Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 10-08-2024 23:19

Static task: static1

Behavioral task: behavioral1
Sample: 7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
Resource: win10v2004-20240802-en

General
Target: 7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
Size: 208KB
MD5: 5673111a1583acdb8e0c3c5d17c05b95
SHA1: 69929b1fd9b78e0fbb953bd14aa4eb5685cdee33
SHA256: 7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713
SHA512: 20efdf7dbd1ea1250f5fef66e220906ecf249728b68f244056623f96a87412b762ac8013539ef6a7d777b0728a33c5b60bf1e3854eeee2864ab0c552abe9cda5
SSDEEP: 6144:kr6hRlL9gwxweLSPlTvamqLC6/CQ0w0QEj:kOOw6dbqLC66o0Q
Malware Config

Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Accessibility Features (1 TTP)
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe"
  PID: 5104
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NQJ.exe.bat" "
  PID: 4484
  - Suspicious use of WriteProcessMemory
Depth 3: C:\windows\NQJ.exe
  Command line: C:\windows\NQJ.exe
  PID: 976
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQYV.exe.bat" "
  PID: 4920
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 5: C:\windows\system\EQYV.exe
  Command line: C:\windows\system\EQYV.exe
  PID: 436
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJBOY.exe.bat" "
  PID: 1524
  - Suspicious use of WriteProcessMemory
Depth 7: C:\windows\SysWOW64\QJBOY.exe
  Command line: C:\windows\system32\QJBOY.exe
  PID: 4660
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOGDFPL.exe.bat" "
  PID: 2736
  - Suspicious use of WriteProcessMemory
Depth 9: C:\windows\SysWOW64\MOGDFPL.exe
  Command line: C:\windows\system32\MOGDFPL.exe
  PID: 2784
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MZHFTTA.exe.bat" "
  PID: 3456
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Depth 11: C:\windows\system\MZHFTTA.exe
  Command line: C:\windows\system\MZHFTTA.exe
  PID: 3756
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OXIHRQI.exe.bat" "
  PID: 1808
  - Suspicious use of WriteProcessMemory
Depth 13: C:\windows\OXIHRQI.exe
  Command line: C:\windows\OXIHRQI.exe
  PID: 4296
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DSSLK.exe.bat" "
  PID: 1696
  - Suspicious use of WriteProcessMemory
Depth 15: C:\windows\DSSLK.exe
  Command line: C:\windows\DSSLK.exe
  PID: 3148
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YNXVMCF.exe.bat" "
  PID: 3220
  - Suspicious use of WriteProcessMemory
Depth 17: C:\windows\YNXVMCF.exe
  Command line: C:\windows\YNXVMCF.exe
  PID: 4024
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 18: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OYNTU.exe.bat" "
  PID: 4268
  - Suspicious use of WriteProcessMemory
Depth 19: C:\windows\OYNTU.exe
  Command line: C:\windows\OYNTU.exe
  PID: 1524
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 20: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TDFIKS.exe.bat" "
  PID: 5112
  - Suspicious use of WriteProcessMemory
Depth 21: C:\windows\TDFIKS.exe
  Command line: C:\windows\TDFIKS.exe
  PID: 1164
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Depth 22: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RREJHV.exe.bat" "
  PID: 2036
  - Suspicious use of WriteProcessMemory
Depth 23: C:\windows\system\RREJHV.exe
  Command line: C:\windows\system\RREJHV.exe
  PID: 3456
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 24: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMJ.exe.bat" "
  PID: 1316
  - System Location Discovery: System Language Discovery
Depth 25: C:\windows\SysWOW64\MMJ.exe
  Command line: C:\windows\system32\MMJ.exe
  PID: 3260
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 26: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMRGAX.exe.bat" "
  PID: 3016
Depth 27: C:\windows\SysWOW64\SMRGAX.exe
  Command line: C:\windows\system32\SMRGAX.exe
  PID: 2476
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 28: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XMY.exe.bat" "
  PID: 3048
Depth 29: C:\windows\system\XMY.exe
  Command line: C:\windows\system\XMY.exe
  PID: 960
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 30: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DAQCOV.exe.bat" "
  PID: 632
Depth 31: C:\windows\system\DAQCOV.exe
  Command line: C:\windows\system\DAQCOV.exe
  PID: 100
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 32: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YVUMYUO.exe.bat" "
  PID: 4636
Depth 33: C:\windows\YVUMYUO.exe
  Command line: C:\windows\YVUMYUO.exe
  PID: 2136
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 34: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LYLCM.exe.bat" "
  PID: 2180
Depth 35: C:\windows\LYLCM.exe
  Command line: C:\windows\LYLCM.exe
  PID: 1464
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 36: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MBPGSVL.exe.bat" "
  PID: 3468
Depth 37: C:\windows\system\MBPGSVL.exe
  Command line: C:\windows\system\MBPGSVL.exe
  PID: 808
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 38: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HOTP.exe.bat" "
  PID: 3756
Depth 39: C:\windows\HOTP.exe
  Command line: C:\windows\HOTP.exe
  PID: 744
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 40: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHOIK.exe.bat" "
  PID: 4812
Depth 41: C:\windows\SysWOW64\SHOIK.exe
  Command line: C:\windows\system32\SHOIK.exe
  PID: 4752
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 42: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JUZ.exe.bat" "
  PID: 4668
Depth 43: C:\windows\system\JUZ.exe
  Command line: C:\windows\system\JUZ.exe
  PID: 3880
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 44: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EHEKC.exe.bat" "
  PID: 3552
Depth 45: C:\windows\system\EHEKC.exe
  Command line: C:\windows\system\EHEKC.exe
  PID: 2140
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 46: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\USCHC.exe.bat" "
  PID: 4036
Depth 47: C:\windows\system\USCHC.exe
  Command line: C:\windows\system\USCHC.exe
  PID: 868
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 48: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFHRMTC.exe.bat" "
  PID: 2308
Depth 49: C:\windows\SysWOW64\PFHRMTC.exe
  Command line: C:\windows\system32\PFHRMTC.exe
  PID: 2792
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 50: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBMA.exe.bat" "
  PID: 3840
Depth 51: C:\windows\system\JBMA.exe
  Command line: C:\windows\system\JBMA.exe
  PID: 864
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 52: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XEUZLEM.exe.bat" "
  PID: 4928
Depth 53: C:\windows\system\XEUZLEM.exe
  Command line: C:\windows\system\XEUZLEM.exe
  PID: 2192
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 54: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OMW.exe.bat" "
  PID: 4504
Depth 55: C:\windows\system\OMW.exe
  Command line: C:\windows\system\OMW.exe
  PID: 2564
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 56: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BXF.exe.bat" "
  PID: 1176
Depth 57: C:\windows\SysWOW64\BXF.exe
  Command line: C:\windows\system32\BXF.exe
  PID: 2476
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 58: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCF.exe.bat" "
  PID: 2420
Depth 59: C:\windows\SysWOW64\BCF.exe
  Command line: C:\windows\system32\BCF.exe
  PID: 4948
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 60: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCMX.exe.bat" "
  PID: 4220
Depth 61: C:\windows\system\HCMX.exe
  Command line: C:\windows\system\HCMX.exe
  PID: 1236
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 62: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SVPQV.exe.bat" "
  PID: 1576
Depth 63: C:\windows\system\SVPQV.exe
  Command line: C:\windows\system\SVPQV.exe
  PID: 3892
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Depth 64: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AGQRJFK.exe.bat" "
  PID: 2120
Depth 65: C:\windows\system\AGQRJFK.exe
  Command line: C:\windows\system\AGQRJFK.exe
  PID: 3016
  - Executes dropped EXE
Depth 66: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KOS.exe.bat" "
  PID: 4172
  - System Location Discovery: System Language Discovery
Depth 67: C:\windows\system\KOS.exe
  Command line: C:\windows\system\KOS.exe
  PID: 2844
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 68: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJBAXX.exe.bat" "
  PID: 1696
Depth 69: C:\windows\SysWOW64\ZJBAXX.exe
  Command line: C:\windows\system32\ZJBAXX.exe
  PID: 4268
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 70: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZOCPHKX.exe.bat" "
  PID: 1188
Depth 71: C:\windows\SysWOW64\ZOCPHKX.exe
  Command line: C:\windows\system32\ZOCPHKX.exe
  PID: 1012
  - Executes dropped EXE
Depth 72: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VUHMOTR.exe.bat" "
  PID: 436
Depth 73: C:\windows\VUHMOTR.exe
  Command line: C:\windows\VUHMOTR.exe
  PID: 3328
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Depth 74: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QHMVYT.exe.bat" "
  PID: 2084
Depth 75: C:\windows\SysWOW64\QHMVYT.exe
  Command line: C:\windows\system32\QHMVYT.exe
  PID: 2772
  - Checks computer location settings
  - Executes dropped EXE
Depth 76: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RKQZEJP.exe.bat" "
  PID: 1768
  - System Location Discovery: System Language Discovery
Depth 77: C:\windows\RKQZEJP.exe
  Command line: C:\windows\RKQZEJP.exe
  PID: 4320
  - Executes dropped EXE
  - Drops file in Windows directory
Depth 78: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFAEP.exe.bat" "
  PID: 1660
Depth 79: C:\windows\system\GFAEP.exe
  Command line: C:\windows\system\GFAEP.exe
  PID: 2792
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Depth 80: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATENZWF.exe.bat" "
  PID: 1088
Depth 81: C:\windows\system\ATENZWF.exe
  Command line: C:\windows\system\ATENZWF.exe
  PID: 2044
  - Executes dropped EXE
  - Drops file in Windows directory
Depth 82: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AGF.exe.bat" "
  PID: 3460
Depth 83: C:\windows\AGF.exe
  Command line: C:\windows\AGF.exe
  PID: 1804
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 84: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUBLL.exe.bat" "
  PID: 4532
  - System Location Discovery: System Language Discovery
Depth 85: C:\windows\SysWOW64\VUBLL.exe
  Command line: C:\windows\system32\VUBLL.exe
  PID: 2588
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Depth 86: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GMEETQ.exe.bat" "
  PID: 1300
Depth 87: C:\windows\GMEETQ.exe
  Command line: C:\windows\GMEETQ.exe
  PID: 4388
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Depth 88: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXNFZC.exe.bat" "
  PID: 3236
  - System Location Discovery: System Language Discovery
Depth 89: C:\windows\SysWOW64\OXNFZC.exe
  Command line: C:\windows\system32\OXNFZC.exe
  PID: 1816
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 90: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZPQYHJI.exe.bat" "
  PID: 1116
Depth 91: C:\windows\SysWOW64\ZPQYHJI.exe
  Command line: C:\windows\system32\ZPQYHJI.exe
  PID: 2452
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 92: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LIL.exe.bat" "
  PID: 1088
Depth 93: C:\windows\SysWOW64\LIL.exe
  Command line: C:\windows\system32\LIL.exe
  PID: 1552
  - Executes dropped EXE
Depth 94: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MLV.exe.bat" "
  PID: 4788
Depth 95: C:\windows\MLV.exe
  Command line: C:\windows\MLV.exe
  PID: 3148
  - Executes dropped EXE
Depth 96: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HGZHK.exe.bat" "
  PID: 4844
Depth 97: C:\windows\system\HGZHK.exe
  Command line: C:\windows\system\HGZHK.exe
  PID: 2908
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 98: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJVG.exe.bat" "
  PID: 3576
Depth 99: C:\windows\SysWOW64\UJVG.exe
  Command line: C:\windows\system32\UJVG.exe
  PID: 1560
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
Depth 100: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NMZ.exe.bat" "
  PID: 1644
Depth 101: C:\windows\system\NMZ.exe
  Command line: C:\windows\system\NMZ.exe
  PID: 1660
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Depth 102: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AXQAJX.exe.bat" "
  PID: 2112
  - System Location Discovery: System Language Discovery
Depth 103: C:\windows\AXQAJX.exe
  Command line: C:\windows\AXQAJX.exe
  PID: 2196
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Depth 104: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BST.exe.bat" "
  PID: 1824
Depth 105: C:\windows\SysWOW64\BST.exe
  Command line: C:\windows\system32\BST.exe
  PID: 440
  - Executes dropped EXE
  - Drops file in Windows directory
Depth 106: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BXMSYA.exe.bat" "
  PID: 2852
  - System Location Discovery: System Language Discovery
Depth 107: C:\windows\BXMSYA.exe
  Command line: C:\windows\BXMSYA.exe
  PID: 960
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 108: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FNA.exe.bat" "
  PID: 224
Depth 109: C:\windows\SysWOW64\FNA.exe
  Command line: C:\windows\system32\FNA.exe
  PID: 1376
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Depth 110: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QGVL.exe.bat" "
  PID: 2692
  - System Location Discovery: System Language Discovery
Depth 111: C:\windows\QGVL.exe
  Command line: C:\windows\QGVL.exe
  PID: 2960
  - Executes dropped EXE
Depth 112: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FBFPV.exe.bat" "
  PID: 2236
  - System Location Discovery: System Language Discovery
Depth 113: C:\windows\system\FBFPV.exe
  Command line: C:\windows\system\FBFPV.exe
  PID: 2908
  - Executes dropped EXE
Depth 114: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWE.exe.bat" "
  PID: 4536
Depth 115: C:\windows\system\LWE.exe
  Command line: C:\windows\system\LWE.exe
  PID: 4688
  - Executes dropped EXE
Depth 116: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ARVCTC.exe.bat" "
  PID: 4076
  - System Location Discovery: System Language Discovery
Depth 117: C:\windows\system\ARVCTC.exe
  Command line: C:\windows\system\ARVCTC.exe
  PID: 212
  - Executes dropped EXE
  - Drops file in Windows directory
Depth 118: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QHWC.exe.bat" "
  PID: 2736
Depth 119: C:\windows\system\QHWC.exe
  Command line: C:\windows\system\QHWC.exe
  PID: 2424
  - Executes dropped EXE
Depth 120: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KVBLCX.exe.bat" "
  PID: 3060
Depth 121: C:\windows\system\KVBLCX.exe
  Command line: C:\windows\system\KVBLCX.exe
  PID: 1476
  - Checks computer location settings
  - Executes dropped EXE
Depth 122: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OLI.exe.bat" "
  PID: 5064
  - System Location Discovery: System Language Discovery