Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2024, 18:30
Static task: static1
Behavioral task: behavioral1
- Sample: 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
- Resource: win10v2004-20240226-en
The signatures and process tree on this page are from behavioral2 (win10v2004-20240226-en), matching the platform listed under Analysis.
General
- Target: 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
- Size: 208KB
- MD5: 6b1c274e0b37c953837c140a540294af
- SHA1: 6ef8f31ad0cf2e420daae5170f8f430a48eb6e6f
- SHA256: 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2
- SHA512: f1103734c2d0b9cef92a0f67c6938522aa2c643726c304ab4df7ab74cd10fc77c3c789c3bc52d26d48464a86c15e21463006ff86a436117de64f4f5aefebfd2e
- SSDEEP: 3072:AYkMRPgF8PIiUBKbTYPCxAHBQVEh+eNiboB4NLthEjQT67:AW4fUwPYYQOh+LCQEj9
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value read is the user's GeoID from the Region settings (this sandbox image is locale:en-us), not anything derived from the network, so if the sample really gates on region a sandbox configured for the wrong region will never show the later behaviour. Locale initialisation in common runtimes reads the same value, so this query on its own is weak evidence of geofencing.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process (64, each querying the value above): FQH.exe, LQSG.exe, LLQS.exe, ZFBVM.exe, NJKN.exe, LKCQUH.exe, DDZ.exe, YZAXIR.exe, JNRMHG.exe, OIQRD.exe, QIXEX.exe, DSVNZF.exe, WXWLKT.exe, OLLWPTG.exe, EPKTO.exe, OWCW.exe, DNDQYM.exe, YOLOUO.exe, IBLFRCX.exe, TRDYSR.exe, DECMQX.exe, XHY.exe, OZZ.exe, JGD.exe, RVTWXUL.exe, YVBNB.exe, RAHWQO.exe, WIX.exe, XEUZLEM.exe, YWIILCX.exe, JXUWBAP.exe, UDIONH.exe, JTA.exe, UVEICCI.exe, ERSKZCA.exe, VGVPV.exe, QNXAQ.exe, JMNAJ.exe, YZZTQ.exe, QJKLS.exe, RSA.exe, NDULEN.exe, GIU.exe, DVCAT.exe, GDBMZ.exe, QCQRM.exe, ICP.exe, XGG.exe, YNZBXRU.exe, FQZYIW.exe, QBR.exe, RUWRMTV.exe, UZRKZOI.exe, IYDHK.exe, LXQ.exe, VKS.exe, ZSLM.exe, REBM.exe, GKNFS.exe, CHF.exe, SUOZMHK.exe, BSSHELB.exe, EZQK.exe, MPTI.exe
- Executes dropped EXE (64 IoCs)
pid Process
2872 YZZTQ.exe
5092 CHF.exe
3612 YXHBFI.exe
1892 NTEVP.exe
2888 JBZDSI.exe
4836 YWIILCX.exe
2872 VBO.exe
4792 VHOT.exe
4532 VKS.exe
1568 UADSUM.exe
440 LKCQUH.exe
4360 QLJDDJI.exe
3836 FQH.exe
5076 QJKLS.exe
3400 WJSZBUB.exe
3600 NSU.exe
4992 DNDQYM.exe
4868 OFGJGUT.exe
1268 ZYBUGJ.exe
2732 IYDHK.exe
3636 HWW.exe
2752 CJBLP.exe
2192 TRDYSR.exe
632 ZSLM.exe
3236 ISFRF.exe
4876 RAHWQO.exe
3880 ZLP.exe
3204 WQV.exe
3256 YOB.exe
5060 OZZ.exe
3792 TEJUIA.exe
3068 ICP.exe
4960 ZKRX.exe
2308 DSYXFAW.exe
4616 DVCAT.exe
2872 POFTTFN.exe
4028 JBJ.exe
812 EXOMN.exe
3532 RZKK.exe
4424 PASYBQU.exe
1948 GIU.exe
4636 BVZVP.exe
912 MOUFXD.exe
4532 JTA.exe
1996 LJNXU.exe
4368 AMX.exe
1084 RNZO.exe
3168 NVTWL.exe
412 OYXSZCL.exe
3784 OQFTFOZ.exe
2244 YOLOUO.exe
3768 YULCWBD.exe
3316 NPUGH.exe
4248 WXWLKT.exe
3464 IFDT.exe
2872 TYGEF.exe
1604 OLLWPTG.exe
4636 ZDG.exe
4348 ZWP.exe
2196 BUIK.exe
4352 JEQD.exe
5012 DSVNZF.exe
4520 JSD.exe
3552 JGD.exe
PID reuse: 2872 is assigned four times (YZZTQ.exe, VBO.exe, POFTTFN.exe, TYGEF.exe), and 4532 (VKS.exe, JTA.exe) and 4636 (BVZVP.exe, ZDG.exe) twice each, because each stage has exited (see Program crash) before later stages start. When correlating these rows with the crash and WriteProcessMemory rows, key on PID plus process start time or event order, not on PID alone.
- Drops file in System32 directory (64 IoCs)
Every path below is under C:\windows\SysWOW64, although the batch files and command lines in the process tree name C:\windows\system32. The sample and every stage are 32-bit (they run under C:\Windows\SysWOW64\cmd.exe although the command line asks for C:\Windows\system32\cmd.exe), so WOW64 file system redirection maps their system32 writes to SysWOW64. On a live x64 host, look for these names in SysWOW64, not System32.
description | ioc | Process
File created | C:\windows\SysWOW64\LJNXU.exe.bat | JTA.exe
File created | C:\windows\SysWOW64\SABE.exe.bat | JNRMHG.exe
File created | C:\windows\SysWOW64\RAHWQO.exe | ISFRF.exe
File opened for modification | C:\windows\SysWOW64\ICP.exe | TEJUIA.exe
File created | C:\windows\SysWOW64\HAPCPDX.exe | YANXEX.exe
File opened for modification | C:\windows\SysWOW64\RAHWQO.exe | ISFRF.exe
File created | C:\windows\SysWOW64\EWNJSGO.exe | QMRCNP.exe
File opened for modification | C:\windows\SysWOW64\ZQADOEQ.exe | TPSQECP.exe
File created | C:\windows\SysWOW64\WJSZBUB.exe.bat | QJKLS.exe
File created | C:\windows\SysWOW64\RZKK.exe | EXOMN.exe
File created | C:\windows\SysWOW64\OBWUX.exe | KTP.exe
File created | C:\windows\SysWOW64\BLHJSPI.exe | MIYF.exe
File created | C:\windows\SysWOW64\TVL.exe | LPLTREU.exe
File opened for modification | C:\windows\SysWOW64\TEJUIA.exe | OZZ.exe
File created | C:\windows\SysWOW64\YVBNB.exe.bat | SABE.exe
File opened for modification | C:\windows\SysWOW64\IACYH.exe | DAU.exe
File created | C:\windows\SysWOW64\JTA.exe | MOUFXD.exe
File created | C:\windows\SysWOW64\PSWM.exe | XPKITTG.exe
File created | C:\windows\SysWOW64\WJSZBUB.exe | QJKLS.exe
File created | C:\windows\SysWOW64\ZYBUGJ.exe.bat | OFGJGUT.exe
File created | C:\windows\SysWOW64\EXOMN.exe.bat | JBJ.exe
File created | C:\windows\SysWOW64\KCIDD.exe.bat | QOD.exe
File created | C:\windows\SysWOW64\ULJCTIX.exe | FQZYIW.exe
File opened for modification | C:\windows\SysWOW64\LJNXU.exe | JTA.exe
File created | C:\windows\SysWOW64\JNRMHG.exe.bat | RSA.exe
File created | C:\windows\SysWOW64\DDZ.exe | OIQRD.exe
File opened for modification | C:\windows\SysWOW64\ZYBUGJ.exe | OFGJGUT.exe
File opened for modification | C:\windows\SysWOW64\XGG.exe | FYELON.exe
File created | C:\windows\SysWOW64\DLTKCT.exe.bat | QIXEX.exe
File created | C:\windows\SysWOW64\GDBMZ.exe | JGD.exe
File created | C:\windows\SysWOW64\OBH.exe.bat | RVBCHA.exe
File created | C:\windows\SysWOW64\EOAGW.exe | DLWCIT.exe
File created | C:\windows\SysWOW64\JTA.exe.bat | MOUFXD.exe
File created | C:\windows\SysWOW64\LPLTREU.exe | NPDFI.exe
File opened for modification | C:\windows\SysWOW64\OQEG.exe | TCZXHVP.exe
File opened for modification | C:\windows\SysWOW64\WYMT.exe | BLHJSPI.exe
File created | C:\windows\SysWOW64\BUIK.exe | ZWP.exe
File opened for modification | C:\windows\SysWOW64\LLRGC.exe | JNM.exe
File created | C:\windows\SysWOW64\UVEICCI.exe.bat | QNXAQ.exe
File opened for modification | C:\windows\SysWOW64\EWNJSGO.exe | QMRCNP.exe
File created | C:\windows\SysWOW64\KTP.exe.bat | GDBMZ.exe
File created | C:\windows\SysWOW64\GDBMZ.exe.bat | JGD.exe
File created | C:\windows\SysWOW64\RUWRMTV.exe | ERSKZCA.exe
File opened for modification | C:\windows\SysWOW64\WJSZBUB.exe | QJKLS.exe
File created | C:\windows\SysWOW64\LLRGC.exe.bat | JNM.exe
File created | C:\windows\SysWOW64\KUQC.exe | BUWXB.exe
File opened for modification | C:\windows\SysWOW64\PSWM.exe | XPKITTG.exe
File created | C:\windows\SysWOW64\RZKK.exe.bat | EXOMN.exe
File created | C:\windows\SysWOW64\KBKCAE.exe | ULJCTIX.exe
File created | C:\windows\SysWOW64\ULJCTIX.exe.bat | FQZYIW.exe
File created | C:\windows\SysWOW64\ZYBUGJ.exe | OFGJGUT.exe
File created | C:\windows\SysWOW64\BVZVP.exe.bat | GIU.exe
File created | C:\windows\SysWOW64\RNZO.exe.bat | AMX.exe
File opened for modification | C:\windows\SysWOW64\HMSWMS.exe | WTXDD.exe
File created | C:\windows\SysWOW64\UADSUM.exe.bat | VKS.exe
File created | C:\windows\SysWOW64\OQEG.exe | TCZXHVP.exe
File opened for modification | C:\windows\SysWOW64\YXHBFI.exe | CHF.exe
File opened for modification | C:\windows\SysWOW64\JBJ.exe | POFTTFN.exe
File opened for modification | C:\windows\SysWOW64\OBWUX.exe | KTP.exe
File created | C:\windows\SysWOW64\WLYX.exe | IACYH.exe
File created | C:\windows\SysWOW64\XGG.exe.bat | FYELON.exe
File created | C:\windows\SysWOW64\UADSUM.exe | VKS.exe
File created | C:\windows\SysWOW64\DDZ.exe.bat | OIQRD.exe
File created | C:\windows\SysWOW64\IACYH.exe.bat | DAU.exe
- Drops file in Windows directory (64 IoCs)
Each stage writes one new randomly named .exe plus a matching .exe.bat that launches it, into C:\windows or C:\windows\system (or SysWOW64, see above); for example TRDYSR.exe writes both C:\windows\system\ZSLM.exe and C:\windows\system\ZSLM.exe.bat, and the process tree then shows cmd.exe running ZSLM.exe.bat, which runs ZSLM.exe. The names are not reused between runs, so hunt on the pattern (uppercase .exe and .exe.bat pairs in these directories) rather than on the names.
description | ioc | Process
File opened for modification | C:\windows\system\QBR.exe | KBKCAE.exe
File opened for modification | C:\windows\system\SRJKKQT.exe | SMJWID.exe
File created | C:\windows\JZBNY.exe | XHY.exe
File opened for modification | C:\windows\system\NPINLTZ.exe | JZBNY.exe
File opened for modification | C:\windows\system\REBM.exe | VGVPV.exe
File created | C:\windows\system\GRH.exe | DECMQX.exe
File created | C:\windows\system\YWIILCX.exe.bat | JBZDSI.exe
File opened for modification | C:\windows\ATMXZQ.exe | WLYX.exe
File created | C:\windows\QMRCNP.exe.bat | WYMT.exe
File created | C:\windows\system\EZQK.exe | SRJKKQT.exe
File created | C:\windows\QMMRNB.exe | WRHH.exe
File created | C:\windows\VKS.exe.bat | VHOT.exe
File opened for modification | C:\windows\RVTWXUL.exe | GCQDON.exe
File created | C:\windows\HUUWAI.exe.bat | BUUI.exe
File created | C:\windows\CZFU.exe.bat | WDFU.exe
File created | C:\windows\JBZDSI.exe | NTEVP.exe
File opened for modification | C:\windows\system\WWHDV.exe | LDEK.exe
File created | C:\windows\system\YZZTQ.exe | 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
File opened for modification | C:\windows\WIX.exe | QIQ.exe
File created | C:\windows\system\LLQS.exe.bat | LXQ.exe
File created | C:\windows\system\DAU.exe.bat | BCBJSPP.exe
File created | C:\windows\system\AZFLAVS.exe | ATMXZQ.exe
File opened for modification | C:\windows\system\QXV.exe | QMMRNB.exe
File created | C:\windows\system\ZSLM.exe | TRDYSR.exe
File created | C:\windows\system\ZWP.exe | ZDG.exe
File created | C:\windows\system\YULCWBD.exe | YOLOUO.exe
File created | C:\windows\VGVPV.exe.bat | TJUN.exe
File opened for modification | C:\windows\system\SZXSYU.exe | JMNAJ.exe
File created | C:\windows\DLWCIT.exe | LQSG.exe
File created | C:\windows\OZZ.exe.bat | YOB.exe
File created | C:\windows\OWCW.exe | DDZ.exe
File opened for modification | C:\windows\OWCW.exe | DDZ.exe
File created | C:\windows\TRDYSR.exe.bat | CJBLP.exe
File created | C:\windows\system\QBR.exe | KBKCAE.exe
File created | C:\windows\system\OZJXIU.exe | WQH.exe
File opened for modification | C:\windows\system\GKNFS.exe | GEVRQ.exe
File opened for modification | C:\windows\system\AZFLAVS.exe | ATMXZQ.exe
File created | C:\windows\WIX.exe | QIQ.exe
File opened for modification | C:\windows\KJBHRJ.exe | OBH.exe
File created | C:\windows\system\MIYF.exe | RVTWXUL.exe
File opened for modification | C:\windows\ZDG.exe | OLLWPTG.exe
File created | C:\windows\system\TJUN.exe | YVXDEDE.exe
File created | C:\windows\MXIB.exe.bat | VHBQV.exe
File created | C:\windows\system\GRH.exe.bat | DECMQX.exe
File opened for modification | C:\windows\system\NTEVP.exe | YXHBFI.exe
File opened for modification | C:\windows\system\VBO.exe | YWIILCX.exe
File created | C:\windows\system\ZSLM.exe.bat | TRDYSR.exe
File created | C:\windows\NJKN.exe | EBIAJXJ.exe
File opened for modification | C:\windows\system\EBIAJXJ.exe | YBANZ.exe
File created | C:\windows\system\ZWP.exe.bat | ZDG.exe
File created | C:\windows\VGVPV.exe | TJUN.exe
File created | C:\windows\system\QXV.exe.bat | QMMRNB.exe
File opened for modification | C:\windows\WDFU.exe | HIWHLW.exe
File created | C:\windows\WDFU.exe.bat | HIWHLW.exe
File opened for modification | C:\windows\CZFU.exe | WDFU.exe
File created | C:\windows\JXUWBAP.exe.bat | EWNJSGO.exe
File created | C:\windows\HIWHLW.exe.bat | LLQS.exe
File opened for modification | C:\windows\HIWHLW.exe | LLQS.exe
File opened for modification | C:\windows\WQV.exe | ZLP.exe
File created | C:\windows\system\NPINLTZ.exe.bat | JZBNY.exe
File created | C:\windows\ATMXZQ.exe.bat | WLYX.exe
File opened for modification | C:\windows\UUJV.exe | AZFLAVS.exe
File opened for modification | C:\windows\KVGJK.exe | YNZBXRU.exe
File created | C:\windows\system\ARLERYR.exe.bat | REBM.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Program crash (64 IoCs)
Every stage crashes after it has launched its successor; the crash targets below line up one for one, in order, with the Executes dropped EXE list (the first target, 4620, is the original sample itself), and a reused PID such as 2872 appears as a target once per stage that used it. The crashes are therefore part of this chain's normal lifecycle, and WerFault.exe activity is a usable secondary indicator for it.
pid | pid_target | Process | procid_target
4872 | 4620 | WerFault.exe | 86
3948 | 2872 | WerFault.exe | 98
4360 | 5092 | WerFault.exe | 104
4076 | 3612 | WerFault.exe | 109
4960 | 1892 | WerFault.exe | 115
2844 | 2888 | WerFault.exe | 120
3032 | 4836 | WerFault.exe | 125
2984 | 2872 | WerFault.exe | 130
5028 | 4792 | WerFault.exe | 136
4596 | 4532 | WerFault.exe | 141
4252 | 1568 | WerFault.exe | 148
1000 | 440 | WerFault.exe | 154
5104 | 4360 | WerFault.exe | 160
1896 | 3836 | WerFault.exe | 165
1688 | 5076 | WerFault.exe | 170
412 | 3400 | WerFault.exe | 175
3696 | 3600 | WerFault.exe | 181
5024 | 4992 | WerFault.exe | 186
4568 | 4868 | WerFault.exe | 191
3812 | 1268 | WerFault.exe | 196
2140 | 2732 | WerFault.exe | 203
3336 | 3636 | WerFault.exe | 208
4732 | 2752 | WerFault.exe | 213
2032 | 2192 | WerFault.exe | 218
4564 | 632 | WerFault.exe | 223
636 | 3236 | WerFault.exe | 228
5108 | 4876 | WerFault.exe | 233
3132 | 3880 | WerFault.exe | 237
1996 | 3204 | WerFault.exe | 243
4504 | 3256 | WerFault.exe | 248
3236 | 5060 | WerFault.exe | 253
2176 | 3792 | WerFault.exe | 258
4520 | 3068 | WerFault.exe | 262
2680 | 4960 | WerFault.exe | 268
4128 | 2308 | WerFault.exe | 273
1948 | 4616 | WerFault.exe | 278
436 | 2872 | WerFault.exe | 283
912 | 4028 | WerFault.exe | 288
3580 | 812 | WerFault.exe | 293
4584 | 3532 | WerFault.exe | 298
1316 | 4424 | WerFault.exe | 303
2176 | 1948 | WerFault.exe | 309
4208 | 4636 | WerFault.exe | 314
2188 | 912 | WerFault.exe | 319
4920 | 4532 | WerFault.exe | 324
2392 | 1996 | WerFault.exe | 329
1604 | 4368 | WerFault.exe | 334
3512 | 1084 | WerFault.exe | 340
1856 | 3168 | WerFault.exe | 345
3096 | 412 | WerFault.exe | 350
5028 | 3784 | WerFault.exe | 355
2532 | 2244 | WerFault.exe | 360
3068 | 3768 | WerFault.exe | 365
4588 | 3316 | WerFault.exe | 370
4920 | 4248 | WerFault.exe | 375
736 | 3464 | WerFault.exe | 380
3764 | 2872 | WerFault.exe | 385
3088 | 1604 | WerFault.exe | 390
2188 | 4636 | WerFault.exe | 395
312 | 4348 | WerFault.exe | 400
412 | 2196 | WerFault.exe | 405
3132 | 4352 | WerFault.exe | 410
5100 | 5012 | WerFault.exe | 415
4592 | 4520 | WerFault.exe | 420
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (each process is listed twice in the report)
4620 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
2872 YZZTQ.exe
5092 CHF.exe
3612 YXHBFI.exe
1892 NTEVP.exe
2888 JBZDSI.exe
4836 YWIILCX.exe
2872 VBO.exe
4792 VHOT.exe
4532 VKS.exe
1568 UADSUM.exe
440 LKCQUH.exe
4360 QLJDDJI.exe
3836 FQH.exe
5076 QJKLS.exe
3400 WJSZBUB.exe
3600 NSU.exe
4992 DNDQYM.exe
4868 OFGJGUT.exe
1268 ZYBUGJ.exe
2732 IYDHK.exe
3636 HWW.exe
2752 CJBLP.exe
2192 TRDYSR.exe
632 ZSLM.exe
3236 ISFRF.exe
4876 RAHWQO.exe
3880 ZLP.exe
3204 WQV.exe
3256 YOB.exe
5060 OZZ.exe
3792 TEJUIA.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
SetWindowsHookEx is also called by ordinary GUI applications and toolkits, so on its own it is a weak indicator; what is notable here is that the sample and every dropped stage in the list call it, i.e. the behaviour is inherited by each copy.
pid Process (each process is listed twice in the report)
4620 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
2872 YZZTQ.exe
5092 CHF.exe
3612 YXHBFI.exe
1892 NTEVP.exe
2888 JBZDSI.exe
4836 YWIILCX.exe
2872 VBO.exe
4792 VHOT.exe
4532 VKS.exe
1568 UADSUM.exe
440 LKCQUH.exe
4360 QLJDDJI.exe
3836 FQH.exe
5076 QJKLS.exe
3400 WJSZBUB.exe
3600 NSU.exe
4992 DNDQYM.exe
4868 OFGJGUT.exe
1268 ZYBUGJ.exe
2732 IYDHK.exe
3636 HWW.exe
2752 CJBLP.exe
2192 TRDYSR.exe
632 ZSLM.exe
3236 ISFRF.exe
4876 RAHWQO.exe
3880 ZLP.exe
3204 WQV.exe
3256 YOB.exe
5060 OZZ.exe
3792 TEJUIA.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
The report records each parent-to-child edge three times (three writes into the new process); the edges are collapsed below with the repeat count. Read top to bottom they give the chain directly: stage -> cmd.exe -> next stage, each stage spawning exactly one cmd.exe and each cmd.exe exactly one new stage. The list is cut off at 64 IoCs, so the last edge shows only one of its three writes.
pid | Process | wrote to memory of pid | procid_target | writes
4620 | 2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe | 5048 | 94 | 3
5048 | cmd.exe | 2872 | 98 | 3
2872 | YZZTQ.exe | 3812 | 100 | 3
3812 | cmd.exe | 5092 | 104 | 3
5092 | CHF.exe | 4332 | 105 | 3
4332 | cmd.exe | 3612 | 109 | 3
3612 | YXHBFI.exe | 4716 | 111 | 3
4716 | cmd.exe | 1892 | 115 | 3
1892 | NTEVP.exe | 1600 | 116 | 3
1600 | cmd.exe | 2888 | 120 | 3
2888 | JBZDSI.exe | 2148 | 121 | 3
2148 | cmd.exe | 4836 | 125 | 3
4836 | YWIILCX.exe | 4412 | 126 | 3
4412 | cmd.exe | 2872 | 130 | 3
2872 | VBO.exe | 2724 | 132 | 3
2724 | cmd.exe | 4792 | 136 | 3
4792 | VHOT.exe | 5104 | 137 | 3
5104 | cmd.exe | 4532 | 141 | 3
4532 | VKS.exe | 4492 | 144 | 3
4492 | cmd.exe | 1568 | 148 | 3
1568 | UADSUM.exe | 2288 | 149 | 3
2288 | cmd.exe | 440 | 154 | 1 (truncated)
Processes
Each entry is the child of the one above it (the leading number is its depth in the tree), so the tree is a single linear chain: a stage launches cmd.exe on its dropped .exe.bat, and that cmd.exe launches the next stage. Where the image path is C:\windows\SysWOW64\ but the command line says C:\windows\system32\, WOW64 redirection has rewritten the path for the 32-bit process.
1. C:\Users\Admin\AppData\Local\Temp\2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe (PID 4620)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (PID 5048)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YZZTQ.exe.bat" "
- Suspicious use of WriteProcessMemory
3. C:\windows\system\YZZTQ.exe (PID 2872)
   Command line: C:\windows\system\YZZTQ.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\cmd.exe (PID 3812)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHF.exe.bat" "
- Suspicious use of WriteProcessMemory
5. C:\windows\system\CHF.exe (PID 5092)
   Command line: C:\windows\system\CHF.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\cmd.exe (PID 4332)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YXHBFI.exe.bat" "
- Suspicious use of WriteProcessMemory
7. C:\windows\SysWOW64\YXHBFI.exe (PID 3612)
   Command line: C:\windows\system32\YXHBFI.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\cmd.exe (PID 4716)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NTEVP.exe.bat" "
- Suspicious use of WriteProcessMemory
9. C:\windows\system\NTEVP.exe (PID 1892)
   Command line: C:\windows\system\NTEVP.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\cmd.exe (PID 1600)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JBZDSI.exe.bat" "
- Suspicious use of WriteProcessMemory
11. C:\windows\JBZDSI.exe (PID 2888)
   Command line: C:\windows\JBZDSI.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\cmd.exe (PID 2148)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YWIILCX.exe.bat" "
- Suspicious use of WriteProcessMemory
13. C:\windows\system\YWIILCX.exe (PID 4836)
   Command line: C:\windows\system\YWIILCX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\cmd.exe (PID 4412)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBO.exe.bat" "
- Suspicious use of WriteProcessMemory
15. C:\windows\system\VBO.exe (PID 2872)
   Command line: C:\windows\system\VBO.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\cmd.exe (PID 2724)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHOT.exe.bat" "
- Suspicious use of WriteProcessMemory
17. C:\windows\SysWOW64\VHOT.exe (PID 4792)
   Command line: C:\windows\system32\VHOT.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\cmd.exe (PID 5104)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VKS.exe.bat" "
- Suspicious use of WriteProcessMemory
19. C:\windows\VKS.exe (PID 4532)
   Command line: C:\windows\VKS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\cmd.exe (PID 4492)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UADSUM.exe.bat" "
- Suspicious use of WriteProcessMemory
21. C:\windows\SysWOW64\UADSUM.exe (PID 1568)
   Command line: C:\windows\system32\UADSUM.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\cmd.exe (PID 2288)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LKCQUH.exe.bat" "
- Suspicious use of WriteProcessMemory
23. C:\windows\system\LKCQUH.exe (PID 440)
   Command line: C:\windows\system\LKCQUH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
24. C:\Windows\SysWOW64\cmd.exe (PID 1756)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QLJDDJI.exe.bat" "
25. C:\windows\system\QLJDDJI.exe (PID 4360)
   Command line: C:\windows\system\QLJDDJI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
26. C:\Windows\SysWOW64\cmd.exe (PID 2800)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQH.exe.bat" "
27. C:\windows\system\FQH.exe (PID 3836)
   Command line: C:\windows\system\FQH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
28. C:\Windows\SysWOW64\cmd.exe (PID 5108)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QJKLS.exe.bat" "
29. C:\windows\QJKLS.exe (PID 5076)
   Command line: C:\windows\QJKLS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
30. C:\Windows\SysWOW64\cmd.exe (PID 368)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WJSZBUB.exe.bat" "
31. C:\windows\SysWOW64\WJSZBUB.exe (PID 3400)
   Command line: C:\windows\system32\WJSZBUB.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
32. C:\Windows\SysWOW64\cmd.exe (PID 4352)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSU.exe.bat" "
33. C:\windows\system\NSU.exe (PID 3600)
   Command line: C:\windows\system\NSU.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
34. C:\Windows\SysWOW64\cmd.exe (PID 1316)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DNDQYM.exe.bat" "
35. C:\windows\SysWOW64\DNDQYM.exe (PID 4992)
   Command line: C:\windows\system32\DNDQYM.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
36. C:\Windows\SysWOW64\cmd.exe (PID 1672)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OFGJGUT.exe.bat" "
37. C:\windows\system\OFGJGUT.exe (PID 4868)
   Command line: C:\windows\system\OFGJGUT.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
38. C:\Windows\SysWOW64\cmd.exe (PID 2244)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYBUGJ.exe.bat" "
39. C:\windows\SysWOW64\ZYBUGJ.exe (PID 1268)
   Command line: C:\windows\system32\ZYBUGJ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
40. C:\Windows\SysWOW64\cmd.exe (PID 2676)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IYDHK.exe.bat" "
41. C:\windows\IYDHK.exe (PID 2732)
   Command line: C:\windows\IYDHK.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
42. C:\Windows\SysWOW64\cmd.exe (PID 2984)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HWW.exe.bat" "
43. C:\windows\HWW.exe (PID 3636)
   Command line: C:\windows\HWW.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
44. C:\Windows\SysWOW64\cmd.exe (PID 4848)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CJBLP.exe.bat" "
45. C:\windows\system\CJBLP.exe (PID 2752)
   Command line: C:\windows\system\CJBLP.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
46. C:\Windows\SysWOW64\cmd.exe (PID 3592)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TRDYSR.exe.bat" "
47. C:\windows\TRDYSR.exe (PID 2192)
   Command line: C:\windows\TRDYSR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
48. C:\Windows\SysWOW64\cmd.exe (PID 4868)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSLM.exe.bat" "
49. C:\windows\system\ZSLM.exe
   Command line: C:\windows\system\ZSLM.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ISFRF.exe.bat" "50⤵PID:4900
-
C:\windows\ISFRF.exeC:\windows\ISFRF.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAHWQO.exe.bat" "52⤵PID:4352
-
C:\windows\SysWOW64\RAHWQO.exeC:\windows\system32\RAHWQO.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZLP.exe.bat" "54⤵PID:1552
-
C:\windows\ZLP.exeC:\windows\ZLP.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WQV.exe.bat" "56⤵PID:4592
-
C:\windows\WQV.exeC:\windows\WQV.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YOB.exe.bat" "58⤵PID:2676
-
C:\windows\SysWOW64\YOB.exeC:\windows\system32\YOB.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OZZ.exe.bat" "60⤵PID:4920
-
C:\windows\OZZ.exeC:\windows\OZZ.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TEJUIA.exe.bat" "62⤵PID:2728
-
C:\windows\SysWOW64\TEJUIA.exeC:\windows\system32\TEJUIA.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICP.exe.bat" "64⤵PID:1884
-
C:\windows\SysWOW64\ICP.exeC:\windows\system32\ICP.exe65⤵
- Checks computer location settings
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZKRX.exe.bat" "66⤵PID:2460
-
C:\windows\system\ZKRX.exeC:\windows\system\ZKRX.exe67⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DSYXFAW.exe.bat" "68⤵PID:3200
-
C:\windows\system\DSYXFAW.exeC:\windows\system\DSYXFAW.exe69⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DVCAT.exe.bat" "70⤵PID:2624
-
C:\windows\system\DVCAT.exeC:\windows\system\DVCAT.exe71⤵
- Checks computer location settings
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\POFTTFN.exe.bat" "72⤵PID:3628
-
C:\windows\system\POFTTFN.exeC:\windows\system\POFTTFN.exe73⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBJ.exe.bat" "74⤵PID:2244
-
C:\windows\SysWOW64\JBJ.exeC:\windows\system32\JBJ.exe75⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EXOMN.exe.bat" "76⤵PID:4732
-
C:\windows\SysWOW64\EXOMN.exeC:\windows\system32\EXOMN.exe77⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZKK.exe.bat" "78⤵PID:4356
-
C:\windows\SysWOW64\RZKK.exeC:\windows\system32\RZKK.exe79⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PASYBQU.exe.bat" "80⤵PID:4084
-
C:\windows\SysWOW64\PASYBQU.exeC:\windows\system32\PASYBQU.exe81⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GIU.exe.bat" "82⤵PID:3244
-
C:\windows\GIU.exeC:\windows\GIU.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVZVP.exe.bat" "84⤵PID:1884
-
C:\windows\SysWOW64\BVZVP.exeC:\windows\system32\BVZVP.exe85⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MOUFXD.exe.bat" "86⤵PID:1532
-
C:\windows\MOUFXD.exeC:\windows\MOUFXD.exe87⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTA.exe.bat" "88⤵PID:1568
-
C:\windows\SysWOW64\JTA.exeC:\windows\system32\JTA.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJNXU.exe.bat" "90⤵PID:2732
-
C:\windows\SysWOW64\LJNXU.exeC:\windows\system32\LJNXU.exe91⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMX.exe.bat" "92⤵PID:3616
-
C:\windows\system\AMX.exeC:\windows\system\AMX.exe93⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "94⤵PID:2000
-
C:\windows\SysWOW64\RNZO.exeC:\windows\system32\RNZO.exe95⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NVTWL.exe.bat" "96⤵PID:4208
-
C:\windows\system\NVTWL.exeC:\windows\system\NVTWL.exe97⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYXSZCL.exe.bat" "98⤵PID:4588
-
C:\windows\SysWOW64\OYXSZCL.exeC:\windows\system32\OYXSZCL.exe99⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OQFTFOZ.exe.bat" "100⤵PID:4244
-
C:\windows\system\OQFTFOZ.exeC:\windows\system\OQFTFOZ.exe101⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YOLOUO.exe.bat" "102⤵PID:5076
-
C:\windows\system\YOLOUO.exeC:\windows\system\YOLOUO.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YULCWBD.exe.bat" "104⤵PID:3876
-
C:\windows\system\YULCWBD.exeC:\windows\system\YULCWBD.exe105⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NPUGH.exe.bat" "106⤵PID:3872
-
C:\windows\system\NPUGH.exeC:\windows\system\NPUGH.exe107⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WXWLKT.exe.bat" "108⤵PID:3200
-
C:\windows\WXWLKT.exeC:\windows\WXWLKT.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IFDT.exe.bat" "110⤵PID:2464
-
C:\windows\SysWOW64\IFDT.exeC:\windows\system32\IFDT.exe111⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TYGEF.exe.bat" "112⤵PID:4548
-
C:\windows\system\TYGEF.exeC:\windows\system\TYGEF.exe113⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLLWPTG.exe.bat" "114⤵PID:2728
-
C:\windows\SysWOW64\OLLWPTG.exeC:\windows\system32\OLLWPTG.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZDG.exe.bat" "116⤵PID:4968
-
C:\windows\ZDG.exeC:\windows\ZDG.exe117⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZWP.exe.bat" "118⤵PID:1688
-
C:\windows\system\ZWP.exeC:\windows\system\ZWP.exe119⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUIK.exe.bat" "120⤵PID:3204
-
C:\windows\SysWOW64\BUIK.exeC:\windows\system32\BUIK.exe121⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEQD.exe.bat" "122⤵PID:4564
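The tree above repeats one shape at every level: a 32-bit cmd.exe is run as `cmd.exe /c ""<dir>\<NAME>.exe.bat" "` with `<dir>` one of C:\windows, C:\windows\system or C:\windows\system32, and the process one level deeper is the `<NAME>.exe` that the batch file starts, which in turn drops the next pair. Three details matter when you hunt for this outside the sandbox. First, the image path and the command line disagree for the system32 drops (image C:\windows\SysWOW64\WJSZBUB.exe, command line C:\windows\system32\WJSZBUB.exe): these are 32-bit processes, so WOW64 file system redirection sends both the dropped .bat/.exe and the later open of them to C:\Windows\SysWOW64, and a 64-bit shell searching System32 will not find the files the "Drops file in System32 directory" signature refers to. Second, PIDs are recycled within the run (4868 at depths 37 and 48, 2244 at depths 38, 74 and 103, 2676 at 40 and 58), so the chain has to be correlated on parent/child order, not on PID. Third, the per-level executable names carry no signal; the launcher command-line shape does. The following script is an added example and not tria.ge code: it parses entries in the raw extracted form used on this page (image path, command line and depth fused on one line ending in the `⤵` glyph, PID either fused after it or on its own `PID:` line), pairs each batch-launching cmd.exe with the child one level deeper, and lists dropped binaries that actually live under SysWOW64. The sample input is a four-entry excerpt (depths 28 to 31) copied from the tree; the regular expressions are this example's assumptions about that layout.

```python
"""Parse a tria.ge-style process tree and flag the batch-relaunch dropper
chain seen in this report.  Added example; it is not tria.ge code and the
line layout it assumes is the raw extracted form of this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: four consecutive entries copied from the tree above,
# in the raw extracted form (image path + command line + depth fused on one
# line; PID either fused after the depth or on its own "PID:" line).
SAMPLE_TREE = r'''
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QJKLS.exe.bat" "28⤵PID:5108
-
C:\windows\QJKLS.exeC:\windows\QJKLS.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WJSZBUB.exe.bat" "30⤵PID:368
-
C:\windows\SysWOW64\WJSZBUB.exeC:\windows\system32\WJSZBUB.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3400 -
'''

# Assumed layout: image path runs up to the first ".exe", the command line
# starts at the next drive letter, the depth number ends at the glyph.
PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\\S*?\.exe)'
    r'(?P<cmdline>[A-Za-z]:\\.*?)'
    r'(?P<depth>\d+)⤵'
    r'(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r'^PID:(\d+)')
# Launcher shape used at every level of the chain: cmd.exe /c ""X.exe.bat" "
BAT_LAUNCH_RE = re.compile(r'cmd\.exe\s+/c\s+""([A-Za-z]:\\.*?\.exe)\.bat"', re.I)


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Turn the raw tree text into Proc records, attaching signature bullets
    and stand-alone PID lines to the most recent process."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':          # empty bullet left by the page
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(int(m['depth']), m['image'], m['cmdline'],
                              int(m['pid']) if m['pid'] else None))
            continue
        if not procs:
            continue
        m = PID_RE.match(line)
        if m:
            procs[-1].pid = int(m.group(1))
        elif line.startswith('- '):
            procs[-1].signatures.append(line[2:])
    return procs


def bat_launch_target(cmdline: str) -> Optional[str]:
    """The .exe whose companion .bat this cmd.exe line runs, or None.
    This predicate is the portable part: the same test works on a Sysmon
    event 1 or EDR process-creation command line."""
    m = BAT_LAUNCH_RE.search(cmdline)
    return m.group(1) if m else None


def find_relaunch_links(procs: List[Proc]):
    """Pair each batch-launching cmd.exe with the process one level deeper
    whose command line is exactly the .exe named by the .bat.  Correlation
    is by depth, not PID, because PIDs are recycled within the run."""
    by_depth = {p.depth: p for p in procs}
    links = []
    for p in procs:
        target = bat_launch_target(p.cmdline)
        child = by_depth.get(p.depth + 1)
        if target and child and child.cmdline.lower() == target.lower():
            links.append((p.pid, target, child.pid))
    return links


def dropped_under_wow64(procs: List[Proc]) -> List[Proc]:
    """Dropped executables whose real on-disk location is SysWOW64: a 32-bit
    process that wrote to \\system32\\ was redirected there by WOW64."""
    return [p for p in procs
            if 'Executes dropped EXE' in p.signatures
            and '\\syswow64\\' in p.image.lower()]


if __name__ == '__main__':
    tree = parse_tree(SAMPLE_TREE)
    for cmd_pid, exe, child_pid in find_relaunch_links(tree):
        print(f'cmd.exe pid {cmd_pid} relaunches {exe} as pid {child_pid}')
    for p in dropped_under_wow64(tree):
        print(f'look in SysWOW64, not System32, for {p.image}')
```

Run against the whole tree, `find_relaunch_links` yields one link per depth pair from 23/24 up to 121/122, and the `cmd_pid` values repeat exactly where the page shows reused PIDs, which is why the pairing keys on depth.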