Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 18:13
Static task: static1
Behavioral task: behavioral1
Sample: a2ede8f521521a935a46a861571dcbb0N.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: a2ede8f521521a935a46a861571dcbb0N.exe
Resource: win10v2004-20240802-en
General
Target: a2ede8f521521a935a46a861571dcbb0N.exe
Size: 448KB
MD5: a2ede8f521521a935a46a861571dcbb0
SHA1: 46ee251845d8848d5a77c1d87cca40d98b1c7131
SHA256: 9c9cbede957d5bde9eede15bad06463145d71e4720000535159526389496da55
SHA512: 9be5c01f968316331df7374d5088c4793136754c1d9127ae0476d984bb7a284566e52f97d1ff8ac4d2c481bacf7729796d838ddf605f440a21aa2cf83c8f8cb3
SSDEEP: 6144:EbPahFCuKGPRQXrP18w1YqGGbMQlkEjiPISUOgW9X+hOGzC/NM:EbyhNDRQXj1F1YfQkmZzcukG2/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1592
[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BANI.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3368
[depth 3] C:\windows\BANI.exe
  Command line: C:\windows\BANI.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2268
[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FDLVVFJ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2192
[depth 5] C:\windows\system\FDLVVFJ.exe
  Command line: C:\windows\system\FDLVVFJ.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2952
[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EGIGOC.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4308
[depth 7] C:\windows\EGIGOC.exe
  Command line: C:\windows\EGIGOC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1448
[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJMET.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1740
[depth 9] C:\windows\system\RJMET.exe
  Command line: C:\windows\system\RJMET.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2664
[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LXXCZPD.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4052
[depth 11] C:\windows\LXXCZPD.exe
  Command line: C:\windows\LXXCZPD.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4208
[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPGW.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3052
[depth 13] C:\windows\SysWOW64\TPGW.exe
  Command line: C:\windows\system32\TPGW.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4512
[depth 14] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAI.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1588
[depth 15] C:\windows\SysWOW64\JAI.exe
  Command line: C:\windows\system32\JAI.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 244
[depth 16] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VQPUIR.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1764
[depth 17] C:\windows\system\VQPUIR.exe
  Command line: C:\windows\system\VQPUIR.exe
  - Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JOXF.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\windows\JOXF.exeC:\windows\JOXF.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WYFWYNH.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\windows\system\WYFWYNH.exeC:\windows\system\WYFWYNH.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EESDJMD.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\windows\system\EESDJMD.exeC:\windows\system\EESDJMD.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZWE.exe.bat" "24⤵PID:3028
-
C:\windows\SysWOW64\KZWE.exeC:\windows\system32\KZWE.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XKA.exe.bat" "26⤵PID:4616
-
C:\windows\system\XKA.exeC:\windows\system\XKA.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "28⤵PID:4900
-
C:\windows\system\NQRJNK.exeC:\windows\system\NQRJNK.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PNSDUHS.exe.bat" "30⤵PID:5016
-
C:\windows\PNSDUHS.exeC:\windows\PNSDUHS.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RLYX.exe.bat" "32⤵PID:3904
-
C:\windows\RLYX.exeC:\windows\RLYX.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HBZ.exe.bat" "34⤵PID:920
-
C:\windows\HBZ.exeC:\windows\HBZ.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRSSVI.exe.bat" "36⤵PID:4876
-
C:\windows\SysWOW64\FRSSVI.exeC:\windows\system32\FRSSVI.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VHTRB.exe.bat" "38⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\windows\system\VHTRB.exeC:\windows\system\VHTRB.exe39⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PCYBMD.exe.bat" "40⤵PID:340
-
C:\windows\system\PCYBMD.exeC:\windows\system\PCYBMD.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DFGZ.exe.bat" "42⤵PID:4036
-
C:\windows\DFGZ.exeC:\windows\DFGZ.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LTTG.exe.bat" "44⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\windows\LTTG.exeC:\windows\LTTG.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PTU.exe.bat" "46⤵PID:688
-
C:\windows\system\PTU.exeC:\windows\system\PTU.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBVIVE.exe.bat" "48⤵PID:1712
-
C:\windows\SysWOW64\XBVIVE.exeC:\windows\system32\XBVIVE.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QCLSEFY.exe.bat" "50⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\windows\system\QCLSEFY.exeC:\windows\system\QCLSEFY.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZCN.exe.bat" "52⤵PID:4672
-
C:\windows\system\ZCN.exeC:\windows\system\ZCN.exe53⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VNVWWN.exe.bat" "54⤵PID:3000
-
C:\windows\system\VNVWWN.exeC:\windows\system\VNVWWN.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLJJD.exe.bat" "56⤵
- System Location Discovery: System Language Discovery
PID:3772 -
C:\windows\SysWOW64\XLJJD.exeC:\windows\system32\XLJJD.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLPOQ.exe.bat" "58⤵
- System Location Discovery: System Language Discovery
PID:4500 -
C:\windows\SysWOW64\OLPOQ.exeC:\windows\system32\OLPOQ.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WYQCAR.exe.bat" "60⤵PID:5064
-
C:\windows\WYQCAR.exeC:\windows\WYQCAR.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VJSSA.exe.bat" "62⤵
- System Location Discovery: System Language Discovery
PID:4028 -
C:\windows\VJSSA.exeC:\windows\VJSSA.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUBMO.exe.bat" "64⤵PID:1764
-
C:\windows\SysWOW64\UUBMO.exeC:\windows\system32\UUBMO.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OUQXF.exe.bat" "66⤵PID:4832
-
C:\windows\SysWOW64\OUQXF.exeC:\windows\system32\OUQXF.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SXP.exe.bat" "68⤵PID:920
-
C:\windows\SXP.exeC:\windows\SXP.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FIX.exe.bat" "70⤵PID:2296
-
C:\windows\FIX.exeC:\windows\FIX.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDBMZ.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\windows\SysWOW64\GDBMZ.exeC:\windows\system32\GDBMZ.exe73⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WOMC.exe.bat" "74⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\windows\SysWOW64\WOMC.exeC:\windows\system32\WOMC.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MRVGTXY.exe.bat" "76⤵PID:1592
-
C:\windows\system\MRVGTXY.exeC:\windows\system\MRVGTXY.exe77⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WPBBI.exe.bat" "78⤵PID:2164
-
C:\windows\system\WPBBI.exeC:\windows\system\WPBBI.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZMR.exe.bat" "80⤵PID:1604
-
C:\windows\SysWOW64\UZMR.exeC:\windows\system32\UZMR.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RFJOY.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:4036 -
C:\windows\system\RFJOY.exeC:\windows\system\RFJOY.exe83⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CTQM.exe.bat" "84⤵PID:4632
-
C:\windows\CTQM.exeC:\windows\CTQM.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "86⤵
- System Location Discovery: System Language Discovery
PID:3636 -
C:\windows\system\GBXMHP.exeC:\windows\system\GBXMHP.exe87⤵
- Checks computer location settings
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YJL.exe.bat" "88⤵PID:2876
-
C:\windows\system\YJL.exeC:\windows\system\YJL.exe89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KRSRGY.exe.bat" "90⤵PID:4600
-
C:\windows\system\KRSRGY.exeC:\windows\system\KRSRGY.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MPY.exe.bat" "92⤵PID:3800
-
C:\windows\SysWOW64\MPY.exeC:\windows\system32\MPY.exe93⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DXARZEJ.exe.bat" "94⤵PID:2084
-
C:\windows\SysWOW64\DXARZEJ.exeC:\windows\system32\DXARZEJ.exe95⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXOWLVM.exe.bat" "96⤵PID:1608
-
C:\windows\SysWOW64\UXOWLVM.exeC:\windows\system32\UXOWLVM.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PTTF.exe.bat" "98⤵PID:3040
-
C:\windows\system\PTTF.exeC:\windows\system\PTTF.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "100⤵PID:5056
-
C:\windows\system\CQTRYGC.exeC:\windows\system\CQTRYGC.exe101⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTXN.exe.bat" "102⤵PID:1488
-
C:\windows\SysWOW64\DTXN.exeC:\windows\system32\DTXN.exe103⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QWNL.exe.bat" "104⤵PID:3332
-
C:\windows\system\QWNL.exeC:\windows\system\QWNL.exe105⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UMULDR.exe.bat" "106⤵PID:756
-
C:\windows\system\UMULDR.exeC:\windows\system\UMULDR.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IKUXF.exe.bat" "108⤵PID:2624
-
C:\windows\system\IKUXF.exeC:\windows\system\IKUXF.exe109⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NKBLOFG.exe.bat" "110⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\windows\system\NKBLOFG.exeC:\windows\system\NKBLOFG.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DAC.exe.bat" "112⤵PID:2228
-
C:\windows\SysWOW64\DAC.exeC:\windows\system32\DAC.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZGVA.exe.bat" "114⤵PID:2480
-
C:\windows\ZGVA.exeC:\windows\ZGVA.exe115⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SJMDQSY.exe.bat" "116⤵PID:4672
-
C:\windows\system\SJMDQSY.exeC:\windows\system\SJMDQSY.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBBOZTG.exe.bat" "118⤵PID:872
-
C:\windows\SysWOW64\LBBOZTG.exeC:\windows\system32\LBBOZTG.exe119⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KMEEIH.exe.bat" "120⤵PID:2476
-
C:\windows\KMEEIH.exeC:\windows\KMEEIH.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MKKYPQ.exe.bat" "122⤵PID:4036