Analysis

max time kernel: 120s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 20:27

Static task: static1

Behavioral task: behavioral1
Sample: d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Resource: win10v2004-20240802-en

General

Target: d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Size: 208KB
MD5: d2bc8adaeb18ec8f5894bc4a1657d1d0
SHA1: aa4fcfd5dbd72bbbd6d5cea3789d6dd16e0e6104
SHA256: 07b6246eae5c01819475f3d1a0a10d4f7d6a50359260256f9ccaee686fa2d299
SHA512: bf299dae8e5055ee7b596bc84c70d6405616d3ff4de401c2cec53c2dfef4b2803c31c22e34fd49a6741b3974292744b1e12776edc4fd52958c757c125cf0aca0
SSDEEP: 6144:arYTgEMnRNLPI3YHB9/vMYRbbdfHKPQEj:OBEIjU8IPQ

Malware Config

Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d2bc8adaeb18ec8f5894bc4a1657d1d0N.exe"
PID: 3640
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GGMKGTL.exe.bat" "
PID: 2776
- Suspicious use of WriteProcessMemory

Level 3: C:\windows\GGMKGTL.exe
Command line: C:\windows\GGMKGTL.exe
PID: 1944
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FRXAPH.exe.bat" "
PID: 4964
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 5: C:\windows\system\FRXAPH.exe
Command line: C:\windows\system\FRXAPH.exe
PID: 4124
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YJFL.exe.bat" "
PID: 448
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 7: C:\windows\YJFL.exe
Command line: C:\windows\YJFL.exe
PID: 4560
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AHGFE.exe.bat" "
PID: 2452
- Suspicious use of WriteProcessMemory

Level 9: C:\windows\AHGFE.exe
Command line: C:\windows\AHGFE.exe
PID: 5020
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CKHUP.exe.bat" "
PID: 3280
- Suspicious use of WriteProcessMemory

Level 11: C:\windows\system\CKHUP.exe
Command line: C:\windows\system\CKHUP.exe
PID: 2408
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XXMEZLO.exe.bat" "
PID: 2896
- Suspicious use of WriteProcessMemory

Level 13: C:\windows\system\XXMEZLO.exe
Command line: C:\windows\system\XXMEZLO.exe
PID: 2916
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 14: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NILTZGJ.exe.bat" "
PID: 4472
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 15: C:\windows\NILTZGJ.exe
Command line: C:\windows\NILTZGJ.exe
PID: 1708
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 16: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TIKH.exe.bat" "
PID: 3728
- Suspicious use of WriteProcessMemory

Level 17: C:\windows\TIKH.exe
Command line: C:\windows\TIKH.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OEPZSI.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\windows\system\OEPZSI.exeC:\windows\system\OEPZSI.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KBVOZJ.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\windows\system\KBVOZJ.exeC:\windows\system\KBVOZJ.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MZWQFG.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\windows\system\MZWQFG.exeC:\windows\system\MZWQFG.exe23⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QPDQ.exe.bat" "24⤵PID:2968
-
C:\windows\system\QPDQ.exeC:\windows\system\QPDQ.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCIZUY.exe.bat" "26⤵PID:1676
-
C:\windows\SysWOW64\LCIZUY.exeC:\windows\system32\LCIZUY.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RDP.exe.bat" "28⤵PID:708
-
C:\windows\system\RDP.exeC:\windows\system\RDP.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LQMEV.exe.bat" "30⤵PID:1324
-
C:\windows\LQMEV.exeC:\windows\LQMEV.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IVSU.exe.bat" "32⤵PID:3524
-
C:\windows\IVSU.exeC:\windows\IVSU.exe33⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PMT.exe.bat" "34⤵PID:2208
-
C:\windows\PMT.exeC:\windows\PMT.exe35⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWB.exe.bat" "36⤵PID:2620
-
C:\windows\SysWOW64\XWB.exeC:\windows\system32\XWB.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KHFT.exe.bat" "38⤵PID:4836
-
C:\windows\system\KHFT.exeC:\windows\system\KHFT.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GPABFSG.exe.bat" "40⤵PID:3728
-
C:\windows\GPABFSG.exeC:\windows\GPABFSG.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAIZL.exe.bat" "42⤵PID:3956
-
C:\windows\SysWOW64\TAIZL.exeC:\windows\system32\TAIZL.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WNNJ.exe.bat" "44⤵PID:4944
-
C:\windows\system\WNNJ.exeC:\windows\system\WNNJ.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RASSGC.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:1036 -
C:\windows\RASSGC.exeC:\windows\RASSGC.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FGXPNM.exe.bat" "48⤵PID:2896
-
C:\windows\FGXPNM.exeC:\windows\FGXPNM.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATC.exe.bat" "50⤵PID:1536
-
C:\windows\SysWOW64\ATC.exeC:\windows\system32\ATC.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMXR.exe.bat" "52⤵
- System Location Discovery: System Language Discovery
PID:3380 -
C:\windows\SysWOW64\TMXR.exeC:\windows\system32\TMXR.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHCBH.exe.bat" "54⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\windows\SysWOW64\OHCBH.exeC:\windows\system32\OHCBH.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XHEGTRB.exe.bat" "56⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\windows\system\XHEGTRB.exeC:\windows\system\XHEGTRB.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SVJP.exe.bat" "58⤵PID:4560
-
C:\windows\SysWOW64\SVJP.exeC:\windows\system32\SVJP.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SYNTJGS.exe.bat" "60⤵PID:2300
-
C:\windows\SYNTJGS.exeC:\windows\SYNTJGS.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YYU.exe.bat" "62⤵PID:5112
-
C:\windows\YYU.exeC:\windows\YYU.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JRXA.exe.bat" "64⤵PID:2508
-
C:\windows\system\JRXA.exeC:\windows\system\JRXA.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YWVPHA.exe.bat" "66⤵PID:448
-
C:\windows\YWVPHA.exeC:\windows\YWVPHA.exe67⤵
- Checks computer location settings
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JPYHPHA.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\windows\JPYHPHA.exeC:\windows\JPYHPHA.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GMEFWRU.exe.bat" "70⤵PID:2072
-
C:\windows\system\GMEFWRU.exeC:\windows\system\GMEFWRU.exe71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MNMS.exe.bat" "72⤵PID:4388
-
C:\windows\MNMS.exeC:\windows\MNMS.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VVOXJ.exe.bat" "74⤵PID:616
-
C:\windows\system\VVOXJ.exeC:\windows\system\VVOXJ.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BVVLATG.exe.bat" "76⤵PID:4872
-
C:\windows\BVVLATG.exeC:\windows\BVVLATG.exe77⤵
- Checks computer location settings
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VJAU.exe.bat" "78⤵PID:1728
-
C:\windows\system\VJAU.exeC:\windows\system\VJAU.exe79⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XGTXI.exe.bat" "80⤵PID:1356
-
C:\windows\XGTXI.exeC:\windows\XGTXI.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WWAZ.exe.bat" "82⤵PID:3608
-
C:\windows\WWAZ.exeC:\windows\WWAZ.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMZK.exe.bat" "84⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\windows\SysWOW64\MMZK.exeC:\windows\system32\MMZK.exe85⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUBPK.exe.bat" "86⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\windows\SysWOW64\WUBPK.exeC:\windows\system32\WUBPK.exe87⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKASNER.exe.bat" "88⤵PID:4812
-
C:\windows\SysWOW64\UKASNER.exeC:\windows\system32\UKASNER.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDDLWT.exe.bat" "90⤵PID:2404
-
C:\windows\SysWOW64\FDDLWT.exeC:\windows\system32\FDDLWT.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JTJTI.exe.bat" "92⤵PID:8
-
C:\windows\system\JTJTI.exeC:\windows\system\JTJTI.exe93⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQPIP.exe.bat" "94⤵PID:4596
-
C:\windows\SysWOW64\GQPIP.exeC:\windows\system32\GQPIP.exe95⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GEPWRA.exe.bat" "96⤵PID:808
-
C:\windows\GEPWRA.exeC:\windows\GEPWRA.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ARU.exe.bat" "98⤵PID:4776
-
C:\windows\ARU.exeC:\windows\ARU.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEFYR.exe.bat" "100⤵PID:2708
-
C:\windows\SysWOW64\SEFYR.exeC:\windows\system32\SEFYR.exe101⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUGXXSR.exe.bat" "102⤵PID:2184
-
C:\windows\SysWOW64\ZUGXXSR.exeC:\windows\system32\ZUGXXSR.exe103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WSD.exe.bat" "104⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\windows\system\WSD.exeC:\windows\system\WSD.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVHQKSU.exe.bat" "106⤵PID:760
-
C:\windows\SysWOW64\WVHQKSU.exeC:\windows\system32\WVHQKSU.exe107⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CVP.exe.bat" "108⤵PID:4604
-
C:\windows\SysWOW64\CVP.exeC:\windows\system32\CVP.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJUN.exe.bat" "110⤵PID:1916
-
C:\windows\SysWOW64\XJUN.exeC:\windows\system32\XJUN.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PMX.exe.bat" "112⤵PID:5020
-
C:\windows\system\PMX.exeC:\windows\system\PMX.exe113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMFF.exe.bat" "114⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\windows\SysWOW64\VMFF.exeC:\windows\system32\VMFF.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EMHKDCX.exe.bat" "116⤵PID:2628
-
C:\windows\SysWOW64\EMHKDCX.exeC:\windows\system32\EMHKDCX.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVJ.exe.bat" "118⤵PID:2092
-
C:\windows\SysWOW64\WVJ.exeC:\windows\system32\WVJ.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4288 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CVRDY.exe.bat" "120⤵PID:4708
-
C:\windows\system\CVRDY.exeC:\windows\system\CVRDY.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QAXAF.exe.bat" "122⤵PID:3432