Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/04/2024, 18:46
Static task: static1
Behavioral task: behavioral1
    Sample: 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
    Resource: win10v2004-20240426-en
General
Target: 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
Size: 448KB
MD5: 1814e854a41c0516715ebe41cd07f578
SHA1: 9c94737a55acc11c2fcf87f802a3178fe8c26c32
SHA256: 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df
SHA512: f82be39689832fe57903218380352395371acb65d6a2f7294683d259abbf53d1c26df7f26b07d2b000ad8ddbf8dc981c4b07a13fba07bb3d1c96dc4efde26b12
SSDEEP: 6144:C+1747/a+K159Blpqp/vxOnphFivR93adhwLkW52ASkEjWbjcSbcY+CaQdaFOY4q:N547MG93adhnfkFbz+xt4vF
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried (all 64 rows)
ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (all 64 rows)
Process (64 rows, in report order): JEZXI.exe, LACFSL.exe, IRRODK.exe, GRYZ.exe, RIJYXHE.exe, 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe, ELJB.exe, YYOKNH.exe, WXAW.exe, UMZU.exe, NEGFH.exe, XUWWN.exe, MVOGEG.exe, DRCRAG.exe, HSRABRM.exe, SMF.exe, CGBHEBP.exe, DAQCOV.exe, OSMFWLO.exe, MLK.exe, JPXFDCA.exe, EGVZ.exe, OJBIFAC.exe, HWKVT.exe, XYZPUSH.exe, TXDDHQM.exe, QMRCNP.exe, EPKTO.exe, XVFRFF.exe, JOPVPH.exe, CYYCXUA.exe, ZUHN.exe, LENH.exe, YHH.exe, FHBD.exe, YUTBGH.exe, CDSI.exe, AWVDSFR.exe, WVUT.exe, ZZZ.exe, DDYG.exe, RHD.exe, JKVQG.exe, CCIYP.exe, OQFTFOZ.exe, FMLL.exe, PCUZ.exe, KAAHH.exe, IOKN.exe, WEPH.exe, ACN.exe, SWIGC.exe, VOT.exe, OFELYHS.exe, RBQ.exe, LEX.exe, QOD.exe, HJCT.exe, BJPFDAO.exe, QXKZP.exe, EYFWN.exe, RBSGT.exe, HDTQQQU.exe, WAVDI.exe
Executes dropped EXE (64 IoCs)
pid | Process
616 | ZLFSD.exe
3708 | ZQFGE.exe
4668 | WHA.exe
3476 | SMF.exe
4240 | EXQPG.exe
1840 | CYYCXUA.exe
1600 | ELJB.exe
1168 | YYOKNH.exe
2252 | RBSGT.exe
1724 | SEICHH.exe
4508 | CUVWX.exe
1516 | KDEIEIA.exe
4868 | SIROHGW.exe
3944 | AWVDSFR.exe
2296 | XBB.exe
1660 | QPNQNK.exe
2536 | DRRPSBD.exe
1780 | WVUT.exe
460 | OSMFWLO.exe
1484 | NDXVXZ.exe
4812 | JEZXI.exe
4332 | IOKN.exe
3640 | OPJBADQ.exe
4340 | FZUR.exe
1168 | LACFSL.exe
4252 | VXHZZ.exe
2816 | EGJELZR.exe
1896 | XYZPUSH.exe
1656 | ZWSJA.exe
1516 | YHH.exe
2072 | IFV.exe
2776 | IIZQF.exe
3560 | MQFQRFK.exe
1692 | LBIGAL.exe
4416 | RBQ.exe
1780 | VMOOJG.exe
1724 | JKI.exe
816 | FPGPB.exe
2648 | JXN.exe
2484 | KAZL.exe
3428 | OQFTFOZ.exe
4540 | DGGLL.exe
2440 | LMLZW.exe
1584 | IRRODK.exe
784 | EXJET.exe
2720 | FANH.exe
1724 | LNYA.exe
1060 | HDTQQQU.exe
1984 | CGBHEBP.exe
4696 | RWCG.exe
2688 | ZZTLWJ.exe
2176 | FMLL.exe
2440 | WAVDI.exe
1364 | NVBWQB.exe
1412 | YBMBDH.exe
560 | LEX.exe
2380 | UMZU.exe
1840 | NEGFH.exe
3512 | PCUZ.exe
3560 | KPZIZA.exe
4652 | DDYG.exe
3616 | AJEELE.exe
3968 | PZRVST.exe
3324 | CJAMHW.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\LBIGAL.exe | MQFQRFK.exe
File created | C:\windows\SysWOW64\JKVQG.exe | NMVEWTK.exe
File created | C:\windows\SysWOW64\DRAGISV.exe.bat | ZBUGWIH.exe
File opened for modification | C:\windows\SysWOW64\SMF.exe | WHA.exe
File created | C:\windows\SysWOW64\YUTBGH.exe | DEKMY.exe
File opened for modification | C:\windows\SysWOW64\WCWJJPB.exe | SUIBE.exe
File created | C:\windows\SysWOW64\YDOKYRQ.exe | EPKTO.exe
File created | C:\windows\SysWOW64\BJPFDAO.exe.bat | HWKVT.exe
File created | C:\windows\SysWOW64\ZHDW.exe.bat | BJPFDAO.exe
File opened for modification | C:\windows\SysWOW64\VMOOJG.exe | RBQ.exe
File created | C:\windows\SysWOW64\TXDDHQM.exe.bat | AFNS.exe
File opened for modification | C:\windows\SysWOW64\DBI.exe | TDV.exe
File created | C:\windows\SysWOW64\XUPAMF.exe | ZUHN.exe
File created | C:\windows\SysWOW64\XUPAMF.exe.bat | ZUHN.exe
File created | C:\windows\SysWOW64\VMOOJG.exe.bat | RBQ.exe
File created | C:\windows\SysWOW64\KXXD.exe.bat | NWNAI.exe
File created | C:\windows\SysWOW64\OFELYHS.exe | KXXD.exe
File created | C:\windows\SysWOW64\ALB.exe.bat | EGVZ.exe
File created | C:\windows\SysWOW64\KMJMHQT.exe | FBLQ.exe
File created | C:\windows\SysWOW64\ZHDW.exe | BJPFDAO.exe
File created | C:\windows\SysWOW64\GAKNQS.exe | HPZXPMY.exe
File opened for modification | C:\windows\SysWOW64\HSRABRM.exe | WXAW.exe
File created | C:\windows\SysWOW64\UMZU.exe | LEX.exe
File created | C:\windows\SysWOW64\FFHLFL.exe | VHTQYCW.exe
File created | C:\windows\SysWOW64\KMJMHQT.exe.bat | FBLQ.exe
File opened for modification | C:\windows\SysWOW64\HXPYAW.exe | FHBD.exe
File opened for modification | C:\windows\SysWOW64\OIHPMPP.exe | KAAHH.exe
File opened for modification | C:\windows\SysWOW64\JEZXI.exe | NDXVXZ.exe
File opened for modification | C:\windows\SysWOW64\ZFK.exe | DAQCOV.exe
File created | C:\windows\SysWOW64\HQJAIZY.exe | ZCWUXBD.exe
File opened for modification | C:\windows\SysWOW64\VOT.exe | WVIN.exe
File created | C:\windows\SysWOW64\HSRABRM.exe.bat | WXAW.exe
File created | C:\windows\SysWOW64\PIEK.exe | VVZSVEF.exe
File created | C:\windows\SysWOW64\HWKVT.exe | ILIFSU.exe
File created | C:\windows\SysWOW64\CYYCXUA.exe.bat | EXQPG.exe
File created | C:\windows\SysWOW64\PZRVST.exe | AJEELE.exe
File opened for modification | C:\windows\SysWOW64\DRUKHS.exe | QOD.exe
File created | C:\windows\SysWOW64\ALB.exe | EGVZ.exe
File opened for modification | C:\windows\SysWOW64\ZCWUXBD.exe | OKTBXL.exe
File opened for modification | C:\windows\SysWOW64\GAKNQS.exe | HPZXPMY.exe
File opened for modification | C:\windows\SysWOW64\DRAGISV.exe | ZBUGWIH.exe
File created | C:\windows\SysWOW64\AWVDSFR.exe.bat | SIROHGW.exe
File opened for modification | C:\windows\SysWOW64\DGGLL.exe | OQFTFOZ.exe
File created | C:\windows\SysWOW64\ZFK.exe.bat | DAQCOV.exe
File created | C:\windows\SysWOW64\WVIN.exe.bat | LNVYMO.exe
File created | C:\windows\SysWOW64\HWKVT.exe.bat | ILIFSU.exe
File created | C:\windows\SysWOW64\FFHLFL.exe.bat | VHTQYCW.exe
File created | C:\windows\SysWOW64\QJE.exe.bat | QWDJRUZ.exe
File created | C:\windows\SysWOW64\HQJAIZY.exe.bat | ZCWUXBD.exe
File opened for modification | C:\windows\SysWOW64\ZQFGE.exe | ZLFSD.exe
File created | C:\windows\SysWOW64\ZQFGE.exe.bat | ZLFSD.exe
File created | C:\windows\SysWOW64\CYYCXUA.exe | EXQPG.exe
File created | C:\windows\SysWOW64\ZZTLWJ.exe | RWCG.exe
File created | C:\windows\SysWOW64\PZRVST.exe.bat | AJEELE.exe
File created | C:\windows\SysWOW64\ZQTZJ.exe.bat | EIKKCJ.exe
File opened for modification | C:\windows\SysWOW64\EYFWN.exe | UAAKFHC.exe
File created | C:\windows\SysWOW64\AWVDSFR.exe | SIROHGW.exe
File created | C:\windows\SysWOW64\LBIGAL.exe.bat | MQFQRFK.exe
File opened for modification | C:\windows\SysWOW64\ZXUQQV.exe | YUTBGH.exe
File created | C:\windows\SysWOW64\FBLQ.exe.bat | BTEQUFC.exe
File created | C:\windows\SysWOW64\HXPYAW.exe.bat | FHBD.exe
File opened for modification | C:\windows\SysWOW64\OSMFWLO.exe | WVUT.exe
File opened for modification | C:\windows\SysWOW64\LBIGAL.exe | MQFQRFK.exe
File created | C:\windows\SysWOW64\ZZZ.exe | LENH.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\system\KPZIZA.exe.bat | PCUZ.exe
File created | C:\windows\JMOWTZD.exe | BGBPIBH.exe
File created | C:\windows\LNYA.exe | FANH.exe
File opened for modification | C:\windows\system\LMEOK.exe | XJVQVKF.exe
File created | C:\windows\system\RIJYXHE.exe.bat | ASKVT.exe
File opened for modification | C:\windows\system\XBB.exe | AWVDSFR.exe
File created | C:\windows\system\DRRPSBD.exe.bat | QPNQNK.exe
File created | C:\windows\system\RBQ.exe.bat | LBIGAL.exe
File opened for modification | C:\windows\LMLZW.exe | DGGLL.exe
File created | C:\windows\FANH.exe | EXJET.exe
File created | C:\windows\VIZZOU.exe | YDOKYRQ.exe
File created | C:\windows\MBT.exe | JOPVPH.exe
File created | C:\windows\system\YOIM.exe.bat | JYHUE.exe
File created | C:\windows\system\XBB.exe | AWVDSFR.exe
File created | C:\windows\system\DDYG.exe.bat | KPZIZA.exe
File created | C:\windows\system\VHTQYCW.exe.bat | ZZZ.exe
File opened for modification | C:\windows\system\HJCT.exe | MBT.exe
File created | C:\windows\system\KMDA.exe.bat | PQYRTTY.exe
File opened for modification | C:\windows\system\LQTBZU.exe | XUPAMF.exe
File created | C:\windows\RHD.exe.bat | LMEOK.exe
File created | C:\windows\VIZZOU.exe.bat | YDOKYRQ.exe
File opened for modification | C:\windows\DIT.exe | VVP.exe
File created | C:\windows\system\KAAHH.exe | ACN.exe
File opened for modification | C:\windows\system\EGJELZR.exe | VXHZZ.exe
File opened for modification | C:\windows\system\YHH.exe | ZWSJA.exe
File created | C:\windows\system\SUIBE.exe.bat | JMOWTZD.exe
File created | C:\windows\system\QPNQNK.exe | XBB.exe
File created | C:\windows\WAVDI.exe.bat | FMLL.exe
File opened for modification | C:\windows\system\PCUZ.exe | NEGFH.exe
File created | C:\windows\system\OKTBXL.exe.bat | KMJMHQT.exe
File opened for modification | C:\windows\system\KAAHH.exe | ACN.exe
File opened for modification | C:\windows\BGBPIBH.exe | ADXMD.exe
File opened for modification | C:\windows\system\IOKN.exe | JEZXI.exe
File created | C:\windows\system\ZWSJA.exe | XYZPUSH.exe
File opened for modification | C:\windows\AJEELE.exe | DDYG.exe
File created | C:\windows\system\EIKKCJ.exe.bat | ZHDW.exe
File opened for modification | C:\windows\CCIYP.exe | HSRABRM.exe
File opened for modification | C:\windows\system\HDTQQQU.exe | LNYA.exe
File created | C:\windows\system\LQTBZU.exe.bat | XUPAMF.exe
File created | C:\windows\system\HJCT.exe.bat | MBT.exe
File created | C:\windows\system\CEB.exe | JBXV.exe
File created | C:\windows\system\IIZQF.exe | IFV.exe
File opened for modification | C:\windows\system\CTJOCR.exe | ZGSNJ.exe
File created | C:\windows\PQYRTTY.exe | CSYF.exe
File created | C:\windows\system\WXAW.exe | OUKAQD.exe
File opened for modification | C:\windows\system\HPZXPMY.exe | HXZWB.exe
File created | C:\windows\system\KAAHH.exe.bat | ACN.exe
File created | C:\windows\MLK.exe.bat | CCIYP.exe
File created | C:\windows\system\ZLFSD.exe.bat | 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
File created | C:\windows\system\NDXVXZ.exe.bat | OSMFWLO.exe
File created | C:\windows\system\OQFTFOZ.exe | KAZL.exe
File created | C:\windows\BTEQUFC.exe.bat | DIT.exe
File created | C:\windows\CWUUJV.exe | VOT.exe
File created | C:\windows\BGBPIBH.exe | ADXMD.exe
File opened for modification | C:\windows\system\LACFSL.exe | FZUR.exe
File created | C:\windows\system\LEX.exe.bat | YBMBDH.exe
File created | C:\windows\OJBIFAC.exe.bat | ALB.exe
File created | C:\windows\system\LXPXLM.exe.bat | DRCRAG.exe
File created | C:\windows\CSYF.exe | SVKL.exe
File created | C:\windows\system\CEB.exe.bat | JBXV.exe
File created | C:\windows\system\WHA.exe.bat | ZQFGE.exe
File created | C:\windows\system\LACFSL.exe.bat | FZUR.exe
File created | C:\windows\GRYZ.exe | GDX.exe
File opened for modification | C:\windows\system\QWDJRUZ.exe | VIZZOU.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
756 | 1828 | WerFault.exe | 81
4548 | 616 | WerFault.exe | 89
1020 | 3708 | WerFault.exe | 95
3280 | 4668 | WerFault.exe | 100
4824 | 3476 | WerFault.exe | 105
3700 | 4240 | WerFault.exe | 110
2072 | 1840 | WerFault.exe | 115
4248 | 1600 | WerFault.exe | 120
2796 | 1168 | WerFault.exe | 125
4832 | 2252 | WerFault.exe | 130
1164 | 1724 | WerFault.exe | 135
1916 | 4508 | WerFault.exe | 140
2464 | 1516 | WerFault.exe | 145
2384 | 4868 | WerFault.exe | 150
4396 | 3944 | WerFault.exe | 155
3428 | 2296 | WerFault.exe | 160
2404 | 1660 | WerFault.exe | 165
1416 | 2536 | WerFault.exe | 170
4796 | 1780 | WerFault.exe | 175
3896 | 460 | WerFault.exe | 180
4508 | 1484 | WerFault.exe | 185
1372 | 4812 | WerFault.exe | 190
560 | 4332 | WerFault.exe | 195
1952 | 3640 | WerFault.exe | 200
4256 | 4340 | WerFault.exe | 205
2324 | 1168 | WerFault.exe | 210
468 | 4252 | WerFault.exe | 215
784 | 2816 | WerFault.exe | 220
3324 | 1896 | WerFault.exe | 225
4320 | 1656 | WerFault.exe | 230
4876 | 1516 | WerFault.exe | 235
1280 | 2072 | WerFault.exe | 240
4672 | 2776 | WerFault.exe | 245
3124 | 3560 | WerFault.exe | 250
976 | 1692 | WerFault.exe | 255
4832 | 4416 | WerFault.exe | 260
1164 | 1780 | WerFault.exe | 267
2392 | 1724 | WerFault.exe | 271
1472 | 816 | WerFault.exe | 277
2424 | 2648 | WerFault.exe | 282
3432 | 2484 | WerFault.exe | 287
2212 | 3428 | WerFault.exe | 292
3124 | 4540 | WerFault.exe | 297
3620 | 2440 | WerFault.exe | 302
2604 | 1584 | WerFault.exe | 307
2928 | 784 | WerFault.exe | 312
4608 | 2720 | WerFault.exe | 317
2464 | 1724 | WerFault.exe | 323
1632 | 1060 | WerFault.exe | 328
3628 | 1984 | WerFault.exe | 333
3088 | 4696 | WerFault.exe | 338
1648 | 2688 | WerFault.exe | 343
5032 | 2176 | WerFault.exe | 348
3956 | 2440 | WerFault.exe | 353
3940 | 1364 | WerFault.exe | 358
444 | 1412 | WerFault.exe | 363
4868 | 560 | WerFault.exe | 367
2052 | 2380 | WerFault.exe | 373
184 | 1840 | WerFault.exe | 378
2460 | 3512 | WerFault.exe | 383
2404 | 3560 | WerFault.exe | 388
1528 | 4652 | WerFault.exe | 393
4772 | 3616 | WerFault.exe | 398
4292 | 3968 | WerFault.exe | 403
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each of the 32 pairs below is listed twice in the report, giving 64 rows)
1828 | 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
616 | ZLFSD.exe
3708 | ZQFGE.exe
4668 | WHA.exe
3476 | SMF.exe
4240 | EXQPG.exe
1840 | CYYCXUA.exe
1600 | ELJB.exe
1168 | YYOKNH.exe
2252 | RBSGT.exe
1724 | SEICHH.exe
4508 | CUVWX.exe
1516 | KDEIEIA.exe
4868 | SIROHGW.exe
3944 | AWVDSFR.exe
2296 | XBB.exe
1660 | QPNQNK.exe
2536 | DRRPSBD.exe
1780 | WVUT.exe
460 | OSMFWLO.exe
1484 | NDXVXZ.exe
4812 | JEZXI.exe
4332 | IOKN.exe
3640 | OPJBADQ.exe
4340 | FZUR.exe
1168 | LACFSL.exe
4252 | VXHZZ.exe
2816 | EGJELZR.exe
1896 | XYZPUSH.exe
1656 | ZWSJA.exe
1516 | YHH.exe
2072 | IFV.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each of the 32 pairs below is listed twice in the report, giving 64 rows)
1828 | 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe
616 | ZLFSD.exe
3708 | ZQFGE.exe
4668 | WHA.exe
3476 | SMF.exe
4240 | EXQPG.exe
1840 | CYYCXUA.exe
1600 | ELJB.exe
1168 | YYOKNH.exe
2252 | RBSGT.exe
1724 | SEICHH.exe
4508 | CUVWX.exe
1516 | KDEIEIA.exe
4868 | SIROHGW.exe
3944 | AWVDSFR.exe
2296 | XBB.exe
1660 | QPNQNK.exe
2536 | DRRPSBD.exe
1780 | WVUT.exe
460 | OSMFWLO.exe
1484 | NDXVXZ.exe
4812 | JEZXI.exe
4332 | IOKN.exe
3640 | OPJBADQ.exe
4340 | FZUR.exe
1168 | LACFSL.exe
4252 | VXHZZ.exe
2816 | EGJELZR.exe
1896 | XYZPUSH.exe
1656 | ZWSJA.exe
1516 | YHH.exe
2072 | IFV.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row below appears three times in the report, except the last, which appears once, giving 64 rows)
PID 1828 wrote to memory of 4876 | 1828 | 10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe | 85
PID 4876 wrote to memory of 616 | 4876 | cmd.exe | 89
PID 616 wrote to memory of 1944 | 616 | ZLFSD.exe | 91
PID 1944 wrote to memory of 3708 | 1944 | cmd.exe | 95
PID 3708 wrote to memory of 2664 | 3708 | ZQFGE.exe | 96
PID 2664 wrote to memory of 4668 | 2664 | cmd.exe | 100
PID 4668 wrote to memory of 916 | 4668 | WHA.exe | 101
PID 916 wrote to memory of 3476 | 916 | cmd.exe | 105
PID 3476 wrote to memory of 784 | 3476 | SMF.exe | 106
PID 784 wrote to memory of 4240 | 784 | cmd.exe | 110
PID 4240 wrote to memory of 2772 | 4240 | EXQPG.exe | 111
PID 2772 wrote to memory of 1840 | 2772 | cmd.exe | 115
PID 1840 wrote to memory of 2628 | 1840 | CYYCXUA.exe | 116
PID 2628 wrote to memory of 1600 | 2628 | cmd.exe | 120
PID 1600 wrote to memory of 2212 | 1600 | ELJB.exe | 121
PID 2212 wrote to memory of 1168 | 2212 | cmd.exe | 125
PID 1168 wrote to memory of 2448 | 1168 | YYOKNH.exe | 126
PID 2448 wrote to memory of 2252 | 2448 | cmd.exe | 130
PID 2252 wrote to memory of 3028 | 2252 | RBSGT.exe | 131
PID 3028 wrote to memory of 1724 | 3028 | cmd.exe | 135
PID 1724 wrote to memory of 3212 | 1724 | SEICHH.exe | 136
PID 3212 wrote to memory of 4508 | 3212 | cmd.exe | 140
Processes
-
C:\Users\Admin\AppData\Local\Temp\10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe"C:\Users\Admin\AppData\Local\Temp\10b0759c671c5bd6e4dae62be9812c13f7cdd4d44e9e2ab1faa450492641b8df.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLFSD.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\windows\system\ZLFSD.exeC:\windows\system\ZLFSD.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZQFGE.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\windows\SysWOW64\ZQFGE.exeC:\windows\system32\ZQFGE.exe5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WHA.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\windows\system\WHA.exeC:\windows\system\WHA.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMF.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:916 -
C:\windows\SysWOW64\SMF.exeC:\windows\system32\SMF.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EXQPG.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\windows\system\EXQPG.exeC:\windows\system\EXQPG.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CYYCXUA.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\windows\SysWOW64\CYYCXUA.exeC:\windows\system32\CYYCXUA.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ELJB.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\windows\system\ELJB.exeC:\windows\system\ELJB.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YYOKNH.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\windows\YYOKNH.exeC:\windows\YYOKNH.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RBSGT.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\windows\RBSGT.exeC:\windows\RBSGT.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEICHH.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\windows\SysWOW64\SEICHH.exeC:\windows\system32\SEICHH.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1724

C:\Windows\SysWOW64\cmd.exe (depth 22)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CUVWX.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3212

C:\windows\CUVWX.exe (depth 23)
Command line: C:\windows\CUVWX.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4508

C:\Windows\SysWOW64\cmd.exe (depth 24)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDEIEIA.exe.bat" "
PID: 3960

C:\windows\system\KDEIEIA.exe (depth 25)
Command line: C:\windows\system\KDEIEIA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1516

C:\Windows\SysWOW64\cmd.exe (depth 26)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIROHGW.exe.bat" "
PID: 4432

C:\windows\SysWOW64\SIROHGW.exe (depth 27)
Command line: C:\windows\system32\SIROHGW.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4868

C:\Windows\SysWOW64\cmd.exe (depth 28)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWVDSFR.exe.bat" "
PID: 1372

C:\windows\SysWOW64\AWVDSFR.exe (depth 29)
Command line: C:\windows\system32\AWVDSFR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3944

C:\Windows\SysWOW64\cmd.exe (depth 30)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XBB.exe.bat" "
PID: 4348

C:\windows\system\XBB.exe (depth 31)
Command line: C:\windows\system\XBB.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2296

C:\Windows\SysWOW64\cmd.exe (depth 32)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPNQNK.exe.bat" "
PID: 3936

C:\windows\system\QPNQNK.exe (depth 33)
Command line: C:\windows\system\QPNQNK.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1660

C:\Windows\SysWOW64\cmd.exe (depth 34)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DRRPSBD.exe.bat" "
PID: 1432

C:\windows\system\DRRPSBD.exe (depth 35)
Command line: C:\windows\system\DRRPSBD.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2536

C:\Windows\SysWOW64\cmd.exe (depth 36)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUT.exe.bat" "
PID: 4964

C:\windows\system\WVUT.exe (depth 37)
Command line: C:\windows\system\WVUT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1780

C:\Windows\SysWOW64\cmd.exe (depth 38)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSMFWLO.exe.bat" "
PID: 1368

C:\windows\SysWOW64\OSMFWLO.exe (depth 39)
Command line: C:\windows\system32\OSMFWLO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 460

C:\Windows\SysWOW64\cmd.exe (depth 40)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDXVXZ.exe.bat" "
PID: 5004

C:\windows\system\NDXVXZ.exe (depth 41)
Command line: C:\windows\system\NDXVXZ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1484

C:\Windows\SysWOW64\cmd.exe (depth 42)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEZXI.exe.bat" "
PID: 2808

C:\windows\SysWOW64\JEZXI.exe (depth 43)
Command line: C:\windows\system32\JEZXI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4812

C:\Windows\SysWOW64\cmd.exe (depth 44)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IOKN.exe.bat" "
PID: 2076

C:\windows\system\IOKN.exe (depth 45)
Command line: C:\windows\system\IOKN.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4332

C:\Windows\SysWOW64\cmd.exe (depth 46)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OPJBADQ.exe.bat" "
PID: 4324

C:\windows\OPJBADQ.exe (depth 47)
Command line: C:\windows\OPJBADQ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3640

C:\Windows\SysWOW64\cmd.exe (depth 48)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FZUR.exe.bat" "
PID: 1060

C:\windows\FZUR.exe (depth 49)
Command line: C:\windows\FZUR.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4340

C:\Windows\SysWOW64\cmd.exe (depth 50)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LACFSL.exe.bat" "
PID: 1008

C:\windows\system\LACFSL.exe (depth 51)
Command line: C:\windows\system\LACFSL.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1168

C:\Windows\SysWOW64\cmd.exe (depth 52)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VXHZZ.exe.bat" "
PID: 4176

C:\windows\system\VXHZZ.exe (depth 53)
Command line: C:\windows\system\VXHZZ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4252

C:\Windows\SysWOW64\cmd.exe (depth 54)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "
PID: 2536

C:\windows\system\EGJELZR.exe (depth 55)
Command line: C:\windows\system\EGJELZR.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2816

C:\Windows\SysWOW64\cmd.exe (depth 56)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XYZPUSH.exe.bat" "
PID: 4588

C:\windows\XYZPUSH.exe (depth 57)
Command line: C:\windows\XYZPUSH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1896

C:\Windows\SysWOW64\cmd.exe (depth 58)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZWSJA.exe.bat" "
PID: 1984

C:\windows\system\ZWSJA.exe (depth 59)
Command line: C:\windows\system\ZWSJA.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1656

C:\Windows\SysWOW64\cmd.exe (depth 60)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YHH.exe.bat" "
PID: 3636

C:\windows\system\YHH.exe (depth 61)
Command line: C:\windows\system\YHH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1516

C:\Windows\SysWOW64\cmd.exe (depth 62)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IFV.exe.bat" "
PID: 4508

C:\windows\IFV.exe (depth 63)
Command line: C:\windows\IFV.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2072

C:\Windows\SysWOW64\cmd.exe (depth 64)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZQF.exe.bat" "
PID: 2936

C:\windows\system\IIZQF.exe (depth 65)
Command line: C:\windows\system\IIZQF.exe
- Executes dropped EXE
PID: 2776

C:\Windows\SysWOW64\cmd.exe (depth 66)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MQFQRFK.exe.bat" "
PID: 2196

C:\windows\system\MQFQRFK.exe (depth 67)
Command line: C:\windows\system\MQFQRFK.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3560

C:\Windows\SysWOW64\cmd.exe (depth 68)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBIGAL.exe.bat" "
PID: 1508

C:\windows\SysWOW64\LBIGAL.exe (depth 69)
Command line: C:\windows\system32\LBIGAL.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1692

C:\Windows\SysWOW64\cmd.exe (depth 70)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RBQ.exe.bat" "
PID: 1648

C:\windows\system\RBQ.exe (depth 71)
Command line: C:\windows\system\RBQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4416

C:\Windows\SysWOW64\cmd.exe (depth 72)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMOOJG.exe.bat" "
PID: 2364

C:\windows\SysWOW64\VMOOJG.exe (depth 73)
Command line: C:\windows\system32\VMOOJG.exe
- Executes dropped EXE
PID: 1780

C:\Windows\SysWOW64\cmd.exe (depth 74)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JKI.exe.bat" "
PID: 4728

C:\windows\JKI.exe (depth 75)
Command line: C:\windows\JKI.exe
- Executes dropped EXE
PID: 1724

C:\Windows\SysWOW64\cmd.exe (depth 76)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FPGPB.exe.bat" "
PID: 2628

C:\windows\FPGPB.exe (depth 77)
Command line: C:\windows\FPGPB.exe
- Executes dropped EXE
PID: 816

C:\Windows\SysWOW64\cmd.exe (depth 78)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXN.exe.bat" "
PID: 5076

C:\windows\system\JXN.exe (depth 79)
Command line: C:\windows\system\JXN.exe
- Executes dropped EXE
PID: 2648

C:\Windows\SysWOW64\cmd.exe (depth 80)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAZL.exe.bat" "
PID: 2380

C:\windows\SysWOW64\KAZL.exe (depth 81)
Command line: C:\windows\system32\KAZL.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2484

C:\Windows\SysWOW64\cmd.exe (depth 82)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQFTFOZ.exe.bat" "
PID: 3336

C:\windows\system\OQFTFOZ.exe (depth 83)
Command line: C:\windows\system\OQFTFOZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 3428

C:\Windows\SysWOW64\cmd.exe (depth 84)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DGGLL.exe.bat" "
PID: 892

C:\windows\SysWOW64\DGGLL.exe (depth 85)
Command line: C:\windows\system32\DGGLL.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4540

C:\Windows\SysWOW64\cmd.exe (depth 86)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LMLZW.exe.bat" "
PID: 4228

C:\windows\LMLZW.exe (depth 87)
Command line: C:\windows\LMLZW.exe
- Executes dropped EXE
PID: 2440

C:\Windows\SysWOW64\cmd.exe (depth 88)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IRRODK.exe.bat" "
PID: 4652

C:\windows\IRRODK.exe (depth 89)
Command line: C:\windows\IRRODK.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1584

C:\Windows\SysWOW64\cmd.exe (depth 90)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EXJET.exe.bat" "
PID: 916

C:\windows\system\EXJET.exe (depth 91)
Command line: C:\windows\system\EXJET.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 784

C:\Windows\SysWOW64\cmd.exe (depth 92)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FANH.exe.bat" "
PID: 2016

C:\windows\FANH.exe (depth 93)
Command line: C:\windows\FANH.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2720

C:\Windows\SysWOW64\cmd.exe (depth 94)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LNYA.exe.bat" "
PID: 264

C:\windows\LNYA.exe (depth 95)
Command line: C:\windows\LNYA.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1724

C:\Windows\SysWOW64\cmd.exe (depth 96)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HDTQQQU.exe.bat" "
PID: 544

C:\windows\system\HDTQQQU.exe (depth 97)
Command line: C:\windows\system\HDTQQQU.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1060

C:\Windows\SysWOW64\cmd.exe (depth 98)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "
PID: 4524

C:\windows\CGBHEBP.exe (depth 99)
Command line: C:\windows\CGBHEBP.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1984

C:\Windows\SysWOW64\cmd.exe (depth 100)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "
PID: 4176

C:\windows\system\RWCG.exe (depth 101)
Command line: C:\windows\system\RWCG.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4696

C:\Windows\SysWOW64\cmd.exe (depth 102)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZTLWJ.exe.bat" "
PID: 4436

C:\windows\SysWOW64\ZZTLWJ.exe (depth 103)
Command line: C:\windows\system32\ZZTLWJ.exe
- Executes dropped EXE
PID: 2688

C:\Windows\SysWOW64\cmd.exe (depth 104)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FMLL.exe.bat" "
PID: 520

C:\windows\system\FMLL.exe (depth 105)
Command line: C:\windows\system\FMLL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 2176

C:\Windows\SysWOW64\cmd.exe (depth 106)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WAVDI.exe.bat" "
PID: 3136

C:\windows\WAVDI.exe (depth 107)
Command line: C:\windows\WAVDI.exe
- Checks computer location settings
- Executes dropped EXE
PID: 2440

C:\Windows\SysWOW64\cmd.exe (depth 108)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NVBWQB.exe.bat" "
PID: 5056

C:\windows\system\NVBWQB.exe (depth 109)
Command line: C:\windows\system\NVBWQB.exe
- Executes dropped EXE
PID: 1364

C:\Windows\SysWOW64\cmd.exe (depth 110)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YBMBDH.exe.bat" "
PID: 4632

C:\windows\system\YBMBDH.exe (depth 111)
Command line: C:\windows\system\YBMBDH.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1412

C:\Windows\SysWOW64\cmd.exe (depth 112)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LEX.exe.bat" "
PID: 4972

C:\windows\system\LEX.exe (depth 113)
Command line: C:\windows\system\LEX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 560

C:\Windows\SysWOW64\cmd.exe (depth 114)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMZU.exe.bat" "
PID: 3788

C:\windows\SysWOW64\UMZU.exe (depth 115)
Command line: C:\windows\system32\UMZU.exe
- Checks computer location settings
- Executes dropped EXE
PID: 2380

C:\Windows\SysWOW64\cmd.exe (depth 116)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NEGFH.exe.bat" "
PID: 2448

C:\windows\NEGFH.exe (depth 117)
Command line: C:\windows\NEGFH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 1840

C:\Windows\SysWOW64\cmd.exe (depth 118)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCUZ.exe.bat" "
PID: 1644

C:\windows\system\PCUZ.exe (depth 119)
Command line: C:\windows\system\PCUZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 3512

C:\Windows\SysWOW64\cmd.exe (depth 120)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KPZIZA.exe.bat" "
PID: 5064

C:\windows\system\KPZIZA.exe (depth 121)
Command line: C:\windows\system\KPZIZA.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 3560

C:\Windows\SysWOW64\cmd.exe (depth 122)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDYG.exe.bat" "
PID: 2252