 (276), 4912->1132 (281), 3876->4416 (286), 1812->4564 (290),
3720->4028 (296), 1284->2896 (303), 2492->2040 (308), 816->3916 (313), 3516->2544 (318), 2388->3656 (323), 2596->3980 (329), 784->2684 (334),
4688->1868 (339), 2228->4072 (344), 1324->4032 (349), 2444->452 (354), 3784->1488 (359), 4268->1444 (364), 1460->4076 (369), 2056->2140 (374),
3128->1284 (379), 2044->2292 (384), 5076->4796 (389), 1768->4100 (394), 3380->3108 (399), 3940->4000 (404), 1160->676 (409), 4956->4220 (414)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process; each of the 32 processes below is listed twice in the report:
3724 ab8c72b7b65e2ef3797d4a65271044b1.exe, 1928 NFSQWH.exe, 3500 NAIM.exe, 1752 SLM.exe, 3836 WTG.exe, 4908 WLPU.exe, 1156 JOL.exe, 4640 RHUCZ.exe,
4068 MUZLKOQ.exe, 1356 MARALBK.exe, 2932 BVIEW.exe, 4500 BIASYA.exe, 2040 WWF.exe, 1288 BWNQR.exe, 4412 FETQDNA.exe, 3060 RWWI.exe,
1844 TSBSW.exe, 1752 TXTGXH.exe, 3020 SNNJK.exe, 680 SBNYU.exe, 1364 YBU.exe, 4616 JUPELJA.exe, 3240 EHUO.exe, 3980 ZSLM.exe,
692 THEGIIS.exe, 4220 FYLOUSO.exe, 2056 QQO.exe, 452 UYUHG.exe, 1156 FRXAPH.exe, 3736 FJYTCMO.exe, 3824 WKA.exe, 3956 RXFQQ.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
The signature records only that the API was called; a hook can serve keylogging, input monitoring or DLL injection, and the report does not say which hook type was installed.
pid / Process; each of the 32 processes below is listed twice in the report:
3724 ab8c72b7b65e2ef3797d4a65271044b1.exe, 1928 NFSQWH.exe, 3500 NAIM.exe, 1752 SLM.exe, 3836 WTG.exe, 4908 WLPU.exe, 1156 JOL.exe, 4640 RHUCZ.exe,
4068 MUZLKOQ.exe, 1356 MARALBK.exe, 2932 BVIEW.exe, 4500 BIASYA.exe, 2040 WWF.exe, 1288 BWNQR.exe, 4412 FETQDNA.exe, 3060 RWWI.exe,
1844 TSBSW.exe, 1752 TXTGXH.exe, 3020 SNNJK.exe, 680 SBNYU.exe, 1364 YBU.exe, 4616 JUPELJA.exe, 3240 EHUO.exe, 3980 ZSLM.exe,
692 THEGIIS.exe, 4220 FYLOUSO.exe, 2056 QQO.exe, 452 UYUHG.exe, 1156 FRXAPH.exe, 3736 FJYTCMO.exe, 3824 WKA.exe, 3956 RXFQQ.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every write target is the writer's own direct child in the process tree (stage -> cmd.exe -> next stage), and each parent/child pair appears three times, which is the pattern of a parent setting up a process it has just created. Nothing here shows a write into a process outside the chain, so this does not by itself indicate injection into another program.
PID (process) wrote to memory of child PID (procid_target), number of entries:
3724 (ab8c72b7b65e2ef3797d4a65271044b1.exe) -> 368 (92) x3
368 (cmd.exe) -> 1928 (96) x3
1928 (NFSQWH.exe) -> 2488 (98) x3
2488 (cmd.exe) -> 3500 (102) x3
3500 (NAIM.exe) -> 3728 (104) x3
3728 (cmd.exe) -> 1752 (108) x3
1752 (SLM.exe) -> 548 (109) x3
548 (cmd.exe) -> 3836 (112) x3
3836 (WTG.exe) -> 4984 (115) x3
4984 (cmd.exe) -> 4908 (119) x3
4908 (WLPU.exe) -> 4072 (121) x3
4072 (cmd.exe) -> 1156 (125) x3
1156 (JOL.exe) -> 4384 (127) x3
4384 (cmd.exe) -> 4640 (131) x3
4640 (RHUCZ.exe) -> 1748 (132) x3
1748 (cmd.exe) -> 4068 (136) x3
4068 (MUZLKOQ.exe) -> 3344 (137) x3
3344 (cmd.exe) -> 1356 (141) x3
1356 (MARALBK.exe) -> 232 (142) x3
232 (cmd.exe) -> 2932 (146) x3
2932 (BVIEW.exe) -> 4636 (147) x3
4636 (cmd.exe) -> 4500 (151) x1 (the list stops at 64 entries)
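The process tree that follows repeats one pattern for every stage: the stage runs cmd.exe with `/c ""<dir>\<NAME>.exe.bat" "`, and cmd.exe starts `<dir>\<NAME>.exe` from C:\windows, C:\windows\system or the (redirected) system32 directory. The detection below is an added editor's example, not code from the sandbox or from the sample: it evaluates process-creation records shaped like Sysmon Event ID 1 (pid, parent pid, image, command line) and flags a child EXE whose parent is cmd.exe running an ".exe.bat" of the same name from a Windows directory, then counts how many such stages precede it in the same chain. The five malicious records are constructed from the first five processes of the tree (the root's parent PID 1000 is made up); the two benign cmd.exe records are constructed negative controls.

```python
import ntpath
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1.
# PIDs, images and command lines of the first five come from this report's
# process tree (the root's ppid 1000 is invented); the last two are benign
# cmd.exe uses added as negative controls.
EVENTS = [
    dict(pid=3724, ppid=1000,
         image=r"C:\Users\Admin\AppData\Local\Temp\ab8c72b7b65e2ef3797d4a65271044b1.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\ab8c72b7b65e2ef3797d4a65271044b1.exe"'),
    dict(pid=368, ppid=3724, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\NFSQWH.exe.bat" "'),
    dict(pid=1928, ppid=368, image=r"C:\windows\system\NFSQWH.exe",
         cmdline=r"C:\windows\system\NFSQWH.exe"),
    dict(pid=2488, ppid=1928, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAIM.exe.bat" "'),
    dict(pid=3500, ppid=2488, image=r"C:\windows\system\NAIM.exe",
         cmdline=r"C:\windows\system\NAIM.exe"),
    dict(pid=7001, ppid=1000, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'cmd.exe /c "C:\Users\Admin\build\run_tests.bat"'),
    dict(pid=7002, ppid=7001, image=r"C:\Users\Admin\build\tool.exe", cmdline=r"tool.exe"),
]

# Directories the stages were dropped into (lower-cased for comparison).
# system32 is included because a 32-bit process naming it is redirected to SysWOW64.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32", r"c:\windows\syswow64"}
BAT_RE = re.compile(r'"([^"]+\.exe\.bat)"', re.IGNORECASE)


def launcher_bat(cmdline):
    """Path of the quoted *.exe.bat a cmd.exe command line runs, or None."""
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def is_stage_launch(child, parent):
    """True when `child` is <NAME>.exe in a Windows dir started by cmd.exe running <NAME>.exe.bat."""
    if ntpath.basename(parent["image"]).lower() != "cmd.exe":
        return False
    bat = launcher_bat(parent["cmdline"])
    if bat is None:
        return False
    child_dir, child_name = ntpath.split(child["image"])
    if child_dir.lower() not in SYSTEM_DIRS:
        return False
    return ntpath.basename(bat).lower() == (child_name + ".bat").lower()


def stage_alerts(events):
    """One alert per dropped stage, with the number of stages in the chain up to it."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not is_stage_launch(e, parent):
            continue
        # Walk up: cmd.exe -> previous stage -> its cmd.exe -> ... until the pattern breaks.
        depth, cur = 1, by_pid.get(parent["ppid"])
        while cur is not None:
            gp = by_pid.get(cur["ppid"])
            if gp is None or not is_stage_launch(cur, gp):
                break
            depth += 1
            cur = by_pid.get(gp["ppid"])
        alerts.append({"pid": e["pid"], "stage": ntpath.basename(e["image"]),
                       "depth": depth, "launcher": launcher_bat(parent["cmdline"])})
    return alerts
```

The depth counter matters in practice: a single match is a low-confidence hit (installers also run batch launchers from Program Files, though rarely from C:\windows), while two or more chained matches are the self-replicating pattern seen in this report and justify an automatic response. The rule deliberately keys on the ".exe.bat" naming and the drop directories rather than on the random stage names, which differ in every run.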
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab8c72b7b65e2ef3797d4a65271044b1.exe"C:\Users\Admin\AppData\Local\Temp\ab8c72b7b65e2ef3797d4a65271044b1.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NFSQWH.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\windows\system\NFSQWH.exeC:\windows\system\NFSQWH.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NAIM.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\windows\system\NAIM.exeC:\windows\system\NAIM.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SLM.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\windows\SLM.exeC:\windows\SLM.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WTG.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:548 -
C:\windows\system\WTG.exeC:\windows\system\WTG.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WLPU.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\windows\SysWOW64\WLPU.exeC:\windows\system32\WLPU.exe11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JOL.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\windows\system\JOL.exeC:\windows\system\JOL.exe13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RHUCZ.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\windows\system\RHUCZ.exeC:\windows\system\RHUCZ.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MUZLKOQ.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\windows\system\MUZLKOQ.exeC:\windows\system\MUZLKOQ.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MARALBK.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\windows\MARALBK.exeC:\windows\MARALBK.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVIEW.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:232 -
C:\windows\SysWOW64\BVIEW.exeC:\windows\system32\BVIEW.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BIASYA.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\windows\BIASYA.exeC:\windows\BIASYA.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWF.exe.bat" "24⤵PID:1496
-
C:\windows\SysWOW64\WWF.exeC:\windows\system32\WWF.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BWNQR.exe.bat" "26⤵PID:4532
-
C:\windows\system\BWNQR.exeC:\windows\system\BWNQR.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1288

28⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "
PID: 5088

29⤵ C:\windows\system\FETQDNA.exe
Command line: C:\windows\system\FETQDNA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4412

30⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWWI.exe.bat" "
PID: 3736

31⤵ C:\windows\system\RWWI.exe
Command line: C:\windows\system\RWWI.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3060

32⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TSBSW.exe.bat" "
PID: 3380

33⤵ C:\windows\system\TSBSW.exe
Command line: C:\windows\system\TSBSW.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1844

34⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXTGXH.exe.bat" "
PID: 3956

35⤵ C:\windows\SysWOW64\TXTGXH.exe
Command line: C:\windows\system32\TXTGXH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1752

36⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SNNJK.exe.bat" "
PID: 2120

37⤵ C:\windows\SNNJK.exe
Command line: C:\windows\SNNJK.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3020

38⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBNYU.exe.bat" "
PID: 4664

39⤵ C:\windows\system\SBNYU.exe
Command line: C:\windows\system\SBNYU.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 680

40⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBU.exe.bat" "
PID: 4860

41⤵ C:\windows\SysWOW64\YBU.exe
Command line: C:\windows\system32\YBU.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1364

42⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUPELJA.exe.bat" "
PID: 368

43⤵ C:\windows\SysWOW64\JUPELJA.exe
Command line: C:\windows\system32\JUPELJA.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4616

44⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EHUO.exe.bat" "
PID: 4640

45⤵ C:\windows\SysWOW64\EHUO.exe
Command line: C:\windows\system32\EHUO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3240

46⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSLM.exe.bat" "
PID: 1020

47⤵ C:\windows\system\ZSLM.exe
Command line: C:\windows\system\ZSLM.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3980

48⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\THEGIIS.exe.bat" "
PID: 2976

49⤵ C:\windows\THEGIIS.exe
Command line: C:\windows\THEGIIS.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 692

50⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYLOUSO.exe.bat" "
PID: 4508

51⤵ C:\windows\SysWOW64\FYLOUSO.exe
Command line: C:\windows\system32\FYLOUSO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4220

52⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQO.exe.bat" "
PID: 4916

53⤵ C:\windows\system\QQO.exe
Command line: C:\windows\system\QQO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2056

54⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UYUHG.exe.bat" "
PID: 532

55⤵ C:\windows\UYUHG.exe
Command line: C:\windows\UYUHG.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 452

56⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FRXAPH.exe.bat" "
PID: 3272

57⤵ C:\windows\system\FRXAPH.exe
Command line: C:\windows\system\FRXAPH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1156

58⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FJYTCMO.exe.bat" "
PID: 3064

59⤵ C:\windows\FJYTCMO.exe
Command line: C:\windows\FJYTCMO.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3736

60⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKA.exe.bat" "
PID: 3596

61⤵ C:\windows\system\WKA.exe
Command line: C:\windows\system\WKA.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3824

62⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RXFQQ.exe.bat" "
PID: 4484

63⤵ C:\windows\RXFQQ.exe
Command line: C:\windows\RXFQQ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3956

64⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKFXT.exe.bat" "
PID: 3884

65⤵ C:\windows\SysWOW64\NCKFXT.exe
Command line: C:\windows\system32\NCKFXT.exe
- Executes dropped EXE
PID: 528

66⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IQP.exe.bat" "
PID: 2660

67⤵ C:\windows\IQP.exe
Command line: C:\windows\IQP.exe
- Executes dropped EXE
PID: 1504

68⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOIRGPL.exe.bat" "
PID: 4276

69⤵ C:\windows\system\KOIRGPL.exe
Command line: C:\windows\system\KOIRGPL.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4072

70⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OEPZSI.exe.bat" "
PID: 1372

71⤵ C:\windows\system\OEPZSI.exe
Command line: C:\windows\system\OEPZSI.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4292

72⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XEREWFC.exe.bat" "
PID: 4612

73⤵ C:\windows\system\XEREWFC.exe
Command line: C:\windows\system\XEREWFC.exe
- Executes dropped EXE
PID: 452

74⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRWN.exe.bat" "
PID: 1288

75⤵ C:\windows\system\SRWN.exe
Command line: C:\windows\system\SRWN.exe
- Executes dropped EXE
PID: 1132

76⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YREBPH.exe.bat" "
PID: 4100

77⤵ C:\windows\system\YREBPH.exe
Command line: C:\windows\system\YREBPH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 4416

78⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JKHUXO.exe.bat" "
PID: 1416

79⤵ C:\windows\JKHUXO.exe
Command line: C:\windows\JKHUXO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 4564

80⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EFLD.exe.bat" "
PID: 1028

81⤵ C:\windows\system\EFLD.exe
Command line: C:\windows\system\EFLD.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4028

82⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TAVHS.exe.bat" "
PID: 1208

83⤵ C:\windows\system\TAVHS.exe
Command line: C:\windows\system\TAVHS.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2896

84⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWMLX.exe.bat" "
PID: 2816

85⤵ C:\windows\system\LWMLX.exe
Command line: C:\windows\system\LWMLX.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2040

86⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BZW.exe.bat" "
PID: 3340

87⤵ C:\windows\system\BZW.exe
Command line: C:\windows\system\BZW.exe
- Executes dropped EXE
PID: 3916

88⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BEWM.exe.bat" "
PID: 4644

89⤵ C:\windows\system\BEWM.exe
Command line: C:\windows\system\BEWM.exe
- Executes dropped EXE
PID: 2544

90⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRBVTF.exe.bat" "
PID: 1020

91⤵ C:\windows\system\DRBVTF.exe
Command line: C:\windows\system\DRBVTF.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 3656

92⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MFLNJC.exe.bat" "
PID: 3784

93⤵ C:\windows\SysWOW64\MFLNJC.exe
Command line: C:\windows\system32\MFLNJC.exe
- Executes dropped EXE
PID: 3980

94⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ODEHIQB.exe.bat" "
PID: 4396

95⤵ C:\windows\ODEHIQB.exe
Command line: C:\windows\ODEHIQB.exe
- Executes dropped EXE
PID: 2684

96⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LAKE.exe.bat" "
PID: 2812

97⤵ C:\windows\LAKE.exe
Command line: C:\windows\LAKE.exe
- Executes dropped EXE
PID: 1868

98⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FVPOZA.exe.bat" "
PID: 2764

99⤵ C:\windows\system\FVPOZA.exe
Command line: C:\windows\system\FVPOZA.exe
- Executes dropped EXE
PID: 4072

100⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PWRTKFU.exe.bat" "
PID: 4516

101⤵ C:\windows\SysWOW64\PWRTKFU.exe
Command line: C:\windows\system32\PWRTKFU.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4032

102⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GJBLS.exe.bat" "
PID: 4680

103⤵ C:\windows\GJBLS.exe
Command line: C:\windows\GJBLS.exe
- Executes dropped EXE
PID: 452

104⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RCWE.exe.bat" "
PID: 4896

105⤵ C:\windows\system\RCWE.exe
Command line: C:\windows\system\RCWE.exe
- Executes dropped EXE
PID: 1488

106⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXI.exe.bat" "
PID: 4092

107⤵ C:\windows\system\KXI.exe
Command line: C:\windows\system\KXI.exe
- Executes dropped EXE
PID: 1444

108⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VPDA.exe.bat" "
PID: 3544

109⤵ C:\windows\VPDA.exe
Command line: C:\windows\VPDA.exe
- Executes dropped EXE
PID: 4076

110⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MCOKE.exe.bat" "
PID: 1356

111⤵ C:\windows\system\MCOKE.exe
Command line: C:\windows\system\MCOKE.exe
- Executes dropped EXE
PID: 2140

112⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OAPMK.exe.bat" "
PID: 2860

113⤵ C:\windows\system\OAPMK.exe
Command line: C:\windows\system\OAPMK.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1284

114⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIV.exe.bat" "
PID: 2744

115⤵ C:\windows\SysWOW64\SIV.exe
Command line: C:\windows\system32\SIV.exe
- Executes dropped EXE
PID: 2292

116⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRXA.exe.bat" "
PID: 2068

117⤵ C:\windows\system\JRXA.exe
Command line: C:\windows\system\JRXA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4796

118⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRFNJS.exe.bat" "
PID: 1316

119⤵ C:\windows\SysWOW64\HRFNJS.exe
Command line: C:\windows\system32\HRFNJS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4100

120⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZMN.exe.bat" "
PID: 2204

121⤵ C:\windows\SysWOW64\TZMN.exe
Command line: C:\windows\system32\TZMN.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 3108

122⤵ C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CHOSZ.exe.bat" "
PID: 4972
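The process tree above is one stage repeated: a 32-bit cmd.exe runs a dropped `<NAME>.exe.bat`, the batch file starts the dropped `<NAME>.exe` of the same name one level deeper, and that binary drops the next pair under C:\windows, C:\windows\system or C:\windows\system32. The Python below is an added example, not part of the sandbox report: it parses a handful of entries copied from the listing (in the fused `<image><command line><depth>⤵[PID:<n>]` shape the page renders them, signature lines abridged) and pulls out three things an analyst wants from such a tree: the .bat → .exe stage pairs, the entries whose command line names system32 while the recorded image is under SysWOW64 (WOW64 file-system redirection, so the dropped file really lives in C:\Windows\SysWOW64), and PIDs that occur more than once in the run (Windows recycles PIDs, so a PID is not a stable key across a chain this long). The regexes, the `Proc` structure and the sample subset are this example's own assumptions about the report layout.

```python
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: entries copied from the sandbox process tree above, in the fused
# "<image><command line><depth>⤵[PID:<n>]" shape the page renders them. Signature lines
# are abridged and depths 32-33 and 36-57 are left out; "PID:<n> -" keeps the stray
# bullet the extraction left behind.
SAMPLE_LINES = [
    r'C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "28⤵PID:5088',
    r'C:\windows\system\FETQDNA.exeC:\windows\system\FETQDNA.exe29⤵',
    '- Executes dropped EXE',
    '- Suspicious use of SetWindowsHookEx',
    'PID:4412 -',
    r'C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RWWI.exe.bat" "30⤵PID:3736',
    r'C:\windows\system\RWWI.exeC:\windows\system\RWWI.exe31⤵',
    '- Executes dropped EXE',
    '- Drops file in Windows directory',
    'PID:3060 -',
    r'C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXTGXH.exe.bat" "34⤵PID:3956',
    r'C:\windows\SysWOW64\TXTGXH.exeC:\windows\system32\TXTGXH.exe35⤵',
    '- Checks computer location settings',
    '- Executes dropped EXE',
    'PID:1752 -',
    r'C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FJYTCMO.exe.bat" "58⤵PID:3064',
    r'C:\windows\FJYTCMO.exeC:\windows\FJYTCMO.exe59⤵',
    '- Executes dropped EXE',
    'PID:3736 -',
]

# Layout assumptions of this example: the image path ends at the first ".exe", the command
# line starts with a drive letter, the digits before "⤵" are the nesting depth, and an
# optional "PID:<n>" may follow on the same line or on a line of its own.
ENTRY_RE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmdline>[A-Za-z]:\\.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
SIG_RE = re.compile(r'^-\s+(?P<sig>.+?)\s*$')
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\.exe\.bat)"', re.IGNORECASE)


@dataclass
class Proc:
    image: str                 # image path the sandbox recorded for the process
    cmdline: str               # command line as launched
    depth: int                 # nesting level in the tree
    pid: int | None = None
    signatures: list[str] = field(default_factory=list)


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(' ', 1)[0]


def parse_tree(lines) -> list[Proc]:
    procs: list[Proc] = []
    for raw in lines:
        line = raw.strip()
        if not line or line == '-':
            continue                      # empty bullet left by the page extraction
        m = ENTRY_RE.match(line)
        if m:
            procs.append(Proc(m['image'], m['cmdline'], int(m['depth']),
                              int(m['pid']) if m['pid'] else None))
            continue
        if not procs:
            continue                      # attribute line before any entry: nothing to attach to
        m = PID_RE.match(line)
        if m:
            procs[-1].pid = int(m['pid'])
            continue
        m = SIG_RE.match(line)
        if m:
            procs[-1].signatures.append(m['sig'])
    return procs


def launcher_stages(procs: list[Proc]):
    """Pair each `cmd.exe /c "<NAME>.exe.bat"` with the dropped <NAME>.exe it starts one
    level deeper. Returns (bat path, child image, child pid) per stage."""
    stages = []
    for parent, child in zip(procs, procs[1:]):
        m = BAT_RE.search(parent.cmdline)
        if not m or child.depth != parent.depth + 1:
            continue
        want = ntpath.basename(m['bat'])[:-len('.bat')].lower()
        if ntpath.basename(exe_from_cmdline(child.cmdline)).lower() == want:
            stages.append((m['bat'], child.image, child.pid))
    return stages


def wow64_redirected(procs: list[Proc]) -> list[Proc]:
    """Entries launched as C:\\Windows\\system32\\X but recorded under SysWOW64: 32-bit
    processes under WOW64 file-system redirection. The dropped file is really in
    C:\\Windows\\SysWOW64, which is where a collector has to look for it."""
    hits = []
    for p in procs:
        asked = ntpath.dirname(exe_from_cmdline(p.cmdline)).lower()
        got = ntpath.dirname(p.image).lower()
        if asked.endswith(r'\system32') and got.endswith(r'\syswow64'):
            hits.append(p)
    return hits


def reused_pids(procs: list[Proc]) -> dict[int, int]:
    """PIDs that belong to more than one process in the run. Windows recycles PIDs, so in a
    chain this long a PID alone is not a stable key; pair it with image and depth."""
    counts = Counter(p.pid for p in procs if p.pid is not None)
    return {pid: n for pid, n in counts.items() if n > 1}


PROCS = parse_tree(SAMPLE_LINES)

if __name__ == '__main__':
    for bat, exe, pid in launcher_stages(PROCS):
        print(f'stage: {bat} -> {exe} (pid {pid})')
    for p in wow64_redirected(PROCS):
        print(f'wow64 redirect: asked for {exe_from_cmdline(p.cmdline)}, got {p.image}')
    print('reused pids:', reused_pids(PROCS))
```

Two of the findings carry over to live triage. Every cmd.exe in the tree, and every dropped binary launched from C:\windows\system32, shows up under SysWOW64 because the chain is 32-bit, so file-collection and hash lookups against C:\Windows\System32 will miss those drops. And PID 3736 (and, in the full listing, 452, 1288, 3956, 3980, 4072, 1020 and 4100) is reused within the same run, so correlating stages by PID across the whole tree would merge unrelated processes.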