Analysis
- max time kernel: 132s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2024 23:47
Static task: static1

Behavioral task: behavioral1
- Sample: be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
- Resource: win10v2004-20240226-en
General
- Target: be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
- Size: 289KB
- MD5: abebffab827f05fb44f8b40b23c15764
- SHA1: a907312f51ac938af80cdbecf238c99147ad3208
- SHA256: be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018
- SHA512: 07c101c70e05dfd6db8c2fe2780e8cfdb9be837f8bbb207636a863275a652008de0b423b3c1be6dd673d3c2421fac7a67e5ff21ae8d41702d1e30240b57e8859
- SSDEEP: 6144:9rYTgEMnRNL+I3YHBb/vMYRbbdfHKOkECzJLaQVbU5:BBrIdU8IOklJLJbU5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.

All 64 rows of this table have the same description and the same ioc; only the querying process differs.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation
Process (64 rows, in the order reported):
YSV.exe, ZNSRJD.exe, VJSSA.exe, ROXFP.exe, LXFBJU.exe, QIK.exe, HRS.exe, FAUW.exe, ASPQ.exe, ULLJ.exe,
NZO.exe, SRWN.exe, PBLPJWI.exe, QYEF.exe, ESFXXS.exe, OQX.exe, CHH.exe, ANCZSFR.exe, VWVV.exe, QMAITJU.exe,
PPEWCU.exe, JOOWAIX.exe, KRXO.exe, YLCGSB.exe, ZRYW.exe, HQWD.exe, AWGUCC.exe, XMY.exe, BDEXP.exe, TSA.exe,
JCRJNKF.exe, FBQ.exe, LLOM.exe, IAMSKB.exe, DDOICQ.exe, LENH.exe, GEUUYM.exe, VWCF.exe, VHSGMPF.exe, TGHQCBR.exe,
UNBWQF.exe, KAA.exe, SWJC.exe, IHPFE.exe, CDSI.exe, be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe,
WKN.exe, QQO.exe, OXDZFQY.exe, TOZZX.exe, NJEVUZ.exe, ATIO.exe, LOG.exe, SLWKGWX.exe, EMJ.exe, LYVJ.exe,
NVBD.exe, KXD.exe, KXR.exe, SZCIYT.exe, GDIIAX.exe, KLQTIOZ.exe, LHFXM.exe, ZHFJOF.exe
Executes dropped EXE (64 IoCs)

pid | Process
4796 | MCJMWZ.exe
4824 | TICILT.exe
380 | MIRTUM.exe
4068 | MZG.exe
3116 | WKN.exe
2620 | QQO.exe
4476 | DTWYIK.exe
4280 | ZRYW.exe
388 | ZAV.exe
3644 | HQWD.exe
376 | QJU.exe
1276 | SRWN.exe
1964 | UNBWQF.exe
1592 | MNPUDW.exe
5108 | NDRXPXE.exe
4732 | WJEEZV.exe
4028 | PBLPJWI.exe
4344 | HPLUBFF.exe
580 | ASPQ.exe
2372 | TKEB.exe
488 | DDOICQ.exe
1944 | AWGUCC.exe
4328 | JUADOYO.exe
568 | PPEWCU.exe
4344 | ZNSRJD.exe
2720 | ULLJ.exe
2644 | VJSSA.exe
3012 | NCBCX.exe
376 | TXMDLCP.exe
968 | DQW.exe
4524 | CBHTXKB.exe
4552 | VTOEHLJ.exe
4232 | CHH.exe
4544 | IHPFE.exe
1948 | OUOOJC.exe
4320 | FDPDF.exe
2604 | MQW.exe
4708 | JOOWAIX.exe
2640 | AWQBE.exe
3656 | ZHFJOF.exe
448 | MNFVYRX.exe
1968 | DNIHOVB.exe
3096 | QYEF.exe
1412 | GYZR.exe
3632 | BJQQQCU.exe
3584 | WRZE.exe
756 | TSA.exe
3068 | YIAY.exe
2644 | DTLMJF.exe
2216 | ROXFP.exe
3944 | EMJ.exe
2696 | XMY.exe
4108 | ESFXXS.exe
684 | OQX.exe
4940 | ATIO.exe
2884 | JBQ.exe
4524 | VENOOXQ.exe
1496 | OXDZFQY.exe
4324 | LXFBJU.exe
3212 | MLYZXH.exe
3612 | LENH.exe
4284 | IWX.exe
1988 | FML.exe
2376 | JCRJNKF.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\windows\SysWOW64\YSV.exe.bat | LHFXM.exe
File created | C:\windows\SysWOW64\MZG.exe.bat | MIRTUM.exe
File created | C:\windows\SysWOW64\MNPUDW.exe.bat | UNBWQF.exe
File opened for modification | C:\windows\SysWOW64\TKEB.exe | ASPQ.exe
File opened for modification | C:\windows\SysWOW64\JUADOYO.exe | AWGUCC.exe
File created | C:\windows\SysWOW64\MZG.exe | MIRTUM.exe
File created | C:\windows\SysWOW64\QMAITJU.exe.bat | BDEXP.exe
File created | C:\windows\SysWOW64\KRXO.exe.bat | CDSI.exe
File opened for modification | C:\windows\SysWOW64\CDSI.exe | OIUPLD.exe
File opened for modification | C:\windows\SysWOW64\KRXO.exe | CDSI.exe
File created | C:\windows\SysWOW64\HPLUBFF.exe.bat | PBLPJWI.exe
File created | C:\windows\SysWOW64\JCRJNKF.exe | FML.exe
File opened for modification | C:\windows\SysWOW64\OXNFZC.exe | EZH.exe
File created | C:\windows\SysWOW64\FAUW.exe.bat | UILWFNK.exe
File created | C:\windows\SysWOW64\CDSI.exe.bat | OIUPLD.exe
File opened for modification | C:\windows\SysWOW64\DTWYIK.exe | QQO.exe
File created | C:\windows\SysWOW64\HQWD.exe | ZAV.exe
File created | C:\windows\SysWOW64\ESFXXS.exe.bat | XMY.exe
File created | C:\windows\SysWOW64\VHSGMPF.exe.bat | QMAITJU.exe
File opened for modification | C:\windows\SysWOW64\QMAITJU.exe | BDEXP.exe
File created | C:\windows\SysWOW64\KRXO.exe | CDSI.exe
File opened for modification | C:\windows\SysWOW64\YLCGSB.exe | VCHRK.exe
File created | C:\windows\SysWOW64\GYZR.exe | QYEF.exe
File created | C:\windows\SysWOW64\YIAY.exe | TSA.exe
File created | C:\windows\SysWOW64\LOG.exe | KLQTIOZ.exe
File created | C:\windows\SysWOW64\LOG.exe.bat | KLQTIOZ.exe
File created | C:\windows\SysWOW64\IAMSKB.exe.bat | VWCF.exe
File created | C:\windows\SysWOW64\BDEXP.exe | YSLQ.exe
File created | C:\windows\SysWOW64\VCHRK.exe.bat | CPITFLK.exe
File created | C:\windows\SysWOW64\DTWYIK.exe | QQO.exe
File created | C:\windows\SysWOW64\OQX.exe | ESFXXS.exe
File opened for modification | C:\windows\SysWOW64\IWX.exe | LENH.exe
File opened for modification | C:\windows\SysWOW64\FML.exe | IWX.exe
File created | C:\windows\SysWOW64\GDIIAX.exe | VKNPS.exe
File opened for modification | C:\windows\SysWOW64\ASPQ.exe | HPLUBFF.exe
File created | C:\windows\SysWOW64\TKEB.exe | ASPQ.exe
File created | C:\windows\SysWOW64\ESFXXS.exe | XMY.exe
File created | C:\windows\SysWOW64\MLYZXH.exe.bat | LXFBJU.exe
File created | C:\windows\SysWOW64\MCJMWZ.exe | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
File created | C:\windows\SysWOW64\MNPUDW.exe | UNBWQF.exe
File created | C:\windows\SysWOW64\OXNFZC.exe.bat | EZH.exe
File opened for modification | C:\windows\SysWOW64\FAUW.exe | UILWFNK.exe
File created | C:\windows\SysWOW64\UILWFNK.exe | SZCIYT.exe
File opened for modification | C:\windows\SysWOW64\GYZR.exe | QYEF.exe
File created | C:\windows\SysWOW64\IWX.exe | LENH.exe
File opened for modification | C:\windows\SysWOW64\RAUQZR.exe | HRS.exe
File created | C:\windows\SysWOW64\NVBD.exe.bat | LYVJ.exe
File created | C:\windows\SysWOW64\OXNFZC.exe | EZH.exe
File created | C:\windows\SysWOW64\FAUW.exe | UILWFNK.exe
File opened for modification | C:\windows\SysWOW64\BDEXP.exe | YSLQ.exe
File created | C:\windows\SysWOW64\GDIIAX.exe.bat | VKNPS.exe
File opened for modification | C:\windows\SysWOW64\HPLUBFF.exe | PBLPJWI.exe
File opened for modification | C:\windows\SysWOW64\IAMSKB.exe | VWCF.exe
File opened for modification | C:\windows\SysWOW64\VHSGMPF.exe | QMAITJU.exe
File opened for modification | C:\windows\SysWOW64\GDIIAX.exe | VKNPS.exe
File created | C:\windows\SysWOW64\ANCZSFR.exe.bat | KXD.exe
File created | C:\windows\SysWOW64\TSCDTB.exe.bat | IAMSKB.exe
File created | C:\windows\SysWOW64\AWQBE.exe.bat | JOOWAIX.exe
File opened for modification | C:\windows\SysWOW64\NVBD.exe | LYVJ.exe
File opened for modification | C:\windows\SysWOW64\TGHQCBR.exe | YLCGSB.exe
File created | C:\windows\SysWOW64\GYZR.exe.bat | QYEF.exe
File created | C:\windows\SysWOW64\FML.exe.bat | IWX.exe
File created | C:\windows\SysWOW64\BDEXP.exe.bat | YSLQ.exe
File created | C:\windows\SysWOW64\DTWYIK.exe.bat | QQO.exe
Drops file in Windows directory (64 IoCs)

description | ioc | Process
File created | C:\windows\system\KAA.exe | QIK.exe
File created | C:\windows\KLQTIOZ.exe | ANCZSFR.exe
File opened for modification | C:\windows\system\SIKQ.exe | GFA.exe
File opened for modification | C:\windows\VJSSA.exe | ULLJ.exe
File created | C:\windows\IHPFE.exe | CHH.exe
File created | C:\windows\NKEJIUV.exe.bat | TOZZX.exe
File created | C:\windows\system\MIRTUM.exe | TICILT.exe
File created | C:\windows\OUOOJC.exe | IHPFE.exe
File opened for modification | C:\windows\system\DNIHOVB.exe | MNFVYRX.exe
File created | C:\windows\CPITFLK.exe | ZHMFPGV.exe
File opened for modification | C:\windows\WRZE.exe | BJQQQCU.exe
File opened for modification | C:\windows\FBQ.exe | KAA.exe
File opened for modification | C:\windows\ZHMFPGV.exe | XJHKHXN.exe
File opened for modification | C:\windows\system\MIRTUM.exe | TICILT.exe
File created | C:\windows\UNBWQF.exe | SRWN.exe
File created | C:\windows\system\LHFXM.exe.bat | KRXO.exe
File created | C:\windows\ZHMFPGV.exe.bat | XJHKHXN.exe
File created | C:\windows\system\WKN.exe | MZG.exe
File created | C:\windows\VJSSA.exe | ULLJ.exe
File created | C:\windows\IHPFE.exe.bat | CHH.exe
File created | C:\windows\system\YSLQ.exe.bat | NKEJIUV.exe
File opened for modification | C:\windows\ZRYW.exe | DTWYIK.exe
File created | C:\windows\system\ZAV.exe.bat | ZRYW.exe
File opened for modification | C:\windows\system\EGQ.exe | NYJ.exe
File opened for modification | C:\windows\system\ZAV.exe | ZRYW.exe
File created | C:\windows\system\SLWKGWX.exe | KFRDVYC.exe
File opened for modification | C:\windows\system\SLWKGWX.exe | KFRDVYC.exe
File opened for modification | C:\windows\XEZXSIF.exe | PYU.exe
File created | C:\windows\system\EGQ.exe.bat | NYJ.exe
File opened for modification | C:\windows\system\JBQ.exe | ATIO.exe
File opened for modification | C:\windows\system\EZH.exe | LLOM.exe
File created | C:\windows\SZCIYT.exe | NZO.exe
File created | C:\windows\NJEVUZ.exe | TGHQCBR.exe
File created | C:\windows\system\MIRTUM.exe.bat | TICILT.exe
File created | C:\windows\system\QQO.exe | WKN.exe
File opened for modification | C:\windows\system\ROXFP.exe | DTLMJF.exe
File created | C:\windows\system\LYVJ.exe | RAUQZR.exe
File opened for modification | C:\windows\system\XJHKHXN.exe | SIKQ.exe
File opened for modification | C:\windows\TICILT.exe | MCJMWZ.exe
File opened for modification | C:\windows\PPEWCU.exe | JUADOYO.exe
File created | C:\windows\VJSSA.exe.bat | ULLJ.exe
File created | C:\windows\system\TOZZX.exe.bat | TSCDTB.exe
File created | C:\windows\system\OIUPLD.exe | GDIIAX.exe
File created | C:\windows\WJEEZV.exe | NDRXPXE.exe
File created | C:\windows\CHH.exe.bat | VTOEHLJ.exe
File created | C:\windows\system\ZHFJOF.exe | AWQBE.exe
File opened for modification | C:\windows\system\NCBCX.exe | VJSSA.exe
File created | C:\windows\system\EZH.exe.bat | LLOM.exe
File created | C:\windows\DDOICQ.exe | TKEB.exe
File opened for modification | C:\windows\BJQQQCU.exe | GYZR.exe
File created | C:\windows\YIKE.exe.bat | VHSGMPF.exe
File opened for modification | C:\windows\QYEF.exe | DNIHOVB.exe
File opened for modification | C:\windows\system\LLOM.exe | NVBD.exe
File created | C:\windows\system\SWJC.exe | YIKE.exe
File created | C:\windows\CPITFLK.exe.bat | ZHMFPGV.exe
File created | C:\windows\system\FDPDF.exe | OUOOJC.exe
File created | C:\windows\MNFVYRX.exe | ZHFJOF.exe
File opened for modification | C:\windows\system\HRS.exe | GEUUYM.exe
File opened for modification | C:\windows\system\CBHTXKB.exe | DQW.exe
File created | C:\windows\system\LXFBJU.exe | OXDZFQY.exe
File opened for modification | C:\windows\VWCF.exe | XEZXSIF.exe
File opened for modification | C:\windows\system\KXD.exe | OXNFZC.exe
File opened for modification | C:\windows\system\SWJC.exe | YIKE.exe
File created | C:\windows\system\WCKLBLI.exe.bat | LJCSSKA.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)

pid | pid_target | Process | procid_target
4660 | 1428 | WerFault.exe | 83
1696 | 4796 | WerFault.exe | 91
3344 | 4824 | WerFault.exe | 98
4224 | 380 | WerFault.exe | 103
4000 | 4068 | WerFault.exe | 108
4212 | 3116 | WerFault.exe | 113
4168 | 2620 | WerFault.exe | 118
4024 | 4476 | WerFault.exe | 123
2804 | 4280 | WerFault.exe | 128
2200 | 388 | WerFault.exe | 133
2120 | 3644 | WerFault.exe | 140
4708 | 376 | WerFault.exe | 147
1676 | 1276 | WerFault.exe | 151
4948 | 1964 | WerFault.exe | 157
2888 | 1592 | WerFault.exe | 163
4112 | 5108 | WerFault.exe | 168
4068 | 4732 | WerFault.exe | 173
1580 | 4028 | WerFault.exe | 180
1676 | 4344 | WerFault.exe | 185
5008 | 580 | WerFault.exe | 190
3532 | 2372 | WerFault.exe | 195
1388 | 488 | WerFault.exe | 200
2376 | 1944 | WerFault.exe | 205
4560 | 4328 | WerFault.exe | 210
2628 | 568 | WerFault.exe | 216
3856 | 4344 | WerFault.exe | 221
4544 | 2720 | WerFault.exe | 226
4068 | 2644 | WerFault.exe | 231
3592 | 3012 | WerFault.exe | 236
3320 | 376 | WerFault.exe | 241
2800 | 968 | WerFault.exe | 246
1272 | 4524 | WerFault.exe | 251
3856 | 4552 | WerFault.exe | 256
4828 | 4232 | WerFault.exe | 261
772 | 4544 | WerFault.exe | 266
4000 | 1948 | WerFault.exe | 271
4644 | 4320 | WerFault.exe | 276
4100 | 2604 | WerFault.exe | 281
4660 | 4708 | WerFault.exe | 286
1048 | 2640 | WerFault.exe | 291
4164 | 3656 | WerFault.exe | 296
2600 | 448 | WerFault.exe | 301
1012 | 1968 | WerFault.exe | 305
968 | 3096 | WerFault.exe | 311
4372 | 1412 | WerFault.exe | 315
2204 | 3632 | WerFault.exe | 321
380 | 3584 | WerFault.exe | 326
2776 | 756 | WerFault.exe | 331
1676 | 3068 | WerFault.exe | 336
4332 | 2644 | WerFault.exe | 341
2376 | 2216 | WerFault.exe | 346
4372 | 3944 | WerFault.exe | 351
1932 | 2696 | WerFault.exe | 356
1108 | 4108 | WerFault.exe | 361
2424 | 684 | WerFault.exe | 366
1456 | 4940 | WerFault.exe | 371
2668 | 2884 | WerFault.exe | 376
4024 | 4524 | WerFault.exe | 381
1944 | 1496 | WerFault.exe | 386
2116 | 4324 | WerFault.exe | 391
1188 | 3212 | WerFault.exe | 396
3144 | 3612 | WerFault.exe | 401
756 | 4284 | WerFault.exe | 406
1080 | 1988 | WerFault.exe | 411
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process (each row is recorded twice in the report, 32 distinct processes)
1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
4796 | MCJMWZ.exe
4796 | MCJMWZ.exe
4824 | TICILT.exe
4824 | TICILT.exe
380 | MIRTUM.exe
380 | MIRTUM.exe
4068 | MZG.exe
4068 | MZG.exe
3116 | WKN.exe
3116 | WKN.exe
2620 | QQO.exe
2620 | QQO.exe
4476 | DTWYIK.exe
4476 | DTWYIK.exe
4280 | ZRYW.exe
4280 | ZRYW.exe
388 | ZAV.exe
388 | ZAV.exe
3644 | HQWD.exe
3644 | HQWD.exe
376 | QJU.exe
376 | QJU.exe
1276 | SRWN.exe
1276 | SRWN.exe
1964 | UNBWQF.exe
1964 | UNBWQF.exe
1592 | MNPUDW.exe
1592 | MNPUDW.exe
5108 | NDRXPXE.exe
5108 | NDRXPXE.exe
4732 | WJEEZV.exe
4732 | WJEEZV.exe
4028 | PBLPJWI.exe
4028 | PBLPJWI.exe
4344 | HPLUBFF.exe
4344 | HPLUBFF.exe
580 | ASPQ.exe
580 | ASPQ.exe
2372 | TKEB.exe
2372 | TKEB.exe
488 | DDOICQ.exe
488 | DDOICQ.exe
1944 | AWGUCC.exe
1944 | AWGUCC.exe
4328 | JUADOYO.exe
4328 | JUADOYO.exe
568 | PPEWCU.exe
568 | PPEWCU.exe
4344 | ZNSRJD.exe
4344 | ZNSRJD.exe
2720 | ULLJ.exe
2720 | ULLJ.exe
2644 | VJSSA.exe
2644 | VJSSA.exe
3012 | NCBCX.exe
3012 | NCBCX.exe
376 | TXMDLCP.exe
376 | TXMDLCP.exe
968 | DQW.exe
968 | DQW.exe
4524 | CBHTXKB.exe
4524 | CBHTXKB.exe
Suspicious use of SetWindowsHookEx (64 IoCs)

pid | Process (each row is recorded twice in the report, 32 distinct processes)
1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe
4796 | MCJMWZ.exe
4796 | MCJMWZ.exe
4824 | TICILT.exe
4824 | TICILT.exe
380 | MIRTUM.exe
380 | MIRTUM.exe
4068 | MZG.exe
4068 | MZG.exe
3116 | WKN.exe
3116 | WKN.exe
2620 | QQO.exe
2620 | QQO.exe
4476 | DTWYIK.exe
4476 | DTWYIK.exe
4280 | ZRYW.exe
4280 | ZRYW.exe
388 | ZAV.exe
388 | ZAV.exe
3644 | HQWD.exe
3644 | HQWD.exe
376 | QJU.exe
376 | QJU.exe
1276 | SRWN.exe
1276 | SRWN.exe
1964 | UNBWQF.exe
1964 | UNBWQF.exe
1592 | MNPUDW.exe
1592 | MNPUDW.exe
5108 | NDRXPXE.exe
5108 | NDRXPXE.exe
4732 | WJEEZV.exe
4732 | WJEEZV.exe
4028 | PBLPJWI.exe
4028 | PBLPJWI.exe
4344 | HPLUBFF.exe
4344 | HPLUBFF.exe
580 | ASPQ.exe
580 | ASPQ.exe
2372 | TKEB.exe
2372 | TKEB.exe
488 | DDOICQ.exe
488 | DDOICQ.exe
1944 | AWGUCC.exe
1944 | AWGUCC.exe
4328 | JUADOYO.exe
4328 | JUADOYO.exe
568 | PPEWCU.exe
568 | PPEWCU.exe
4344 | ZNSRJD.exe
4344 | ZNSRJD.exe
2720 | ULLJ.exe
2720 | ULLJ.exe
2644 | VJSSA.exe
2644 | VJSSA.exe
3012 | NCBCX.exe
3012 | NCBCX.exe
376 | TXMDLCP.exe
376 | TXMDLCP.exe
968 | DQW.exe
968 | DQW.exe
4524 | CBHTXKB.exe
4524 | CBHTXKB.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target (each write is recorded three times in the report; the last entry is cut off by the page limit)
PID 1428 wrote to memory of 3668 | 1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe | 87
PID 1428 wrote to memory of 3668 | 1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe | 87
PID 1428 wrote to memory of 3668 | 1428 | be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe | 87
PID 3668 wrote to memory of 4796 | 3668 | cmd.exe | 91
PID 3668 wrote to memory of 4796 | 3668 | cmd.exe | 91
PID 3668 wrote to memory of 4796 | 3668 | cmd.exe | 91
PID 4796 wrote to memory of 2540 | 4796 | MCJMWZ.exe | 94
PID 4796 wrote to memory of 2540 | 4796 | MCJMWZ.exe | 94
PID 4796 wrote to memory of 2540 | 4796 | MCJMWZ.exe | 94
PID 2540 wrote to memory of 4824 | 2540 | cmd.exe | 98
PID 2540 wrote to memory of 4824 | 2540 | cmd.exe | 98
PID 2540 wrote to memory of 4824 | 2540 | cmd.exe | 98
PID 4824 wrote to memory of 1012 | 4824 | TICILT.exe | 99
PID 4824 wrote to memory of 1012 | 4824 | TICILT.exe | 99
PID 4824 wrote to memory of 1012 | 4824 | TICILT.exe | 99
PID 1012 wrote to memory of 380 | 1012 | cmd.exe | 103
PID 1012 wrote to memory of 380 | 1012 | cmd.exe | 103
PID 1012 wrote to memory of 380 | 1012 | cmd.exe | 103
PID 380 wrote to memory of 4236 | 380 | MIRTUM.exe | 104
PID 380 wrote to memory of 4236 | 380 | MIRTUM.exe | 104
PID 380 wrote to memory of 4236 | 380 | MIRTUM.exe | 104
PID 4236 wrote to memory of 4068 | 4236 | cmd.exe | 108
PID 4236 wrote to memory of 4068 | 4236 | cmd.exe | 108
PID 4236 wrote to memory of 4068 | 4236 | cmd.exe | 108
PID 4068 wrote to memory of 1092 | 4068 | MZG.exe | 109
PID 4068 wrote to memory of 1092 | 4068 | MZG.exe | 109
PID 4068 wrote to memory of 1092 | 4068 | MZG.exe | 109
PID 1092 wrote to memory of 3116 | 1092 | cmd.exe | 113
PID 1092 wrote to memory of 3116 | 1092 | cmd.exe | 113
PID 1092 wrote to memory of 3116 | 1092 | cmd.exe | 113
PID 3116 wrote to memory of 3992 | 3116 | WKN.exe | 114
PID 3116 wrote to memory of 3992 | 3116 | WKN.exe | 114
PID 3116 wrote to memory of 3992 | 3116 | WKN.exe | 114
PID 3992 wrote to memory of 2620 | 3992 | cmd.exe | 118
PID 3992 wrote to memory of 2620 | 3992 | cmd.exe | 118
PID 3992 wrote to memory of 2620 | 3992 | cmd.exe | 118
PID 2620 wrote to memory of 3088 | 2620 | QQO.exe | 119
PID 2620 wrote to memory of 3088 | 2620 | QQO.exe | 119
PID 2620 wrote to memory of 3088 | 2620 | QQO.exe | 119
PID 3088 wrote to memory of 4476 | 3088 | cmd.exe | 123
PID 3088 wrote to memory of 4476 | 3088 | cmd.exe | 123
PID 3088 wrote to memory of 4476 | 3088 | cmd.exe | 123
PID 4476 wrote to memory of 4380 | 4476 | DTWYIK.exe | 124
PID 4476 wrote to memory of 4380 | 4476 | DTWYIK.exe | 124
PID 4476 wrote to memory of 4380 | 4476 | DTWYIK.exe | 124
PID 4380 wrote to memory of 4280 | 4380 | cmd.exe | 128
PID 4380 wrote to memory of 4280 | 4380 | cmd.exe | 128
PID 4380 wrote to memory of 4280 | 4380 | cmd.exe | 128
PID 4280 wrote to memory of 2424 | 4280 | ZRYW.exe | 129
PID 4280 wrote to memory of 2424 | 4280 | ZRYW.exe | 129
PID 4280 wrote to memory of 2424 | 4280 | ZRYW.exe | 129
PID 2424 wrote to memory of 388 | 2424 | cmd.exe | 133
PID 2424 wrote to memory of 388 | 2424 | cmd.exe | 133
PID 2424 wrote to memory of 388 | 2424 | cmd.exe | 133
PID 388 wrote to memory of 1460 | 388 | ZAV.exe | 136
PID 388 wrote to memory of 1460 | 388 | ZAV.exe | 136
PID 388 wrote to memory of 1460 | 388 | ZAV.exe | 136
PID 1460 wrote to memory of 3644 | 1460 | cmd.exe | 140
PID 1460 wrote to memory of 3644 | 1460 | cmd.exe | 140
PID 1460 wrote to memory of 3644 | 1460 | cmd.exe | 140
PID 3644 wrote to memory of 3732 | 3644 | HQWD.exe | 143
PID 3644 wrote to memory of 3732 | 3644 | HQWD.exe | 143
PID 3644 wrote to memory of 3732 | 3644 | HQWD.exe | 143
PID 3732 wrote to memory of 376 | 3732 | cmd.exe | 147
Processes

Each entry below is one node of the process tree: [depth] image path (PID), then the command line, then the signatures that process triggered. The chain alternates between a dropped EXE and the cmd.exe that runs its .bat launcher; the tree is cut off at depth 46 by the page limit.

[1] C:\Users\Admin\AppData\Local\Temp\be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe (PID 1428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be977af4f3fd4e1fec9160d70e099198414f0d8fcdaffd0eca33d3746cfcb018.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\cmd.exe (PID 3668)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MCJMWZ.exe.bat" "
    - Suspicious use of WriteProcessMemory

[3] C:\windows\SysWOW64\MCJMWZ.exe (PID 4796)
    Command line: C:\windows\system32\MCJMWZ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\cmd.exe (PID 2540)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TICILT.exe.bat" "
    - Suspicious use of WriteProcessMemory

[5] C:\windows\TICILT.exe (PID 4824)
    Command line: C:\windows\TICILT.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\cmd.exe (PID 1012)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MIRTUM.exe.bat" "
    - Suspicious use of WriteProcessMemory

[7] C:\windows\system\MIRTUM.exe (PID 380)
    Command line: C:\windows\system\MIRTUM.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\cmd.exe (PID 4236)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZG.exe.bat" "
    - Suspicious use of WriteProcessMemory

[9] C:\windows\SysWOW64\MZG.exe (PID 4068)
    Command line: C:\windows\system32\MZG.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\cmd.exe (PID 1092)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKN.exe.bat" "
    - Suspicious use of WriteProcessMemory

[11] C:\windows\system\WKN.exe (PID 3116)
    Command line: C:\windows\system\WKN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\cmd.exe (PID 3992)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQO.exe.bat" "
    - Suspicious use of WriteProcessMemory

[13] C:\windows\system\QQO.exe (PID 2620)
    Command line: C:\windows\system\QQO.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\cmd.exe (PID 3088)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTWYIK.exe.bat" "
    - Suspicious use of WriteProcessMemory

[15] C:\windows\SysWOW64\DTWYIK.exe (PID 4476)
    Command line: C:\windows\system32\DTWYIK.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[16] C:\Windows\SysWOW64\cmd.exe (PID 4380)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZRYW.exe.bat" "
    - Suspicious use of WriteProcessMemory

[17] C:\windows\ZRYW.exe (PID 4280)
    Command line: C:\windows\ZRYW.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[18] C:\Windows\SysWOW64\cmd.exe (PID 2424)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZAV.exe.bat" "
    - Suspicious use of WriteProcessMemory

[19] C:\windows\system\ZAV.exe (PID 388)
    Command line: C:\windows\system\ZAV.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[20] C:\Windows\SysWOW64\cmd.exe (PID 1460)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQWD.exe.bat" "
    - Suspicious use of WriteProcessMemory

[21] C:\windows\SysWOW64\HQWD.exe (PID 3644)
    Command line: C:\windows\system32\HQWD.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[22] C:\Windows\SysWOW64\cmd.exe (PID 3732)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJU.exe.bat" "
    - Suspicious use of WriteProcessMemory

[23] C:\windows\system\QJU.exe (PID 376)
    Command line: C:\windows\system\QJU.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[24] C:\Windows\SysWOW64\cmd.exe (PID 2304)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRWN.exe.bat" "

[25] C:\windows\system\SRWN.exe (PID 1276)
    Command line: C:\windows\system\SRWN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[26] C:\Windows\SysWOW64\cmd.exe (PID 1312)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UNBWQF.exe.bat" "

[27] C:\windows\UNBWQF.exe (PID 1964)
    Command line: C:\windows\UNBWQF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[28] C:\Windows\SysWOW64\cmd.exe (PID 4360)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNPUDW.exe.bat" "

[29] C:\windows\SysWOW64\MNPUDW.exe (PID 1592)
    Command line: C:\windows\system32\MNPUDW.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[30] C:\Windows\SysWOW64\cmd.exe (PID 5008)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NDRXPXE.exe.bat" "

[31] C:\windows\SysWOW64\NDRXPXE.exe (PID 5108)
    Command line: C:\windows\system32\NDRXPXE.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[32] C:\Windows\SysWOW64\cmd.exe (PID 1416)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WJEEZV.exe.bat" "

[33] C:\windows\WJEEZV.exe (PID 4732)
    Command line: C:\windows\WJEEZV.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[34] C:\Windows\SysWOW64\cmd.exe (PID 3980)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PBLPJWI.exe.bat" "

[35] C:\windows\system\PBLPJWI.exe (PID 4028)
    Command line: C:\windows\system\PBLPJWI.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[36] C:\Windows\SysWOW64\cmd.exe (PID 3144)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPLUBFF.exe.bat" "

[37] C:\windows\SysWOW64\HPLUBFF.exe (PID 4344)
    Command line: C:\windows\system32\HPLUBFF.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[38] C:\Windows\SysWOW64\cmd.exe (PID 376)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASPQ.exe.bat" "

[39] C:\windows\SysWOW64\ASPQ.exe (PID 580)
    Command line: C:\windows\system32\ASPQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[40] C:\Windows\SysWOW64\cmd.exe (PID 1664)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TKEB.exe.bat" "

[41] C:\windows\SysWOW64\TKEB.exe (PID 2372)
    Command line: C:\windows\system32\TKEB.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[42] C:\Windows\SysWOW64\cmd.exe (PID 5000)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DDOICQ.exe.bat" "

[43] C:\windows\DDOICQ.exe (PID 488)
    Command line: C:\windows\DDOICQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[44] C:\Windows\SysWOW64\cmd.exe (PID 3156)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AWGUCC.exe.bat" "

[45] C:\windows\system\AWGUCC.exe (PID 1944)
    Command line: C:\windows\system\AWGUCC.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[46] C:\Windows\SysWOW64\cmd.exe (PID 3068)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUADOYO.exe.bat" "
-
C:\windows\SysWOW64\JUADOYO.exeC:\windows\system32\JUADOYO.exe47⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PPEWCU.exe.bat" "48⤵PID:3960
-
C:\windows\PPEWCU.exeC:\windows\PPEWCU.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZNSRJD.exe.bat" "50⤵PID:1664
-
C:\windows\ZNSRJD.exeC:\windows\ZNSRJD.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ULLJ.exe.bat" "52⤵PID:4660
-
C:\windows\system\ULLJ.exeC:\windows\system\ULLJ.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VJSSA.exe.bat" "54⤵PID:3316
-
C:\windows\VJSSA.exeC:\windows\VJSSA.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NCBCX.exe.bat" "56⤵PID:2204
-
C:\windows\system\NCBCX.exeC:\windows\system\NCBCX.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TXMDLCP.exe.bat" "58⤵PID:2488
-
C:\windows\TXMDLCP.exeC:\windows\TXMDLCP.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DQW.exe.bat" "60⤵PID:3828
-
C:\windows\DQW.exeC:\windows\DQW.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CBHTXKB.exe.bat" "62⤵PID:4024
-
C:\windows\system\CBHTXKB.exeC:\windows\system\CBHTXKB.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VTOEHLJ.exe.bat" "64⤵PID:2188
-
C:\windows\VTOEHLJ.exeC:\windows\VTOEHLJ.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CHH.exe.bat" "66⤵PID:1340
-
C:\windows\CHH.exeC:\windows\CHH.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IHPFE.exe.bat" "68⤵PID:1048
-
C:\windows\IHPFE.exeC:\windows\IHPFE.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OUOOJC.exe.bat" "70⤵PID:3412
-
C:\windows\OUOOJC.exeC:\windows\OUOOJC.exe71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FDPDF.exe.bat" "72⤵PID:3196
-
C:\windows\system\FDPDF.exeC:\windows\system\FDPDF.exe73⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MQW.exe.bat" "74⤵PID:1492
-
C:\windows\system\MQW.exeC:\windows\system\MQW.exe75⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JOOWAIX.exe.bat" "76⤵PID:5108
-
C:\windows\JOOWAIX.exeC:\windows\JOOWAIX.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWQBE.exe.bat" "78⤵PID:4028
-
C:\windows\SysWOW64\AWQBE.exeC:\windows\system32\AWQBE.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHFJOF.exe.bat" "80⤵PID:4916
-
C:\windows\system\ZHFJOF.exeC:\windows\system\ZHFJOF.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MNFVYRX.exe.bat" "82⤵PID:3532
-
C:\windows\MNFVYRX.exeC:\windows\MNFVYRX.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DNIHOVB.exe.bat" "84⤵PID:3592
-
C:\windows\system\DNIHOVB.exeC:\windows\system\DNIHOVB.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QYEF.exe.bat" "86⤵PID:3004
-
C:\windows\QYEF.exeC:\windows\QYEF.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYZR.exe.bat" "88⤵PID:4896
-
C:\windows\SysWOW64\GYZR.exeC:\windows\system32\GYZR.exe89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BJQQQCU.exe.bat" "90⤵PID:1328
-
C:\windows\BJQQQCU.exeC:\windows\BJQQQCU.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WRZE.exe.bat" "92⤵PID:4308
-
C:\windows\WRZE.exeC:\windows\WRZE.exe93⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSA.exe.bat" "94⤵PID:468
-
C:\windows\SysWOW64\TSA.exeC:\windows\system32\TSA.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIAY.exe.bat" "96⤵PID:2488
-
C:\windows\SysWOW64\YIAY.exeC:\windows\system32\YIAY.exe97⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DTLMJF.exe.bat" "98⤵PID:2172
-
C:\windows\system\DTLMJF.exeC:\windows\system\DTLMJF.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ROXFP.exe.bat" "100⤵PID:2884
-
C:\windows\system\ROXFP.exeC:\windows\system\ROXFP.exe101⤵
- Checks computer location settings
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EMJ.exe.bat" "102⤵PID:2904
-
C:\windows\system\EMJ.exeC:\windows\system\EMJ.exe103⤵
- Checks computer location settings
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XMY.exe.bat" "104⤵PID:4916
-
C:\windows\system\XMY.exeC:\windows\system\XMY.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESFXXS.exe.bat" "106⤵PID:4764
-
C:\windows\SysWOW64\ESFXXS.exeC:\windows\system32\ESFXXS.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQX.exe.bat" "108⤵PID:636
-
C:\windows\SysWOW64\OQX.exeC:\windows\system32\OQX.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ATIO.exe.bat" "110⤵PID:2524
-
C:\windows\system\ATIO.exeC:\windows\system\ATIO.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JBQ.exe.bat" "112⤵PID:448
-
C:\windows\system\JBQ.exeC:\windows\system\JBQ.exe113⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "114⤵PID:3068
-
C:\windows\VENOOXQ.exeC:\windows\VENOOXQ.exe115⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OXDZFQY.exe.bat" "116⤵PID:3236
-
C:\windows\system\OXDZFQY.exeC:\windows\system\OXDZFQY.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LXFBJU.exe.bat" "118⤵PID:488
-
C:\windows\system\LXFBJU.exeC:\windows\system\LXFBJU.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLYZXH.exe.bat" "120⤵PID:1764
-
C:\windows\SysWOW64\MLYZXH.exeC:\windows\system32\MLYZXH.exe121⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LENH.exe.bat" "122⤵PID:376
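The tree repeats one step stage after stage: cmd.exe runs <NAME>.exe.bat, the batch file starts <NAME>.exe from C:\windows, C:\windows\system or C:\windows\system32, and that executable drops the next pair. Two details matter when turning this into a detection. First, for the system32 stages the image path reads SysWOW64 while the command line says system32; that is the normal WOW64 file-system redirect for a 32-bit process, not a spoofed path, so the two directories must compare equal. Second, PIDs are reused within the run (PID 376 appears four times above), so a child has to be matched to the most recent start of its parent PID, not to any event carrying that PID. The Python below is an added example, not part of the sandbox report: it walks a list of process-start events, links each dropped EXE to the cmd.exe that ran its .bat, and reports the stage chain. The event records are constructed from the paths and PIDs shown above, with shortened parent links and one benign cmd.exe added as a negative control; they are not captured telemetry.

```python
"""Chained-dropper detector for the cmd.exe /c NAME.exe.bat -> NAME.exe pattern.
Added example; the events at the bottom are CONSTRUCTED from the tree above."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as reported (SysWOW64 for a redirected 32-bit process)
    cmdline: str  # command line as reported (may still say system32)


# Matches  cmd.exe /c ""C:\windows\system\QJU.exe.bat" "  and captures the .bat path.
BAT_LAUNCH = re.compile(r'cmd\.exe\s+/c\s+"+(?P<bat>[a-z]:\\[^"]+?\.exe\.bat)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def normalize_dir(path: str) -> str:
    """Directory of `path`, lower-cased, with the WOW64 redirect folded so that
    C:\\windows\\SysWOW64 and C:\\windows\\system32 compare equal."""
    return path.lower().rsplit("\\", 1)[0].replace("\\syswow64", "\\system32")


def parent_index(events: list, i: int) -> Optional[int]:
    """Resolve events[i].ppid to the MOST RECENT earlier start with that PID.
    PIDs are reused inside one run, so 'any event with pid == ppid' would
    attach children to a long-dead process."""
    for j in range(i - 1, -1, -1):
        if events[j].pid == events[i].ppid:
            return j
    return None


def find_stages(events: list) -> list:
    """Indices of processes whose parent is a cmd.exe that ran <same name>.exe.bat
    from the same (redirect-folded) directory: one dropper stage each."""
    stages = []
    for i, ev in enumerate(events):
        j = parent_index(events, i)
        if j is None or basename(events[j].image) != "cmd.exe":
            continue
        m = BAT_LAUNCH.search(events[j].cmdline)
        if not m:
            continue
        expected_exe = m.group("bat")[:-len(".bat")]
        if basename(ev.image) == basename(expected_exe) and \
                normalize_dir(ev.image) == normalize_dir(expected_exe):
            stages.append(i)
    return stages


def chain_depth(events: list, i: int, stage_set: set) -> int:
    """Count dropper stages on the ancestry path of events[i]."""
    depth, cur = 0, i
    while cur is not None:
        depth += cur in stage_set
        cur = parent_index(events, cur)
    return depth


def analyze(events: list) -> dict:
    stages = find_stages(events)
    stage_set = set(stages)
    return {
        "stages": [basename(events[i].image) for i in stages],
        "drop_dirs": sorted({normalize_dir(events[i].image) for i in stages}),
        "max_depth": max((chain_depth(events, i, stage_set) for i in stages), default=0),
    }


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [  # constructed from the tree above; the first cmd.exe's parent is not in the list
    ProcEvent(3732, 3644, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\QJU.exe.bat" "'),
    ProcEvent(376, 3732, r"C:\windows\system\QJU.exe", r"C:\windows\system\QJU.exe"),
    ProcEvent(2304, 376, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRWN.exe.bat" "'),
    ProcEvent(1276, 2304, r"C:\windows\system\SRWN.exe", r"C:\windows\system\SRWN.exe"),
    ProcEvent(1312, 1276, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\UNBWQF.exe.bat" "'),
    ProcEvent(1964, 1312, r"C:\windows\UNBWQF.exe", r"C:\windows\UNBWQF.exe"),
    ProcEvent(4360, 1964, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNPUDW.exe.bat" "'),
    # image says SysWOW64, command line says system32: WOW64 redirect, not spoofing
    ProcEvent(1592, 4360, r"C:\windows\SysWOW64\MNPUDW.exe", r"C:\windows\system32\MNPUDW.exe"),
    # constructed benign cmd.exe (negative control): no *.exe.bat, must not count as a stage
    ProcEvent(5000, 1592, CMD, r'C:\Windows\system32\cmd.exe /c "dir C:\Users"'),
    # PID 376 reused for a cmd.exe; its child must resolve to THIS event, not to QJU.exe
    ProcEvent(376, 1592, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASPQ.exe.bat" "'),
    ProcEvent(580, 376, r"C:\windows\SysWOW64\ASPQ.exe", r"C:\windows\system32\ASPQ.exe"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(f"{len(result['stages'])} dropper stages, chain depth {result['max_depth']}")
    print("drop directories:", ", ".join(result["drop_dirs"]))
    print("chain:", " -> ".join(result["stages"]))
```

Feeding real Sysmon event ID 1 records into ProcEvent in their original order gives the same result; the order matters because parent resolution relies on it. A threshold on max_depth (anything above two or three stages is already unusual for legitimate batch installers) keeps the single cmd.exe /c foo.exe.bat that an installer might run from alerting.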