Analysis
max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/07/2024, 05:17
Static task
static1
Behavioral task
behavioral1
Sample
de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd.exe
Resource
win10v2004-20240704-en
General
Target
de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd.exe
Size
384KB
MD5
ff8e69d8d611ed64251f1ba5a969ea2c
SHA1
a12775ea177ea1f4a257d79d17a5df34ac10dbf0
SHA256
de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd
SHA512
05b9da218ffa84f7732619bb3eab627210702c0d9141fd2390f97c677635455b0fbc8ba22cb0fe2e25cc2a16fc169e3f994ed834e44d0c096dece8737ff653ec
SSDEEP
6144:ZDqdVdWDHU1t/hBcJ9ENDEsCkEjiPISUOgW9X+hOGzC/NM:ZDqdHYSt/hB0qQkmZzcukG2/
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd.exe"C:\Users\Admin\AppData\Local\Temp\de46ccaee070561b6ae8b94739e2ae09e473c73d5deeb1730535e9d385c7f3cd.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LXHLS.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\windows\system\LXHLS.exeC:\windows\system\LXHLS.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSAV.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\windows\SysWOW64\CSAV.exeC:\windows\system32\CSAV.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JVLN.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\windows\JVLN.exeC:\windows\JVLN.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NYJIYA.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\windows\system\NYJIYA.exeC:\windows\system\NYJIYA.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMOOJG.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\windows\SysWOW64\VMOOJG.exeC:\windows\system32\VMOOJG.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKNLDPF.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\windows\SysWOW64\RKNLDPF.exeC:\windows\system32\RKNLDPF.exe13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XFYLJMV.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:184 -
C:\windows\system\XFYLJMV.exeC:\windows\system\XFYLJMV.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RQV.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\windows\SysWOW64\RQV.exeC:\windows\system32\RQV.exe17⤵
- Checks computer location settings
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZVIYMIM.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\windows\SysWOW64\ZVIYMIM.exeC:\windows\system32\ZVIYMIM.exe19⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JJWK.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\windows\JJWK.exeC:\windows\JJWK.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FUEBBIE.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\windows\FUEBBIE.exeC:\windows\FUEBBIE.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3244

C:\Windows\SysWOW64\cmd.exe (depth 24)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONCPRY.exe.bat" "
PID: 2012

C:\windows\system\ONCPRY.exe (depth 25)
Command line: C:\windows\system\ONCPRY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3956

C:\Windows\SysWOW64\cmd.exe (depth 26)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MCOKE.exe.bat" "
PID: 540

C:\windows\system\MCOKE.exe (depth 27)
Command line: C:\windows\system\MCOKE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3456

C:\Windows\SysWOW64\cmd.exe (depth 28)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQBXNA.exe.bat" "
PID: 2372

C:\windows\system\FQBXNA.exe (depth 29)
Command line: C:\windows\system\FQBXNA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4288

C:\Windows\SysWOW64\cmd.exe (depth 30)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ULLJ.exe.bat" "
PID: 3320

C:\windows\system\ULLJ.exe (depth 31)
Command line: C:\windows\system\ULLJ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2548

C:\Windows\SysWOW64\cmd.exe (depth 32)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPSB.exe.bat" "
PID: 2312

C:\windows\SysWOW64\KPSB.exe (depth 33)
Command line: C:\windows\system32\KPSB.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3832

C:\Windows\SysWOW64\cmd.exe (depth 34)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WHNTU.exe.bat" "
PID: 3156

C:\windows\SysWOW64\WHNTU.exe (depth 35)
Command line: C:\windows\system32\WHNTU.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3728

C:\Windows\SysWOW64\cmd.exe (depth 36)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KCLFJJ.exe.bat" "
PID: 3460

C:\windows\SysWOW64\KCLFJJ.exe (depth 37)
Command line: C:\windows\system32\KCLFJJ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2552

C:\Windows\SysWOW64\cmd.exe (depth 38)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QNAVSJE.exe.bat" "
PID: 224

C:\windows\SysWOW64\QNAVSJE.exe (depth 39)
Command line: C:\windows\system32\QNAVSJE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4116

C:\Windows\SysWOW64\cmd.exe (depth 40)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTUZ.exe.bat" "
PID: 4696

C:\windows\system\MTUZ.exe (depth 41)
Command line: C:\windows\system\MTUZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4684

C:\Windows\SysWOW64\cmd.exe (depth 42)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "
PID: 2088

C:\windows\SysWOW64\LZB.exe (depth 43)
Command line: C:\windows\system32\LZB.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4448

C:\Windows\SysWOW64\cmd.exe (depth 44)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCR.exe.bat" "
PID: 4756

C:\windows\SysWOW64\LCR.exe (depth 45)
Command line: C:\windows\system32\LCR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2124

C:\Windows\SysWOW64\cmd.exe (depth 46)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PKYQKI.exe.bat" "
PID: 2612

C:\windows\PKYQKI.exe (depth 47)
Command line: C:\windows\PKYQKI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2992

C:\Windows\SysWOW64\cmd.exe (depth 48)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EAGWU.exe.bat" "
PID: 2400

C:\windows\EAGWU.exe (depth 49)
Command line: C:\windows\EAGWU.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1368

C:\Windows\SysWOW64\cmd.exe (depth 50)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "
PID: 4376

C:\windows\MNSD.exe (depth 51)
Command line: C:\windows\MNSD.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3536

C:\Windows\SysWOW64\cmd.exe (depth 52)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XWNRN.exe.bat" "
PID: 1172

C:\windows\XWNRN.exe (depth 53)
Command line: C:\windows\XWNRN.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3200

C:\Windows\SysWOW64\cmd.exe (depth 54)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWPU.exe.bat" "
PID: 4328

C:\windows\system\TWPU.exe (depth 55)
Command line: C:\windows\system\TWPU.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4516

C:\Windows\SysWOW64\cmd.exe (depth 56)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SHMCJY.exe.bat" "
PID: 1400

C:\windows\SHMCJY.exe (depth 57)
Command line: C:\windows\SHMCJY.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4936

C:\Windows\SysWOW64\cmd.exe (depth 58)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UUYA.exe.bat" "
PID: 2276

C:\windows\UUYA.exe (depth 59)
Command line: C:\windows\UUYA.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2712

C:\Windows\SysWOW64\cmd.exe (depth 60)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQPCI.exe.bat" "
PID: 2952

C:\windows\system\OQPCI.exe (depth 61)
Command line: C:\windows\system\OQPCI.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4404

C:\Windows\SysWOW64\cmd.exe (depth 62)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQYV.exe.bat" "
PID: 3004

C:\windows\system\EQYV.exe (depth 63)
Command line: C:\windows\system\EQYV.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4232

C:\Windows\SysWOW64\cmd.exe (depth 64)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDR.exe.bat" "
PID: 3376

C:\windows\SysWOW64\YDR.exe (depth 65)
Command line: C:\windows\system32\YDR.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2876

C:\Windows\SysWOW64\cmd.exe (depth 66)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJDYPQ.exe.bat" "
PID: 4044

C:\windows\SysWOW64\TJDYPQ.exe (depth 67)
Command line: C:\windows\system32\TJDYPQ.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1208

C:\Windows\SysWOW64\cmd.exe (depth 68)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WWVZ.exe.bat" "
PID: 1284

C:\windows\WWVZ.exe (depth 69)
Command line: C:\windows\WWVZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 1196

C:\Windows\SysWOW64\cmd.exe (depth 70)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSA.exe.bat" "
PID: 2064

C:\windows\SysWOW64\TSA.exe (depth 71)
Command line: C:\windows\system32\TSA.exe
- Checks computer location settings
- Executes dropped EXE
PID: 900

C:\Windows\SysWOW64\cmd.exe (depth 72)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ADQXTZ.exe.bat" "
PID: 3272

C:\windows\ADQXTZ.exe (depth 73)
Command line: C:\windows\ADQXTZ.exe
- Checks computer location settings
- Executes dropped EXE
PID: 840

C:\Windows\SysWOW64\cmd.exe (depth 74)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "
PID: 1084

C:\windows\system\MOAKCEQ.exe (depth 75)
Command line: C:\windows\system\MOAKCEQ.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4592

C:\Windows\SysWOW64\cmd.exe (depth 76)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OBS.exe.bat" "
PID: 3740

C:\windows\OBS.exe (depth 77)
Command line: C:\windows\OBS.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3024

C:\Windows\SysWOW64\cmd.exe (depth 78)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FER.exe.bat" "
PID: 4208

C:\windows\SysWOW64\FER.exe (depth 79)
Command line: C:\windows\system32\FER.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 2180

C:\Windows\SysWOW64\cmd.exe (depth 80)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASVML.exe.bat" "
PID: 2928

C:\windows\SysWOW64\ASVML.exe (depth 81)
Command line: C:\windows\system32\ASVML.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 2616

C:\Windows\SysWOW64\cmd.exe (depth 82)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KKFU.exe.bat" "
PID: 2392

C:\windows\KKFU.exe (depth 83)
Command line: C:\windows\KKFU.exe
- Executes dropped EXE
PID: 1440

C:\Windows\SysWOW64\cmd.exe (depth 84)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVJ.exe.bat" "
PID: 2288

C:\windows\system\PVJ.exe (depth 85)
Command line: C:\windows\system\PVJ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 2812

C:\Windows\SysWOW64\cmd.exe (depth 86)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRUKQAZ.exe.bat" "
PID: 3968

C:\windows\SysWOW64\WRUKQAZ.exe (depth 87)
Command line: C:\windows\system32\WRUKQAZ.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4420

C:\Windows\SysWOW64\cmd.exe (depth 88)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AHBA.exe.bat" "
PID: 1076

C:\windows\system\AHBA.exe (depth 89)
Command line: C:\windows\system\AHBA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4280

C:\Windows\SysWOW64\cmd.exe (depth 90)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNEZM.exe.bat" "
PID: 1004

C:\windows\SysWOW64\SKNEZM.exe (depth 91)
Command line: C:\windows\system32\SKNEZM.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 3200

C:\Windows\SysWOW64\cmd.exe (depth 92)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RNM.exe.bat" "
PID: 1616

C:\windows\RNM.exe (depth 93)
Command line: C:\windows\RNM.exe
- Executes dropped EXE
PID: 3928

C:\Windows\SysWOW64\cmd.exe (depth 94)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQUUSV.exe.bat" "
PID: 2664

C:\windows\system\EQUUSV.exe (depth 95)
Command line: C:\windows\system\EQUUSV.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3712

C:\Windows\SysWOW64\cmd.exe (depth 96)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYK.exe.bat" "
PID: 1300

C:\windows\SysWOW64\GYK.exe (depth 97)
Command line: C:\windows\system32\GYK.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2720

C:\Windows\SysWOW64\cmd.exe (depth 98)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IWX.exe.bat" "
PID: 4932

C:\windows\SysWOW64\IWX.exe (depth 99)
Command line: C:\windows\system32\IWX.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4264

C:\Windows\SysWOW64\cmd.exe (depth 100)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFSW.exe.bat" "
PID: 1292

C:\windows\system\GFSW.exe (depth 101)
Command line: C:\windows\system\GFSW.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3376

C:\Windows\SysWOW64\cmd.exe (depth 102)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICY.exe.bat" "
PID: 2468

C:\windows\SysWOW64\ICY.exe (depth 103)
Command line: C:\windows\system32\ICY.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1512

C:\Windows\SysWOW64\cmd.exe (depth 104)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDOKYRQ.exe.bat" "
PID: 3080

C:\windows\SysWOW64\YDOKYRQ.exe (depth 105)
Command line: C:\windows\system32\YDOKYRQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 3428

C:\Windows\SysWOW64\cmd.exe (depth 106)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBAFLW.exe.bat" "
PID: 1076

C:\windows\SysWOW64\XBAFLW.exe (depth 107)
Command line: C:\windows\system32\XBAFLW.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4444

C:\Windows\SysWOW64\cmd.exe (depth 108)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PWGXLV.exe.bat" "
PID: 5056

C:\windows\SysWOW64\PWGXLV.exe (depth 109)
Command line: C:\windows\system32\PWGXLV.exe
- Checks computer location settings
- Executes dropped EXE
PID: 3864

C:\Windows\SysWOW64\cmd.exe (depth 110)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XJXWF.exe.bat" "
PID: 2988

C:\windows\system\XJXWF.exe (depth 111)
Command line: C:\windows\system\XJXWF.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2080

C:\Windows\SysWOW64\cmd.exe (depth 112)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFXEPPM.exe.bat" "
PID: 3824

C:\windows\SysWOW64\KFXEPPM.exe (depth 113)
Command line: C:\windows\system32\KFXEPPM.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4528

C:\Windows\SysWOW64\cmd.exe (depth 114)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VXEPG.exe.bat" "
PID: 4372

C:\windows\VXEPG.exe (depth 115)
Command line: C:\windows\VXEPG.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 3304

C:\Windows\SysWOW64\cmd.exe (depth 116)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYBPK.exe.bat" "
PID: 2712

C:\windows\SysWOW64\KYBPK.exe (depth 117)
Command line: C:\windows\system32\KYBPK.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 3720

C:\Windows\SysWOW64\cmd.exe (depth 118)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZTL.exe.bat" "
PID: 4508

C:\windows\ZTL.exe (depth 119)
Command line: C:\windows\ZTL.exe
- Executes dropped EXE
PID: 4072

C:\Windows\SysWOW64\cmd.exe (depth 120)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUO.exe.bat" "
PID: 5112

C:\windows\system\DUO.exe (depth 121)
Command line: C:\windows\system\DUO.exe
- Executes dropped EXE
PID: 2544

C:\Windows\SysWOW64\cmd.exe (depth 122)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UEMB.exe.bat" "
PID: 4408