Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 08:42

Static task: static1
Behavioral task: behavioral1
  Sample: 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
Target: 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
Size: 208KB
MD5: 7356ea2db3e8937ffc9ee843c86cc9de
SHA1: 7f340181e5797be63608a61c338bb31ab84724cc
SHA256: 5c7449880a065072298ab9e1cb2bda484e56e4c6fd2348fe122f6a030017315c
SHA512: 7f574e5214132f3cae1d8474ac19e3d57604b6f47661f364dd5b1e713154f8d39b13f84c5c3fefaf489afbee07a6aec6f4a1865d17fbb50d7c01ecfe6da7bd97
SSDEEP: 3072:ToBBTxiK9TnPc/6sRH9N44jGvRdt4FC4pLthEjQT6j:TYBTxiKFPc/6yrw4ckEj1
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | SUG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | XKNEKU.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CQBNZX.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | PAA.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | VVOXJ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | BEEECH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WINM.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | YCVBWZO.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | ECVMD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | EHLF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | LTPH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | SUYGTHS.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | UKWRY.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | KEYNOAO.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | DLQJ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | SCEITKE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WGNN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | NTV.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | XGVVFW.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | KPAAIIP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | RXSNMUH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | GAN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | KXXD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | NAD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CBXLNBD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | RUBPTFO.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | ZNMH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | OKD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | SLIM.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | GEGVH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | GGIV.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | UAP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CEHNOYX.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | RXFP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | JNNL.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | TYKKRW.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | IWHFXJ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | GDBMZ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | IHPFE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | IPYRF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | ZRKNYN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CCYWWG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | MRTI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | ORNTK.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | ZLZ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CRY.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CHTUH.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | YIKE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | OYJKAV.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | LQXJQCQ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | XYR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | IOFR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | TATP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | NRUB.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | FLKTY.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | CSK.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | DRLMBE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | OEY.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | NOSX.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | SRJKKQT.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | XBPBVQ.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | VEUK.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | QIIKZG.exe
Executes dropped EXE (64 IoCs)
pid | Process
2004 | JXN.exe
1308 | OYJKAV.exe
1276 | LGTL.exe
5108 | QJP.exe
1248 | CUZWJ.exe
2408 | CPSHS.exe
4592 | PAA.exe
4224 | VVMZ.exe
4552 | ETGA.exe
2404 | BZMX.exe
4136 | MRTI.exe
4488 | CSK.exe
3828 | VVOXJ.exe
1532 | GDBMZ.exe
1656 | ORNTK.exe
4884 | SUYGTHS.exe
2352 | IHPFE.exe
4512 | VFXR.exe
4924 | WINM.exe
2488 | XGVVFW.exe
1848 | PENI.exe
628 | MEX.exe
4392 | KPAAIIP.exe
3960 | ZKYTFR.exe
4912 | CSE.exe
5012 | HOKJSZK.exe
1444 | NOSX.exe
3200 | HBD.exe
3908 | SUG.exe
3976 | EKZGLA.exe
2088 | YXT.exe
3448 | ETSF.exe
2004 | CEHNOYX.exe
4984 | ZEJPRU.exe
628 | RXFP.exe
556 | UKWRY.exe
2976 | TVHHHHA.exe
4608 | PVJ.exe
4516 | NLW.exe
4292 | HHBKD.exe
4588 | OUNLRP.exe
3732 | XSSX.exe
3352 | OKD.exe
380 | CGT.exe
2092 | ZLZ.exe
1796 | WWQ.exe
1940 | IPTT.exe
3608 | ZPAQ.exe
1616 | JNNL.exe
2604 | SLIM.exe
208 | DDDEL.exe
4400 | YYUGXZ.exe
4192 | GEGVH.exe
4516 | HRS.exe
3044 | YCVBWZO.exe
3192 | KNFO.exe
3864 | STS.exe
2308 | CRY.exe
2352 | HRUKSI.exe
4400 | JPZ.exe
3540 | TNN.exe
3928 | LQXJQCQ.exe
2372 | GOXUAO.exe
4356 | KEYNOAO.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\CDIIPO.exe | YVBI.exe
File opened for modification | C:\windows\SysWOW64\MDFXHVI.exe | WQOR.exe
File created | C:\windows\SysWOW64\BEPQCV.exe | TYKKRW.exe
File created | C:\windows\SysWOW64\RMBX.exe.bat | DRLMBE.exe
File created | C:\windows\SysWOW64\ETGA.exe.bat | VVMZ.exe
File created | C:\windows\SysWOW64\OUNLRP.exe.bat | HHBKD.exe
File created | C:\windows\SysWOW64\RLLRKKF.exe.bat | CQBNZX.exe
File opened for modification | C:\windows\SysWOW64\HFA.exe | EKJ.exe
File opened for modification | C:\windows\SysWOW64\NOSX.exe | HOKJSZK.exe
File created | C:\windows\SysWOW64\ECVMD.exe | GKK.exe
File created | C:\windows\SysWOW64\XNLO.exe | PIGH.exe
File created | C:\windows\SysWOW64\BEPQCV.exe.bat | TYKKRW.exe
File created | C:\windows\SysWOW64\DXZWN.exe.bat | OHLE.exe
File created | C:\windows\SysWOW64\DRLMBE.exe | VDYGRY.exe
File created | C:\windows\SysWOW64\OUNLRP.exe | HHBKD.exe
File created | C:\windows\SysWOW64\JPZ.exe.bat | HRUKSI.exe
File created | C:\windows\SysWOW64\IPYRF.exe | VEUK.exe
File created | C:\windows\SysWOW64\MDFXHVI.exe | WQOR.exe
File created | C:\windows\SysWOW64\QJP.exe | LGTL.exe
File created | C:\windows\SysWOW64\CSK.exe.bat | MRTI.exe
File created | C:\windows\SysWOW64\DDDEL.exe | SLIM.exe
File created | C:\windows\SysWOW64\PIGH.exe | CCYWWG.exe
File created | C:\windows\SysWOW64\APIFE.exe.bat | OEY.exe
File created | C:\windows\SysWOW64\JNNL.exe | ZPAQ.exe
File created | C:\windows\SysWOW64\UAP.exe | LANZA.exe
File created | C:\windows\SysWOW64\QIIKZG.exe.bat | RUBPTFO.exe
File created | C:\windows\SysWOW64\RMBX.exe | DRLMBE.exe
File created | C:\windows\SysWOW64\NRUB.exe.bat | LTPH.exe
File opened for modification | C:\windows\SysWOW64\JPZ.exe | HRUKSI.exe
File opened for modification | C:\windows\SysWOW64\HLYSQTY.exe | IBV.exe
File opened for modification | C:\windows\SysWOW64\UAP.exe | LANZA.exe
File created | C:\windows\SysWOW64\GEGVH.exe.bat | YYUGXZ.exe
File created | C:\windows\SysWOW64\QZXLG.exe.bat | SCEITKE.exe
File created | C:\windows\SysWOW64\PILP.exe.bat | ZKXYQJX.exe
File created | C:\windows\SysWOW64\XNLO.exe.bat | PIGH.exe
File created | C:\windows\SysWOW64\SVBKHOD.exe.bat | ZIHUB.exe
File created | C:\windows\SysWOW64\UKWRY.exe.bat | RXFP.exe
File opened for modification | C:\windows\SysWOW64\DJKAJN.exe | IOFR.exe
File created | C:\windows\SysWOW64\HLYSQTY.exe | IBV.exe
File created | C:\windows\SysWOW64\PILP.exe | ZKXYQJX.exe
File opened for modification | C:\windows\SysWOW64\NRUB.exe | LTPH.exe
File created | C:\windows\SysWOW64\IPYRF.exe.bat | VEUK.exe
File opened for modification | C:\windows\SysWOW64\QVXX.exe | TPNIG.exe
File created | C:\windows\SysWOW64\SVBKHOD.exe | ZIHUB.exe
File created | C:\windows\SysWOW64\RLLRKKF.exe | CQBNZX.exe
File created | C:\windows\SysWOW64\WGNN.exe | QFFZMJE.exe
File created | C:\windows\SysWOW64\JJQLFO.exe | BEEECH.exe
File opened for modification | C:\windows\SysWOW64\LTPH.exe | TATP.exe
File created | C:\windows\SysWOW64\PAA.exe.bat | CPSHS.exe
File created | C:\windows\SysWOW64\NOSX.exe.bat | HOKJSZK.exe
File opened for modification | C:\windows\SysWOW64\ZUZMU.exe | KEYNOAO.exe
File opened for modification | C:\windows\SysWOW64\CRY.exe | STS.exe
File created | C:\windows\SysWOW64\CDIIPO.exe.bat | YVBI.exe
File opened for modification | C:\windows\SysWOW64\TPNIG.exe | AKGCB.exe
File created | C:\windows\SysWOW64\QVXX.exe | TPNIG.exe
File created | C:\windows\SysWOW64\NRUB.exe | LTPH.exe
File opened for modification | C:\windows\SysWOW64\MRTI.exe | BZMX.exe
File opened for modification | C:\windows\SysWOW64\PENI.exe | XGVVFW.exe
File opened for modification | C:\windows\SysWOW64\UKWRY.exe | RXFP.exe
File created | C:\windows\SysWOW64\OKD.exe | XSSX.exe
File created | C:\windows\SysWOW64\DJKAJN.exe | IOFR.exe
File created | C:\windows\SysWOW64\QIIKZG.exe | RUBPTFO.exe
File opened for modification | C:\windows\SysWOW64\DXZWN.exe | OHLE.exe
File created | C:\windows\SysWOW64\SUYGTHS.exe | ORNTK.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\GAN.exe | IPYRF.exe
File opened for modification | C:\windows\SUUZ.exe | IWHFXJ.exe
File opened for modification | C:\windows\UTGFWWM.exe | SVBKHOD.exe
File created | C:\windows\ZKXYQJX.exe.bat | DNZBJZV.exe
File created | C:\windows\system\RPZ.exe.bat | STGY.exe
File opened for modification | C:\windows\CBXLNBD.exe | FLKTY.exe
File created | C:\windows\system\HOKJSZK.exe | CSE.exe
File created | C:\windows\system\TVHHHHA.exe.bat | UKWRY.exe
File created | C:\windows\system\FYS.exe | CPJWXZ.exe
File opened for modification | C:\windows\CYK.exe | RLLRKKF.exe
File created | C:\windows\system\SRJKKQT.exe.bat | MWXJWUL.exe
File created | C:\windows\system\TVT.exe.bat | BXBO.exe
File created | C:\windows\system\PVJ.exe.bat | TVHHHHA.exe
File opened for modification | C:\windows\system\NLW.exe | PVJ.exe
File created | C:\windows\system\TNN.exe.bat | JPZ.exe
File opened for modification | C:\windows\ZRKNYN.exe | DLQJ.exe
File created | C:\windows\EKJ.exe | RMBX.exe
File created | C:\windows\GGIV.exe.bat | RQZ.exe
File created | C:\windows\system\SGTGKZU.exe | ADP.exe
File created | C:\windows\system\SGTGKZU.exe.bat | ADP.exe
File opened for modification | C:\windows\system\ZLZ.exe | CGT.exe
File created | C:\windows\system\ZPAQ.exe.bat | IPTT.exe
File created | C:\windows\system\ORNTK.exe | GDBMZ.exe
File opened for modification | C:\windows\IHPFE.exe | SUYGTHS.exe
File opened for modification | C:\windows\EKJ.exe | RMBX.exe
File created | C:\windows\system\HRUKSI.exe.bat | CRY.exe
File created | C:\windows\system\TATP.exe.bat | TVT.exe
File created | C:\windows\system\OYJKAV.exe | JXN.exe
File opened for modification | C:\windows\system\LGTL.exe | OYJKAV.exe
File created | C:\windows\HHBKD.exe.bat | NLW.exe
File created | C:\windows\EFGGXTV.exe.bat | CHTUH.exe
File opened for modification | C:\windows\GGIV.exe | RQZ.exe
File opened for modification | C:\windows\system\IBV.exe | QXDS.exe
File created | C:\windows\OHLE.exe.bat | ZRKNYN.exe
File created | C:\windows\system\MEX.exe | PENI.exe
File created | C:\windows\ZEJPRU.exe.bat | CEHNOYX.exe
File opened for modification | C:\windows\GOXUAO.exe | LQXJQCQ.exe
File opened for modification | C:\windows\BEEECH.exe | NTV.exe
File created | C:\windows\system\KWRSJS.exe | XYR.exe
File created | C:\windows\NCVWT.exe.bat | SUUZ.exe
File opened for modification | C:\windows\system\JZZ.exe | KBOE.exe
File created | C:\windows\system\HBD.exe.bat | NOSX.exe
File created | C:\windows\system\RQZ.exe.bat | FYS.exe
File opened for modification | C:\windows\SNACP.exe | XZV.exe
File created | C:\windows\TYKKRW.exe.bat | MDFXHVI.exe
File created | C:\windows\system\GKK.exe.bat | HZVOL.exe
File created | C:\windows\system\QWPH.exe | ROOKC.exe
File created | C:\windows\system\QWPH.exe.bat | ROOKC.exe
File opened for modification | C:\windows\system\JXN.exe | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
File created | C:\windows\system\CPSHS.exe.bat | CUZWJ.exe
File created | C:\windows\system\WQOR.exe | GAN.exe
File opened for modification | C:\windows\system\IOFR.exe | CDIIPO.exe
File created | C:\windows\TYKKRW.exe | MDFXHVI.exe
File created | C:\windows\system\ZIHUB.exe.bat | DXZWN.exe
File opened for modification | C:\windows\system\STGY.exe | DYXUTX.exe
File opened for modification | C:\windows\system\VVOXJ.exe | CSK.exe
File created | C:\windows\SLIM.exe.bat | JNNL.exe
File created | C:\windows\system\LQXJQCQ.exe | TNN.exe
File created | C:\windows\HZVOL.exe | XBPBVQ.exe
File created | C:\windows\system\VFXR.exe.bat | IHPFE.exe
File created | C:\windows\system\PVJ.exe | TVHHHHA.exe
File opened for modification | C:\windows\OUNK.exe | GGIV.exe
File opened for modification | C:\windows\ZKXYQJX.exe | DNZBJZV.exe
File created | C:\windows\NCVWT.exe | SUUZ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
4628 | 4056 | WerFault.exe | 83
3548 | 2004 | WerFault.exe | 91
4948 | 1308 | WerFault.exe | 97
4292 | 1276 | WerFault.exe | 102
768 | 5108 | WerFault.exe | 107
1288 | 1248 | WerFault.exe | 112
1664 | 2408 | WerFault.exe | 119
2556 | 4592 | WerFault.exe | 124
3092 | 4224 | WerFault.exe | 131
1352 | 4552 | WerFault.exe | 136
3528 | 2404 | WerFault.exe | 141
2916 | 4136 | WerFault.exe | 147
1284 | 4488 | WerFault.exe | 152
4912 | 3828 | WerFault.exe | 157
4048 | 1532 | WerFault.exe | 163
3124 | 1656 | WerFault.exe | 169
3976 | 4884 | WerFault.exe | 174
1836 | 2352 | WerFault.exe | 179
4316 | 4512 | WerFault.exe | 184
2556 | 4924 | WerFault.exe | 189
1944 | 2488 | WerFault.exe | 194
4984 | 1848 | WerFault.exe | 199
444 | 628 | WerFault.exe | 204
116 | 4392 | WerFault.exe | 209
2688 | 3960 | WerFault.exe | 214
5080 | 4912 | WerFault.exe | 219
4864 | 5012 | WerFault.exe | 224
4568 | 1444 | WerFault.exe | 229
1276 | 3200 | WerFault.exe | 234
556 | 3908 | WerFault.exe | 239
1176 | 3976 | WerFault.exe | 244
4608 | 2088 | WerFault.exe | 249
2488 | 3448 | WerFault.exe | 255
4008 | 2004 | WerFault.exe | 260
3788 | 4984 | WerFault.exe | 265
3036 | 628 | WerFault.exe | 270
4668 | 556 | WerFault.exe | 275
2984 | 2976 | WerFault.exe | 281
1732 | 4608 | WerFault.exe | 286
2736 | 4516 | WerFault.exe | 291
1284 | 4292 | WerFault.exe | 296
2688 | 4588 | WerFault.exe | 302
3060 | 3732 | WerFault.exe | 307
416 | 3352 | WerFault.exe | 312
3292 | 380 | WerFault.exe | 316
4180 | 2092 | WerFault.exe | 322
1948 | 1796 | WerFault.exe | 327
4924 | 1940 | WerFault.exe | 332
2004 | 3608 | WerFault.exe | 337
1664 | 1616 | WerFault.exe | 342
4624 | 2604 | WerFault.exe | 347
2548 | 208 | WerFault.exe | 352
896 | 4400 | WerFault.exe | 357
1612 | 4192 | WerFault.exe | 362
1544 | 4516 | WerFault.exe | 367
800 | 3044 | WerFault.exe | 372
3076 | 3192 | WerFault.exe | 377
3588 | 3864 | WerFault.exe | 382
4680 | 2308 | WerFault.exe | 387
5068 | 2352 | WerFault.exe | 392
4896 | 4400 | WerFault.exe | 397
4516 | 3540 | WerFault.exe | 402
3760 | 3928 | WerFault.exe | 407
1828 | 2372 | WerFault.exe | 412
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GOXUAO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ADJRB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MRTI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RXFP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QVXX.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ECVMD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DDDEL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZEJPRU.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YIKE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CPJWXZ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TVT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IHPFE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IWHFXJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XSSX.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GAN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SUG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | STS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GGIV.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OHLE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XKNEKU.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UAP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PVJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ETSF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DXZWN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HHBKD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVBKHOD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VDYGRY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VVOXJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | APIFE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
2004 | JXN.exe
2004 | JXN.exe
1308 | OYJKAV.exe
1308 | OYJKAV.exe
1276 | LGTL.exe
1276 | LGTL.exe
5108 | QJP.exe
5108 | QJP.exe
1248 | CUZWJ.exe
1248 | CUZWJ.exe
2408 | CPSHS.exe
2408 | CPSHS.exe
4592 | PAA.exe
4592 | PAA.exe
4224 | VVMZ.exe
4224 | VVMZ.exe
4552 | ETGA.exe
4552 | ETGA.exe
2404 | BZMX.exe
2404 | BZMX.exe
4136 | MRTI.exe
4136 | MRTI.exe
4488 | CSK.exe
4488 | CSK.exe
3828 | VVOXJ.exe
3828 | VVOXJ.exe
1532 | GDBMZ.exe
1532 | GDBMZ.exe
1656 | ORNTK.exe
1656 | ORNTK.exe
4884 | SUYGTHS.exe
4884 | SUYGTHS.exe
2352 | IHPFE.exe
2352 | IHPFE.exe
4512 | VFXR.exe
4512 | VFXR.exe
4924 | WINM.exe
4924 | WINM.exe
2488 | XGVVFW.exe
2488 | XGVVFW.exe
1848 | PENI.exe
1848 | PENI.exe
628 | MEX.exe
628 | MEX.exe
4392 | KPAAIIP.exe
4392 | KPAAIIP.exe
3960 | ZKYTFR.exe
3960 | ZKYTFR.exe
4912 | CSE.exe
4912 | CSE.exe
5012 | HOKJSZK.exe
5012 | HOKJSZK.exe
1444 | NOSX.exe
1444 | NOSX.exe
3200 | HBD.exe
3200 | HBD.exe
3908 | SUG.exe
3908 | SUG.exe
3976 | EKZGLA.exe
3976 | EKZGLA.exe
2088 | YXT.exe
2088 | YXT.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process
4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
2004 | JXN.exe
2004 | JXN.exe
1308 | OYJKAV.exe
1308 | OYJKAV.exe
1276 | LGTL.exe
1276 | LGTL.exe
5108 | QJP.exe
5108 | QJP.exe
1248 | CUZWJ.exe
1248 | CUZWJ.exe
2408 | CPSHS.exe
2408 | CPSHS.exe
4592 | PAA.exe
4592 | PAA.exe
4224 | VVMZ.exe
4224 | VVMZ.exe
4552 | ETGA.exe
4552 | ETGA.exe
2404 | BZMX.exe
2404 | BZMX.exe
4136 | MRTI.exe
4136 | MRTI.exe
4488 | CSK.exe
4488 | CSK.exe
3828 | VVOXJ.exe
3828 | VVOXJ.exe
1532 | GDBMZ.exe
1532 | GDBMZ.exe
1656 | ORNTK.exe
1656 | ORNTK.exe
4884 | SUYGTHS.exe
4884 | SUYGTHS.exe
2352 | IHPFE.exe
2352 | IHPFE.exe
4512 | VFXR.exe
4512 | VFXR.exe
4924 | WINM.exe
4924 | WINM.exe
2488 | XGVVFW.exe
2488 | XGVVFW.exe
1848 | PENI.exe
1848 | PENI.exe
628 | MEX.exe
628 | MEX.exe
4392 | KPAAIIP.exe
4392 | KPAAIIP.exe
3960 | ZKYTFR.exe
3960 | ZKYTFR.exe
4912 | CSE.exe
4912 | CSE.exe
5012 | HOKJSZK.exe
5012 | HOKJSZK.exe
1444 | NOSX.exe
1444 | NOSX.exe
3200 | HBD.exe
3200 | HBD.exe
3908 | SUG.exe
3908 | SUG.exe
3976 | EKZGLA.exe
3976 | EKZGLA.exe
2088 | YXT.exe
2088 | YXT.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4056 wrote to memory of 5016 | 4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe | 87
PID 4056 wrote to memory of 5016 | 4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe | 87
PID 4056 wrote to memory of 5016 | 4056 | 7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe | 87
PID 5016 wrote to memory of 2004 | 5016 | cmd.exe | 91
PID 5016 wrote to memory of 2004 | 5016 | cmd.exe | 91
PID 5016 wrote to memory of 2004 | 5016 | cmd.exe | 91
PID 2004 wrote to memory of 1936 | 2004 | JXN.exe | 93
PID 2004 wrote to memory of 1936 | 2004 | JXN.exe | 93
PID 2004 wrote to memory of 1936 | 2004 | JXN.exe | 93
PID 1936 wrote to memory of 1308 | 1936 | cmd.exe | 97
PID 1936 wrote to memory of 1308 | 1936 | cmd.exe | 97
PID 1936 wrote to memory of 1308 | 1936 | cmd.exe | 97
PID 1308 wrote to memory of 2836 | 1308 | OYJKAV.exe | 98
PID 1308 wrote to memory of 2836 | 1308 | OYJKAV.exe | 98
PID 1308 wrote to memory of 2836 | 1308 | OYJKAV.exe | 98
PID 2836 wrote to memory of 1276 | 2836 | cmd.exe | 102
PID 2836 wrote to memory of 1276 | 2836 | cmd.exe | 102
PID 2836 wrote to memory of 1276 | 2836 | cmd.exe | 102
PID 1276 wrote to memory of 2684 | 1276 | LGTL.exe | 103
PID 1276 wrote to memory of 2684 | 1276 | LGTL.exe | 103
PID 1276 wrote to memory of 2684 | 1276 | LGTL.exe | 103
PID 2684 wrote to memory of 5108 | 2684 | cmd.exe | 107
PID 2684 wrote to memory of 5108 | 2684 | cmd.exe | 107
PID 2684 wrote to memory of 5108 | 2684 | cmd.exe | 107
PID 5108 wrote to memory of 1708 | 5108 | QJP.exe | 108
PID 5108 wrote to memory of 1708 | 5108 | QJP.exe | 108
PID 5108 wrote to memory of 1708 | 5108 | QJP.exe | 108
PID 1708 wrote to memory of 1248 | 1708 | cmd.exe | 112
PID 1708 wrote to memory of 1248 | 1708 | cmd.exe | 112
PID 1708 wrote to memory of 1248 | 1708 | cmd.exe | 112
PID 1248 wrote to memory of 3056 | 1248 | CUZWJ.exe | 115
PID 1248 wrote to memory of 3056 | 1248 | CUZWJ.exe | 115
PID 1248 wrote to memory of 3056 | 1248 | CUZWJ.exe | 115
PID 3056 wrote to memory of 2408 | 3056 | cmd.exe | 119
PID 3056 wrote to memory of 2408 | 3056 | cmd.exe | 119
PID 3056 wrote to memory of 2408 | 3056 | cmd.exe | 119
PID 2408 wrote to memory of 3668 | 2408 | CPSHS.exe | 120
PID 2408 wrote to memory of 3668 | 2408 | CPSHS.exe | 120
PID 2408 wrote to memory of 3668 | 2408 | CPSHS.exe | 120
PID 3668 wrote to memory of 4592 | 3668 | cmd.exe | 124
PID 3668 wrote to memory of 4592 | 3668 | cmd.exe | 124
PID 3668 wrote to memory of 4592 | 3668 | cmd.exe | 124
PID 4592 wrote to memory of 4656 | 4592 | PAA.exe | 127
PID 4592 wrote to memory of 4656 | 4592 | PAA.exe | 127
PID 4592 wrote to memory of 4656 | 4592 | PAA.exe | 127
PID 4656 wrote to memory of 4224 | 4656 | cmd.exe | 131
PID 4656 wrote to memory of 4224 | 4656 | cmd.exe | 131
PID 4656 wrote to memory of 4224 | 4656 | cmd.exe | 131
PID 4224 wrote to memory of 4564 | 4224 | VVMZ.exe | 132
PID 4224 wrote to memory of 4564 | 4224 | VVMZ.exe | 132
PID 4224 wrote to memory of 4564 | 4224 | VVMZ.exe | 132
PID 4564 wrote to memory of 4552 | 4564 | cmd.exe | 136
PID 4564 wrote to memory of 4552 | 4564 | cmd.exe | 136
PID 4564 wrote to memory of 4552 | 4564 | cmd.exe | 136
PID 4552 wrote to memory of 2312 | 4552 | ETGA.exe | 137
PID 4552 wrote to memory of 2312 | 4552 | ETGA.exe | 137
PID 4552 wrote to memory of 2312 | 4552 | ETGA.exe | 137
PID 2312 wrote to memory of 2404 | 2312 | cmd.exe | 141
PID 2312 wrote to memory of 2404 | 2312 | cmd.exe | 141
PID 2312 wrote to memory of 2404 | 2312 | cmd.exe | 141
PID 2404 wrote to memory of 3864 | 2404 | BZMX.exe | 143
PID 2404 wrote to memory of 3864 | 2404 | BZMX.exe | 143
PID 2404 wrote to memory of 3864 | 2404 | BZMX.exe | 143
PID 3864 wrote to memory of 4136 | 3864 | cmd.exe | 147
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7356ea2db3e8937ffc9ee843c86cc9de_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXN.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
Depth 3: C:\windows\system\JXN.exe
Command line: C:\windows\system\JXN.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYJKAV.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
Depth 5: C:\windows\system\OYJKAV.exe
Command line: C:\windows\system\OYJKAV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGTL.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:2836
Depth 7: C:\windows\system\LGTL.exe
Command line: C:\windows\system\LGTL.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276
Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJP.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:2684
Depth 9: C:\windows\SysWOW64\QJP.exe
Command line: C:\windows\system32\QJP.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108
Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CUZWJ.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
Depth 11: C:\windows\CUZWJ.exe
Command line: C:\windows\CUZWJ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CPSHS.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:3056
Depth 13: C:\windows\system\CPSHS.exe
Command line: C:\windows\system\CPSHS.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
Depth 14: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PAA.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:3668
Depth 15: C:\windows\SysWOW64\PAA.exe
Command line: C:\windows\system32\PAA.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
Depth 16: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVMZ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:4656
Depth 17: C:\windows\system\VVMZ.exe
Command line: C:\windows\system\VVMZ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
Depth 18: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ETGA.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
Depth 19: C:\windows\SysWOW64\ETGA.exe
Command line: C:\windows\system32\ETGA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552
Depth 20: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BZMX.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
Depth 21: C:\windows\system\BZMX.exe
Command line: C:\windows\system\BZMX.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
Depth 22: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRTI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:3864
Depth 23: C:\windows\SysWOW64\MRTI.exe
Command line: C:\windows\system32\MRTI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4136
Depth 24: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSK.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4572
Depth 25: C:\windows\SysWOW64\CSK.exe
Command line: C:\windows\system32\CSK.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4488
Depth 26: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVOXJ.exe.bat" "
PID:1696
Depth 27: C:\windows\system\VVOXJ.exe
Command line: C:\windows\system\VVOXJ.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3828
Depth 28: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDBMZ.exe.bat" "
PID:4924
Depth 29: C:\windows\SysWOW64\GDBMZ.exe
Command line: C:\windows\system32\GDBMZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532
Depth 30: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "
PID:2604
Depth 31: C:\windows\system\ORNTK.exe
Command line: C:\windows\system\ORNTK.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1656
Depth 32: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUYGTHS.exe.bat" "
PID:1256
Depth 33: C:\windows\SysWOW64\SUYGTHS.exe
Command line: C:\windows\system32\SUYGTHS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4884
Depth 34: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IHPFE.exe.bat" "
PID:2984
Depth 35: C:\windows\IHPFE.exe
Command line: C:\windows\IHPFE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2352
Depth 36: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VFXR.exe.bat" "
PID:4184
Depth 37: C:\windows\system\VFXR.exe
Command line: C:\windows\system\VFXR.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4512
Depth 38: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WINM.exe.bat" "
PID:472
Depth 39: C:\windows\system\WINM.exe
Command line: C:\windows\system\WINM.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4924
Depth 40: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XGVVFW.exe.bat" "
PID:956
Depth 41: C:\windows\system\XGVVFW.exe
Command line: C:\windows\system\XGVVFW.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2488
Depth 42: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PENI.exe.bat" "
PID:3984
Depth 43: C:\windows\SysWOW64\PENI.exe
Command line: C:\windows\system32\PENI.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1848
Depth 44: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MEX.exe.bat" "
PID:1100
Depth 45: C:\windows\system\MEX.exe
Command line: C:\windows\system\MEX.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:628
Depth 46: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KPAAIIP.exe.bat" "
PID:3668
Depth 47: C:\windows\system\KPAAIIP.exe
Command line: C:\windows\system\KPAAIIP.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4392
Depth 48: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZKYTFR.exe.bat" "
PID:2944
Depth 49: C:\windows\ZKYTFR.exe
Command line: C:\windows\ZKYTFR.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3960
Depth 50: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "
PID:3056
Depth 51: C:\windows\CSE.exe
Command line: C:\windows\CSE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4912
Depth 52: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HOKJSZK.exe.bat" "
PID:416
Depth 53: C:\windows\system\HOKJSZK.exe
Command line: C:\windows\system\HOKJSZK.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5012
Depth 54: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOSX.exe.bat" "
PID:4580
Depth 55: C:\windows\SysWOW64\NOSX.exe
Command line: C:\windows\system32\NOSX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1444
Depth 56: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HBD.exe.bat" "
PID:2208
Depth 57: C:\windows\system\HBD.exe
Command line: C:\windows\system\HBD.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3200
Depth 58: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SUG.exe.bat" "
PID:4984
Depth 59: C:\windows\SUG.exe
Command line: C:\windows\SUG.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3908
Depth 60: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EKZGLA.exe.bat" "
- System Location Discovery: System Language Discovery
PID:2152
Depth 61: C:\windows\system\EKZGLA.exe
Command line: C:\windows\system\EKZGLA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3976
Depth 62: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YXT.exe.bat" "
PID:116
Depth 63: C:\windows\YXT.exe
Command line: C:\windows\YXT.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2088
Depth 64: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ETSF.exe.bat" "
- System Location Discovery: System Language Discovery
PID:3504
Depth 65: C:\windows\system\ETSF.exe
Command line: C:\windows\system\ETSF.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448
Depth 66: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CEHNOYX.exe.bat" "
PID:4416
Depth 67: C:\windows\CEHNOYX.exe
Command line: C:\windows\CEHNOYX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2004
Depth 68: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZEJPRU.exe.bat" "
PID:4516
Depth 69: C:\windows\ZEJPRU.exe
Command line: C:\windows\ZEJPRU.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4984
Depth 70: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "
PID:1792
Depth 71: C:\windows\system\RXFP.exe
Command line: C:\windows\system\RXFP.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:628
Depth 72: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKWRY.exe.bat" "
PID:3540
Depth 73: C:\windows\SysWOW64\UKWRY.exe
Command line: C:\windows\system32\UKWRY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:556
Depth 74: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVHHHHA.exe.bat" "
PID:1364
Depth 75: C:\windows\system\TVHHHHA.exe
Command line: C:\windows\system\TVHHHHA.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2976
Depth 76: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PVJ.exe.bat" "
PID:3076
Depth 77: C:\windows\system\PVJ.exe
Command line: C:\windows\system\PVJ.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4608
Depth 78: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NLW.exe.bat" "
PID:3692
Depth 79: C:\windows\system\NLW.exe
Command line: C:\windows\system\NLW.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:4516
Depth 80: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HHBKD.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4192
Depth 81: C:\windows\HHBKD.exe
Command line: C:\windows\HHBKD.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4292
Depth 82: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OUNLRP.exe.bat" "
PID:1560
Depth 83: C:\windows\SysWOW64\OUNLRP.exe
Command line: C:\windows\system32\OUNLRP.exe
- Executes dropped EXE
PID:4588
Depth 84: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSSX.exe.bat" "
PID:4372
Depth 85: C:\windows\system\XSSX.exe
Command line: C:\windows\system\XSSX.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3732
Depth 86: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKD.exe.bat" "
PID:3608
Depth 87: C:\windows\SysWOW64\OKD.exe
Command line: C:\windows\system32\OKD.exe
- Checks computer location settings
- Executes dropped EXE
PID:3352
Depth 88: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CGT.exe.bat" "
PID:1664
Depth 89: C:\windows\CGT.exe
Command line: C:\windows\CGT.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:380
Depth 90: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZLZ.exe.bat" "
- System Location Discovery: System Language Discovery
PID:208
Depth 91: C:\windows\system\ZLZ.exe
Command line: C:\windows\system\ZLZ.exe
- Checks computer location settings
- Executes dropped EXE
PID:2092
Depth 92: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WWQ.exe.bat" "
PID:1696
Depth 93: C:\windows\system\WWQ.exe
Command line: C:\windows\system\WWQ.exe
- Executes dropped EXE
PID:1796
Depth 94: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPTT.exe.bat" "
PID:2724
Depth 95: C:\windows\system\IPTT.exe
Command line: C:\windows\system\IPTT.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1940
Depth 96: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPAQ.exe.bat" "
PID:4292
Depth 97: C:\windows\system\ZPAQ.exe
Command line: C:\windows\system\ZPAQ.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3608
Depth 98: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNNL.exe.bat" "
PID:3228
Depth 99: C:\windows\SysWOW64\JNNL.exe
Command line: C:\windows\system32\JNNL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1616
Depth 100: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SLIM.exe.bat" "
PID:3656
Depth 101: C:\windows\SLIM.exe
Command line: C:\windows\SLIM.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2604
Depth 102: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DDDEL.exe.bat" "
PID:4804
Depth 103: C:\windows\SysWOW64\DDDEL.exe
Command line: C:\windows\system32\DDDEL.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:208
Depth 104: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YYUGXZ.exe.bat" "
PID:1216
Depth 105: C:\windows\system\YYUGXZ.exe
Command line: C:\windows\system\YYUGXZ.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:4400
Depth 106: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GEGVH.exe.bat" "
PID:4760
Depth 107: C:\windows\SysWOW64\GEGVH.exe
Command line: C:\windows\system32\GEGVH.exe
- Checks computer location settings
- Executes dropped EXE
PID:4192
Depth 108: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HRS.exe.bat" "
PID:1532
Depth 109: C:\windows\system\HRS.exe
Command line: C:\windows\system\HRS.exe
- Executes dropped EXE
PID:4516
Depth 110: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YCVBWZO.exe.bat" "
PID:4896
Depth 111: C:\windows\YCVBWZO.exe
Command line: C:\windows\YCVBWZO.exe
- Checks computer location settings
- Executes dropped EXE
PID:3044
Depth 112: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KNFO.exe.bat" "
- System Location Discovery: System Language Discovery
PID:768
Depth 113: C:\windows\KNFO.exe
Command line: C:\windows\KNFO.exe
- Executes dropped EXE
PID:3192
Depth 114: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\STS.exe.bat" "
- System Location Discovery: System Language Discovery
PID:3580
Depth 115: C:\windows\STS.exe
Command line: C:\windows\STS.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3864
Depth 116: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRY.exe.bat" "
PID:2556
Depth 117: C:\windows\SysWOW64\CRY.exe
Command line: C:\windows\system32\CRY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2308
Depth 118: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HRUKSI.exe.bat" "
- System Location Discovery: System Language Discovery
PID:2408
Depth 119: C:\windows\system\HRUKSI.exe
Command line: C:\windows\system\HRUKSI.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2352
Depth 120: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPZ.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4668
Depth 121: C:\windows\SysWOW64\JPZ.exe
Command line: C:\windows\system32\JPZ.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:4400
Depth 122: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TNN.exe.bat" "
PID:1436