Analysis

max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 00:19
Static task: static1

Behavioral task: behavioral1
  Sample: 1b21c42a002b91ccfbc38cb8a3472a40N.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 1b21c42a002b91ccfbc38cb8a3472a40N.exe
  Resource: win10v2004-20240709-en
General

Target: 1b21c42a002b91ccfbc38cb8a3472a40N.exe
Size: 208KB
MD5: 1b21c42a002b91ccfbc38cb8a3472a40
SHA1: 1bd65a22cd04391fac820e92ea624e455c14e86f
SHA256: a51471c346766e79a8385a5c717f79a80c4213581940fe87cf99edc69bd4300c
SHA512: 6e1d7a33ac9cffe8b55e987ea53cc5144a0f504017858be20a01f3e4225788413b76bef164817b7c3345f74058288b829cd55cc232ceae8359c7bf2a2c894014
SSDEEP: 3072:lW9CO41zW5pZJ5p50uvq2WKk9FYx+znSaGdjrozMYeCoZ398p4pLthEjQT65:liyz+vqfjY8OaAHoQYepZ3SpkEjP
Malware Config

Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.

All 64 IoCs have description "Key value queried" on the same key, \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation, one entry per querying process:
ZRH.exe, UAQ.exe, EDWI.exe, LEWHM.exe, QBBYMX.exe, YDC.exe, YRVV.exe, RMSNFCT.exe, CCIYP.exe, IHZL.exe, RZM.exe, RJR.exe, PCJVXR.exe, GAN.exe, CQWMFF.exe,
TJHLW.exe, AMX.exe, TIOBTY.exe, MTPFOUV.exe, FFHLFL.exe, NLN.exe, ZTWDS.exe, JNNL.exe, DEXER.exe, CBZYJ.exe, FXOJP.exe, LYW.exe, MUVQR.exe, ROXFP.exe, MQSXNC.exe,
YKEFXQ.exe, ONVIA.exe, GRAYOW.exe, QVJIH.exe, XCQEEW.exe, NHQU.exe, GIGDOHP.exe, PKLYAOH.exe, MOVC.exe, EVMILO.exe, CRFXSZG.exe, PUFWM.exe, XCDWFQ.exe, SVKL.exe, YOLOUO.exe,
DUUWPZD.exe, XIJEBDM.exe, GOVOZKF.exe, FEMFT.exe, YLDBEP.exe, SEFYR.exe, XKGZ.exe, FZW.exe, UPGD.exe, UHJTMZ.exe, SVJP.exe, SJXY.exe, PYU.exe, BHAFK.exe, TKGZV.exe,
VLQXHJ.exe, RZMJPLQ.exe, RGTCOQX.exe, SLRR.exe
Executes dropped EXE (64 IoCs)

pid / Process:
3084 AUMJU.exe; 852 SCBGH.exe; 1292 GIGDOHP.exe; 2240 IGAYUEF.exe; 3600 UYDQ.exe; 2732 QWI.exe; 4904 RZMJPLQ.exe; 2364 AMX.exe;
4336 BHAFK.exe; 4072 KQC.exe; 2208 QQKYF.exe; 3884 MVIVM.exe; 3244 YOLOUO.exe; 3248 FEMFT.exe; 3452 RMSNFCT.exe; 3572 TKGZV.exe;
4760 SVJP.exe; 2360 VLQXHJ.exe; 2060 WGTTV.exe; 4808 RBYCXYC.exe; 2340 CUB.exe; 1604 ZRH.exe; 2644 TNMC.exe; 5016 ZNLPGSK.exe;
1872 UAQ.exe; 4268 ONVIA.exe; 1132 EDWI.exe; 4852 SJC.exe; 3828 HELJZJ.exe; 3952 PKLYAOH.exe; 3368 DUUWPZD.exe; 1720 JQT.exe;
4744 YLDBEP.exe; 2036 AJEELE.exe; 4796 LBLOUF.exe; 3404 GOQ.exe; 4628 SEFYR.exe; 4996 SKXMSK.exe; 896 KNB.exe; 2196 WVHQKSU.exe;
4360 HOKJSZK.exe; 4488 RBVB.exe; 64 CUYUID.exe; 5096 WHCDSDB.exe; 2256 XKGZ.exe; 3760 EFD.exe; 2616 BLJIP.exe; 896 HDRWGGO.exe;
328 ZGVA.exe; 2432 ROXFP.exe; 4192 LBBOZTG.exe; 3572 IHZL.exe; 1412 RHBQJ.exe; 348 XIJEBDM.exe; 3020 ZFK.exe; 1292 MQSXNC.exe;
2824 ZTWDS.exe; 3524 ZMXFGYG.exe; 3452 FZW.exe; 2576 RZM.exe; 988 IAOV.exe; 3992 RNYNNEU.exe; 3364 EQUUSV.exe; 4008 GOVOZKF.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\windows\SysWOW64\ARPBQZR.exe.bat | PYU.exe
File opened for modification | C:\windows\SysWOW64\RZRGT.exe | ARPBQZR.exe
File created | C:\windows\SysWOW64\QGDJY.exe.bat | DEMKS.exe
File opened for modification | C:\windows\SysWOW64\ARPBQZR.exe | PYU.exe
File created | C:\windows\SysWOW64\VAM.exe | MAKTUNC.exe
File created | C:\windows\SysWOW64\WGTTV.exe | VLQXHJ.exe
File created | C:\windows\SysWOW64\EDWI.exe.bat | ONVIA.exe
File created | C:\windows\SysWOW64\JQT.exe.bat | DUUWPZD.exe
File created | C:\windows\SysWOW64\XIJEBDM.exe | RHBQJ.exe
File opened for modification | C:\windows\SysWOW64\BFF.exe | GRAYOW.exe
File created | C:\windows\SysWOW64\RZM.exe | FZW.exe
File created | C:\windows\SysWOW64\FFHLFL.exe.bat | DHGIZO.exe
File created | C:\windows\SysWOW64\EASUC.exe.bat | JNNL.exe
File opened for modification | C:\windows\SysWOW64\SVJP.exe | TKGZV.exe
File opened for modification | C:\windows\SysWOW64\ZNLPGSK.exe | TNMC.exe
File opened for modification | C:\windows\SysWOW64\JQT.exe | DUUWPZD.exe
File created | C:\windows\SysWOW64\SEFYR.exe.bat | GOQ.exe
File created | C:\windows\SysWOW64\XIJEBDM.exe.bat | RHBQJ.exe
File opened for modification | C:\windows\SysWOW64\TIOBTY.exe | XCQEEW.exe
File opened for modification | C:\windows\SysWOW64\KQC.exe | BHAFK.exe
File opened for modification | C:\windows\SysWOW64\GOVOZKF.exe | EQUUSV.exe
File created | C:\windows\SysWOW64\GEGVH.exe | IEZ.exe
File opened for modification | C:\windows\SysWOW64\PUFWM.exe | POEI.exe
File created | C:\windows\SysWOW64\QQKYF.exe | KQC.exe
File opened for modification | C:\windows\SysWOW64\PKLYAOH.exe | HELJZJ.exe
File created | C:\windows\SysWOW64\YDC.exe | VQXXGZ.exe
File created | C:\windows\SysWOW64\YOSSFPH.exe.bat | CJMVYF.exe
File opened for modification | C:\windows\SysWOW64\JZWE.exe | DZO.exe
File created | C:\windows\SysWOW64\SEFYR.exe | GOQ.exe
File created | C:\windows\SysWOW64\GOVOZKF.exe | EQUUSV.exe
File created | C:\windows\SysWOW64\JNNL.exe | FFHLFL.exe
File created | C:\windows\SysWOW64\QWI.exe | UYDQ.exe
File created | C:\windows\SysWOW64\QWI.exe.bat | UYDQ.exe
File created | C:\windows\SysWOW64\RBYCXYC.exe.bat | WGTTV.exe
File opened for modification | C:\windows\SysWOW64\TNMC.exe | ZRH.exe
File created | C:\windows\SysWOW64\TNMC.exe.bat | ZRH.exe
File created | C:\windows\SysWOW64\BFF.exe.bat | GRAYOW.exe
File created | C:\windows\SysWOW64\DEXER.exe | QBBYMX.exe
File created | C:\windows\SysWOW64\WXI.exe.bat | QXASNF.exe
File created | C:\windows\SysWOW64\RZRGT.exe | ARPBQZR.exe
File created | C:\windows\SysWOW64\TIOBTY.exe.bat | XCQEEW.exe
File created | C:\windows\SysWOW64\WGTTV.exe.bat | VLQXHJ.exe
File opened for modification | C:\windows\SysWOW64\SJC.exe | EDWI.exe
File opened for modification | C:\windows\SysWOW64\LBBOZTG.exe | ROXFP.exe
File created | C:\windows\SysWOW64\GOVOZKF.exe.bat | EQUUSV.exe
File created | C:\windows\SysWOW64\TYQKLOA.exe | NYIW.exe
File opened for modification | C:\windows\SysWOW64\SEFYR.exe | GOQ.exe
File opened for modification | C:\windows\SysWOW64\RJR.exe | EGVZ.exe
File created | C:\windows\SysWOW64\RZRGT.exe.bat | ARPBQZR.exe
File created | C:\windows\SysWOW64\UKD.exe | YEFP.exe
File opened for modification | C:\windows\SysWOW64\PCIKLO.exe | UPDB.exe
File opened for modification | C:\windows\SysWOW64\QWI.exe | UYDQ.exe
File created | C:\windows\SysWOW64\WVHQKSU.exe | KNB.exe
File opened for modification | C:\windows\SysWOW64\UKD.exe | YEFP.exe
File opened for modification | C:\windows\SysWOW64\QQKYF.exe | KQC.exe
File opened for modification | C:\windows\SysWOW64\EDWI.exe | ONVIA.exe
File opened for modification | C:\windows\SysWOW64\SKXMSK.exe | SEFYR.exe
File created | C:\windows\SysWOW64\QRAEM.exe | TMUP.exe
File created | C:\windows\SysWOW64\SJXY.exe | RGTCOQX.exe
File opened for modification | C:\windows\SysWOW64\TYQKLOA.exe | NYIW.exe
File created | C:\windows\SysWOW64\HDRV.exe | GAN.exe
File opened for modification | C:\windows\SysWOW64\VQXXGZ.exe | FARUUNV.exe
File created | C:\windows\SysWOW64\IGAYUEF.exe.bat | GIGDOHP.exe
File opened for modification | C:\windows\SysWOW64\MAKTUNC.exe | PUFWM.exe
Drops file in Windows directory (64 IoCs)

description | ioc | Process
File created | C:\windows\NLN.exe | TYQKLOA.exe
File created | C:\windows\system\WDAV.exe.bat | WXI.exe
File created | C:\windows\RWI.exe.bat | CBZYJ.exe
File opened for modification | C:\windows\MLK.exe | CCIYP.exe
File created | C:\windows\MLK.exe.bat | CCIYP.exe
File opened for modification | C:\windows\system\CUYUID.exe | RBVB.exe
File created | C:\windows\XCQEEW.exe | NCO.exe
File created | C:\windows\system\UHJTMZ.exe.bat | XCDWFQ.exe
File created | C:\windows\MLV.exe | FAMWMB.exe
File opened for modification | C:\windows\MLV.exe | FAMWMB.exe
File created | C:\windows\system\PCJVXR.exe.bat | CRFXSZG.exe
File created | C:\windows\system\SLRR.exe.bat | MLK.exe
File opened for modification | C:\windows\GRAYOW.exe | LEWHM.exe
File created | C:\windows\system\MQSXNC.exe.bat | ZFK.exe
File created | C:\windows\EVMILO.exe.bat | BFF.exe
File opened for modification | C:\windows\FAMWMB.exe | EVMILO.exe
File opened for modification | C:\windows\CCIYP.exe | NHQU.exe
File created | C:\windows\DEMKS.exe.bat | SLRR.exe
File created | C:\windows\system\YLDBEP.exe | JQT.exe
File created | C:\windows\system\IAOV.exe.bat | RZM.exe
File created | C:\windows\system\CBZYJ.exe.bat | HOU.exe
File opened for modification | C:\windows\XCQEEW.exe | NCO.exe
File created | C:\windows\system\BLJIP.exe | EFD.exe
File opened for modification | C:\windows\OLLVES.exe | UPGD.exe
File opened for modification | C:\windows\EVMILO.exe | BFF.exe
File created | C:\windows\system\NHQU.exe | JZWE.exe
File created | C:\windows\system\SLRR.exe | MLK.exe
File created | C:\windows\system\KOS.exe.bat | PTNNCKX.exe
File opened for modification | C:\windows\RBVB.exe | HOKJSZK.exe
File created | C:\windows\system\MQSXNC.exe | ZFK.exe
File opened for modification | C:\windows\system\MQSXNC.exe | ZFK.exe
File created | C:\windows\NLN.exe.bat | TYQKLOA.exe
File opened for modification | C:\windows\TPX.exe | RZRGT.exe
File created | C:\windows\system\QVJIH.exe.bat | VAM.exe
File opened for modification | C:\windows\AJEELE.exe | YLDBEP.exe
File created | C:\windows\system\WHXIW.exe | DEXER.exe
File created | C:\windows\CCIYP.exe.bat | NHQU.exe
File opened for modification | C:\windows\YKEFXQ.exe | WUC.exe
File created | C:\windows\system\EQUUSV.exe | RNYNNEU.exe
File opened for modification | C:\windows\EFD.exe | XKGZ.exe
File created | C:\windows\ZGVA.exe.bat | HDRWGGO.exe
File opened for modification | C:\windows\DEMKS.exe | SLRR.exe
File created | C:\windows\system\WHCDSDB.exe | CUYUID.exe
File opened for modification | C:\windows\VLQXHJ.exe | SVJP.exe
File opened for modification | C:\windows\system\DUUWPZD.exe | PKLYAOH.exe
File created | C:\windows\system\CUYUID.exe | RBVB.exe
File opened for modification | C:\windows\NLN.exe | TYQKLOA.exe
File opened for modification | C:\windows\system\QVJIH.exe | VAM.exe
File created | C:\windows\system\MTPFOUV.exe | QVJIH.exe
File created | C:\windows\SVKL.exe.bat | SCKJ.exe
File created | C:\windows\system\UYDQ.exe.bat | IGAYUEF.exe
File opened for modification | C:\windows\CUB.exe | RBYCXYC.exe
File opened for modification | C:\windows\GOQ.exe | LBLOUF.exe
File created | C:\windows\system\WHCDSDB.exe.bat | CUYUID.exe
File created | C:\windows\PTNNCKX.exe.bat | EASUC.exe
File opened for modification | C:\windows\system\UPGD.exe | SAF.exe
File created | C:\windows\system\EGVZ.exe.bat | OLLVES.exe
File created | C:\windows\QXASNF.exe.bat | QRAEM.exe
File opened for modification | C:\windows\RMSNFCT.exe | FEMFT.exe
File opened for modification | C:\windows\system\SLRR.exe | MLK.exe
File opened for modification | C:\windows\RWI.exe | CBZYJ.exe
File created | C:\windows\OLLVES.exe.bat | UPGD.exe
File created | C:\windows\system\PYU.exe | STOTAA.exe
File created | C:\windows\system\CBZYJ.exe | HOU.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)

All 64 entries have Process WerFault.exe. Listed as pid -> pid_target (procid_target):
3944 -> 1444 (82); 1984 -> 3084 (90); 2888 -> 852 (96); 832 -> 1292 (101); 376 -> 2240 (106); 3052 -> 3600 (111); 2972 -> 2732 (116); 4280 -> 4904 (121);
648 -> 2364 (126); 2696 -> 4336 (131); 3132 -> 4072 (136); 4048 -> 2208 (141); 3368 -> 3884 (146); 1572 -> 3244 (151); 884 -> 3248 (156); 4800 -> 3452 (161);
2164 -> 3572 (166); 3992 -> 4760 (170); 1176 -> 2360 (176); 3148 -> 2060 (180); 2948 -> 4808 (186); 4320 -> 2340 (191); 3800 -> 1604 (196); 5072 -> 2644 (201);
1312 -> 5016 (206); 4404 -> 1872 (211); 4984 -> 4268 (216); 3136 -> 1132 (221); 5092 -> 4852 (226); 3348 -> 3828 (231); 1512 -> 3952 (236); 1520 -> 3368 (241);
1316 -> 1720 (246); 2924 -> 4744 (251); 2556 -> 2036 (256); 1772 -> 4796 (261); 4324 -> 3404 (266); 4376 -> 4628 (271); 3200 -> 4996 (276); 4356 -> 896 (282);
1816 -> 2196 (288); 3440 -> 4360 (293); 2128 -> 4488 (298); 360 -> 64 (303); 3748 -> 5096 (308); 4688 -> 2256 (314); 4996 -> 3760 (319); 5076 -> 2616 (324);
1544 -> 896 (329); 3820 -> 328 (334); 2128 -> 2432 (339); 4256 -> 4192 (344); 4696 -> 3572 (349); 2364 -> 1412 (353); 1068 -> 348 (359); 1704 -> 3020 (364);
4408 -> 1292 (369); 4036 -> 2824 (374); 4744 -> 3524 (379); 3108 -> 3452 (384); 1536 -> 2576 (389); 3572 -> 988 (394); 1188 -> 3992 (399); 2108 -> 3364 (404)
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid / Process (each of the 32 pairs appears twice in the table):
1444 1b21c42a002b91ccfbc38cb8a3472a40N.exe; 3084 AUMJU.exe; 852 SCBGH.exe; 1292 GIGDOHP.exe; 2240 IGAYUEF.exe; 3600 UYDQ.exe; 2732 QWI.exe; 4904 RZMJPLQ.exe;
2364 AMX.exe; 4336 BHAFK.exe; 4072 KQC.exe; 2208 QQKYF.exe; 3884 MVIVM.exe; 3244 YOLOUO.exe; 3248 FEMFT.exe; 3452 RMSNFCT.exe;
3572 TKGZV.exe; 4760 SVJP.exe; 2360 VLQXHJ.exe; 2060 WGTTV.exe; 4808 RBYCXYC.exe; 2340 CUB.exe; 1604 ZRH.exe; 2644 TNMC.exe;
5016 ZNLPGSK.exe; 1872 UAQ.exe; 4268 ONVIA.exe; 1132 EDWI.exe; 4852 SJC.exe; 3828 HELJZJ.exe; 3952 PKLYAOH.exe; 3368 DUUWPZD.exe
Suspicious use of SetWindowsHookEx (64 IoCs)

pid / Process (each of the 32 pairs appears twice in the table):
1444 1b21c42a002b91ccfbc38cb8a3472a40N.exe; 3084 AUMJU.exe; 852 SCBGH.exe; 1292 GIGDOHP.exe; 2240 IGAYUEF.exe; 3600 UYDQ.exe; 2732 QWI.exe; 4904 RZMJPLQ.exe;
2364 AMX.exe; 4336 BHAFK.exe; 4072 KQC.exe; 2208 QQKYF.exe; 3884 MVIVM.exe; 3244 YOLOUO.exe; 3248 FEMFT.exe; 3452 RMSNFCT.exe;
3572 TKGZV.exe; 4760 SVJP.exe; 2360 VLQXHJ.exe; 2060 WGTTV.exe; 4808 RBYCXYC.exe; 2340 CUB.exe; 1604 ZRH.exe; 2644 TNMC.exe;
5016 ZNLPGSK.exe; 1872 UAQ.exe; 4268 ONVIA.exe; 1132 EDWI.exe; 4852 SJC.exe; 3828 HELJZJ.exe; 3952 PKLYAOH.exe; 3368 DUUWPZD.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each row reads "PID <pid> wrote to memory of <target pid>", with the writing Process and procid_target. Every row below appears three times in the table except the last, which appears once (21 x 3 + 1 = 64):
1444 -> 3992 | 1b21c42a002b91ccfbc38cb8a3472a40N.exe | 86
3992 -> 3084 | cmd.exe | 90
3084 -> 4852 | AUMJU.exe | 92
4852 -> 852 | cmd.exe | 96
852 -> 1900 | SCBGH.exe | 97
1900 -> 1292 | cmd.exe | 101
1292 -> 2824 | GIGDOHP.exe | 102
2824 -> 2240 | cmd.exe | 106
2240 -> 3380 | IGAYUEF.exe | 107
3380 -> 3600 | cmd.exe | 111
3600 -> 2728 | UYDQ.exe | 112
2728 -> 2732 | cmd.exe | 116
2732 -> 2072 | QWI.exe | 117
2072 -> 4904 | cmd.exe | 121
4904 -> 4948 | RZMJPLQ.exe | 122
4948 -> 2364 | cmd.exe | 126
2364 -> 784 | AMX.exe | 127
784 -> 4336 | cmd.exe | 131
4336 -> 4628 | BHAFK.exe | 132
4628 -> 4072 | cmd.exe | 136
4072 -> 2396 | KQC.exe | 137
2396 -> 2208 | cmd.exe | 141 (once)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b21c42a002b91ccfbc38cb8a3472a40N.exe"C:\Users\Admin\AppData\Local\Temp\1b21c42a002b91ccfbc38cb8a3472a40N.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AUMJU.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\windows\AUMJU.exeC:\windows\AUMJU.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SCBGH.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\windows\SCBGH.exeC:\windows\SCBGH.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GIGDOHP.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\windows\GIGDOHP.exeC:\windows\GIGDOHP.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IGAYUEF.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\windows\SysWOW64\IGAYUEF.exeC:\windows\system32\IGAYUEF.exe9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UYDQ.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\windows\system\UYDQ.exeC:\windows\system\UYDQ.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWI.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\windows\SysWOW64\QWI.exeC:\windows\system32\QWI.exe13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RZMJPLQ.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\windows\RZMJPLQ.exeC:\windows\RZMJPLQ.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMX.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\windows\system\AMX.exeC:\windows\system\AMX.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BHAFK.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\windows\SysWOW64\BHAFK.exeC:\windows\system32\BHAFK.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQC.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\windows\SysWOW64\KQC.exeC:\windows\system32\KQC.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQKYF.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\windows\SysWOW64\QQKYF.exeC:\windows\system32\QQKYF.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVIVM.exe.bat" "24⤵PID:1904
-
C:\windows\SysWOW64\MVIVM.exeC:\windows\system32\MVIVM.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOLOUO.exe.bat" "
26⤵
PID:4352

C:\windows\system\YOLOUO.exe
C:\windows\system\YOLOUO.exe
27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\FEMFT.exe.bat" "
28⤵
PID:1896

C:\windows\FEMFT.exe
C:\windows\FEMFT.exe
29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RMSNFCT.exe.bat" "
30⤵
PID:2204

C:\windows\RMSNFCT.exe
C:\windows\RMSNFCT.exe
31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKGZV.exe.bat" "
32⤵
PID:3524

C:\windows\system\TKGZV.exe
C:\windows\system\TKGZV.exe
33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVJP.exe.bat" "
34⤵
PID:4404

C:\windows\SysWOW64\SVJP.exe
C:\windows\system32\SVJP.exe
35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\VLQXHJ.exe.bat" "
36⤵
PID:3420

C:\windows\VLQXHJ.exe
C:\windows\VLQXHJ.exe
37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGTTV.exe.bat" "
38⤵
PID:1444

C:\windows\SysWOW64\WGTTV.exe
C:\windows\system32\WGTTV.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBYCXYC.exe.bat" "
40⤵
PID:1188

C:\windows\SysWOW64\RBYCXYC.exe
C:\windows\system32\RBYCXYC.exe
41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\CUB.exe.bat" "
42⤵
PID:716

C:\windows\CUB.exe
C:\windows\CUB.exe
43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRH.exe.bat" "
44⤵
PID:1276

C:\windows\system\ZRH.exe
C:\windows\system\ZRH.exe
45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNMC.exe.bat" "
46⤵
PID:3860

C:\windows\SysWOW64\TNMC.exe
C:\windows\system32\TNMC.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZNLPGSK.exe.bat" "
48⤵
PID:608

C:\windows\SysWOW64\ZNLPGSK.exe
C:\windows\system32\ZNLPGSK.exe
49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\UAQ.exe.bat" "
50⤵
PID:4884

C:\windows\UAQ.exe
C:\windows\UAQ.exe
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONVIA.exe.bat" "
52⤵
PID:4788

C:\windows\system\ONVIA.exe
C:\windows\system\ONVIA.exe
53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EDWI.exe.bat" "
54⤵
PID:4916

C:\windows\SysWOW64\EDWI.exe
C:\windows\system32\EDWI.exe
55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJC.exe.bat" "
56⤵
PID:1412

C:\windows\SysWOW64\SJC.exe
C:\windows\system32\SJC.exe
57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HELJZJ.exe.bat" "
58⤵
PID:1476

C:\windows\system\HELJZJ.exe
C:\windows\system\HELJZJ.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PKLYAOH.exe.bat" "
60⤵
PID:3844

C:\windows\SysWOW64\PKLYAOH.exe
C:\windows\system32\PKLYAOH.exe
61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUUWPZD.exe.bat" "
62⤵
PID:4808

C:\windows\system\DUUWPZD.exe
C:\windows\system\DUUWPZD.exe
63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQT.exe.bat" "
64⤵
PID:1900

C:\windows\SysWOW64\JQT.exe
C:\windows\system32\JQT.exe
65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\YLDBEP.exe.bat" "
66⤵
PID:2824

C:\windows\system\YLDBEP.exe
C:\windows\system\YLDBEP.exe
67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\AJEELE.exe.bat" "
68⤵
PID:1876

C:\windows\AJEELE.exe
C:\windows\AJEELE.exe
69⤵
- Executes dropped EXE
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\LBLOUF.exe.bat" "
70⤵
PID:4500

C:\windows\LBLOUF.exe
C:\windows\LBLOUF.exe
71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\GOQ.exe.bat" "
72⤵
PID:2016

C:\windows\GOQ.exe
C:\windows\GOQ.exe
73⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEFYR.exe.bat" "
74⤵
PID:784

C:\windows\SysWOW64\SEFYR.exe
C:\windows\system32\SEFYR.exe
75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKXMSK.exe.bat" "
76⤵
PID:3492

C:\windows\SysWOW64\SKXMSK.exe
C:\windows\system32\SKXMSK.exe
77⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\KNB.exe.bat" "
78⤵
PID:4736

C:\windows\KNB.exe
C:\windows\KNB.exe
79⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVHQKSU.exe.bat" "
80⤵
PID:3380

C:\windows\SysWOW64\WVHQKSU.exe
C:\windows\system32\WVHQKSU.exe
81⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOKJSZK.exe.bat" "
82⤵
PID:2296

C:\windows\system\HOKJSZK.exe
C:\windows\system\HOKJSZK.exe
83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RBVB.exe.bat" "
84⤵
PID:4392

C:\windows\RBVB.exe
C:\windows\RBVB.exe
85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUYUID.exe.bat" "
86⤵
PID:4624

C:\windows\system\CUYUID.exe
C:\windows\system\CUYUID.exe
87⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\WHCDSDB.exe.bat" "
88⤵
PID:368

C:\windows\system\WHCDSDB.exe
C:\windows\system\WHCDSDB.exe
89⤵
- Executes dropped EXE
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\XKGZ.exe.bat" "
90⤵
PID:4760

C:\windows\XKGZ.exe
C:\windows\XKGZ.exe
91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\EFD.exe.bat" "
92⤵
PID:1320

C:\windows\EFD.exe
C:\windows\EFD.exe
93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\BLJIP.exe.bat" "
94⤵
PID:3844

C:\windows\system\BLJIP.exe
C:\windows\system\BLJIP.exe
95⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDRWGGO.exe.bat" "
96⤵
PID:2340

C:\windows\SysWOW64\HDRWGGO.exe
C:\windows\system32\HDRWGGO.exe
97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZGVA.exe.bat" "
98⤵
PID:3244

C:\windows\ZGVA.exe
C:\windows\ZGVA.exe
99⤵
- Executes dropped EXE
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ROXFP.exe.bat" "
100⤵
PID:4524

C:\windows\system\ROXFP.exe
C:\windows\system\ROXFP.exe
101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBBOZTG.exe.bat" "
102⤵
PID:1484

C:\windows\SysWOW64\LBBOZTG.exe
C:\windows\system32\LBBOZTG.exe
103⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IHZL.exe.bat" "
104⤵
PID:1644

C:\windows\system\IHZL.exe
C:\windows\system\IHZL.exe
105⤵
- Checks computer location settings
- Executes dropped EXE
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\RHBQJ.exe.bat" "
106⤵
PID:3556

C:\windows\RHBQJ.exe
C:\windows\RHBQJ.exe
107⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIJEBDM.exe.bat" "
108⤵
PID:436

C:\windows\SysWOW64\XIJEBDM.exe
C:\windows\system32\XIJEBDM.exe
109⤵
- Checks computer location settings
- Executes dropped EXE
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFK.exe.bat" "
110⤵
PID:852

C:\windows\SysWOW64\ZFK.exe
C:\windows\system32\ZFK.exe
111⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\MQSXNC.exe.bat" "
112⤵
PID:4996

C:\windows\system\MQSXNC.exe
C:\windows\system\MQSXNC.exe
113⤵
- Checks computer location settings
- Executes dropped EXE
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZTWDS.exe.bat" "
114⤵
PID:1504

C:\windows\system\ZTWDS.exe
C:\windows\system\ZTWDS.exe
115⤵
- Checks computer location settings
- Executes dropped EXE
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\ZMXFGYG.exe.bat" "
116⤵
PID:1544

C:\windows\ZMXFGYG.exe
C:\windows\ZMXFGYG.exe
117⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FZW.exe.bat" "
118⤵
PID:4316

C:\windows\SysWOW64\FZW.exe
C:\windows\system32\FZW.exe
119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZM.exe.bat" "
120⤵
PID:4284

C:\windows\SysWOW64\RZM.exe
C:\windows\system32\RZM.exe
121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows\system\IAOV.exe.bat" "
122⤵
PID:368
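Every stage in the tree above follows the same shape: a dropped NAME.exe runs `cmd.exe /c ""<path>\NAME.exe.bat" "`, and that batch file starts the next NAME.exe from the root of C:\windows, C:\windows\system or C:\windows\system32 (shown as SysWOW64 because the sample is 32-bit and is subject to WoW64 file system redirection), nesting one level deeper each time until the 120 s kernel limit cuts the run at depth 122. The detection below is an added example, not part of the sandbox report: it links process-creation events into that cmd → NAME.exe.bat → NAME.exe chain and measures how deep the chain goes. The event field names (pid, parent pid, image, command line) follow what a Sysmon Event ID 1 or Windows 4688 feed provides and are an assumption about your telemetry; the sample events are constructed from the paths and PIDs at depths 26 to 35 of this report plus one benign control.

```python
"""Link cmd.exe /c NAME.exe.bat launches to the NAME.exe child they start and
measure the chain depth. Added example over constructed events; the field
names are an assumption about the process-creation feed being searched."""
import re
from dataclasses import dataclass

WINDIR = "c:\\windows\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str        # on-disk path of the new process
    cmdline: str      # its command line


# Constructed from depths 26-35 of the report above, plus a benign control.
SAMPLE_EVENTS = [
    ProcEvent(4352, 3884, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\YOLOUO.exe.bat" "'),
    ProcEvent(3244, 4352, r"C:\windows\system\YOLOUO.exe",
              r"C:\windows\system\YOLOUO.exe"),
    ProcEvent(1896, 3244, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\FEMFT.exe.bat" "'),
    ProcEvent(3248, 1896, r"C:\windows\FEMFT.exe", r"C:\windows\FEMFT.exe"),
    ProcEvent(4404, 3248, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVJP.exe.bat" "'),
    ProcEvent(4760, 4404, r"C:\windows\SysWOW64\SVJP.exe",
              r"C:\windows\system32\SVJP.exe"),
    # Benign control (constructed): a user running a build script from their profile.
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe /c "C:\Users\alice\build.bat"'),
]

# cmd.exe /c ""<drive>:\...\NAME.exe.bat" " : the sample doubles the quotes on
# every launch, so accept any run of quotes before the path.
BAT_RE = re.compile(r'cmd\.exe\s+/c\s+"*(?P<bat>[a-z]:\\[^"]+?\.exe\.bat)"', re.I)


def bat_target(cmdline: str):
    """Path of the *.exe.bat that a cmd.exe /c command line runs, or None."""
    m = BAT_RE.search(cmdline)
    return m.group("bat") if m else None


def normalize(path: str) -> str:
    """Lower-case and undo WoW64 redirection: the 32-bit sample's
    C:\\windows\\system32\\X.exe is reported as C:\\windows\\SysWOW64\\X.exe."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def find_relaunches(events):
    """(cmd_pid, exe_pid, exe_image) for every NAME.exe whose parent is a
    cmd.exe running NAME.exe.bat from somewhere under the Windows directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent is None:
            continue
        bat = bat_target(parent.cmdline)
        if bat is None or not normalize(bat).startswith(WINDIR):
            continue
        # NAME.exe.bat launches NAME.exe: strip ".bat" and compare to the child image
        if normalize(e.image) == normalize(bat[: -len(".bat")]):
            hits.append((parent.pid, e.pid, e.image))
    return hits


def longest_chain(events) -> int:
    """Number of consecutive exe stages linked through their cmd.exe parents."""
    by_pid = {e.pid: e for e in events}
    stages = {exe_pid for _, exe_pid, _ in find_relaunches(events)}
    best = 0
    for pid in stages:
        length, cur = 0, pid
        while cur in stages:
            length += 1
            cmd = by_pid[cur].parent_pid      # the cmd.exe that ran the .bat
            cur = by_pid[cmd].parent_pid      # the exe stage that spawned that cmd
        best = max(best, length)
    return best


if __name__ == "__main__":
    for cmd_pid, exe_pid, image in find_relaunches(SAMPLE_EVENTS):
        print(f"relaunch: cmd {cmd_pid} -> {image} (pid {exe_pid})")
    print("chain length:", longest_chain(SAMPLE_EVENTS))
```

Two caveats when moving this onto real telemetry. The NAME.exe.bat naming is specific to this sample; the reusable signals are cmd.exe /c running a batch file that lives under %SystemRoot%, and executables starting from C:\windows\system or the root of C:\windows, which are not normal homes for binaries. And the code keys processes by bare PID, which is only safe within a short window: this very report shows PIDs being reused within 120 s (4808 at depths 41 and 62, 3844 at 60 and 94, 896 at 79 and 97), so on a production feed join on a per-process GUID or on (PID, creation time) instead.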