Analysis
max time kernel: 120s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 17:44
Static task: static1
Behavioral task: behavioral1
  Sample: f6a8685f7425892be2bbb3693c9cc2d0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f6a8685f7425892be2bbb3693c9cc2d0N.exe
  Resource: win10v2004-20240709-en
General
Target: f6a8685f7425892be2bbb3693c9cc2d0N.exe
Size: 208KB
MD5: f6a8685f7425892be2bbb3693c9cc2d0
SHA1: 84fe73492bc8a14490ff877d3a7668649ae031b2
SHA256: 34d49b84b39668e6bae0b8d31c1954687e8693d60bccbeb996550bf26478af1d
SHA512: 6cd756c731f9c86e57f46c959d26b1087eff2e95868057a2e57b0b0af599ed2b343b808fc0b2c0dc748d53f33abe07acb749e65bd9b7cb35867f38f5f3b3a7b5
SSDEEP: 3072:egCB7gtsywfq4QlpmX3rw3q+i4NJ/ovWiLUXzPbEpLKYdP44NLthEjQT6:eg6g/wfelITZ89ovWiIjPbEpLKBQEj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
Processes that queried this value (64, in report order):
ZSICS.exe, OOV.exe, FRAZ.exe, PLBE.exe, AZQK.exe, SSI.exe, UJSDPT.exe, YISRVE.exe, OGIX.exe, NZYLMHH.exe, BORZPEB.exe, HNJGRMC.exe, MHJMH.exe, HMSWMS.exe, RDRBJ.exe,
ZJQMSK.exe, HEBQV.exe, NZHIGCP.exe, KFNFNM.exe, AMILOB.exe, MKTUWQ.exe, FLYPCKI.exe, UWQ.exe, VENOOXQ.exe, LLFGTD.exe, CWIM.exe, QCWN.exe, USHF.exe, IWMOUBO.exe, GTRYPOK.exe,
DOVLYNO.exe, JGFDQH.exe, CHEQG.exe, RAUQZR.exe, MIECLV.exe, VNT.exe, EYVYTE.exe, CEEQZ.exe, CODOS.exe, CBKSI.exe, RGXEL.exe, PVKF.exe, DUBAQF.exe, FEK.exe, UXDCEQW.exe, LMET.exe,
AXCNWF.exe, PPQ.exe, XIJEBDM.exe, YDQ.exe, BJZDF.exe, PSKKBHC.exe, OSCFPCH.exe, CAU.exe, ASFXLJE.exe, QUYA.exe, KYBPK.exe, ELIXR.exe, QGHG.exe, PNOC.exe, TZUWJWA.exe,
LHH.exe, GJDWHS.exe, CQEM.exe
Executes dropped EXE (64 IoCs)
pid / Process:
2776 DEJ.exe, 4924 FRAZ.exe, 4820 ZPT.exe, 4412 ASFXLJE.exe, 2548 PNOC.exe, 4424 CYKA.exe, 2216 ORNTK.exe, 3708 ZJQMSK.exe,
3008 SEU.exe, 1236 FPD.exe, 3872 YISRVE.exe, 1748 MNSD.exe, 1008 BICPQCB.exe, 1492 HEBQV.exe, 416 AWQBE.exe, 4988 TZUWJWA.exe,
1772 UUYA.exe, 3808 LDMXBD.exe, 4972 IDOIN.exe, 3176 VGE.exe, 3876 FEK.exe, 4140 DZJT.exe, 4820 PPQ.exe, 3996 OATRB.exe,
1080 ZSICS.exe, 3196 QTKHVZ.exe, 4984 NYCXMVW.exe, 4924 CODOS.exe, 1732 CHEQG.exe, 4020 NZHIGCP.exe, 1072 KFNFNM.exe, 4060 XIJEBDM.exe,
4660 FVVLLBH.exe, 1040 QODWVCX.exe, 2080 TBIN.exe, 4124 CBKSI.exe, 400 VENOOXQ.exe, 4148 UPYEWD.exe, 1080 OKD.exe, 2476 WVEPU.exe,
3720 LLFGTD.exe, 3984 NJSAJL.exe, 1312 ZBNTJTU.exe, 4884 XZHWEY.exe, 3160 QUYA.exe, 3924 DFCYN.exe, 5116 HNJGRMC.exe, 4988 SGE.exe,
3876 PLWOQOM.exe, 1312 XRIVBN.exe, 2184 MHJMH.exe, 1628 HCOWJIT.exe, 3200 RAUQZR.exe, 3720 VIAY.exe, 232 KYBPK.exe, 4232 OGIX.exe,
2016 WYRR.exe, 1080 OBVUPR.exe, 1084 OHVJRWL.exe, 4280 UHCX.exe, 1928 MIECLV.exe, 4708 ELIXR.exe, 3876 AVR.exe, 4756 HMSWMS.exe
Drops file in System32 directory (64 IoCs)
description / ioc / Process:
File opened for modification  C:\windows\SysWOW64\HCOWJIT.exe  MHJMH.exe
File created  C:\windows\SysWOW64\RAUQZR.exe.bat  HCOWJIT.exe
File created  C:\windows\SysWOW64\KYBPK.exe  VIAY.exe
File opened for modification  C:\windows\SysWOW64\ZCYSU.exe  QCWN.exe
File created  C:\windows\SysWOW64\IWMOUBO.exe  JGFDQH.exe
File created  C:\windows\SysWOW64\SJXY.exe  GTRYPOK.exe
File created  C:\windows\SysWOW64\FEK.exe  VGE.exe
File created  C:\windows\SysWOW64\PLWOQOM.exe.bat  SGE.exe
File created  C:\windows\SysWOW64\CAU.exe  MKTUWQ.exe
File created  C:\windows\SysWOW64\KMJMHQT.exe.bat  CWIM.exe
File created  C:\windows\SysWOW64\HDPW.exe  USHF.exe
File created  C:\windows\SysWOW64\VWEEYLY.exe  RGXEL.exe
File opened for modification  C:\windows\SysWOW64\IWMOUBO.exe  JGFDQH.exe
File created  C:\windows\SysWOW64\LMET.exe.bat  BORZPEB.exe
File opened for modification  C:\windows\SysWOW64\LCOTQLC.exe  AXCNWF.exe
File opened for modification  C:\windows\SysWOW64\DZJT.exe  FEK.exe
File opened for modification  C:\windows\SysWOW64\AVR.exe  ELIXR.exe
File created  C:\windows\SysWOW64\BICPQCB.exe.bat  MNSD.exe
File created  C:\windows\SysWOW64\KFNFNM.exe  NZHIGCP.exe
File opened for modification  C:\windows\SysWOW64\OGIX.exe  KYBPK.exe
File created  C:\windows\SysWOW64\EYVYTE.exe.bat  LDRU.exe
File created  C:\windows\SysWOW64\PVKF.exe.bat  PLBE.exe
File opened for modification  C:\windows\SysWOW64\CQEM.exe  FLYPCKI.exe
File created  C:\windows\SysWOW64\CQEM.exe.bat  FLYPCKI.exe
File created  C:\windows\SysWOW64\AXCNWF.exe.bat  WPIFTG.exe
File created  C:\windows\SysWOW64\PNOC.exe.bat  ASFXLJE.exe
File created  C:\windows\SysWOW64\KYBPK.exe.bat  VIAY.exe
File created  C:\windows\SysWOW64\OGIX.exe  KYBPK.exe
File created  C:\windows\SysWOW64\OHVJRWL.exe.bat  OBVUPR.exe
File created  C:\windows\SysWOW64\UWQ.exe  IOC.exe
File created  C:\windows\SysWOW64\CNE.exe  SXQN.exe
File opened for modification  C:\windows\SysWOW64\PLWOQOM.exe  SGE.exe
File created  C:\windows\SysWOW64\HCOWJIT.exe  MHJMH.exe
File created  C:\windows\SysWOW64\XIJEBDM.exe.bat  KFNFNM.exe
File opened for modification  C:\windows\SysWOW64\MIECLV.exe  UHCX.exe
File created  C:\windows\SysWOW64\LHH.exe  UWQ.exe
File created  C:\windows\SysWOW64\VTSY.exe  PSKKBHC.exe
File opened for modification  C:\windows\SysWOW64\BICPQCB.exe  MNSD.exe
File opened for modification  C:\windows\SysWOW64\KFNFNM.exe  NZHIGCP.exe
File opened for modification  C:\windows\SysWOW64\RGXEL.exe  LLYDHQU.exe
File opened for modification  C:\windows\SysWOW64\LHH.exe  UWQ.exe
File opened for modification  C:\windows\SysWOW64\HEBQV.exe  BICPQCB.exe
File created  C:\windows\SysWOW64\HEBQV.exe.bat  BICPQCB.exe
File opened for modification  C:\windows\SysWOW64\FVVLLBH.exe  XIJEBDM.exe
File created  C:\windows\SysWOW64\MIECLV.exe  UHCX.exe
File opened for modification  C:\windows\SysWOW64\XFLJN.exe  OXJV.exe
File created  C:\windows\SysWOW64\ASFXLJE.exe  ZPT.exe
File opened for modification  C:\windows\SysWOW64\FEK.exe  VGE.exe
File created  C:\windows\SysWOW64\LMET.exe  BORZPEB.exe
File created  C:\windows\SysWOW64\MIECLV.exe.bat  UHCX.exe
File opened for modification  C:\windows\SysWOW64\KMJMHQT.exe  CWIM.exe
File created  C:\windows\SysWOW64\TZUWJWA.exe  AWQBE.exe
File opened for modification  C:\windows\SysWOW64\XIJEBDM.exe  KFNFNM.exe
File created  C:\windows\SysWOW64\FVVLLBH.exe  XIJEBDM.exe
File created  C:\windows\SysWOW64\WVEPU.exe.bat  OKD.exe
File opened for modification  C:\windows\SysWOW64\KYBPK.exe  VIAY.exe
File opened for modification  C:\windows\SysWOW64\CWIM.exe  HMSWMS.exe
File opened for modification  C:\windows\SysWOW64\PNOC.exe  ASFXLJE.exe
File created  C:\windows\SysWOW64\BICPQCB.exe  MNSD.exe
File opened for modification  C:\windows\SysWOW64\AZQK.exe  IWMOUBO.exe
File created  C:\windows\SysWOW64\PVKF.exe  PLBE.exe
File created  C:\windows\SysWOW64\WGNN.exe.bat  SYLFSM.exe
File created  C:\windows\SysWOW64\AVR.exe.bat  ELIXR.exe
File created  C:\windows\SysWOW64\KMJMHQT.exe  CWIM.exe
Drops file in Windows directory (64 IoCs)
description / ioc / Process:
File opened for modification  C:\windows\HNJGRMC.exe  DFCYN.exe
File opened for modification  C:\windows\system\YDQ.exe  ONCEBS.exe
File created  C:\windows\GJDWHS.exe.bat  ELJUJV.exe
File created  C:\windows\UJSDPT.exe  RSMD.exe
File created  C:\windows\system\KZT.exe.bat  UJSDPT.exe
File created  C:\windows\ZBNTJTU.exe  NJSAJL.exe
File created  C:\windows\JYLWCAD.exe.bat  YGIDTL.exe
File created  C:\windows\QJIV.exe  VWEEYLY.exe
File created  C:\windows\GZJCPM.exe  LMET.exe
File created  C:\windows\FZGLR.exe  BJZDF.exe
File created  C:\windows\system\VGE.exe  IDOIN.exe
File opened for modification  C:\windows\system\VIAY.exe  RAUQZR.exe
File opened for modification  C:\windows\XCQEEW.exe  PXDYUP.exe
File opened for modification  C:\windows\system\FFI.exe  AZQK.exe
File created  C:\windows\GTRYPOK.exe  YDQ.exe
File created  C:\windows\system\OXJV.exe  IWCISX.exe
File created  C:\windows\PLBE.exe.bat  EVVEDQ.exe
File created  C:\windows\QJIV.exe.bat  VWEEYLY.exe
File opened for modification  C:\windows\system\NZYLMHH.exe  OOV.exe
File created  C:\windows\system\FLYPCKI.exe  VNT.exe
File opened for modification  C:\windows\UUYA.exe  TZUWJWA.exe
File opened for modification  C:\windows\system\OATRB.exe  PPQ.exe
File opened for modification  C:\windows\CBKSI.exe  TBIN.exe
File opened for modification  C:\windows\system\NJSAJL.exe  LLFGTD.exe
File opened for modification  C:\windows\ZBNTJTU.exe  NJSAJL.exe
File created  C:\windows\system\ELJUJV.exe  CNE.exe
File created  C:\windows\system\VGE.exe.bat  IDOIN.exe
File created  C:\windows\system\OATRB.exe.bat  PPQ.exe
File created  C:\windows\BAKOMBL.exe.bat  XSVG.exe
File created  C:\windows\SYLFSM.exe  LCOTQLC.exe
File opened for modification  C:\windows\SYLFSM.exe  LCOTQLC.exe
File created  C:\windows\system\QUYA.exe.bat  XZHWEY.exe
File opened for modification  C:\windows\BAKOMBL.exe  XSVG.exe
File created  C:\windows\system\OXJV.exe.bat  IWCISX.exe
File created  C:\windows\THAHKZN.exe  DRZH.exe
File created  C:\windows\LLYDHQU.exe  NVM.exe
File created  C:\windows\OSCFPCH.exe.bat  NXYJ.exe
File created  C:\windows\system\IUFM.exe.bat  CUFYBEM.exe
File created  C:\windows\FRAZ.exe.bat  DEJ.exe
File opened for modification  C:\windows\system\CYKA.exe  PNOC.exe
File opened for modification  C:\windows\system\DOVLYNO.exe  GJDWHS.exe
File opened for modification  C:\windows\THAHKZN.exe  DRZH.exe
File opened for modification  C:\windows\system\QJK.exe  QGHG.exe
File created  C:\windows\VNT.exe.bat  XCQEEW.exe
File created  C:\windows\system\FFI.exe  AZQK.exe
File created  C:\windows\system\ONCEBS.exe.bat  FFI.exe
File created  C:\windows\system\OATRB.exe  PPQ.exe
File created  C:\windows\VENOOXQ.exe.bat  CBKSI.exe
File opened for modification  C:\windows\OBVUPR.exe  WYRR.exe
File opened for modification  C:\windows\IWCISX.exe  CWUUJV.exe
File opened for modification  C:\windows\MNSD.exe  YISRVE.exe
File created  C:\windows\system\ELIXR.exe.bat  MIECLV.exe
File created  C:\windows\system\PXDYUP.exe  NZYLMHH.exe
File created  C:\windows\AMILOB.exe  JBSNO.exe
File created  C:\windows\NXYJ.exe.bat  AMILOB.exe
File created  C:\windows\OBVUPR.exe  WYRR.exe
File created  C:\windows\IWCISX.exe.bat  CWUUJV.exe
File opened for modification  C:\windows\system\CEEQZ.exe  DUBAQF.exe
File created  C:\windows\BPGG.exe.bat  CEEQZ.exe
File created  C:\windows\system\YDQ.exe.bat  ONCEBS.exe
File opened for modification  C:\windows\BJZDF.exe  SJXY.exe
File opened for modification  C:\windows\system\AKO.exe  FZGLR.exe
File opened for modification  C:\windows\IDOIN.exe  LDMXBD.exe
File created  C:\windows\IDOIN.exe.bat  LDMXBD.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Process is WerFault.exe in every row. pid -> pid_target (procid_target):
5072 -> 464 (83), 1984 -> 2776 (91), 2412 -> 4924 (97), 512 -> 4820 (102), 1160 -> 4412 (109), 4728 -> 2548 (114),
3672 -> 4424 (121), 3040 -> 2216 (126), 2484 -> 3708 (131), 4752 -> 3008 (137), 4440 -> 1236 (142), 1640 -> 3872 (147),
1536 -> 1748 (152), 1040 -> 1008 (158), 5036 -> 1492 (163), 744 -> 416 (168), 3084 -> 4988 (173), 4432 -> 1772 (179),
1112 -> 3808 (184), 3360 -> 4972 (189), 4436 -> 3176 (194), 2020 -> 3876 (199), 3084 -> 4140 (204), 4036 -> 4820 (208),
3088 -> 3996 (214), 3788 -> 1080 (218), 3132 -> 3196 (224), 3924 -> 4984 (229), 2484 -> 4924 (234), 1936 -> 1732 (239),
1840 -> 4020 (244), 3088 -> 1072 (249), 1368 -> 4060 (254), 4104 -> 4660 (259), 544 -> 1040 (263), 2484 -> 2080 (269),
824 -> 4124 (274), 2436 -> 400 (279), 2184 -> 4148 (285), 3416 -> 1080 (290), 2500 -> 2476 (295), 4008 -> 3720 (300),
1044 -> 3984 (306), 3024 -> 1312 (311), 1940 -> 4884 (317), 2348 -> 3160 (322), 1412 -> 3924 (328), 4664 -> 5116 (332),
4912 -> 4988 (338), 2192 -> 3876 (343), 5076 -> 1312 (348), 3468 -> 2184 (353), 3040 -> 1628 (358), 4680 -> 3200 (363),
5092 -> 3720 (368), 4412 -> 232 (373), 3300 -> 4232 (378), 4540 -> 2016 (383), 1028 -> 1080 (388), 2008 -> 1084 (393),
5080 -> 4280 (398), 5008 -> 1928 (403), 3860 -> 4708 (408), 1912 -> 3876 (413)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (each entry is listed twice in the report, giving 64 IoCs):
464 f6a8685f7425892be2bbb3693c9cc2d0N.exe, 2776 DEJ.exe, 4924 FRAZ.exe, 4820 ZPT.exe, 4412 ASFXLJE.exe, 2548 PNOC.exe, 4424 CYKA.exe, 2216 ORNTK.exe,
3708 ZJQMSK.exe, 3008 SEU.exe, 1236 FPD.exe, 3872 YISRVE.exe, 1748 MNSD.exe, 1008 BICPQCB.exe, 1492 HEBQV.exe, 416 AWQBE.exe,
4988 TZUWJWA.exe, 1772 UUYA.exe, 3808 LDMXBD.exe, 4972 IDOIN.exe, 3176 VGE.exe, 3876 FEK.exe, 4140 DZJT.exe, 4820 PPQ.exe,
3996 OATRB.exe, 1080 ZSICS.exe, 3196 QTKHVZ.exe, 4984 NYCXMVW.exe, 4924 CODOS.exe, 1732 CHEQG.exe, 4020 NZHIGCP.exe, 1072 KFNFNM.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid / Process (each entry is listed twice in the report, giving 64 IoCs):
464 f6a8685f7425892be2bbb3693c9cc2d0N.exe, 2776 DEJ.exe, 4924 FRAZ.exe, 4820 ZPT.exe, 4412 ASFXLJE.exe, 2548 PNOC.exe, 4424 CYKA.exe, 2216 ORNTK.exe,
3708 ZJQMSK.exe, 3008 SEU.exe, 1236 FPD.exe, 3872 YISRVE.exe, 1748 MNSD.exe, 1008 BICPQCB.exe, 1492 HEBQV.exe, 416 AWQBE.exe,
4988 TZUWJWA.exe, 1772 UUYA.exe, 3808 LDMXBD.exe, 4972 IDOIN.exe, 3176 VGE.exe, 3876 FEK.exe, 4140 DZJT.exe, 4820 PPQ.exe,
3996 OATRB.exe, 1080 ZSICS.exe, 3196 QTKHVZ.exe, 4984 NYCXMVW.exe, 4924 CODOS.exe, 1732 CHEQG.exe, 4020 NZHIGCP.exe, 1072 KFNFNM.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (the "x3" entries are listed three times each in the report, giving 64 IoCs):
PID 464 wrote to memory of 1760  (f6a8685f7425892be2bbb3693c9cc2d0N.exe, procid_target 87)  x3
PID 1760 wrote to memory of 2776  (cmd.exe, procid_target 91)  x3
PID 2776 wrote to memory of 3348  (DEJ.exe, procid_target 93)  x3
PID 3348 wrote to memory of 4924  (cmd.exe, procid_target 97)  x3
PID 4924 wrote to memory of 3008  (FRAZ.exe, procid_target 98)  x3
PID 3008 wrote to memory of 4820  (cmd.exe, procid_target 102)  x3
PID 4820 wrote to memory of 1888  (ZPT.exe, procid_target 105)  x3
PID 1888 wrote to memory of 4412  (cmd.exe, procid_target 109)  x3
PID 4412 wrote to memory of 4920  (ASFXLJE.exe, procid_target 111)  x3
PID 4920 wrote to memory of 2548  (cmd.exe, procid_target 114)  x3
PID 2548 wrote to memory of 3808  (PNOC.exe, procid_target 117)  x3
PID 3808 wrote to memory of 4424  (cmd.exe, procid_target 121)  x3
PID 4424 wrote to memory of 4064  (CYKA.exe, procid_target 122)  x3
PID 4064 wrote to memory of 2216  (cmd.exe, procid_target 126)  x3
PID 2216 wrote to memory of 3176  (ORNTK.exe, procid_target 127)  x3
PID 3176 wrote to memory of 3708  (cmd.exe, procid_target 131)  x3
PID 3708 wrote to memory of 5104  (ZJQMSK.exe, procid_target 133)  x3
PID 5104 wrote to memory of 3008  (cmd.exe, procid_target 137)  x3
PID 3008 wrote to memory of 2020  (SEU.exe, procid_target 138)  x3
PID 2020 wrote to memory of 1236  (cmd.exe, procid_target 142)  x3
PID 1236 wrote to memory of 4028  (FPD.exe, procid_target 143)  x3
PID 4028 wrote to memory of 3872  (cmd.exe, procid_target 147)  x1
Processes
Process tree (the bracketed number is the nesting depth; each entry is the child of the one above it):

[1] C:\Users\Admin\AppData\Local\Temp\f6a8685f7425892be2bbb3693c9cc2d0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f6a8685f7425892be2bbb3693c9cc2d0N.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 464

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DEJ.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1760

[3] C:\windows\system\DEJ.exe
    Command line: C:\windows\system\DEJ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2776

[4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FRAZ.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3348

[5] C:\windows\FRAZ.exe
    Command line: C:\windows\FRAZ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4924

[6] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPT.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3008

[7] C:\windows\SysWOW64\ZPT.exe
    Command line: C:\windows\system32\ZPT.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4820

[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASFXLJE.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1888

[9] C:\windows\SysWOW64\ASFXLJE.exe
    Command line: C:\windows\system32\ASFXLJE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4412

[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNOC.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4920

[11] C:\windows\SysWOW64\PNOC.exe
    Command line: C:\windows\system32\PNOC.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2548

[12] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CYKA.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3808

[13] C:\windows\system\CYKA.exe
    Command line: C:\windows\system\CYKA.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4424

[14] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4064

[15] C:\windows\system\ORNTK.exe
    Command line: C:\windows\system\ORNTK.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2216

[16] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJQMSK.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3176

[17] C:\windows\system\ZJQMSK.exe
    Command line: C:\windows\system\ZJQMSK.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3708

[18] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEU.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 5104

[19] C:\windows\SysWOW64\SEU.exe
    Command line: C:\windows\system32\SEU.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3008

[20] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FPD.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2020

[21] C:\windows\FPD.exe
    Command line: C:\windows\FPD.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1236

[22] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YISRVE.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4028

[23] C:\windows\YISRVE.exe
    Command line: C:\windows\YISRVE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3872

[24] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "
    PID: 3280

[25] C:\windows\MNSD.exe
    Command line: C:\windows\MNSD.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1748

[26] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "
    PID: 4064

[27] C:\windows\SysWOW64\BICPQCB.exe
    Command line: C:\windows\system32\BICPQCB.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1008

[28] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEBQV.exe.bat" "
    PID: 3664

[29] C:\windows\SysWOW64\HEBQV.exe
    Command line: C:\windows\system32\HEBQV.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1492

[30] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWQBE.exe.bat" "
    PID: 4584

[31] C:\windows\SysWOW64\AWQBE.exe
    Command line: C:\windows\system32\AWQBE.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 416

[32] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZUWJWA.exe.bat" "
    PID: 3572

[33] C:\windows\SysWOW64\TZUWJWA.exe
    Command line: C:\windows\system32\TZUWJWA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4988

[34] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UUYA.exe.bat" "
    PID: 3656

[35] C:\windows\UUYA.exe
    Command line: C:\windows\UUYA.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1772

[36] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDMXBD.exe.bat" "
    PID: 4720

[37] C:\windows\SysWOW64\LDMXBD.exe
    Command line: C:\windows\system32\LDMXBD.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3808

[38] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IDOIN.exe.bat" "
    PID: 4148

[39] C:\windows\IDOIN.exe
    Command line: C:\windows\IDOIN.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4972

[40] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGE.exe.bat" "
    PID: 464

[41] C:\windows\system\VGE.exe
    Command line: C:\windows\system\VGE.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3176

[42] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEK.exe.bat" "
    PID: 2592

[43] C:\windows\SysWOW64\FEK.exe
    Command line: C:\windows\system32\FEK.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3876

[44] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DZJT.exe.bat" "
    PID: 4124

[45] C:\windows\SysWOW64\DZJT.exe
    Command line: C:\windows\system32\DZJT.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4140

[46] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPQ.exe.bat" "
    PID: 4920

[47] C:\windows\system\PPQ.exe
    Command line: C:\windows\system\PPQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4820

[48] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OATRB.exe.bat" "
    PID: 920

[49] C:\windows\system\OATRB.exe
    Command line: C:\windows\system\OATRB.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3996

[50] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSICS.exe.bat" "
    PID: 3184

[51] C:\windows\system\ZSICS.exe
    Command line: C:\windows\system\ZSICS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QTKHVZ.exe.bat" "52⤵PID:4192
-
C:\windows\SysWOW64\QTKHVZ.exeC:\windows\system32\QTKHVZ.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NYCXMVW.exe.bat" "54⤵PID:4712
-
C:\windows\system\NYCXMVW.exeC:\windows\system\NYCXMVW.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CODOS.exe.bat" "56⤵PID:1128
-
C:\windows\system\CODOS.exeC:\windows\system\CODOS.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CHEQG.exe.bat" "58⤵PID:2336
-
C:\windows\SysWOW64\CHEQG.exeC:\windows\system32\CHEQG.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NZHIGCP.exe.bat" "60⤵PID:1236
-
C:\windows\system\NZHIGCP.exeC:\windows\system\NZHIGCP.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFNFNM.exe.bat" "62⤵PID:1640
-
C:\windows\SysWOW64\KFNFNM.exeC:\windows\system32\KFNFNM.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIJEBDM.exe.bat" "64⤵PID:2284
-
C:\windows\SysWOW64\XIJEBDM.exeC:\windows\system32\XIJEBDM.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FVVLLBH.exe.bat" "66⤵PID:3664
-
C:\windows\SysWOW64\FVVLLBH.exeC:\windows\system32\FVVLLBH.exe67⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QODWVCX.exe.bat" "68⤵PID:1200
-
C:\windows\QODWVCX.exeC:\windows\QODWVCX.exe69⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TBIN.exe.bat" "70⤵PID:1372
-
C:\windows\system\TBIN.exeC:\windows\system\TBIN.exe71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CBKSI.exe.bat" "72⤵PID:3944
-
C:\windows\CBKSI.exeC:\windows\CBKSI.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "74⤵PID:4684
-
C:\windows\VENOOXQ.exeC:\windows\VENOOXQ.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UPYEWD.exe.bat" "76⤵PID:2256
-
C:\windows\UPYEWD.exeC:\windows\UPYEWD.exe77⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKD.exe.bat" "78⤵PID:848
-
C:\windows\SysWOW64\OKD.exeC:\windows\system32\OKD.exe79⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVEPU.exe.bat" "80⤵PID:4968
-
C:\windows\SysWOW64\WVEPU.exeC:\windows\system32\WVEPU.exe81⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LLFGTD.exe.bat" "82⤵PID:464
-
C:\windows\system\LLFGTD.exeC:\windows\system\LLFGTD.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NJSAJL.exe.bat" "84⤵PID:732
-
C:\windows\system\NJSAJL.exeC:\windows\system\NJSAJL.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZBNTJTU.exe.bat" "86⤵PID:4520
-
C:\windows\ZBNTJTU.exeC:\windows\ZBNTJTU.exe87⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZHWEY.exe.bat" "88⤵PID:4020
-
C:\windows\SysWOW64\XZHWEY.exeC:\windows\system32\XZHWEY.exe89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QUYA.exe.bat" "90⤵PID:3268
-
C:\windows\system\QUYA.exeC:\windows\system\QUYA.exe91⤵
- Checks computer location settings
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DFCYN.exe.bat" "92⤵PID:3412
-
C:\windows\system\DFCYN.exeC:\windows\system\DFCYN.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HNJGRMC.exe.bat" "94⤵PID:2500
-
C:\windows\HNJGRMC.exeC:\windows\HNJGRMC.exe95⤵
- Checks computer location settings
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SGE.exe.bat" "96⤵PID:732
-
C:\windows\SGE.exeC:\windows\SGE.exe97⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLWOQOM.exe.bat" "98⤵PID:2020
-
C:\windows\SysWOW64\PLWOQOM.exeC:\windows\system32\PLWOQOM.exe99⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XRIVBN.exe.bat" "100⤵PID:5088
-
C:\windows\XRIVBN.exeC:\windows\XRIVBN.exe101⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MHJMH.exe.bat" "102⤵PID:3724
-
C:\windows\MHJMH.exeC:\windows\MHJMH.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HCOWJIT.exe.bat" "104⤵PID:3512
-
C:\windows\SysWOW64\HCOWJIT.exeC:\windows\system32\HCOWJIT.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAUQZR.exe.bat" "106⤵PID:3416
-
C:\windows\SysWOW64\RAUQZR.exeC:\windows\system32\RAUQZR.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VIAY.exe.bat" "108⤵PID:2692
-
C:\windows\system\VIAY.exeC:\windows\system\VIAY.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYBPK.exe.bat" "110⤵PID:1560
-
C:\windows\SysWOW64\KYBPK.exeC:\windows\system32\KYBPK.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGIX.exe.bat" "112⤵PID:2484
-
C:\windows\SysWOW64\OGIX.exeC:\windows\system32\OGIX.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYRR.exe.bat" "114⤵PID:2524
-
C:\windows\SysWOW64\WYRR.exeC:\windows\system32\WYRR.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OBVUPR.exe.bat" "116⤵PID:412
-
C:\windows\OBVUPR.exeC:\windows\OBVUPR.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHVJRWL.exe.bat" "118⤵PID:3468
-
C:\windows\SysWOW64\OHVJRWL.exeC:\windows\system32\OHVJRWL.exe119⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UHCX.exe.bat" "120⤵PID:3528
-
C:\windows\UHCX.exeC:\windows\UHCX.exe121⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIECLV.exe.bat" "122⤵PID:4904