Analysis

max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 18:16

Static task: static1

Behavioral task: behavioral1
Sample: 02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe
Resource: win10v2004-20240802-en
General

Target: 02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe
Size: 208KB
MD5: 9a60fa88a25f7a989a0f6198c00db2a9
SHA1: ea158817ce225ddb008887c5806306103a631076
SHA256: 02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc
SHA512: 15be937aaf5dee04f02b5a5b66a99625ece0d2a49473ec1fee5bfe2a0bc9bc9f9ac492ef0a6c4caa7bac1a4484e60560f0aa8c569350aed5d8f66dc89f7aec20
SSDEEP: 3072:t8b66lwHHT6seAK4xR6l154eFHdZUtQQI4G5Sk0edV4NLthEjQT6:t8b6SwnTJKFSnVI4CSsVQEj
Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe"C:\Users\Admin\AppData\Local\Temp\02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VDFO.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\windows\VDFO.exeC:\windows\VDFO.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIK.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\windows\SysWOW64\DIK.exeC:\windows\system32\DIK.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OBNOOLN.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\windows\OBNOOLN.exe (depth 7) | command line: C:\windows\OBNOOLN.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\cmd.exe (depth 8) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UMJM.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\windows\system\UMJM.exe (depth 9) | command line: C:\windows\system\UMJM.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\cmd.exe (depth 10) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HON.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:524 -
C:\windows\HON.exe (depth 11) | command line: C:\windows\HON.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\cmd.exe (depth 12) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZJR.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\windows\SysWOW64\UZJR.exe (depth 13) | command line: C:\windows\system32\UZJR.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\cmd.exe (depth 14) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AZRF.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\windows\system\AZRF.exe (depth 15) | command line: C:\windows\system\AZRF.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.exe (depth 16) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YAYTDH.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\windows\SysWOW64\YAYTDH.exe (depth 17) | command line: C:\windows\system32\YAYTDH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\cmd.exe (depth 18) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AQZVBEY.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\windows\SysWOW64\AQZVBEY.exe (depth 19) | command line: C:\windows\system32\AQZVBEY.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\cmd.exe (depth 20) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQHI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\windows\SysWOW64\GQHI.exe (depth 21) | command line: C:\windows\system32\GQHI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\cmd.exe (depth 22) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GTLMYO.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\windows\system\GTLMYO.exe (depth 23) | command line: C:\windows\system\GTLMYO.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1148 -
C:\Windows\SysWOW64\cmd.exe (depth 24) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XJKPJI.exe.bat" "
PID:2296 -
C:\windows\SysWOW64\XJKPJI.exe (depth 25) | command line: C:\windows\system32\XJKPJI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3684 -
C:\Windows\SysWOW64\cmd.exe (depth 26) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XMNLP.exe.bat" "
PID:5012 -
C:\windows\system\XMNLP.exe (depth 27) | command line: C:\windows\system\XMNLP.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3884 -
C:\Windows\SysWOW64\cmd.exe (depth 28) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MRTI.exe.bat" "
PID:2360 -
C:\windows\SysWOW64\MRTI.exe (depth 29) | command line: C:\windows\system32\MRTI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3404 -
C:\Windows\SysWOW64\cmd.exe (depth 30) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DCSG.exe.bat" "
- System Location Discovery: System Language Discovery
PID:740 -
C:\windows\DCSG.exe (depth 31) | command line: C:\windows\DCSG.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232 -
C:\Windows\SysWOW64\cmd.exe (depth 32) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAXA.exe.bat" "
PID:1260 -
C:\windows\system\NAXA.exe (depth 33) | command line: C:\windows\system\NAXA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1212 -
C:\Windows\SysWOW64\cmd.exe (depth 34) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYDMST.exe.bat" "
- System Location Discovery: System Language Discovery
PID:720 -
C:\windows\SysWOW64\XYDMST.exe (depth 35) | command line: C:\windows\system32\XYDMST.exe
- Checks computer location settings
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\cmd.exe (depth 36) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MTUZ.exe.bat" "
PID:712 -
C:\windows\system\MTUZ.exe (depth 37) | command line: C:\windows\system\MTUZ.exe
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1912 -
C:\Windows\SysWOW64\cmd.exe (depth 38) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYMNF.exe.bat" "
- System Location Discovery: System Language Discovery
PID:3048 -
C:\windows\system\MYMNF.exe (depth 39) | command line: C:\windows\system\MYMNF.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2680 -
C:\Windows\SysWOW64\cmd.exe (depth 40) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SZUBWNL.exe.bat" "
PID:1968 -
C:\windows\SysWOW64\SZUBWNL.exe (depth 41) | command line: C:\windows\system32\SZUBWNL.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3032 -
C:\Windows\SysWOW64\cmd.exe (depth 42) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BHW.exe.bat" "
PID:3384 -
C:\windows\BHW.exe (depth 43) | command line: C:\windows\BHW.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4272 -
C:\Windows\SysWOW64\cmd.exe (depth 44) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OKSEE.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4824 -
C:\windows\OKSEE.exe (depth 45) | command line: C:\windows\OKSEE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3400 -
C:\Windows\SysWOW64\cmd.exe (depth 46) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKASNER.exe.bat" "
PID:4544 -
C:\windows\SysWOW64\UKASNER.exe (depth 47) | command line: C:\windows\system32\UKASNER.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2804 -
C:\Windows\SysWOW64\cmd.exe (depth 48) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WIBUU.exe.bat" "
PID:2296 -
C:\windows\SysWOW64\WIBUU.exe (depth 49) | command line: C:\windows\system32\WIBUU.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4740 -
C:\Windows\SysWOW64\cmd.exe (depth 50) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LOHRBKB.exe.bat" "
PID:5108 -
C:\windows\LOHRBKB.exe (depth 51) | command line: C:\windows\LOHRBKB.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3624 -
C:\Windows\SysWOW64\cmd.exe (depth 52) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SYHLPPI.exe.bat" "
PID:5024 -
C:\windows\system\SYHLPPI.exe (depth 53) | command line: C:\windows\system\SYHLPPI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4052 -
C:\Windows\SysWOW64\cmd.exe (depth 54) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SEI.exe.bat" "
PID:4588 -
C:\windows\system\SEI.exe (depth 55) | command line: C:\windows\system\SEI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2788 -
C:\Windows\SysWOW64\cmd.exe (depth 56) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KRSRGY.exe.bat" "
- System Location Discovery: System Language Discovery
PID:2572 -
C:\windows\system\KRSRGY.exe (depth 57) | command line: C:\windows\system\KRSRGY.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:720 -
C:\Windows\SysWOW64\cmd.exe (depth 58) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZUWJWA.exe.bat" "
PID:1760 -
C:\windows\SysWOW64\TZUWJWA.exe (depth 59) | command line: C:\windows\system32\TZUWJWA.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5040 -
C:\Windows\SysWOW64\cmd.exe (depth 60) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZACK.exe.bat" "
PID:1416 -
C:\windows\SysWOW64\ZACK.exe (depth 61) | command line: C:\windows\system32\ZACK.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4716 -
C:\Windows\SysWOW64\cmd.exe (depth 62) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSXDBF.exe.bat" "
PID:2252 -
C:\windows\SysWOW64\KSXDBF.exe (depth 63) | command line: C:\windows\system32\KSXDBF.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1040 -
C:\Windows\SysWOW64\cmd.exe (depth 64) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OAL.exe.bat" "
PID:4944 -
C:\windows\SysWOW64\OAL.exe (depth 65) | command line: C:\windows\system32\OAL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536 -
C:\Windows\SysWOW64\cmd.exe (depth 66) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YYRFU.exe.bat" "
PID:4476 -
C:\windows\YYRFU.exe (depth 67) | command line: C:\windows\YYRFU.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4468 -
C:\Windows\SysWOW64\cmd.exe (depth 68) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SLWPFGD.exe.bat" "
- System Location Discovery: System Language Discovery
PID:536 -
C:\windows\SLWPFGD.exe (depth 69) | command line: C:\windows\SLWPFGD.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\cmd.exe (depth 70) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JWMEEAG.exe.bat" "
PID:3540 -
C:\windows\SysWOW64\JWMEEAG.exe (depth 71) | command line: C:\windows\system32\JWMEEAG.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\cmd.exe (depth 72) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "
PID:2816 -
C:\windows\SysWOW64\AJWXU.exe (depth 73) | command line: C:\windows\system32\AJWXU.exe
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\cmd.exe (depth 74) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KSYCXU.exe.bat" "
PID:2180 -
C:\windows\KSYCXU.exe (depth 75) | command line: C:\windows\KSYCXU.exe
- Checks computer location settings
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\cmd.exe (depth 76) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XUPAMF.exe.bat" "
PID:232 -
C:\windows\SysWOW64\XUPAMF.exe (depth 77) | command line: C:\windows\system32\XUPAMF.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4820 -
C:\Windows\SysWOW64\cmd.exe (depth 78) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YXT.exe.bat" "
PID:1268 -
C:\windows\YXT.exe (depth 79) | command line: C:\windows\YXT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5088 -
C:\Windows\SysWOW64\cmd.exe (depth 80) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NOUVYRI.exe.bat" "
PID:4920 -
C:\windows\NOUVYRI.exe (depth 81) | command line: C:\windows\NOUVYRI.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1644 -
C:\Windows\SysWOW64\cmd.exe (depth 82) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LOBJPLR.exe.bat" "
PID:3428 -
C:\windows\system\LOBJPLR.exe (depth 83) | command line: C:\windows\system\LOBJPLR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\cmd.exe (depth 84) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRFNUB.exe.bat" "
PID:5112 -
C:\windows\SysWOW64\LRFNUB.exe (depth 85) | command line: C:\windows\system32\LRFNUB.exe
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\cmd.exe (depth 86) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VRHSYGV.exe.bat" "
PID:2368 -
C:\windows\system\VRHSYGV.exe (depth 87) | command line: C:\windows\system\VRHSYGV.exe
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\cmd.exe (depth 88) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VULO.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4944 -
C:\windows\VULO.exe (depth 89) | command line: C:\windows\VULO.exe
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\cmd.exe (depth 90) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XXND.exe.bat" "
PID:4692 -
C:\windows\system\XXND.exe (depth 91) | command line: C:\windows\system\XXND.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\cmd.exe (depth 92) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFPLZ.exe.bat" "
PID:1184 -
C:\windows\SysWOW64\BFPLZ.exe (depth 93) | command line: C:\windows\system32\BFPLZ.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2788 -
C:\Windows\SysWOW64\cmd.exe (depth 94) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UITGEHV.exe.bat" "
PID:1148 -
C:\windows\system\UITGEHV.exe (depth 95) | command line: C:\windows\system\UITGEHV.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3252 -
C:\Windows\SysWOW64\cmd.exe (depth 96) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LVDY.exe.bat" "
PID:620 -
C:\windows\system\LVDY.exe (depth 97) | command line: C:\windows\system\LVDY.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\cmd.exe (depth 98) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOY.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4940 -
C:\windows\SysWOW64\WOY.exe (depth 99) | command line: C:\windows\system32\WOY.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2760 -
C:\Windows\SysWOW64\cmd.exe (depth 100) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AWN.exe.bat" "
PID:2920 -
C:\windows\AWN.exe (depth 101) | command line: C:\windows\AWN.exe
- Checks computer location settings
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\cmd.exe (depth 102) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUGTNS.exe.bat" "
- System Location Discovery: System Language Discovery
PID:4596 -
C:\windows\system\CUGTNS.exe (depth 103) | command line: C:\windows\system\CUGTNS.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\cmd.exe (depth 104) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHL.exe.bat" "
PID:2820 -
C:\windows\SysWOW64\XHL.exe (depth 105) | command line: C:\windows\system32\XHL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\cmd.exe (depth 106) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KST.exe.bat" "
PID:2468 -
C:\windows\SysWOW64\KST.exe (depth 107) | command line: C:\windows\system32\KST.exe
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\cmd.exe (depth 108) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BDR.exe.bat" "
PID:2180 -
C:\windows\BDR.exe (depth 109) | command line: C:\windows\BDR.exe
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\cmd.exe (depth 110) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLYZXH.exe.bat" "
PID:228 -
C:\windows\SysWOW64\MLYZXH.exe (depth 111) | command line: C:\windows\system32\MLYZXH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5012 -
C:\Windows\SysWOW64\cmd.exe (depth 112) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HYD.exe.bat" "
PID:4040 -
C:\windows\system\HYD.exe (depth 113) | command line: C:\windows\system\HYD.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:32 -
C:\Windows\SysWOW64\cmd.exe (depth 114) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SRYB.exe.bat" "
PID:3148 -
C:\windows\system\SRYB.exe (depth 115) | command line: C:\windows\system\SRYB.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:3404 -
C:\Windows\SysWOW64\cmd.exe (depth 116) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WHNBUH.exe.bat" "
PID:1916 -
C:\windows\WHNBUH.exe (depth 117) | command line: C:\windows\WHNBUH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:712 -
C:\Windows\SysWOW64\cmd.exe (depth 118) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JRVA.exe.bat" "
PID:4324 -
C:\windows\SysWOW64\JRVA.exe (depth 119) | command line: C:\windows\system32\JRVA.exe
- Checks computer location settings
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\cmd.exe (depth 120) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BSXFM.exe.bat" "
PID:2804 -
C:\windows\BSXFM.exe (depth 121) | command line: C:\windows\BSXFM.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\cmd.exe (depth 122) | command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JFKMW.exe.bat" "
PID:4800 -
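The tree above is one step repeated to depth 122: a dropped executable runs cmd.exe /c on a companion "<name>.exe.bat" placed beside it under C:\windows, C:\windows\system or C:\windows\system32, the batch file starts that executable, and the executable drops the next pair. The Python below is an added example, not Triage's detection logic or any code from the sample, that turns that step into three process-creation rules and runs them over events constructed from the first stages of the tree (same PIDs, images and command lines as listed there) plus one benign control. The root's parent PID and the benign backup.bat event are assumptions. Rule B folds the WOW64 redirection visible in the tree, where the command line names system32 but the 32-bit image executes from SysWOW64.

```python
"""Process-creation rules for the '<name>.exe.bat' relaunch loop."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\02d4c5ceb2a39e237a6713743ee0143c10a119f44923a7932995113addd15bcc.exe")

# Constructed from the first stages of the report's process tree. The root's
# parent PID (1) and the last, benign event are assumptions for the example.
EVENTS = [
    ProcEvent(2504, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3540, 2504, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\VDFO.exe.bat" "'),
    ProcEvent(668, 3540, r"C:\windows\VDFO.exe", r"C:\windows\VDFO.exe"),
    ProcEvent(800, 668, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIK.exe.bat" "'),
    ProcEvent(5100, 800, r"C:\windows\SysWOW64\DIK.exe", r"C:\windows\system32\DIK.exe"),
    ProcEvent(3736, 5100, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\OBNOOLN.exe.bat" "'),
    ProcEvent(3304, 3736, r"C:\windows\OBNOOLN.exe", r"C:\windows\OBNOOLN.exe"),
    ProcEvent(9001, 1, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\scripts\backup.bat"'),
]

BAT_RE = re.compile(r'"([^"]+\.exe\.bat)"', re.IGNORECASE)


def norm(path: str) -> str:
    """Lower-case and fold the WOW64 redirection the tree shows: the command
    line says system32 while the 32-bit image actually runs from SysWOW64."""
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def exe_bat_launch(ev: ProcEvent):
    """Rule A: cmd.exe /c running a companion '<name>.exe.bat'.
    Returns the .bat path, or None when the rule does not apply."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = BAT_RE.search(ev.cmdline)
    return m.group(1) if m else None


def relaunch_via_companion_bat(ev: ProcEvent, by_pid: dict) -> bool:
    """Rule B: the process's parent is a Rule-A cmd.exe and the process image
    is exactly that .bat path with the trailing '.bat' removed."""
    parent = by_pid.get(ev.ppid)
    if parent is None:
        return False
    bat = exe_bat_launch(parent)
    return bat is not None and norm(bat[:-4]) == norm(ev.image)


def bat_chain_depth(ev: ProcEvent, by_pid: dict) -> int:
    """Rule C: how many Rule-A cmd.exe launches sit in the process's ancestry
    (itself included). Guards against PID reuse loops in the parent map."""
    depth, cur, seen = 0, ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if exe_bat_launch(cur):
            depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def triage(events, depth_threshold: int = 3):
    """Return [(pid, [reasons])] for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        reasons = []
        if exe_bat_launch(e):
            reasons.append("exe.bat launch")
        if relaunch_via_companion_bat(e, by_pid):
            reasons.append("companion relaunch")
        depth = bat_chain_depth(e, by_pid)
        if depth >= depth_threshold:
            reasons.append(f"bat chain depth {depth}")
        if reasons:
            hits.append((e.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(pid, ", ".join(reasons))
```

Rule A on its own only keys on the ".exe.bat" naming, which an operator could change; Rule B is the specific part, because the child image must equal the batch file's path minus ".bat", and Rule C catches the loop even when the names drift, since an ordinary script run never stacks several cmd.exe /c batch launches in one ancestry. The benign control event, which runs a plain .bat from a user directory, trips none of the three.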