Analysis
Max time kernel: 150s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17/05/2024, 14:49
Static task: static1
Behavioral task: behavioral1
  Sample: e363be771314616a653cba4975637a4c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e363be771314616a653cba4975637a4c.exe
  Resource: win10v2004-20240508-en
General
Target: e363be771314616a653cba4975637a4c.exe
Size: 320KB
MD5: e363be771314616a653cba4975637a4c
SHA1: aa14377449a6b83e30fa21a1208afdcbc5b5bfd0
SHA256: ef268c8b68b03063c8b802c381d1098f954cc6586eb2f66013bbf3ccec687abf
SHA512: 440bb8192c3ba56ab740103a5e2f97b543bfe451626a59202529a782fb81abac165d421220a97ceaa58007207b7cb204c1d0261e6cf9d2226dce49dd18914609
SSDEEP: 3072:tsFh2/HIdPOOjx/BM6C9yTqBnKp4ucfbLAbMYj4NfhANhirVkh34pLthEjQT68TU:tygOlq9y/FCbsbP2AkEjWbjcSbcY+CA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description (all 64 events): Key value queried
ioc (all 64 events): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Process (one event per process, in report order): NDRXPXE.exe, JKPT.exe, CHOSZ.exe, RZM.exe, WEPH.exe, UUY.exe, WTBBL.exe, RLDY.exe, ZQADOEQ.exe, DTXN.exe, USUTUPT.exe, QZTJ.exe, MRC.exe, GXRS.exe, RUBRYTF.exe, UDYQTDP.exe, LAW.exe, DQGBQIH.exe, XIOL.exe, WCKLBLI.exe, FKANZ.exe, MVGAUAZ.exe, LQR.exe, UUOUV.exe, VPPIEBH.exe, CEHNOYX.exe, IAOV.exe, DZJRBP.exe, FHAT.exe, IEAUMP.exe, IYIGE.exe, GXMI.exe, WIMW.exe, JNSJ.exe, BTTR.exe, MLH.exe, BAWT.exe, LAHDZY.exe, EBZETZ.exe, YMSI.exe, XBJF.exe, ZIFVEEJ.exe, REL.exe, COKS.exe, YHOWO.exe, IRDPM.exe, RWJ.exe, KNHN.exe, BJPFDAO.exe, CMTAJX.exe, DGWMKX.exe, IVUSZRR.exe, UIJ.exe, OMW.exe, XRIVBN.exe, QMWAUB.exe, GTRYPOK.exe, ZAV.exe, CQJ.exe, LMO.exe, XNQPG.exe, LBCKAK.exe, YCPF.exe, DYGDAX.exe
Executes dropped EXE (64 IoCs)
pid | Process
836 | ZBEY.exe
4264 | UPJPMR.exe
1056 | OUKA.exe
1148 | WAWH.exe
4568 | CVAIS.exe
1864 | ZWKK.exe
4560 | WMXBL.exe
4972 | IEAUMP.exe
3436 | SMABL.exe
2692 | LQR.exe
2364 | RLDY.exe
1164 | JLRDI.exe
2292 | DGWMKX.exe
2324 | PJH.exe
3752 | GXRS.exe
3628 | ZAV.exe
3928 | FVH.exe
4512 | KOIRGPL.exe
4396 | GTBGWLG.exe
2160 | LPGVFB.exe
4976 | PXN.exe
3584 | SSEF.exe
3084 | PKO.exe
3132 | NDRXPXE.exe
3944 | RLYX.exe
4512 | QWI.exe
3216 | AUO.exe
3472 | QKB.exe
3092 | HSDEKI.exe
448 | IVUSZRR.exe
4380 | MVIVM.exe
1224 | SYMTRY.exe
3360 | EJWGAL.exe
3964 | IRDPM.exe
3724 | UUOUV.exe
2580 | JKPT.exe
4464 | ULEE.exe
1824 | CQJ.exe
3532 | RMU.exe
4960 | PXXCKXM.exe
4156 | CHOSZ.exe
2840 | GPUA.exe
2864 | FIX.exe
2548 | YBMBDH.exe
4656 | RWQXI.exe
3980 | BTW.exe
3396 | VPPIEBH.exe
5004 | DUUWPZD.exe
1624 | LAHDZY.exe
1828 | UIJ.exe
2416 | NBQ.exe
2628 | MMBJDKF.exe
4936 | WEKI.exe
400 | BKDYXIP.exe
2068 | OQPCI.exe
1836 | WVHQKSU.exe
4152 | HOXBB.exe
1516 | DTXN.exe
3772 | YHOWO.exe
2308 | LMO.exe
1760 | KNPX.exe
2112 | DQGBQIH.exe
5004 | NNGOHC.exe
460 | CEHNOYX.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\LMO.exe | YHOWO.exe
File created | C:\windows\SysWOW64\QEX.exe | DGXJC.exe
File created | C:\windows\SysWOW64\RWJ.exe.bat | HOHH.exe
File created | C:\windows\SysWOW64\FDRP.exe.bat | NDCS.exe
File created | C:\windows\SysWOW64\KWWAL.exe.bat | IYIGE.exe
File created | C:\windows\SysWOW64\XIS.exe.bat | INBVO.exe
File created | C:\windows\SysWOW64\NBQ.exe | UIJ.exe
File created | C:\windows\SysWOW64\BFI.exe | CMTAJX.exe
File created | C:\windows\SysWOW64\CSVFLZY.exe.bat | YCPF.exe
File created | C:\windows\SysWOW64\LAW.exe | USUTUPT.exe
File created | C:\windows\SysWOW64\COKS.exe.bat | IAFBJRE.exe
File created | C:\windows\SysWOW64\YHOWO.exe.bat | DTXN.exe
File created | C:\windows\SysWOW64\NNGOHC.exe | DQGBQIH.exe
File created | C:\windows\SysWOW64\OIGSBN.exe | HSF.exe
File created | C:\windows\SysWOW64\FDRP.exe | NDCS.exe
File created | C:\windows\SysWOW64\UUY.exe | GZNY.exe
File created | C:\windows\SysWOW64\YCPF.exe | UZRKZOI.exe
File opened for modification | C:\windows\SysWOW64\GXKK.exe | YHJTX.exe
File created | C:\windows\SysWOW64\GXKK.exe.bat | YHJTX.exe
File created | C:\windows\SysWOW64\LAHDZY.exe | DUUWPZD.exe
File opened for modification | C:\windows\SysWOW64\QNXAQ.exe | XNQPG.exe
File created | C:\windows\SysWOW64\QNXAQ.exe.bat | XNQPG.exe
File created | C:\windows\SysWOW64\YCPF.exe.bat | UZRKZOI.exe
File created | C:\windows\SysWOW64\GXKK.exe | YHJTX.exe
File opened for modification | C:\windows\SysWOW64\UUY.exe | GZNY.exe
File created | C:\windows\SysWOW64\LQR.exe.bat | SMABL.exe
File created | C:\windows\SysWOW64\LAHDZY.exe.bat | DUUWPZD.exe
File created | C:\windows\SysWOW64\UIJ.exe.bat | LAHDZY.exe
File created | C:\windows\SysWOW64\DTXN.exe | HOXBB.exe
File created | C:\windows\SysWOW64\SUDEA.exe.bat | OMW.exe
File created | C:\windows\SysWOW64\DBNJ.exe.bat | XGB.exe
File opened for modification | C:\windows\SysWOW64\ZIFVEEJ.exe | LNCVQPT.exe
File opened for modification | C:\windows\SysWOW64\IEAUMP.exe | WMXBL.exe
File created | C:\windows\SysWOW64\IAFBJRE.exe.bat | LAW.exe
File opened for modification | C:\windows\SysWOW64\COHIWGO.exe | BLRVHF.exe
File created | C:\windows\SysWOW64\ZIFVEEJ.exe.bat | LNCVQPT.exe
File created | C:\windows\SysWOW64\IRDPM.exe.bat | EJWGAL.exe
File opened for modification | C:\windows\SysWOW64\KNPX.exe | LMO.exe
File created | C:\windows\SysWOW64\OIGSBN.exe.bat | HSF.exe
File opened for modification | C:\windows\SysWOW64\INBVO.exe | CRXUJ.exe
File created | C:\windows\SysWOW64\JLRDI.exe.bat | RLDY.exe
File opened for modification | C:\windows\SysWOW64\DGWMKX.exe | JLRDI.exe
File opened for modification | C:\windows\SysWOW64\UIJ.exe | LAHDZY.exe
File created | C:\windows\SysWOW64\NBQ.exe.bat | UIJ.exe
File created | C:\windows\SysWOW64\KNHN.exe | VPUV.exe
File created | C:\windows\SysWOW64\XIOL.exe.bat | EFKQM.exe
File opened for modification | C:\windows\SysWOW64\BFI.exe | CMTAJX.exe
File created | C:\windows\SysWOW64\COHIWGO.exe.bat | BLRVHF.exe
File created | C:\windows\SysWOW64\JLRDI.exe | RLDY.exe
File opened for modification | C:\windows\SysWOW64\HSDEKI.exe | QKB.exe
File created | C:\windows\SysWOW64\MVIVM.exe.bat | IVUSZRR.exe
File created | C:\windows\SysWOW64\SYMTRY.exe | MVIVM.exe
File created | C:\windows\SysWOW64\IRDPM.exe | EJWGAL.exe
File opened for modification | C:\windows\SysWOW64\WVHQKSU.exe | OQPCI.exe
File created | C:\windows\SysWOW64\DTXN.exe.bat | HOXBB.exe
File created | C:\windows\SysWOW64\YHOWO.exe | DTXN.exe
File created | C:\windows\SysWOW64\QKB.exe.bat | AUO.exe
File opened for modification | C:\windows\SysWOW64\WTBBL.exe | XIQLCI.exe
File created | C:\windows\SysWOW64\USUTUPT.exe.bat | KUC.exe
File created | C:\windows\SysWOW64\IDJZT.exe | BTTR.exe
File created | C:\windows\SysWOW64\JYHUE.exe | UDYQTDP.exe
File created | C:\windows\SysWOW64\COKS.exe | IAFBJRE.exe
File opened for modification | C:\windows\SysWOW64\COKS.exe | IAFBJRE.exe
File opened for modification | C:\windows\SysWOW64\JLRDI.exe | RLDY.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\system\KOIRGPL.exe | FVH.exe
File opened for modification | C:\windows\system\DGXJC.exe | CEHNOYX.exe
File created | C:\windows\system\PTDUMQ.exe.bat | CJMVYF.exe
File created | C:\windows\system\EJWGAL.exe.bat | SYMTRY.exe
File created | C:\windows\JKPT.exe.bat | UUOUV.exe
File created | C:\windows\system\CMTAJX.exe.bat | BJPFDAO.exe
File created | C:\windows\YPRSVH.exe | DBNJ.exe
File created | C:\windows\system\DOD.exe | KWWAL.exe
File created | C:\windows\system\CRXUJ.exe | PGTW.exe
File opened for modification | C:\windows\system\CRXUJ.exe | PGTW.exe
File created | C:\windows\system\OWFWYMN.exe.bat | WTBBL.exe
File created | C:\windows\XGB.exe | GTRYPOK.exe
File created | C:\windows\FMUHH.exe | OEGKV.exe
File created | C:\windows\BLRVHF.exe.bat | XIS.exe
File opened for modification | C:\windows\XRIVBN.exe | RDXUVYZ.exe
File created | C:\windows\system\EFKQM.exe.bat | RUBRYTF.exe
File created | C:\windows\system\VTQ.exe | XIOL.exe
File created | C:\windows\NCT.exe | YMSI.exe
File opened for modification | C:\windows\system\LPGVFB.exe | GTBGWLG.exe
File created | C:\windows\system\GPUA.exe | CHOSZ.exe
File opened for modification | C:\windows\CEHNOYX.exe | NNGOHC.exe
File opened for modification | C:\windows\system\XUMQG.exe | XRIVBN.exe
File created | C:\windows\VPUV.exe.bat | QMWAUB.exe
File opened for modification | C:\windows\system\RUBRYTF.exe | DWT.exe
File opened for modification | C:\windows\PKO.exe | SSEF.exe
File created | C:\windows\system\CMTAJX.exe | BJPFDAO.exe
File opened for modification | C:\windows\PUG.exe | JYHUE.exe
File created | C:\windows\FKANZ.exe.bat | VNVTKR.exe
File created | C:\windows\system\EFNPXTO.exe | CSVFLZY.exe
File created | C:\windows\UPJPMR.exe | ZBEY.exe
File created | C:\windows\QDTIGD.exe.bat | JNSJ.exe
File created | C:\windows\DDJ.exe | WIMW.exe
File created | C:\windows\system\OMW.exe.bat | RWJ.exe
File created | C:\windows\system\ABZUN.exe | QDTIGD.exe
File opened for modification | C:\windows\system\VNVTKR.exe | WCKLBLI.exe
File opened for modification | C:\windows\CJMVYF.exe | CDMGW.exe
File created | C:\windows\system\GXMI.exe | DOD.exe
File created | C:\windows\system\VNVTKR.exe.bat | WCKLBLI.exe
File created | C:\windows\GTBGWLG.exe.bat | KOIRGPL.exe
File created | C:\windows\CEHNOYX.exe.bat | NNGOHC.exe
File created | C:\windows\system\DGXJC.exe.bat | CEHNOYX.exe
File opened for modification | C:\windows\system\IAOV.exe | RZM.exe
File created | C:\windows\system\GXZGBT.exe.bat | WEPH.exe
File opened for modification | C:\windows\system\BNWKOSQ.exe | KNHN.exe
File opened for modification | C:\windows\UZRKZOI.exe | PUG.exe
File opened for modification | C:\windows\ZWKK.exe | CVAIS.exe
File created | C:\windows\system\LPGVFB.exe.bat | GTBGWLG.exe
File opened for modification | C:\windows\JKPT.exe | UUOUV.exe
File opened for modification | C:\windows\system\MMBJDKF.exe | NBQ.exe
File created | C:\windows\UZRKZOI.exe.bat | PUG.exe
File opened for modification | C:\windows\OEGKV.exe | PTDUMQ.exe
File opened for modification | C:\windows\system\GXMI.exe | DOD.exe
File created | C:\windows\SVR.exe.bat | FKANZ.exe
File created | C:\windows\system\IAOV.exe.bat | RZM.exe
File opened for modification | C:\windows\system\DWT.exe | FDRP.exe
File opened for modification | C:\windows\system\VTQ.exe | XIOL.exe
File created | C:\windows\system\VTQ.exe.bat | XIOL.exe
File opened for modification | C:\windows\system\LBCKAK.exe | QNXAQ.exe
File opened for modification | C:\windows\QDTIGD.exe | JNSJ.exe
File created | C:\windows\XBJF.exe.bat | ABZUN.exe
File created | C:\windows\system\QZTJ.exe | COKS.exe
File created | C:\windows\system\MRC.exe | QZTJ.exe
File created | C:\windows\RLYX.exe | NDRXPXE.exe
File created | C:\windows\system\OQPCI.exe | BKDYXIP.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
1400 | 64 | WerFault.exe | 82
4496 | 836 | WerFault.exe | 90
3016 | 4264 | WerFault.exe | 96
1840 | 1056 | WerFault.exe | 101
3804 | 1148 | WerFault.exe | 106
4764 | 4568 | WerFault.exe | 113
4372 | 1864 | WerFault.exe | 118
1400 | 4560 | WerFault.exe | 125
4012 | 4972 | WerFault.exe | 131
1684 | 3436 | WerFault.exe | 137
3764 | 2692 | WerFault.exe | 143
2876 | 2364 | WerFault.exe | 148
4656 | 1164 | WerFault.exe | 153
836 | 2292 | WerFault.exe | 158
1056 | 2324 | WerFault.exe | 164
2200 | 3752 | WerFault.exe | 169
2252 | 3628 | WerFault.exe | 174
4016 | 3928 | WerFault.exe | 179
2196 | 4512 | WerFault.exe | 185
3216 | 4396 | WerFault.exe | 190
1828 | 2160 | WerFault.exe | 195
2544 | 4976 | WerFault.exe | 200
220 | 3584 | WerFault.exe | 205
3608 | 3084 | WerFault.exe | 210
4016 | 3132 | WerFault.exe | 215
4300 | 3944 | WerFault.exe | 220
3316 | 4512 | WerFault.exe | 225
3724 | 3216 | WerFault.exe | 230
3664 | 3472 | WerFault.exe | 235
3484 | 3092 | WerFault.exe | 240
2812 | 448 | WerFault.exe | 245
4868 | 4380 | WerFault.exe | 250
3060 | 1224 | WerFault.exe | 255
4156 | 3360 | WerFault.exe | 260
1864 | 3964 | WerFault.exe | 266
3056 | 3724 | WerFault.exe | 271
3952 | 2580 | WerFault.exe | 276
1764 | 4464 | WerFault.exe | 281
4652 | 1824 | WerFault.exe | 286
1664 | 3532 | WerFault.exe | 291
4012 | 4960 | WerFault.exe | 296
1256 | 4156 | WerFault.exe | 301
1072 | 2840 | WerFault.exe | 306
1748 | 2864 | WerFault.exe | 311
2252 | 2548 | WerFault.exe | 316
1520 | 4656 | WerFault.exe | 321
4588 | 3980 | WerFault.exe | 327
2640 | 3396 | WerFault.exe | 332
3484 | 5004 | WerFault.exe | 337
2392 | 1624 | WerFault.exe | 342
2116 | 1828 | WerFault.exe | 347
528 | 2416 | WerFault.exe | 352
3068 | 2628 | WerFault.exe | 357
1524 | 4936 | WerFault.exe | 362
4012 | 400 | WerFault.exe | 367
876 | 2068 | WerFault.exe | 372
2876 | 1836 | WerFault.exe | 377
2300 | 4152 | WerFault.exe | 382
3628 | 1516 | WerFault.exe | 387
1936 | 3772 | WerFault.exe | 392
1752 | 2308 | WerFault.exe | 397
4644 | 1760 | WerFault.exe | 402
4824 | 2112 | WerFault.exe | 407
1624 | 5004 | WerFault.exe | 412
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each pair below is recorded twice in the report, 64 entries in total)
64 | e363be771314616a653cba4975637a4c.exe
836 | ZBEY.exe
4264 | UPJPMR.exe
1056 | OUKA.exe
1148 | WAWH.exe
4568 | CVAIS.exe
1864 | ZWKK.exe
4560 | WMXBL.exe
4972 | IEAUMP.exe
3436 | SMABL.exe
2692 | LQR.exe
2364 | RLDY.exe
1164 | JLRDI.exe
2292 | DGWMKX.exe
2324 | PJH.exe
3752 | GXRS.exe
3628 | ZAV.exe
3928 | FVH.exe
4512 | KOIRGPL.exe
4396 | GTBGWLG.exe
2160 | LPGVFB.exe
4976 | PXN.exe
3584 | SSEF.exe
3084 | PKO.exe
3132 | NDRXPXE.exe
3944 | RLYX.exe
4512 | QWI.exe
3216 | AUO.exe
3472 | QKB.exe
3092 | HSDEKI.exe
448 | IVUSZRR.exe
4380 | MVIVM.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each pair below is recorded twice in the report, 64 entries in total)
64 | e363be771314616a653cba4975637a4c.exe
836 | ZBEY.exe
4264 | UPJPMR.exe
1056 | OUKA.exe
1148 | WAWH.exe
4568 | CVAIS.exe
1864 | ZWKK.exe
4560 | WMXBL.exe
4972 | IEAUMP.exe
3436 | SMABL.exe
2692 | LQR.exe
2364 | RLDY.exe
1164 | JLRDI.exe
2292 | DGWMKX.exe
2324 | PJH.exe
3752 | GXRS.exe
3628 | ZAV.exe
3928 | FVH.exe
4512 | KOIRGPL.exe
4396 | GTBGWLG.exe
2160 | LPGVFB.exe
4976 | PXN.exe
3584 | SSEF.exe
3084 | PKO.exe
3132 | NDRXPXE.exe
3944 | RLYX.exe
4512 | QWI.exe
3216 | AUO.exe
3472 | QKB.exe
3092 | HSDEKI.exe
448 | IVUSZRR.exe
4380 | MVIVM.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row below is recorded three times in the report, except the last, which appears once; 64 entries in total)
PID 64 wrote to memory of 3324 | 64 | e363be771314616a653cba4975637a4c.exe | 86
PID 3324 wrote to memory of 836 | 3324 | cmd.exe | 90
PID 836 wrote to memory of 4208 | 836 | ZBEY.exe | 92
PID 4208 wrote to memory of 4264 | 4208 | cmd.exe | 96
PID 4264 wrote to memory of 3984 | 4264 | UPJPMR.exe | 97
PID 3984 wrote to memory of 1056 | 3984 | cmd.exe | 101
PID 1056 wrote to memory of 1804 | 1056 | OUKA.exe | 102
PID 1804 wrote to memory of 1148 | 1804 | cmd.exe | 106
PID 1148 wrote to memory of 1356 | 1148 | WAWH.exe | 109
PID 1356 wrote to memory of 4568 | 1356 | cmd.exe | 113
PID 4568 wrote to memory of 3492 | 4568 | CVAIS.exe | 114
PID 3492 wrote to memory of 1864 | 3492 | cmd.exe | 118
PID 1864 wrote to memory of 1164 | 1864 | ZWKK.exe | 121
PID 1164 wrote to memory of 4560 | 1164 | cmd.exe | 125
PID 4560 wrote to memory of 3108 | 4560 | WMXBL.exe | 126
PID 3108 wrote to memory of 4972 | 3108 | cmd.exe | 131
PID 4972 wrote to memory of 4952 | 4972 | IEAUMP.exe | 133
PID 4952 wrote to memory of 3436 | 4952 | cmd.exe | 137
PID 3436 wrote to memory of 4460 | 3436 | SMABL.exe | 139
PID 4460 wrote to memory of 2692 | 4460 | cmd.exe | 143
PID 2692 wrote to memory of 3288 | 2692 | LQR.exe | 144
PID 3288 wrote to memory of 2364 | 3288 | cmd.exe | 148
Processes
The bracketed number is the depth of the process in the reported tree; each entry gives the image path, the command line, the PID and the signatures matched on that process.

[1] C:\Users\Admin\AppData\Local\Temp\e363be771314616a653cba4975637a4c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e363be771314616a653cba4975637a4c.exe"
    PID: 64
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZBEY.exe.bat" "
    PID: 3324
    - Suspicious use of WriteProcessMemory
[3] C:\windows\ZBEY.exe
    Command line: C:\windows\ZBEY.exe
    PID: 836
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UPJPMR.exe.bat" "
    PID: 4208
    - Suspicious use of WriteProcessMemory
[5] C:\windows\UPJPMR.exe
    Command line: C:\windows\UPJPMR.exe
    PID: 4264
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OUKA.exe.bat" "
    PID: 3984
    - Suspicious use of WriteProcessMemory
[7] C:\windows\OUKA.exe
    Command line: C:\windows\OUKA.exe
    PID: 1056
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WAWH.exe.bat" "
    PID: 1804
    - Suspicious use of WriteProcessMemory
[9] C:\windows\WAWH.exe
    Command line: C:\windows\WAWH.exe
    PID: 1148
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVAIS.exe.bat" "
    PID: 1356
    - Suspicious use of WriteProcessMemory
[11] C:\windows\SysWOW64\CVAIS.exe
    Command line: C:\windows\system32\CVAIS.exe
    PID: 4568
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZWKK.exe.bat" "
    PID: 3492
    - Suspicious use of WriteProcessMemory
[13] C:\windows\ZWKK.exe
    Command line: C:\windows\ZWKK.exe
    PID: 1864
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WMXBL.exe.bat" "
    PID: 1164
    - Suspicious use of WriteProcessMemory
[15] C:\windows\WMXBL.exe
    Command line: C:\windows\WMXBL.exe
    PID: 4560
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEAUMP.exe.bat" "
    PID: 3108
    - Suspicious use of WriteProcessMemory
[17] C:\windows\SysWOW64\IEAUMP.exe
    Command line: C:\windows\system32\IEAUMP.exe
    PID: 4972
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SMABL.exe.bat" "
    PID: 4952
    - Suspicious use of WriteProcessMemory
[19] C:\windows\system\SMABL.exe
    Command line: C:\windows\system\SMABL.exe
    PID: 3436
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQR.exe.bat" "
    PID: 4460
    - Suspicious use of WriteProcessMemory
[21] C:\windows\SysWOW64\LQR.exe
    Command line: C:\windows\system32\LQR.exe
    PID: 2692
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RLDY.exe.bat" "
    PID: 3288
    - Suspicious use of WriteProcessMemory
[23] C:\windows\RLDY.exe
    Command line: C:\windows\RLDY.exe
    PID: 2364
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[24] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLRDI.exe.bat" "
    PID: 4732
[25] C:\windows\SysWOW64\JLRDI.exe
    Command line: C:\windows\system32\JLRDI.exe
    PID: 1164
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[26] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DGWMKX.exe.bat" "
    PID: 880
[27] C:\windows\SysWOW64\DGWMKX.exe
    Command line: C:\windows\system32\DGWMKX.exe
    PID: 2292
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[28] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJH.exe.bat" "
    PID: 2792
[29] C:\windows\system\PJH.exe
    Command line: C:\windows\system\PJH.exe
    PID: 2324
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[30] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GXRS.exe.bat" "
    PID: 4264
[31] C:\windows\GXRS.exe
    Command line: C:\windows\GXRS.exe
    PID: 3752
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[32] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZAV.exe.bat" "
    PID: 4852
[33] C:\windows\system\ZAV.exe
    Command line: C:\windows\system\ZAV.exe
    PID: 3628
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[34] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FVH.exe.bat" "
    PID: 1912
[35] C:\windows\SysWOW64\FVH.exe
    Command line: C:\windows\system32\FVH.exe
    PID: 3928
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[36] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOIRGPL.exe.bat" "
    PID: 2000
[37] C:\windows\system\KOIRGPL.exe
    Command line: C:\windows\system\KOIRGPL.exe
    PID: 4512
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[38] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GTBGWLG.exe.bat" "
    PID: 3988
[39] C:\windows\GTBGWLG.exe
    Command line: C:\windows\GTBGWLG.exe
    PID: 4396
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[40] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LPGVFB.exe.bat" "
    PID: 3872
[41] C:\windows\system\LPGVFB.exe
    Command line: C:\windows\system\LPGVFB.exe
    PID: 2160
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[42] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXN.exe.bat" "
    PID: 2292
[43] C:\windows\SysWOW64\PXN.exe
    Command line: C:\windows\system32\PXN.exe
    PID: 4976
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[44] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SSEF.exe.bat" "
    PID: 4012
[45] C:\windows\SysWOW64\SSEF.exe
    Command line: C:\windows\system32\SSEF.exe
    PID: 3584
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[46] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PKO.exe.bat" "
    PID: 1296
[47] C:\windows\PKO.exe
    Command line: C:\windows\PKO.exe
    PID: 3084
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[48] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NDRXPXE.exe.bat" "
    PID: 2300
[49] C:\windows\SysWOW64\NDRXPXE.exe
    Command line: C:\windows\system32\NDRXPXE.exe
    PID: 3132
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[50] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RLYX.exe.bat" "
    PID: 1756
[51] C:\windows\RLYX.exe
    Command line: C:\windows\RLYX.exe
    PID: 3944
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[52] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWI.exe.bat" "
    PID: 3460
[53] C:\windows\SysWOW64\QWI.exe
    Command line: C:\windows\system32\QWI.exe
    PID: 4512
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[54] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AUO.exe.bat" "
    PID: 904
-
C:\windows\AUO.exeC:\windows\AUO.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QKB.exe.bat" "56⤵PID:3064
-
C:\windows\SysWOW64\QKB.exeC:\windows\system32\QKB.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSDEKI.exe.bat" "58⤵PID:3804
-
C:\windows\SysWOW64\HSDEKI.exeC:\windows\system32\HSDEKI.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IVUSZRR.exe.bat" "60⤵PID:2036
-
C:\windows\system\IVUSZRR.exeC:\windows\system\IVUSZRR.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVIVM.exe.bat" "62⤵PID:4408
-
C:\windows\SysWOW64\MVIVM.exeC:\windows\system32\MVIVM.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYMTRY.exe.bat" "64⤵PID:2252
-
C:\windows\SysWOW64\SYMTRY.exeC:\windows\system32\SYMTRY.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EJWGAL.exe.bat" "66⤵PID:4016
-
C:\windows\system\EJWGAL.exeC:\windows\system\EJWGAL.exe67⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRDPM.exe.bat" "68⤵PID:4300
-
C:\windows\SysWOW64\IRDPM.exeC:\windows\system32\IRDPM.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UUOUV.exe.bat" "70⤵PID:2640
-
C:\windows\UUOUV.exeC:\windows\UUOUV.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JKPT.exe.bat" "72⤵PID:436
-
C:\windows\JKPT.exeC:\windows\JKPT.exe73⤵
- Checks computer location settings
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ULEE.exe.bat" "74⤵PID:2864
-
C:\windows\system\ULEE.exeC:\windows\system\ULEE.exe75⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CQJ.exe.bat" "76⤵PID:4876
-
C:\windows\CQJ.exeC:\windows\CQJ.exe77⤵
- Checks computer location settings
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RMU.exe.bat" "78⤵PID:3108
-
C:\windows\system\RMU.exeC:\windows\system\RMU.exe79⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXCKXM.exe.bat" "80⤵PID:4276
-
C:\windows\SysWOW64\PXXCKXM.exeC:\windows\system32\PXXCKXM.exe81⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CHOSZ.exe.bat" "82⤵PID:4452
-
C:\windows\CHOSZ.exeC:\windows\CHOSZ.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GPUA.exe.bat" "84⤵PID:2640
-
C:\windows\system\GPUA.exeC:\windows\system\GPUA.exe85⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FIX.exe.bat" "86⤵PID:2160
-
C:\windows\FIX.exeC:\windows\FIX.exe87⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YBMBDH.exe.bat" "88⤵PID:1404
-
C:\windows\system\YBMBDH.exeC:\windows\system\YBMBDH.exe89⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWQXI.exe.bat" "90⤵PID:3976
-
C:\windows\SysWOW64\RWQXI.exeC:\windows\system32\RWQXI.exe91⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BTW.exe.bat" "92⤵PID:460
-
C:\windows\system\BTW.exeC:\windows\system\BTW.exe93⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VPPIEBH.exe.bat" "94⤵PID:4300
-
C:\windows\VPPIEBH.exeC:\windows\VPPIEBH.exe95⤵
- Checks computer location settings
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DUUWPZD.exe.bat" "96⤵PID:1788
-
C:\windows\system\DUUWPZD.exeC:\windows\system\DUUWPZD.exe97⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAHDZY.exe.bat" "98⤵PID:4120
-
C:\windows\SysWOW64\LAHDZY.exeC:\windows\system32\LAHDZY.exe99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIJ.exe.bat" "100⤵PID:3284
-
C:\windows\SysWOW64\UIJ.exeC:\windows\system32\UIJ.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "102⤵PID:2300
-
C:\windows\SysWOW64\NBQ.exeC:\windows\system32\NBQ.exe103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MMBJDKF.exe.bat" "104⤵PID:4380
-
C:\windows\system\MMBJDKF.exeC:\windows\system\MMBJDKF.exe105⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WEKI.exe.bat" "106⤵PID:3596
-
C:\windows\WEKI.exeC:\windows\WEKI.exe107⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BKDYXIP.exe.bat" "108⤵PID:800
-
C:\windows\system\BKDYXIP.exeC:\windows\system\BKDYXIP.exe109⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OQPCI.exe.bat" "110⤵PID:4676
-
C:\windows\system\OQPCI.exeC:\windows\system\OQPCI.exe111⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVHQKSU.exe.bat" "112⤵PID:2168
-
C:\windows\SysWOW64\WVHQKSU.exeC:\windows\system32\WVHQKSU.exe113⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HOXBB.exe.bat" "114⤵PID:2784
-
C:\windows\system\HOXBB.exeC:\windows\system\HOXBB.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTXN.exe.bat" "116⤵PID:1840
-
C:\windows\SysWOW64\DTXN.exeC:\windows\system32\DTXN.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHOWO.exe.bat" "118⤵PID:2704
-
C:\windows\SysWOW64\YHOWO.exeC:\windows\system32\YHOWO.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMO.exe.bat" "120⤵PID:1160
-
C:\windows\SysWOW64\LMO.exeC:\windows\system32\LMO.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNPX.exe.bat" "122⤵PID:3824