Analysis

max time kernel: 120s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 22-08-2024 04:36
Static task: static1

Behavioral task: behavioral1
  Sample: 4ffd82313904fcc25c38c9427898bb20N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 4ffd82313904fcc25c38c9427898bb20N.exe
  Resource: win10v2004-20240802-en
General

Target: 4ffd82313904fcc25c38c9427898bb20N.exe
Size: 282KB
MD5: 4ffd82313904fcc25c38c9427898bb20
SHA1: 657bb6372559458921a6626f8edf094215452ec0
SHA256: eab56657a10cc857cba066dfd7b95b162d42a674baf00a8d3a97ba1ff001e05f
SHA512: f9ddd7984c65de5c57b9acbcb49737d5d6bc0f95fa142673fb9bf33ba23c703f28431ac85937a65bc70d97b83952a9798bf924b0499165322223ff6b78a15ed3
SSDEEP: 6144:3KtQXqJ2jusPxe2ZSHrvpO4tkEjiPISUOgW9X+hOGzC/:6toqs822r4CkmZzcukG2/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.

description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
Process (64 entries, in report order):
VKAHK.exe, NXHTGN.exe, VYJTRS.exe, AHDNDG.exe, CJDIR.exe, RNIUPI.exe, CAFFC.exe, KZVYRN.exe, JZGKCMG.exe, CUKGIC.exe, BYR.exe, RWJ.exe, XBAFLW.exe, UPXEWNR.exe, AND.exe,
GLASQJ.exe, PBOGLV.exe, GQWMQO.exe, DEKL.exe, QPY.exe, MCG.exe, HCGMSWA.exe, XCDWFQ.exe, CEUVNWB.exe, DEHKYJQ.exe, OYABT.exe, PGZW.exe, HUSPYE.exe, BHFCP.exe, DSLP.exe,
QDAA.exe, OBWT.exe, KUQC.exe, PQYRTTY.exe, HMUNSS.exe, OVET.exe, ADXMD.exe, VSNTGGN.exe, CQRGXT.exe, KYIR.exe, CUA.exe, ZIHUB.exe, WXHSM.exe, TAKMC.exe, YUOA.exe, KAAHH.exe,
CGIDFB.exe, DCDV.exe, QWSMDZJ.exe, JTJTI.exe, HKDEPZV.exe, TUUZ.exe, GXZGBT.exe, EMA.exe, WMGMG.exe, BSI.exe, ZAALWJF.exe, ZJNK.exe, NEFCG.exe, WXAW.exe, VTSY.exe,
ZUV.exe, AJUXJAH.exe, TLPRX.exe
Executes dropped EXE (64 IoCs)

pid | Process
1492 | ZUV.exe
4524 | BSI.exe
3512 | VYJTRS.exe
408 | BYR.exe
512 | AJUXJAH.exe
4364 | KGZSZ.exe
808 | DCDV.exe
2404 | UKFAH.exe
1176 | QPXQYZ.exe
3448 | AND.exe
4436 | TQHGTXG.exe
3804 | YBZJKF.exe
2876 | WMCZT.exe
3372 | CHOSZ.exe
5008 | BSQI.exe
4812 | ENIST.exe
4784 | BGJUFL.exe
4624 | QWSMDZJ.exe
5004 | RZJIS.exe
4392 | AHDNDG.exe
4172 | KFQH.exe
4504 | ZAALWJF.exe
4936 | JTJTI.exe
2284 | FBEB.exe
760 | TWPU.exe
4772 | OJUDB.exe
4760 | WXHSM.exe
2948 | HUSPYE.exe
5076 | LYQL.exe
4812 | QDAA.exe
1892 | OYABT.exe
3188 | MOT.exe
3976 | CEUVNWB.exe
5056 | KSYCXU.exe
3804 | OAFK.exe
4956 | YXT.exe
4884 | YDLS.exe
4992 | CJDIR.exe
4116 | ZJNK.exe
4792 | VPL.exe
4508 | QXUWJ.exe
2420 | LKYFTD.exe
1000 | MNCJY.exe
636 | BIMNRO.exe
3264 | TLPRX.exe
3964 | NEFCG.exe
3668 | CUGTNS.exe
4792 | TUUZ.exe
112 | VSNTGGN.exe
2444 | HKDEPZV.exe
4524 | TAKMC.exe
4672 | RWJ.exe
2340 | GRSRR.exe
2416 | QPY.exe
4152 | FFHLFL.exe
2472 | HCMX.exe
1568 | CQRGXT.exe
4456 | XBAFLW.exe
3312 | KYIR.exe
2164 | KRIS.exe
2296 | YMULHI.exe
3616 | CUA.exe
4924 | GXZGBT.exe
5016 | DDRVJ.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\windows\SysWOW64\BST.exe | HZETF.exe
File created | C:\windows\SysWOW64\DCDV.exe.bat | KGZSZ.exe
File opened for modification | C:\windows\SysWOW64\MOT.exe | OYABT.exe
File opened for modification | C:\windows\SysWOW64\VPL.exe | ZJNK.exe
File created | C:\windows\SysWOW64\RWJ.exe.bat | TAKMC.exe
File created | C:\windows\SysWOW64\GLASQJ.exe.bat | DDRVJ.exe
File opened for modification | C:\windows\SysWOW64\JNQTUXM.exe | FXKLI.exe
File created | C:\windows\SysWOW64\KFQH.exe | AHDNDG.exe
File created | C:\windows\SysWOW64\XBAFLW.exe.bat | CQRGXT.exe
File created | C:\windows\SysWOW64\MDRZF.exe | NKGJWS.exe
File opened for modification | C:\windows\SysWOW64\VKAHK.exe | CRLWB.exe
File opened for modification | C:\windows\SysWOW64\UPXEWNR.exe | AHO.exe
File created | C:\windows\SysWOW64\KUQC.exe.bat | XSHL.exe
File created | C:\windows\SysWOW64\RXW.exe.bat | WMGMG.exe
File opened for modification | C:\windows\SysWOW64\AJUXJAH.exe | BYR.exe
File created | C:\windows\SysWOW64\YDLS.exe.bat | YXT.exe
File created | C:\windows\SysWOW64\LKYFTD.exe.bat | QXUWJ.exe
File opened for modification | C:\windows\SysWOW64\RWJ.exe | TAKMC.exe
File opened for modification | C:\windows\SysWOW64\UKFAH.exe | DCDV.exe
File created | C:\windows\SysWOW64\OYABT.exe.bat | QDAA.exe
File created | C:\windows\SysWOW64\UPXEWNR.exe | AHO.exe
File opened for modification | C:\windows\SysWOW64\QXBP.exe | RHIMKB.exe
File opened for modification | C:\windows\SysWOW64\YDLS.exe | YXT.exe
File opened for modification | C:\windows\SysWOW64\BIMNRO.exe | MNCJY.exe
File created | C:\windows\SysWOW64\AJUXJAH.exe | BYR.exe
File created | C:\windows\SysWOW64\TUUZ.exe | CUGTNS.exe
File opened for modification | C:\windows\SysWOW64\MDRZF.exe | NKGJWS.exe
File created | C:\windows\SysWOW64\JNQTUXM.exe | FXKLI.exe
File created | C:\windows\SysWOW64\XFAF.exe | CUKGIC.exe
File opened for modification | C:\windows\SysWOW64\KUQC.exe | XSHL.exe
File created | C:\windows\SysWOW64\CRLWB.exe.bat | BOH.exe
File opened for modification | C:\windows\SysWOW64\OKOIT.exe | DSLP.exe
File created | C:\windows\SysWOW64\ENIST.exe.bat | BSQI.exe
File created | C:\windows\SysWOW64\TAKMC.exe.bat | HKDEPZV.exe
File created | C:\windows\SysWOW64\GRSRR.exe | RWJ.exe
File created | C:\windows\SysWOW64\BST.exe | HZETF.exe
File opened for modification | C:\windows\SysWOW64\RXW.exe | WMGMG.exe
File created | C:\windows\SysWOW64\DEKL.exe.bat | SLP.exe
File created | C:\windows\SysWOW64\OVET.exe | QAFLLE.exe
File created | C:\windows\SysWOW64\OVET.exe.bat | QAFLLE.exe
File created | C:\windows\SysWOW64\HKDEPZV.exe | VSNTGGN.exe
File created | C:\windows\SysWOW64\OBWT.exe.bat | MDRZF.exe
File created | C:\windows\SysWOW64\UPXEWNR.exe.bat | AHO.exe
File created | C:\windows\SysWOW64\KUQC.exe | XSHL.exe
File created | C:\windows\SysWOW64\FPAJJ.exe | ZUO.exe
File created | C:\windows\SysWOW64\FBEB.exe | JTJTI.exe
File opened for modification | C:\windows\SysWOW64\CGIDFB.exe | OKEKRF.exe
File created | C:\windows\SysWOW64\KZVYRN.exe | XTN.exe
File opened for modification | C:\windows\SysWOW64\CRLWB.exe | BOH.exe
File created | C:\windows\SysWOW64\DRXTTB.exe.bat | OBWT.exe
File created | C:\windows\SysWOW64\RXW.exe | WMGMG.exe
File created | C:\windows\SysWOW64\QXBP.exe.bat | RHIMKB.exe
File created | C:\windows\SysWOW64\FNA.exe | KAVJAS.exe
File created | C:\windows\SysWOW64\VKAHK.exe | CRLWB.exe
File created | C:\windows\SysWOW64\UKFAH.exe | DCDV.exe
File created | C:\windows\SysWOW64\WMCZT.exe | YBZJKF.exe
File created | C:\windows\SysWOW64\MOT.exe | OYABT.exe
File created | C:\windows\SysWOW64\HKDEPZV.exe.bat | VSNTGGN.exe
File created | C:\windows\SysWOW64\OYABT.exe | QDAA.exe
File opened for modification | C:\windows\SysWOW64\GRSRR.exe | RWJ.exe
File created | C:\windows\SysWOW64\CUA.exe | YMULHI.exe
File opened for modification | C:\windows\SysWOW64\OVET.exe | QAFLLE.exe
File opened for modification | C:\windows\SysWOW64\OYABT.exe | QDAA.exe
File created | C:\windows\SysWOW64\BIMNRO.exe | MNCJY.exe
Drops file in Windows directory (64 IoCs)

description | ioc | Process
File created | C:\windows\system\RNIUPI.exe.bat | SUXEGUA.exe
File opened for modification | C:\windows\HZETF.exe | DRXTTB.exe
File created | C:\windows\system\MTCNWS.exe.bat | CWWTGKQ.exe
File created | C:\windows\KGZSZ.exe.bat | AJUXJAH.exe
File created | C:\windows\QWSMDZJ.exe | BGJUFL.exe
File opened for modification | C:\windows\QWSMDZJ.exe | BGJUFL.exe
File created | C:\windows\system\RNIUPI.exe | SUXEGUA.exe
File created | C:\windows\YLIS.exe.bat | AYJRQV.exe
File opened for modification | C:\windows\JYVCVE.exe | KNSM.exe
File created | C:\windows\XTN.exe | CGIDFB.exe
File created | C:\windows\system\ZQB.exe | KAAHH.exe
File created | C:\windows\HZETF.exe | DRXTTB.exe
File created | C:\windows\KNSM.exe.bat | CAFFC.exe
File created | C:\windows\system\HCGMSWA.exe | EMA.exe
File created | C:\windows\BOH.exe | ZQB.exe
File opened for modification | C:\windows\BOH.exe | ZQB.exe
File created | C:\windows\system\TQHGTXG.exe.bat | AND.exe
File created | C:\windows\system\YUOA.exe.bat | HMUNSS.exe
File created | C:\windows\system\ZIHUB.exe | FPAJJ.exe
File opened for modification | C:\windows\YBZJKF.exe | ODMP.exe
File created | C:\windows\system\TWPU.exe.bat | FBEB.exe
File created | C:\windows\system\FXKLI.exe | MCG.exe
File opened for modification | C:\windows\system\YUOA.exe | HMUNSS.exe
File created | C:\windows\KIHHSO.exe.bat | BHFCP.exe
File created | C:\windows\system\XSHL.exe | HCGMSWA.exe
File created | C:\windows\system\XCDWFQ.exe.bat | KZVYRN.exe
File opened for modification | C:\windows\system\BSI.exe | ZUV.exe
File created | C:\windows\AND.exe.bat | QPXQYZ.exe
File created | C:\windows\system\EMA.exe | JYVCVE.exe
File created | C:\windows\system\ZUO.exe | PWBOO.exe
File created | C:\windows\system\MNCJY.exe | LKYFTD.exe
File created | C:\windows\UHOUGR.exe.bat | MTCNWS.exe
File created | C:\windows\XHGBAZR.exe | VKAHK.exe
File created | C:\windows\ZUV.exe.bat | 4ffd82313904fcc25c38c9427898bb20N.exe
File opened for modification | C:\windows\BSQI.exe | CHOSZ.exe
File created | C:\windows\system\JTJTI.exe | ZAALWJF.exe
File created | C:\windows\DAP.exe | OKOIT.exe
File created | C:\windows\system\PWBOO.exe | QLYGNP.exe
File created | C:\windows\system\PGZW.exe | VTSY.exe
File created | C:\windows\system\PBOGLV.exe | TWWQD.exe
File created | C:\windows\system\CQRGXT.exe | HCMX.exe
File opened for modification | C:\windows\MCG.exe | VUELRJ.exe
File opened for modification | C:\windows\HMUNSS.exe | BRJUMD.exe
File opened for modification | C:\windows\EIXSJH.exe | KIHHSO.exe
File created | C:\windows\PQYRTTY.exe.bat | GQWMQO.exe
File opened for modification | C:\windows\KSYCXU.exe | CEUVNWB.exe
File created | C:\windows\MCG.exe | VUELRJ.exe
File created | C:\windows\system\HCGMSWA.exe.bat | EMA.exe
File created | C:\windows\system\QLYGNP.exe.bat | DAP.exe
File opened for modification | C:\windows\system\PWBOO.exe | QLYGNP.exe
File created | C:\windows\system\LYQL.exe | HUSPYE.exe
File created | C:\windows\system\GXZGBT.exe.bat | CUA.exe
File opened for modification | C:\windows\system\XCDWFQ.exe | KZVYRN.exe
File created | C:\windows\XHGBAZR.exe.bat | VKAHK.exe
File created | C:\windows\system\NXHTGN.exe | XHGBAZR.exe
File created | C:\windows\DSLP.exe | WXAW.exe
File created | C:\windows\QDAA.exe | LYQL.exe
File created | C:\windows\system\QPY.exe | GRSRR.exe
File opened for modification | C:\windows\AYJRQV.exe | FNA.exe
File created | C:\windows\RHIMKB.exe | NWK.exe
File created | C:\windows\system\MWAELSV.exe.bat | ADXMD.exe
File created | C:\windows\system\HCMX.exe.bat | FFHLFL.exe
File opened for modification | C:\windows\system\GXZGBT.exe | CUA.exe
File created | C:\windows\system\YUOA.exe | HMUNSS.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)

pid | pid_target | Process | procid_target
3804 | 2556 | WerFault.exe | 83
3372 | 1492 | WerFault.exe | 91
1336 | 4524 | WerFault.exe | 98
3800 | 3512 | WerFault.exe | 103
2128 | 408 | WerFault.exe | 108
2240 | 512 | WerFault.exe | 115
3824 | 4364 | WerFault.exe | 120
2876 | 808 | WerFault.exe | 127
2260 | 2404 | WerFault.exe | 132
4852 | 1176 | WerFault.exe | 137
1288 | 3448 | WerFault.exe | 143
4420 | 4436 | WerFault.exe | 148
4956 | 452 | WerFault.exe | 153
3976 | 3804 | WerFault.exe | 158
460 | 2876 | WerFault.exe | 165
2904 | 3372 | WerFault.exe | 170
3896 | 5008 | WerFault.exe | 175
3452 | 4812 | WerFault.exe | 180
4940 | 4784 | WerFault.exe | 185
4744 | 4624 | WerFault.exe | 190
1276 | 5004 | WerFault.exe | 195
3836 | 4392 | WerFault.exe | 200
2828 | 4172 | WerFault.exe | 205
2628 | 4504 | WerFault.exe | 210
5032 | 4936 | WerFault.exe | 215
4992 | 2284 | WerFault.exe | 220
1184 | 760 | WerFault.exe | 225
224 | 4772 | WerFault.exe | 230
3564 | 4760 | WerFault.exe | 234
4924 | 2948 | WerFault.exe | 240
1400 | 5076 | WerFault.exe | 245
4940 | 4812 | WerFault.exe | 250
4524 | 1892 | WerFault.exe | 255
2044 | 3188 | WerFault.exe | 260
4824 | 3976 | WerFault.exe | 265
1672 | 5056 | WerFault.exe | 270
4924 | 3804 | WerFault.exe | 276
2808 | 4956 | WerFault.exe | 281
2776 | 4884 | WerFault.exe | 286
4764 | 4992 | WerFault.exe | 291
4500 | 4116 | WerFault.exe | 296
848 | 4792 | WerFault.exe | 302
2948 | 4508 | WerFault.exe | 307
1628 | 2420 | WerFault.exe | 313
4852 | 1000 | WerFault.exe | 318
4784 | 636 | WerFault.exe | 323
4532 | 3264 | WerFault.exe | 328
3400 | 3964 | WerFault.exe | 333
2636 | 3668 | WerFault.exe | 338
4924 | 4792 | WerFault.exe | 343
4316 | 112 | WerFault.exe | 348
1012 | 2444 | WerFault.exe | 353
2400 | 4524 | WerFault.exe | 358
4632 | 4672 | WerFault.exe | 363
2032 | 2340 | WerFault.exe | 368
3288 | 2416 | WerFault.exe | 373
4576 | 4152 | WerFault.exe | 378
1400 | 2472 | WerFault.exe | 383
2712 | 1568 | WerFault.exe | 388
5092 | 4456 | WerFault.exe | 393
384 | 3312 | WerFault.exe | 398
4672 | 2164 | WerFault.exe | 403
1224 | 2296 | WerFault.exe | 408
1948 | 3616 | WerFault.exe | 413
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64 entries, in report order):
SLP.exe, QPXQYZ.exe, AND.exe, cmd.exe, cmd.exe, cmd.exe, SUXEGUA.exe, cmd.exe, TQHGTXG.exe, OJUDB.exe, HUSPYE.exe, cmd.exe, cmd.exe, cmd.exe, PGZW.exe, LYQL.exe, YXT.exe, QXUWJ.exe, OKOIT.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe,
NKGJWS.exe, cmd.exe, cmd.exe, cmd.exe, JZGKCMG.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, UHOUGR.exe, KAAHH.exe, DEHKYJQ.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, TWPU.exe, cmd.exe, ZJNK.exe, cmd.exe, TLPRX.exe,
YUOA.exe, QLYGNP.exe, cmd.exe, TUUZ.exe, KRIS.exe, BST.exe, cmd.exe, cmd.exe, WXAW.exe, UKFAH.exe, cmd.exe, AYJRQV.exe, VUELRJ.exe, cmd.exe, VYJTRS.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process (each row is listed twice in the report)
2556 | 4ffd82313904fcc25c38c9427898bb20N.exe
1492 | ZUV.exe
4524 | BSI.exe
3512 | VYJTRS.exe
408 | BYR.exe
512 | AJUXJAH.exe
4364 | KGZSZ.exe
808 | DCDV.exe
2404 | UKFAH.exe
1176 | QPXQYZ.exe
3448 | AND.exe
452 | ODMP.exe
3804 | YBZJKF.exe
2876 | WMCZT.exe
3372 | CHOSZ.exe
5008 | BSQI.exe
4812 | ENIST.exe
4784 | BGJUFL.exe
4624 | QWSMDZJ.exe
5004 | RZJIS.exe
4392 | AHDNDG.exe
4172 | KFQH.exe
4504 | ZAALWJF.exe
4936 | JTJTI.exe
2284 | FBEB.exe
760 | TWPU.exe
4772 | OJUDB.exe
4760 | WXHSM.exe
2948 | HUSPYE.exe
5076 | LYQL.exe
4812 | QDAA.exe
1892 | OYABT.exe
Suspicious use of SetWindowsHookEx (64 IoCs)

pid | Process (each row is listed twice in the report)
2556 | 4ffd82313904fcc25c38c9427898bb20N.exe
1492 | ZUV.exe
4524 | BSI.exe
3512 | VYJTRS.exe
408 | BYR.exe
512 | AJUXJAH.exe
4364 | KGZSZ.exe
808 | DCDV.exe
2404 | UKFAH.exe
1176 | QPXQYZ.exe
3448 | AND.exe
452 | ODMP.exe
3804 | YBZJKF.exe
2876 | WMCZT.exe
3372 | CHOSZ.exe
5008 | BSQI.exe
4812 | ENIST.exe
4784 | BGJUFL.exe
4624 | QWSMDZJ.exe
5004 | RZJIS.exe
4392 | AHDNDG.exe
4172 | KFQH.exe
4504 | ZAALWJF.exe
4936 | JTJTI.exe
2284 | FBEB.exe
760 | TWPU.exe
4772 | OJUDB.exe
4760 | WXHSM.exe
2948 | HUSPYE.exe
5076 | LYQL.exe
4812 | QDAA.exe
1892 | OYABT.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target (each row is listed three times in the report, the last row once)
PID 2556 wrote to memory of 544 | 2556 | 4ffd82313904fcc25c38c9427898bb20N.exe | 87
PID 544 wrote to memory of 1492 | 544 | cmd.exe | 91
PID 1492 wrote to memory of 1172 | 1492 | ZUV.exe | 94
PID 1172 wrote to memory of 4524 | 1172 | cmd.exe | 98
PID 4524 wrote to memory of 2416 | 4524 | BSI.exe | 99
PID 2416 wrote to memory of 3512 | 2416 | cmd.exe | 103
PID 3512 wrote to memory of 1132 | 3512 | VYJTRS.exe | 104
PID 1132 wrote to memory of 408 | 1132 | cmd.exe | 108
PID 408 wrote to memory of 4296 | 408 | BYR.exe | 111
PID 4296 wrote to memory of 512 | 4296 | cmd.exe | 115
PID 512 wrote to memory of 2424 | 512 | AJUXJAH.exe | 116
PID 2424 wrote to memory of 4364 | 2424 | cmd.exe | 120
PID 4364 wrote to memory of 4884 | 4364 | KGZSZ.exe | 123
PID 4884 wrote to memory of 808 | 4884 | cmd.exe | 127
PID 808 wrote to memory of 4628 | 808 | DCDV.exe | 128
PID 4628 wrote to memory of 2404 | 4628 | cmd.exe | 132
PID 2404 wrote to memory of 708 | 2404 | UKFAH.exe | 133
PID 708 wrote to memory of 1176 | 708 | cmd.exe | 137
PID 1176 wrote to memory of 2044 | 1176 | QPXQYZ.exe | 138
PID 2044 wrote to memory of 3448 | 2044 | cmd.exe | 143
PID 3448 wrote to memory of 4320 | 3448 | AND.exe | 144
PID 4320 wrote to memory of 4436 | 4320 | cmd.exe | 148
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\4ffd82313904fcc25c38c9427898bb20N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4ffd82313904fcc25c38c9427898bb20N.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2556

Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZUV.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 544

Level 3: C:\windows\ZUV.exe
Command line: C:\windows\ZUV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1492

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BSI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1172

Level 5: C:\windows\system\BSI.exe
Command line: C:\windows\system\BSI.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4524

Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VYJTRS.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2416

Level 7: C:\windows\system\VYJTRS.exe
Command line: C:\windows\system\VYJTRS.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3512

Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BYR.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1132

Level 9: C:\windows\BYR.exe
Command line: C:\windows\BYR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 408

Level 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJUXJAH.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4296

Level 11: C:\windows\SysWOW64\AJUXJAH.exe
Command line: C:\windows\system32\AJUXJAH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 512

Level 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KGZSZ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2424

Level 13: C:\windows\KGZSZ.exe
Command line: C:\windows\KGZSZ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4364

Level 14: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DCDV.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4884

Level 15: C:\windows\SysWOW64\DCDV.exe
Command line: C:\windows\system32\DCDV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 808

Level 16: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4628

Level 17: C:\windows\SysWOW64\UKFAH.exe
Command line: C:\windows\system32\UKFAH.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2404

Level 18: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPXQYZ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 708

Level 19: C:\windows\system\QPXQYZ.exe
Command line: C:\windows\system\QPXQYZ.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1176

Level 20: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AND.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2044

Level 21: C:\windows\AND.exe
Command line: C:\windows\AND.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3448

Level 22: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TQHGTXG.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4320

Level 23: C:\windows\system\TQHGTXG.exe
Command line: C:\windows\system\TQHGTXG.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4436

Level 24: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ODMP.exe.bat" "
PID: 112

Level 25: C:\windows\system\ODMP.exe
Command line: C:\windows\system\ODMP.exe
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 452

Level 26: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YBZJKF.exe.bat" "
PID: 3560

Level 27: C:\windows\YBZJKF.exe
Command line: C:\windows\YBZJKF.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3804

Level 28: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WMCZT.exe.bat" "
PID: 4652

Level 29: C:\windows\SysWOW64\WMCZT.exe
Command line: C:\windows\system32\WMCZT.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2876

Level 30: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CHOSZ.exe.bat" "
PID: 4520

Level 31: C:\windows\CHOSZ.exe
Command line: C:\windows\CHOSZ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3372

Level 32: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BSQI.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 648

Level 33: C:\windows\BSQI.exe
Command line: C:\windows\BSQI.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 5008

Level 34: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ENIST.exe.bat" "
PID: 3744

Level 35: C:\windows\SysWOW64\ENIST.exe
Command line: C:\windows\system32\ENIST.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4812

Level 36: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BGJUFL.exe.bat" "
PID: 2628

Level 37: C:\windows\BGJUFL.exe
Command line: C:\windows\BGJUFL.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4784

Level 38: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QWSMDZJ.exe.bat" "
PID: 4964

Level 39: C:\windows\QWSMDZJ.exe
Command line: C:\windows\QWSMDZJ.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4624

Level 40: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RZJIS.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3640

Level 41: C:\windows\RZJIS.exe
Command line: C:\windows\RZJIS.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 5004

Level 42: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AHDNDG.exe.bat" "
PID: 3628

Level 43: C:\windows\AHDNDG.exe
Command line: C:\windows\AHDNDG.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4392

Level 44: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KFQH.exe.bat" "
PID: 532

Level 45: C:\windows\SysWOW64\KFQH.exe
Command line: C:\windows\system32\KFQH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4172

Level 46: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZAALWJF.exe.bat" "
PID: 3744

Level 47: C:\windows\system\ZAALWJF.exe
Command line: C:\windows\system\ZAALWJF.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4504

Level 48: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JTJTI.exe.bat" "
PID: 244

Level 49: C:\windows\system\JTJTI.exe
Command line: C:\windows\system\JTJTI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4936

Level 50: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBEB.exe.bat" "
PID: 4356

Level 51: C:\windows\SysWOW64\FBEB.exe
Command line: C:\windows\system32\FBEB.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2284

Level 52: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TWPU.exe.bat" "
PID: 4104

Level 53: C:\windows\system\TWPU.exe
Command line: C:\windows\system\TWPU.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 760

Level 54: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OJUDB.exe.bat" "
PID: 2080

Level 55: C:\windows\system\OJUDB.exe
Command line: C:\windows\system\OJUDB.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4772

Level 56: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WXHSM.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4156

Level 57: C:\windows\WXHSM.exe
Command line: C:\windows\WXHSM.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4760

Level 58: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HUSPYE.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4452

Level 59: C:\windows\HUSPYE.exe
Command line: C:\windows\HUSPYE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2948

Level 60: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LYQL.exe.bat" "
PID: 4320

Level 61: C:\windows\system\LYQL.exe
Command line: C:\windows\system\LYQL.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 5076

Level 62: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QDAA.exe.bat" "
PID: 244

Level 63: C:\windows\QDAA.exe
Command line: C:\windows\QDAA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4812

Level 64: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYABT.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 432

Level 65: C:\windows\SysWOW64\OYABT.exe
Command line: C:\windows\system32\OYABT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1892

Level 66: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOT.exe.bat" "
PID: 4104

Level 67: C:\windows\SysWOW64\MOT.exe
Command line: C:\windows\system32\MOT.exe
- Executes dropped EXE
PID: 3188

Level 68: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEUVNWB.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4532

Level 69: C:\windows\SysWOW64\CEUVNWB.exe
Command line: C:\windows\system32\CEUVNWB.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 3976

Level 70: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KSYCXU.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3420

Level 71: C:\windows\KSYCXU.exe
Command line: C:\windows\KSYCXU.exe
- Executes dropped EXE
PID: 5056

Level 72: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OAFK.exe.bat" "
PID: 3464

Level 73: C:\windows\OAFK.exe
Command line: C:\windows\OAFK.exe
- Executes dropped EXE
PID: 3804

Level 74: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YXT.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3504

Level 75: C:\windows\YXT.exe
Command line: C:\windows\YXT.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4956

Level 76: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDLS.exe.bat" "
PID: 1700

Level 77: C:\windows\SysWOW64\YDLS.exe
Command line: C:\windows\system32\YDLS.exe
- Executes dropped EXE
PID: 4884

Level 78: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CJDIR.exe.bat" "
PID: 2080

Level 79: C:\windows\CJDIR.exe
Command line: C:\windows\CJDIR.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4992

Level 80: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZJNK.exe.bat" "
PID: 1580

Level 81: C:\windows\ZJNK.exe
Command line: C:\windows\ZJNK.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4116

Level 82: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VPL.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1472

Level 83: C:\windows\SysWOW64\VPL.exe
Command line: C:\windows\system32\VPL.exe
- Executes dropped EXE
PID: 4792

Level 84: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QXUWJ.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3604

Level 85: C:\windows\system\QXUWJ.exe
Command line: C:\windows\system\QXUWJ.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4508

Level 86: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LKYFTD.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 708

Level 87: C:\windows\SysWOW64\LKYFTD.exe
Command line: C:\windows\system32\LKYFTD.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2420

Level 88: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MNCJY.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1400

Level 89: C:\windows\system\MNCJY.exe
Command line: C:\windows\system\MNCJY.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1000

Level 90: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BIMNRO.exe.bat" "
PID: 5032

Level 91: C:\windows\SysWOW64\BIMNRO.exe
Command line: C:\windows\system32\BIMNRO.exe
- Executes dropped EXE
PID: 636

Level 92: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TLPRX.exe.bat" "
PID: 2656

Level 93: C:\windows\system\TLPRX.exe
Command line: C:\windows\system\TLPRX.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3264

Level 94: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NEFCG.exe.bat" "
PID: 2956

Level 95: C:\windows\system\NEFCG.exe
Command line: C:\windows\system\NEFCG.exe
- Checks computer location settings
- Executes dropped EXE
PID: 3964

Level 96: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUGTNS.exe.bat" "
PID: 4724

Level 97: C:\windows\system\CUGTNS.exe
Command line: C:\windows\system\CUGTNS.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3668

Level 98: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TUUZ.exe.bat" "
PID: 1960

Level 99: C:\windows\SysWOW64\TUUZ.exe
Command line: C:\windows\system32\TUUZ.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4792

Level 100: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSNTGGN.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1076

Level 101: C:\windows\system\VSNTGGN.exe
Command line: C:\windows\system\VSNTGGN.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 112

Level 102: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HKDEPZV.exe.bat" "
PID: 1400

Level 103: C:\windows\SysWOW64\HKDEPZV.exe
Command line: C:\windows\system32\HKDEPZV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 2444

Level 104: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAKMC.exe.bat" "
PID: 4360

Level 105: C:\windows\SysWOW64\TAKMC.exe
Command line: C:\windows\system32\TAKMC.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4524

Level 106: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWJ.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3868

Level 107: C:\windows\SysWOW64\RWJ.exe
Command line: C:\windows\system32\RWJ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4672

Level 108: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GRSRR.exe.bat" "
PID: 3628

Level 109: C:\windows\SysWOW64\GRSRR.exe
Command line: C:\windows\system32\GRSRR.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2340

Level 110: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPY.exe.bat" "
PID: 2804

Level 111: C:\windows\system\QPY.exe
Command line: C:\windows\system\QPY.exe
- Checks computer location settings
- Executes dropped EXE
PID: 2416

Level 112: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FFHLFL.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1132

Level 113: C:\windows\SysWOW64\FFHLFL.exe
Command line: C:\windows\system32\FFHLFL.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4152

Level 114: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCMX.exe.bat" "
PID: 2508

Level 115: C:\windows\system\HCMX.exe
Command line: C:\windows\system\HCMX.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2472

Level 116: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CQRGXT.exe.bat" "
PID: 4792

Level 117: C:\windows\system\CQRGXT.exe
Command line: C:\windows\system\CQRGXT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 1568

Level 118: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBAFLW.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 664

Level 119: C:\windows\SysWOW64\XBAFLW.exe
Command line: C:\windows\system32\XBAFLW.exe
- Checks computer location settings
- Executes dropped EXE
PID: 4456

Level 120: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KYIR.exe.bat" "
PID: 3968

Level 121: C:\windows\system\KYIR.exe
Command line: C:\windows\system\KYIR.exe
- Checks computer location settings
- Executes dropped EXE
PID: 3312

Level 122: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KRIS.exe.bat" "
PID: 452