Analysis
max time kernel: 119s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 14:17
Static task: static1
Behavioral task: behavioral1
  Sample: ebe43597656b129ec30f3b81688d48c0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ebe43597656b129ec30f3b81688d48c0N.exe
  Resource: win10v2004-20240709-en
General
Target: ebe43597656b129ec30f3b81688d48c0N.exe
Size: 208KB
MD5: ebe43597656b129ec30f3b81688d48c0
SHA1: 697a62161825f9c761621dfa4075372292c0f798
SHA256: 268d5097cf3423f5aa8397512c98842af563acc36ad71663a7f1770b5d94c8de
SHA512: 60dfc81e8b459d7e842a1503270f13f6833b386aef34b6f8f52b1c30068f2b5f5b45a42a2ca9e2e622701f150460b1eea75aa09ebc7e04b5aab6f88c768cdcf0
SSDEEP: 3072:lGPFazIFjShsKSL27AfW+vald9FM1foaskhZcAE5MFxzC/zP4H4fjm5osl/9PYFO:lGtaEJFKSVva9FM1tD5LQEj9
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried (all 64 rows)
ioc: \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation (identical for all 64 rows)
Process (one row each):
UUYA.exe
HLGNN.exe
OYNTU.exe
HASD.exe
JZBNY.exe
CGL.exe
HLCKO.exe
KXI.exe
NDPNWJF.exe
MYXL.exe
UHRT.exe
IOQHF.exe
PJPSM.exe
PJDYEZ.exe
HOKJSZK.exe
CPBPWTO.exe
EWXRV.exe
MAIV.exe
CZB.exe
AMHHHLG.exe
FNBTX.exe
AFS.exe
XMVICWM.exe
HBFCM.exe
LUICROZ.exe
HNPD.exe
VVE.exe
KENRXQ.exe
GMRWPTY.exe
ERKE.exe
USJEGV.exe
WVRWQND.exe
AOXW.exe
TQDZ.exe
OXXC.exe
LCQ.exe
VIUBHIA.exe
DOHIJGW.exe
HGTK.exe
ZCTU.exe
BBC.exe
EQUUSV.exe
BZJ.exe
HBMUEO.exe
LXPXLM.exe
QQJCPY.exe
TYLUM.exe
VKRW.exe
MNXRNH.exe
MQCDP.exe
XMXQ.exe
IPWSATD.exe
JBQYEFJ.exe
FII.exe
DFBDSV.exe
LNFE.exe
JWXZ.exe
CNERQGY.exe
MBTTNFQ.exe
MZGVMB.exe
SJLBD.exe
MDFXHVI.exe
ELN.exe
EPYHZUD.exe
Executes dropped EXE (64 IoCs)
pid | Process
2032 | VDFO.exe
2568 | WTNXX.exe
2644 | TYLUM.exe
740 | NMQEOR.exe
3656 | PJDYEZ.exe
2232 | KXI.exe
1416 | VPDA.exe
4424 | UNK.exe
4340 | VLQXHJ.exe
4868 | PDFIZK.exe
2664 | CGBHEBP.exe
4800 | VJFK.exe
4788 | ZZTLWJ.exe
2320 | BPNNCYU.exe
1096 | VKRW.exe
3280 | QNAVSJE.exe
3588 | ETIYC.exe
4968 | XLPRM.exe
1152 | GMRWPTY.exe
2540 | AMHHHLG.exe
5116 | SHKDMJ.exe
1568 | NDPNWJF.exe
940 | VIUBHIA.exe
4068 | DOHIJGW.exe
2572 | ERKE.exe
2112 | NZMJA.exe
4972 | TZUWJWA.exe
1756 | UUYA.exe
4072 | FNBTX.exe
2020 | HLGNN.exe
4844 | HOKJSZK.exe
4188 | HGTK.exe
2528 | ZHVPJ.exe
5024 | CPBPWTO.exe
1368 | GFIXI.exe
2708 | ZIMT.exe
2328 | OYNTU.exe
4664 | UYVGDZC.exe
3816 | MYXL.exe
1800 | LRFNUB.exe
4028 | PZZV.exe
744 | IHZL.exe
60 | PCE.exe
3196 | WXBJSGY.exe
4452 | DSYWCH.exe
3736 | HASD.exe
1920 | AIAU.exe
404 | HEX.exe
1412 | LMRWAB.exe
1708 | SHOIK.exe
4408 | ZCTU.exe
4504 | BFVB.exe
4448 | QAA.exe
1612 | XVXARUH.exe
2416 | EQUUSV.exe
3880 | ZDND.exe
2812 | TZRVEB.exe
3076 | HBALSM.exe
4140 | JZBNY.exe
4876 | ZPAQ.exe
2948 | KIDJK.exe
3428 | QIK.exe
4380 | KAA.exe
4552 | EWXRV.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\AXAZUN.exe.bat | SCDNSMK.exe
File opened for modification | C:\windows\SysWOW64\FEXAN.exe | XJAODW.exe
File created | C:\windows\SysWOW64\UFRZBBD.exe.bat | EPQHUF.exe
File created | C:\windows\SysWOW64\UQLJOV.exe | UGC.exe
File created | C:\windows\SysWOW64\BFVB.exe | ZCTU.exe
File created | C:\windows\SysWOW64\KIDJK.exe | ZPAQ.exe
File opened for modification | C:\windows\SysWOW64\KIDJK.exe | ZPAQ.exe
File created | C:\windows\SysWOW64\MDFXHVI.exe | FII.exe
File created | C:\windows\SysWOW64\DHPOGRX.exe | ZRJ.exe
File created | C:\windows\SysWOW64\VJFK.exe.bat | CGBHEBP.exe
File created | C:\windows\SysWOW64\VJFK.exe | CGBHEBP.exe
File created | C:\windows\SysWOW64\GLY.exe | EWXRV.exe
File created | C:\windows\SysWOW64\UQLJOV.exe.bat | UGC.exe
File created | C:\windows\SysWOW64\BBC.exe | LLBE.exe
File created | C:\windows\SysWOW64\OWJGO.exe.bat | HBMUEO.exe
File opened for modification | C:\windows\SysWOW64\UFRZBBD.exe | EPQHUF.exe
File created | C:\windows\SysWOW64\QQJCPY.exe.bat | USMNI.exe
File created | C:\windows\SysWOW64\QNAVSJE.exe | VKRW.exe
File opened for modification | C:\windows\SysWOW64\SHKDMJ.exe | AMHHHLG.exe
File created | C:\windows\SysWOW64\SHKDMJ.exe.bat | AMHHHLG.exe
File created | C:\windows\SysWOW64\DSYWCH.exe | WXBJSGY.exe
File created | C:\windows\SysWOW64\MQCDP.exe.bat | AFS.exe
File created | C:\windows\SysWOW64\SCDNSMK.exe | DMCV.exe
File created | C:\windows\SysWOW64\ISTVT.exe | BXWJRW.exe
File created | C:\windows\SysWOW64\XSCDFS.exe.bat | EPYHZUD.exe
File opened for modification | C:\windows\SysWOW64\VJFK.exe | CGBHEBP.exe
File created | C:\windows\SysWOW64\XLPRM.exe | ETIYC.exe
File created | C:\windows\SysWOW64\MYXL.exe.bat | UYVGDZC.exe
File created | C:\windows\SysWOW64\DCVQQWM.exe | IOQHF.exe
File created | C:\windows\SysWOW64\FYXA.exe.bat | FKX.exe
File opened for modification | C:\windows\SysWOW64\JMQI.exe | JZP.exe
File created | C:\windows\SysWOW64\QNAVSJE.exe.bat | VKRW.exe
File opened for modification | C:\windows\SysWOW64\GLY.exe | EWXRV.exe
File created | C:\windows\SysWOW64\HNPD.exe.bat | DFBDSV.exe
File created | C:\windows\SysWOW64\UFRZBBD.exe | EPQHUF.exe
File created | C:\windows\SysWOW64\MYXL.exe | UYVGDZC.exe
File opened for modification | C:\windows\SysWOW64\IKWL.exe | LUICROZ.exe
File created | C:\windows\SysWOW64\DFBDSV.exe | IKWL.exe
File created | C:\windows\SysWOW64\UYVGDZC.exe | OYNTU.exe
File created | C:\windows\SysWOW64\TZRVEB.exe | ZDND.exe
File opened for modification | C:\windows\SysWOW64\ISTVT.exe | BXWJRW.exe
File opened for modification | C:\windows\SysWOW64\AFS.exe | WXLQTJ.exe
File created | C:\windows\SysWOW64\MDFXHVI.exe.bat | FII.exe
File opened for modification | C:\windows\SysWOW64\XLPRM.exe | ETIYC.exe
File created | C:\windows\SysWOW64\ERKE.exe.bat | DOHIJGW.exe
File created | C:\windows\SysWOW64\FNBTX.exe | UUYA.exe
File opened for modification | C:\windows\SysWOW64\BFVB.exe | ZCTU.exe
File opened for modification | C:\windows\SysWOW64\MDFXHVI.exe | FII.exe
File opened for modification | C:\windows\SysWOW64\DHPOGRX.exe | ZRJ.exe
File created | C:\windows\SysWOW64\NZMJA.exe.bat | ERKE.exe
File opened for modification | C:\windows\SysWOW64\DOHIJGW.exe | VIUBHIA.exe
File created | C:\windows\SysWOW64\BFVB.exe.bat | ZCTU.exe
File created | C:\windows\SysWOW64\TZRVEB.exe.bat | ZDND.exe
File created | C:\windows\SysWOW64\AFS.exe.bat | WXLQTJ.exe
File opened for modification | C:\windows\SysWOW64\YOFKOI.exe | AOXW.exe
File opened for modification | C:\windows\SysWOW64\PJDYEZ.exe | NMQEOR.exe
File created | C:\windows\SysWOW64\VIUBHIA.exe.bat | NDPNWJF.exe
File opened for modification | C:\windows\SysWOW64\ZIMT.exe | GFIXI.exe
File created | C:\windows\SysWOW64\YOFKOI.exe | AOXW.exe
File created | C:\windows\SysWOW64\FNBTX.exe.bat | UUYA.exe
File opened for modification | C:\windows\SysWOW64\UYVGDZC.exe | OYNTU.exe
File opened for modification | C:\windows\SysWOW64\BBC.exe | LLBE.exe
File created | C:\windows\SysWOW64\YOFKOI.exe.bat | AOXW.exe
File opened for modification | C:\windows\SysWOW64\ZZTLWJ.exe | VJFK.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\JBQYEFJ.exe.bat | CGL.exe
File created | C:\windows\VPDA.exe.bat | KXI.exe
File created | C:\windows\system\XMXQ.exe | FEXAN.exe
File created | C:\windows\system\MNXRNH.exe | HNPD.exe
File created | C:\windows\system\RMZJGC.exe.bat | NWT.exe
File created | C:\windows\system\DQRE.exe | XPKITTG.exe
File created | C:\windows\system\ZCTU.exe.bat | SHOIK.exe
File created | C:\windows\OWCW.exe | HBFCM.exe
File created | C:\windows\system\JWXZ.exe | TOWIRS.exe
File created | C:\windows\system\EQUUSV.exe | XVXARUH.exe
File created | C:\windows\system\PCE.exe | IHZL.exe
File created | C:\windows\system\XMVICWM.exe.bat | VOHN.exe
File opened for modification | C:\windows\TOWIRS.exe | ELN.exe
File created | C:\windows\system\VVE.exe.bat | JNX.exe
File created | C:\windows\system\DHV.exe.bat | DCVQQWM.exe
File created | C:\windows\HGTK.exe.bat | HOKJSZK.exe
File created | C:\windows\system\NDPNWJF.exe | SHKDMJ.exe
File opened for modification | C:\windows\system\IHZL.exe | PZZV.exe
File opened for modification | C:\windows\WXBJSGY.exe | PCE.exe
File created | C:\windows\VKRW.exe.bat | BPNNCYU.exe
File created | C:\windows\DMCV.exe | XMVICWM.exe
File created | C:\windows\SJLBD.exe | OWJGO.exe
File opened for modification | C:\windows\system\EPYHZUD.exe | JMQI.exe
File opened for modification | C:\windows\system\LLBE.exe | HDVESID.exe
File created | C:\windows\system\DQRE.exe.bat | XPKITTG.exe
File created | C:\windows\system\AOXW.exe.bat | QQJCPY.exe
File created | C:\windows\system\JJH.exe.bat | HLCKO.exe
File created | C:\windows\GVTR.exe | CNERQGY.exe
File opened for modification | C:\windows\VQCVNLU.exe | GVTR.exe
File opened for modification | C:\windows\LCQ.exe | OXXC.exe
File opened for modification | C:\windows\BPNNCYU.exe | ZZTLWJ.exe
File opened for modification | C:\windows\IPWSATD.exe | EHC.exe
File created | C:\windows\LUICROZ.exe.bat | TYKKRW.exe
File created | C:\windows\system\HLGNN.exe.bat | FNBTX.exe
File opened for modification | C:\windows\system\ZCTU.exe | SHOIK.exe
File created | C:\windows\system\ZFQN.exe | SJLBD.exe
File created | C:\windows\HGGEOGD.exe | DQRE.exe
File created | C:\windows\system\PZZV.exe | LRFNUB.exe
File created | C:\windows\HEX.exe | AIAU.exe
File created | C:\windows\system\USJEGV.exe.bat | ZFQN.exe
File opened for modification | C:\windows\system\JWXZ.exe | TOWIRS.exe
File created | C:\windows\JZP.exe | FRJUXU.exe
File created | C:\windows\LCQ.exe.bat | OXXC.exe
File created | C:\windows\WXBJSGY.exe | PCE.exe
File created | C:\windows\BPNNCYU.exe.bat | ZZTLWJ.exe
File opened for modification | C:\windows\system\PYYSX.exe | MQCDP.exe
File created | C:\windows\system\LLBE.exe | HDVESID.exe
File opened for modification | C:\windows\DMCV.exe | XMVICWM.exe
File opened for modification | C:\windows\system\HBMUEO.exe | JBQYEFJ.exe
File opened for modification | C:\windows\system\ZFQN.exe | SJLBD.exe
File created | C:\windows\system\LNFE.exe | UFRZBBD.exe
File created | C:\windows\VDFO.exe | ebe43597656b129ec30f3b81688d48c0N.exe
File created | C:\windows\FRJUXU.exe | HGGEOGD.exe
File opened for modification | C:\windows\SJLBD.exe | OWJGO.exe
File created | C:\windows\NMQEOR.exe.bat | TYLUM.exe
File created | C:\windows\CGBHEBP.exe | PDFIZK.exe
File opened for modification | C:\windows\system\AOXW.exe | QQJCPY.exe
File opened for modification | C:\windows\system\OXXC.exe | MBTTNFQ.exe
File created | C:\windows\system\KXI.exe.bat | PJDYEZ.exe
File opened for modification | C:\windows\LMRWAB.exe | HEX.exe
File created | C:\windows\system\KAA.exe.bat | QIK.exe
File opened for modification | C:\windows\OWCW.exe | HBFCM.exe
File created | C:\windows\WXBJSGY.exe.bat | PCE.exe
File opened for modification | C:\windows\system\ZHVPJ.exe | HGTK.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
868 | 3200 | WerFault.exe | 82
5060 | 2032 | WerFault.exe | 90
384 | 2568 | WerFault.exe | 96
3504 | 2644 | WerFault.exe | 101
972 | 740 | WerFault.exe | 106
5040 | 3656 | WerFault.exe | 111
968 | 2232 | WerFault.exe | 116
2128 | 1416 | WerFault.exe | 121
1612 | 4424 | WerFault.exe | 126
2868 | 4340 | WerFault.exe | 131
1228 | 4868 | WerFault.exe | 136
1748 | 2664 | WerFault.exe | 141
3572 | 4800 | WerFault.exe | 146
224 | 4788 | WerFault.exe | 151
3608 | 2320 | WerFault.exe | 156
968 | 1096 | WerFault.exe | 161
2236 | 3280 | WerFault.exe | 166
1008 | 3588 | WerFault.exe | 170
2408 | 4968 | WerFault.exe | 176
1188 | 1152 | WerFault.exe | 181
3640 | 2540 | WerFault.exe | 186
1648 | 5116 | WerFault.exe | 191
4228 | 1568 | WerFault.exe | 196
1300 | 940 | WerFault.exe | 201
4044 | 4068 | WerFault.exe | 205
4412 | 2572 | WerFault.exe | 211
4624 | 2112 | WerFault.exe | 216
4340 | 4972 | WerFault.exe | 221
1512 | 1756 | WerFault.exe | 226
2932 | 4072 | WerFault.exe | 231
3724 | 2020 | WerFault.exe | 236
2440 | 4844 | WerFault.exe | 241
2052 | 4188 | WerFault.exe | 246
4304 | 2528 | WerFault.exe | 251
4224 | 5024 | WerFault.exe | 256
4404 | 1368 | WerFault.exe | 261
3520 | 2708 | WerFault.exe | 266
4432 | 2328 | WerFault.exe | 271
1748 | 4664 | WerFault.exe | 277
732 | 3816 | WerFault.exe | 283
1568 | 1800 | WerFault.exe | 288
224 | 4028 | WerFault.exe | 293
4076 | 744 | WerFault.exe | 298
4588 | 60 | WerFault.exe | 303
2112 | 3196 | WerFault.exe | 308
320 | 4452 | WerFault.exe | 313
3304 | 3736 | WerFault.exe | 318
3232 | 1920 | WerFault.exe | 323
4816 | 404 | WerFault.exe | 328
1976 | 1412 | WerFault.exe | 333
3212 | 1708 | WerFault.exe | 338
4444 | 4408 | WerFault.exe | 343
4332 | 4504 | WerFault.exe | 348
2268 | 4448 | WerFault.exe | 353
3716 | 1612 | WerFault.exe | 358
1700 | 2416 | WerFault.exe | 363
1748 | 3880 | WerFault.exe | 368
912 | 2812 | WerFault.exe | 373
224 | 3076 | WerFault.exe | 379
1764 | 4140 | WerFault.exe | 384
3156 | 4876 | WerFault.exe | 389
1096 | 2948 | WerFault.exe | 394
3716 | 3428 | WerFault.exe | 398
5048 | 4380 | WerFault.exe | 404
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each pair below appears twice in the source table, 64 rows in total)
3200 | ebe43597656b129ec30f3b81688d48c0N.exe
2032 | VDFO.exe
2568 | WTNXX.exe
2644 | TYLUM.exe
740 | NMQEOR.exe
3656 | PJDYEZ.exe
2232 | KXI.exe
1416 | VPDA.exe
4424 | UNK.exe
4340 | VLQXHJ.exe
4868 | PDFIZK.exe
2664 | CGBHEBP.exe
4800 | VJFK.exe
4788 | ZZTLWJ.exe
2320 | BPNNCYU.exe
1096 | VKRW.exe
3280 | QNAVSJE.exe
3588 | ETIYC.exe
4968 | XLPRM.exe
1152 | GMRWPTY.exe
2540 | AMHHHLG.exe
5116 | SHKDMJ.exe
1568 | NDPNWJF.exe
940 | VIUBHIA.exe
4068 | DOHIJGW.exe
2572 | ERKE.exe
2112 | NZMJA.exe
4972 | TZUWJWA.exe
1756 | UUYA.exe
4072 | FNBTX.exe
2020 | HLGNN.exe
4844 | HOKJSZK.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each pair below appears twice in the source table, 64 rows in total)
3200 | ebe43597656b129ec30f3b81688d48c0N.exe
2032 | VDFO.exe
2568 | WTNXX.exe
2644 | TYLUM.exe
740 | NMQEOR.exe
3656 | PJDYEZ.exe
2232 | KXI.exe
1416 | VPDA.exe
4424 | UNK.exe
4340 | VLQXHJ.exe
4868 | PDFIZK.exe
2664 | CGBHEBP.exe
4800 | VJFK.exe
4788 | ZZTLWJ.exe
2320 | BPNNCYU.exe
1096 | VKRW.exe
3280 | QNAVSJE.exe
3588 | ETIYC.exe
4968 | XLPRM.exe
1152 | GMRWPTY.exe
2540 | AMHHHLG.exe
5116 | SHKDMJ.exe
1568 | NDPNWJF.exe
940 | VIUBHIA.exe
4068 | DOHIJGW.exe
2572 | ERKE.exe
2112 | NZMJA.exe
4972 | TZUWJWA.exe
1756 | UUYA.exe
4072 | FNBTX.exe
2020 | HLGNN.exe
4844 | HOKJSZK.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row below appears three times in the source table, except the last, which appears once; 64 rows in total)
PID 3200 wrote to memory of 4048 | 3200 | ebe43597656b129ec30f3b81688d48c0N.exe | 86
PID 4048 wrote to memory of 2032 | 4048 | cmd.exe | 90
PID 2032 wrote to memory of 5048 | 2032 | VDFO.exe | 92
PID 5048 wrote to memory of 2568 | 5048 | cmd.exe | 96
PID 2568 wrote to memory of 1188 | 2568 | WTNXX.exe | 97
PID 1188 wrote to memory of 2644 | 1188 | cmd.exe | 101
PID 2644 wrote to memory of 3816 | 2644 | TYLUM.exe | 102
PID 3816 wrote to memory of 740 | 3816 | cmd.exe | 106
PID 740 wrote to memory of 756 | 740 | NMQEOR.exe | 107
PID 756 wrote to memory of 3656 | 756 | cmd.exe | 111
PID 3656 wrote to memory of 3140 | 3656 | PJDYEZ.exe | 112
PID 3140 wrote to memory of 2232 | 3140 | cmd.exe | 116
PID 2232 wrote to memory of 4464 | 2232 | KXI.exe | 117
PID 4464 wrote to memory of 1416 | 4464 | cmd.exe | 121
PID 1416 wrote to memory of 2140 | 1416 | VPDA.exe | 122
PID 2140 wrote to memory of 4424 | 2140 | cmd.exe | 126
PID 4424 wrote to memory of 4656 | 4424 | UNK.exe | 127
PID 4656 wrote to memory of 4340 | 4656 | cmd.exe | 131
PID 4340 wrote to memory of 3520 | 4340 | VLQXHJ.exe | 132
PID 3520 wrote to memory of 4868 | 3520 | cmd.exe | 136
PID 4868 wrote to memory of 100 | 4868 | PDFIZK.exe | 137
PID 100 wrote to memory of 2664 | 100 | cmd.exe | 141
Processes (each entry is numbered by its nesting depth in the process tree; each process is a child of the one before it)
1. C:\Users\Admin\AppData\Local\Temp\ebe43597656b129ec30f3b81688d48c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebe43597656b129ec30f3b81688d48c0N.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3200
2. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VDFO.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4048
3. C:\windows\VDFO.exe
   Command line: C:\windows\VDFO.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2032
4. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WTNXX.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 5048
5. C:\windows\WTNXX.exe
   Command line: C:\windows\WTNXX.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2568
6. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TYLUM.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1188
7. C:\windows\TYLUM.exe
   Command line: C:\windows\TYLUM.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2644
8. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NMQEOR.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3816
9. C:\windows\NMQEOR.exe
   Command line: C:\windows\NMQEOR.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 740
10. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PJDYEZ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 756
11. C:\windows\SysWOW64\PJDYEZ.exe
    Command line: C:\windows\system32\PJDYEZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3656
12. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3140
13. C:\windows\system\KXI.exe
    Command line: C:\windows\system\KXI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2232
14. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VPDA.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4464
15. C:\windows\VPDA.exe
    Command line: C:\windows\VPDA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1416
16. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UNK.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2140
17. C:\windows\UNK.exe
    Command line: C:\windows\UNK.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4424
18. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VLQXHJ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4656
19. C:\windows\VLQXHJ.exe
    Command line: C:\windows\VLQXHJ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4340
20. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PDFIZK.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3520
21. C:\windows\system\PDFIZK.exe
    Command line: C:\windows\system\PDFIZK.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4868
22. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 100
23. C:\windows\CGBHEBP.exe
    Command line: C:\windows\CGBHEBP.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2664
24. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJFK.exe.bat" "
PID: 5076
25. C:\windows\SysWOW64\VJFK.exe
    Command line: C:\windows\system32\VJFK.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4800
26. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZTLWJ.exe.bat" "
PID: 4844
27. C:\windows\SysWOW64\ZZTLWJ.exe
    Command line: C:\windows\system32\ZZTLWJ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4788
28. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BPNNCYU.exe.bat" "
PID: 3692
29. C:\windows\BPNNCYU.exe
    Command line: C:\windows\BPNNCYU.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2320
30. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VKRW.exe.bat" "
PID: 2728
31. C:\windows\VKRW.exe
    Command line: C:\windows\VKRW.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1096
32. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QNAVSJE.exe.bat" "
PID: 1940
33. C:\windows\SysWOW64\QNAVSJE.exe
    Command line: C:\windows\system32\QNAVSJE.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3280
34. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ETIYC.exe.bat" "
PID: 1764
35. C:\windows\ETIYC.exe
    Command line: C:\windows\ETIYC.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3588
36. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLPRM.exe.bat" "
PID: 5016
37. C:\windows\SysWOW64\XLPRM.exe
    Command line: C:\windows\system32\XLPRM.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4968
38. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GMRWPTY.exe.bat" "
PID: 3880
39. C:\windows\system\GMRWPTY.exe
    Command line: C:\windows\system\GMRWPTY.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMHHHLG.exe.bat" "40⤵PID:4824
-
C:\windows\system\AMHHHLG.exeC:\windows\system\AMHHHLG.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHKDMJ.exe.bat" "42⤵PID:1244
-
C:\windows\SysWOW64\SHKDMJ.exeC:\windows\system32\SHKDMJ.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "44⤵PID:1020
-
C:\windows\system\NDPNWJF.exeC:\windows\system\NDPNWJF.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VIUBHIA.exe.bat" "46⤵PID:3568
-
C:\windows\SysWOW64\VIUBHIA.exeC:\windows\system32\VIUBHIA.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DOHIJGW.exe.bat" "48⤵PID:4852
-
C:\windows\SysWOW64\DOHIJGW.exeC:\windows\system32\DOHIJGW.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERKE.exe.bat" "50⤵PID:2592
-
C:\windows\SysWOW64\ERKE.exeC:\windows\system32\ERKE.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZMJA.exe.bat" "52⤵PID:424
-
C:\windows\SysWOW64\NZMJA.exeC:\windows\system32\NZMJA.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZUWJWA.exe.bat" "54⤵PID:2396
-
C:\windows\SysWOW64\TZUWJWA.exeC:\windows\system32\TZUWJWA.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UUYA.exe.bat" "56⤵PID:4496
-
C:\windows\UUYA.exeC:\windows\UUYA.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNBTX.exe.bat" "58⤵PID:2392
-
C:\windows\SysWOW64\FNBTX.exeC:\windows\system32\FNBTX.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HLGNN.exe.bat" "60⤵PID:1920
-
C:\windows\system\HLGNN.exeC:\windows\system\HLGNN.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HOKJSZK.exe.bat" "62⤵PID:4828
-
C:\windows\system\HOKJSZK.exeC:\windows\system\HOKJSZK.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HGTK.exe.bat" "64⤵PID:5012
-
C:\windows\HGTK.exeC:\windows\HGTK.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHVPJ.exe.bat" "66⤵PID:3180
-
C:\windows\system\ZHVPJ.exeC:\windows\system\ZHVPJ.exe67⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CPBPWTO.exe.bat" "68⤵PID:3656
-
C:\windows\system\CPBPWTO.exeC:\windows\system\CPBPWTO.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GFIXI.exe.bat" "70⤵PID:4444
-
C:\windows\system\GFIXI.exeC:\windows\system\GFIXI.exe71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZIMT.exe.bat" "72⤵PID:4640
-
C:\windows\SysWOW64\ZIMT.exeC:\windows\system32\ZIMT.exe73⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OYNTU.exe.bat" "74⤵PID:2268
-
C:\windows\OYNTU.exeC:\windows\OYNTU.exe75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UYVGDZC.exe.bat" "76⤵PID:4972
-
C:\windows\SysWOW64\UYVGDZC.exeC:\windows\system32\UYVGDZC.exe77⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MYXL.exe.bat" "78⤵PID:2932
-
C:\windows\SysWOW64\MYXL.exeC:\windows\system32\MYXL.exe79⤵
- Checks computer location settings
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRFNUB.exe.bat" "80⤵PID:3024
-
C:\windows\SysWOW64\LRFNUB.exeC:\windows\system32\LRFNUB.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PZZV.exe.bat" "82⤵PID:1628
-
C:\windows\system\PZZV.exeC:\windows\system\PZZV.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IHZL.exe.bat" "84⤵PID:1304
-
C:\windows\system\IHZL.exeC:\windows\system\IHZL.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PCE.exe.bat" "86⤵PID:5040
-
C:\windows\system\PCE.exeC:\windows\system\PCE.exe87⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:60 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WXBJSGY.exe.bat" "88⤵PID:3288
-
C:\windows\WXBJSGY.exeC:\windows\WXBJSGY.exe89⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DSYWCH.exe.bat" "90⤵PID:3752
-
C:\windows\SysWOW64\DSYWCH.exeC:\windows\system32\DSYWCH.exe91⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HASD.exe.bat" "92⤵PID:4480
-
C:\windows\SysWOW64\HASD.exeC:\windows\system32\HASD.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AIAU.exe.bat" "94⤵PID:4824
-
C:\windows\AIAU.exeC:\windows\AIAU.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HEX.exe.bat" "96⤵PID:4908
-
C:\windows\HEX.exeC:\windows\HEX.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LMRWAB.exe.bat" "98⤵PID:876
-
C:\windows\LMRWAB.exeC:\windows\LMRWAB.exe99⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHOIK.exe.bat" "100⤵PID:4800
-
C:\windows\SysWOW64\SHOIK.exeC:\windows\system32\SHOIK.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCTU.exe.bat" "102⤵PID:564
-
C:\windows\system\ZCTU.exeC:\windows\system\ZCTU.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFVB.exe.bat" "104⤵PID:4580
-
C:\windows\SysWOW64\BFVB.exeC:\windows\system32\BFVB.exe105⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QAA.exe.bat" "106⤵PID:3940
-
C:\windows\SysWOW64\QAA.exeC:\windows\system32\QAA.exe107⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XVXARUH.exe.bat" "108⤵PID:4476
-
C:\windows\XVXARUH.exeC:\windows\XVXARUH.exe109⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EQUUSV.exe.bat" "110⤵PID:5008
-
C:\windows\system\EQUUSV.exeC:\windows\system\EQUUSV.exe111⤵
- Checks computer location settings
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZDND.exe.bat" "112⤵PID:4340
-
C:\windows\ZDND.exeC:\windows\ZDND.exe113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZRVEB.exe.bat" "114⤵PID:4936
-
C:\windows\SysWOW64\TZRVEB.exeC:\windows\system32\TZRVEB.exe115⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HBALSM.exe.bat" "116⤵PID:2952
-
C:\windows\system\HBALSM.exeC:\windows\system\HBALSM.exe117⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JZBNY.exe.bat" "118⤵PID:972
-
C:\windows\JZBNY.exeC:\windows\JZBNY.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPAQ.exe.bat" "120⤵PID:2788
-
C:\windows\system\ZPAQ.exeC:\windows\system\ZPAQ.exe121⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KIDJK.exe.bat" "122⤵PID:2844
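The relay pattern in this tree (cmd.exe /c on a <name>.exe.bat under a Windows system directory, then <name>.exe started as that cmd.exe's child) can be checked mechanically against process-creation telemetry. The following is an added example and is not part of the tria.ge report or of the sample: it models events on Sysmon Event ID 1 fields (image, command line, PID, parent PID), builds a few events from entries in the tree above (parent links taken from the tree's nesting) plus one constructed benign cmd.exe event, normalises the WOW64 system32/SysWOW64 alias so the command-line path and the recorded image path compare equal, and stops attributing children to a PID once that PID has been recycled, which happens to 4844 in this run.

```python
"""Detector for the cmd.exe -> <name>.exe.bat -> <name>.exe relay seen in the
process tree above. Added example, not code from the tria.ge report or the
sample. Events are modeled on Sysmon Event ID 1 fields and are constructed
here from the tree plus one benign control event."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories the relay stages live in, as seen in the tree (lower-cased).
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system",
                "c:\\windows\\system32", "c:\\windows\\syswow64"}

# The launcher form used throughout the tree:  cmd.exe /c ""C:\...\X.exe.bat" "
BAT_RE = re.compile(r'/c\s+"+(?P<bat>[^"]+\.bat)"', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str                     # on-disk image path as the sandbox recorded it
    cmdline: str
    parent_pid: Optional[int] = None


@dataclass
class Finding:
    cmd_pid: int
    bat_path: str
    child_pid: int
    child_image: str
    wow64_redirected: bool


def normalize(path: str) -> str:
    r"""Lower-case and collapse the WOW64 alias: a 32-bit process that names
    C:\Windows\System32\X is redirected to C:\Windows\SysWOW64\X, which is why
    image paths above sit in SysWOW64 while the command lines say system32."""
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\", 1)


def in_windows_dir(path: str) -> bool:
    return ntpath.dirname(path.lower()) in WINDOWS_DIRS


def children_of(events: List[ProcEvent], parent_index: int) -> List[ProcEvent]:
    """Children of events[parent_index], in order, stopping once the parent's
    PID is recycled by a later process. Sysmon's ParentProcessGuid avoids this
    ambiguity; a PID on its own does not."""
    parent = events[parent_index]
    out = []
    for ev in events[parent_index + 1:]:
        if ev.pid == parent.pid:
            break
        if ev.parent_pid == parent.pid:
            out.append(ev)
    return out


def pid_reuse(events: List[ProcEvent]) -> List[int]:
    """PIDs that appear for more than one process, in order of first reuse."""
    seen, reused = set(), []
    for ev in events:
        if ev.pid in seen and ev.pid not in reused:
            reused.append(ev.pid)
        seen.add(ev.pid)
    return reused


def detect_bat_relay(events: List[ProcEvent]) -> List[Finding]:
    """cmd.exe /c <dir>\\X.exe.bat with <dir> a Windows system directory,
    followed by a child whose image is <dir>\\X.exe (modulo WOW64 redirection)."""
    findings = []
    for i, ev in enumerate(events):
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(ev.cmdline)
        if not m or not in_windows_dir(m.group("bat")):
            continue
        bat = m.group("bat")
        expected_exe = bat[: -len(".bat")]          # X.exe.bat -> X.exe
        for child in children_of(events, i):
            if normalize(child.image) == normalize(expected_exe):
                findings.append(Finding(
                    ev.pid, bat, child.pid, child.image,
                    wow64_redirected=child.image.lower() != expected_exe.lower()))
    return findings


CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    # Taken from the tree above: depths 26/27, 28/29 and 62/63 (PID 4844 recycled).
    ProcEvent(4844, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZTLWJ.exe.bat" "', 4800),
    ProcEvent(4788, r"C:\windows\SysWOW64\ZZTLWJ.exe", r"C:\windows\system32\ZZTLWJ.exe", 4844),
    ProcEvent(3692, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\BPNNCYU.exe.bat" "', 4788),
    ProcEvent(2320, r"C:\windows\BPNNCYU.exe", r"C:\windows\BPNNCYU.exe", 3692),
    ProcEvent(4828, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOKJSZK.exe.bat" "', 2020),
    ProcEvent(4844, r"C:\windows\system\HOKJSZK.exe", r"C:\windows\system\HOKJSZK.exe", 4828),
    # Constructed benign control: a batch file outside the Windows directories.
    ProcEvent(9001, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\analyst\build.bat"', 9000),
]

if __name__ == "__main__":
    for f in detect_bat_relay(EVENTS):
        tag = " (WOW64-redirected)" if f.wow64_redirected else ""
        print(f"cmd {f.cmd_pid} ran {f.bat_path} -> {f.child_image} pid {f.child_pid}{tag}")
    print("recycled PIDs:", pid_reuse(EVENTS))
```

Run directly it reports the three relays (the first flagged as WOW64-redirected) and the recycled PID 4844, and does not fire on the control event. In production the same logic should key on ProcessGuid/ParentProcessGuid rather than PIDs, and the "Executes dropped EXE" signature corresponds to the child image having been written earlier in the run, which this check does not model.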