Analysis
max time kernel: 120s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: fc0885eba0c879235bed533a6f0f7090N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: fc0885eba0c879235bed533a6f0f7090N.exe
  Resource: win10v2004-20240802-en
General
Target: fc0885eba0c879235bed533a6f0f7090N.exe
Size: 208KB
MD5: fc0885eba0c879235bed533a6f0f7090
SHA1: 28f117ede24743638a466b6e1cbb470c15019557
SHA256: 364d5f7c22b563605a1e0cf3dc36adfd0efa3d3be2606c45ffa7fbc2a7d3151b
SHA512: dda3f02ca39421962b9e127556e7503503ccb6f324e687846fa89995de89cea4cc7ad5e772ece0102422efe8c4eb43c56017f2d58311901005072ce436d55c95
SSDEEP: 6144:arYTgEMnRNLPI3YHB9/vMYRbbdfHKuQEj:OBEIjU8IuQ
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc0885eba0c879235bed533a6f0f7090N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc0885eba0c879235bed533a6f0f7090N.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3164
2. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMS.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 4776
3. C:\windows\SysWOW64\UMS.exe
   Command line: C:\windows\system32\UMS.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1940
4. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HPB.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1928
5. C:\windows\HPB.exe
   Command line: C:\windows\HPB.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2616
6. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2580
7. C:\windows\JNCQGQT.exe
   Command line: C:\windows\JNCQGQT.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1604
8. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQEXQEN.exe.bat" "
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3560
9. C:\windows\SysWOW64\LQEXQEN.exe
   Command line: C:\windows\system32\LQEXQEN.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3084
10. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ETVAVIW.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2056
11. C:\windows\SysWOW64\ETVAVIW.exe
   Command line: C:\windows\system32\ETVAVIW.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4352
12. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TONNG.exe.bat" "
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1408
13. C:\windows\TONNG.exe
   Command line: C:\windows\TONNG.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3476
14. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OBRWQV.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 4568
15. C:\windows\OBRWQV.exe
   Command line: C:\windows\OBRWQV.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2280
16. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BMNVV.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2824
17. C:\windows\SysWOW64\BMNVV.exe
   Command line: C:\windows\system32\BMNVV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMPIYRQ.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\windows\SysWOW64\KMPIYRQ.exeC:\windows\system32\KMPIYRQ.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FXYYNUL.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\windows\system\FXYYNUL.exeC:\windows\system\FXYYNUL.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EIJOVI.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\windows\EIJOVI.exeC:\windows\EIJOVI.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSRN.exe.bat" "24⤵PID:740
-
C:\windows\SysWOW64\RSRN.exeC:\windows\system32\RSRN.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KNVJPB.exe.bat" "26⤵PID:4796
-
C:\windows\system\KNVJPB.exeC:\windows\system\KNVJPB.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LRZM.exe.bat" "28⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\windows\system\LRZM.exeC:\windows\system\LRZM.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOMHKZO.exe.bat" "30⤵PID:2056
-
C:\windows\SysWOW64\NOMHKZO.exeC:\windows\system32\NOMHKZO.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUE.exe.bat" "32⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\windows\SysWOW64\VUE.exeC:\windows\system32\VUE.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZKLVYEF.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:4608 -
C:\windows\ZKLVYEF.exeC:\windows\ZKLVYEF.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YUUXDJU.exe.bat" "36⤵
- System Location Discovery: System Language Discovery
PID:3284 -
C:\windows\system\YUUXDJU.exeC:\windows\system\YUUXDJU.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EQTXI.exe.bat" "38⤵PID:3712
-
C:\windows\system\EQTXI.exeC:\windows\system\EQTXI.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JVLN.exe.bat" "40⤵PID:1160
-
C:\windows\JVLN.exeC:\windows\JVLN.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CYPIE.exe.bat" "42⤵PID:1020
-
C:\windows\CYPIE.exeC:\windows\CYPIE.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YWVGTGP.exe.bat" "44⤵
- System Location Discovery: System Language Discovery
PID:1112 -
C:\windows\system\YWVGTGP.exeC:\windows\system\YWVGTGP.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RZZJ.exe.bat" "46⤵PID:1400
-
C:\windows\system\RZZJ.exeC:\windows\system\RZZJ.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GPABFSG.exe.bat" "48⤵PID:2156
-
C:\windows\GPABFSG.exeC:\windows\GPABFSG.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HSDEKI.exe.bat" "50⤵PID:3440
-
C:\windows\SysWOW64\HSDEKI.exeC:\windows\system32\HSDEKI.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HDMYYUE.exe.bat" "52⤵PID:3992
-
C:\windows\HDMYYUE.exeC:\windows\HDMYYUE.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QLG.exe.bat" "54⤵PID:3252
-
C:\windows\QLG.exeC:\windows\QLG.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FGXPNM.exe.bat" "56⤵PID:3568
-
C:\windows\FGXPNM.exeC:\windows\FGXPNM.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JJWK.exe.bat" "58⤵PID:4224
-
C:\windows\JJWK.exeC:\windows\JJWK.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\THB.exe.bat" "60⤵PID:2444
-
C:\windows\THB.exeC:\windows\THB.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MPBNLJ.exe.bat" "62⤵PID:2232
-
C:\windows\SysWOW64\MPBNLJ.exeC:\windows\system32\MPBNLJ.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TKGZV.exe.bat" "64⤵PID:1164
-
C:\windows\system\TKGZV.exeC:\windows\system\TKGZV.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LSGQ.exe.bat" "66⤵PID:2080
-
C:\windows\LSGQ.exeC:\windows\LSGQ.exe67⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JSBLDPX.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\windows\JSBLDPX.exeC:\windows\JSBLDPX.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YNYYNQ.exe.bat" "70⤵PID:2600
-
C:\windows\SysWOW64\YNYYNQ.exeC:\windows\system32\YNYYNQ.exe71⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LBRP.exe.bat" "72⤵PID:1240
-
C:\windows\system\LBRP.exeC:\windows\system\LBRP.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VZEJ.exe.bat" "74⤵PID:1400
-
C:\windows\system\VZEJ.exeC:\windows\system\VZEJ.exe75⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XWKDLV.exe.bat" "76⤵PID:3172
-
C:\windows\system\XWKDLV.exeC:\windows\system\XWKDLV.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DXRR.exe.bat" "78⤵PID:2288
-
C:\windows\SysWOW64\DXRR.exeC:\windows\system32\DXRR.exe79⤵
- Checks computer location settings
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DCSG.exe.bat" "80⤵PID:4948
-
C:\windows\DCSG.exeC:\windows\DCSG.exe81⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FQOPGC.exe.bat" "82⤵PID:4848
-
C:\windows\FQOPGC.exeC:\windows\FQOPGC.exe83⤵
- Checks computer location settings
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WFVSSO.exe.bat" "84⤵PID:4872
-
C:\windows\system\WFVSSO.exeC:\windows\system\WFVSSO.exe85⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YIFHCK.exe.bat" "86⤵PID:4344
-
C:\windows\system\YIFHCK.exeC:\windows\system\YIFHCK.exe87⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGY.exe.bat" "88⤵PID:3008
-
C:\windows\SysWOW64\NYGY.exeC:\windows\system32\NYGY.exe89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JOA.exe.bat" "90⤵PID:2296
-
C:\windows\JOA.exeC:\windows\JOA.exe91⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PPIUV.exe.bat" "92⤵PID:3872
-
C:\windows\PPIUV.exeC:\windows\PPIUV.exe93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCMLFYV.exe.bat" "94⤵PID:4340
-
C:\windows\SysWOW64\JCMLFYV.exeC:\windows\system32\JCMLFYV.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GHK.exe.bat" "96⤵
- System Location Discovery: System Language Discovery
PID:3956 -
C:\windows\SysWOW64\GHK.exeC:\windows\system32\GHK.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MISO.exe.bat" "98⤵PID:3372
-
C:\windows\MISO.exeC:\windows\MISO.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XAVHE.exe.bat" "100⤵PID:3212
-
C:\windows\XAVHE.exeC:\windows\XAVHE.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "102⤵PID:2068
-
C:\windows\system\GBXMHP.exeC:\windows\system\GBXMHP.exe103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SJEUTH.exe.bat" "104⤵PID:4036
-
C:\windows\SJEUTH.exeC:\windows\SJEUTH.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "106⤵PID:980
-
C:\windows\SysWOW64\CRGZXFG.exeC:\windows\system32\CRGZXFG.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TEQ.exe.bat" "108⤵PID:1248
-
C:\windows\system\TEQ.exeC:\windows\system\TEQ.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RSPSR.exe.bat" "110⤵PID:1592
-
C:\windows\RSPSR.exeC:\windows\RSPSR.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IFAKHB.exe.bat" "112⤵
- System Location Discovery: System Language Discovery
PID:4020 -
C:\windows\IFAKHB.exeC:\windows\IFAKHB.exe113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXDDHQM.exe.bat" "114⤵PID:4064
-
C:\windows\SysWOW64\TXDDHQM.exeC:\windows\system32\TXDDHQM.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGXITO.exe.bat" "116⤵PID:1436
-
C:\windows\SysWOW64\CGXITO.exeC:\windows\system32\CGXITO.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBOUEBP.exe.bat" "118⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\windows\SysWOW64\SBOUEBP.exeC:\windows\system32\SBOUEBP.exe119⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IMEKDVT.exe.bat" "120⤵PID:4436
-
C:\windows\IMEKDVT.exeC:\windows\IMEKDVT.exe121⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHOWO.exe.bat" "122⤵PID:396
-