Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 14/09/2024, 11:12
Static task: static1
Behavioral task: behavioral1
- Sample: f062d8ee8bf223f050913f006a2aac90N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f062d8ee8bf223f050913f006a2aac90N.exe
- Resource: win10v2004-20240802-en
General
- Target: f062d8ee8bf223f050913f006a2aac90N.exe
- Size: 320KB
- MD5: f062d8ee8bf223f050913f006a2aac90
- SHA1: 155ec00cf9867ee5115dcb6487f2dfa12bb2b32c
- SHA256: 37896db345ef7e74c23f5a5c06649646e2336bf2ea03c4fabc26ba2810108bf1
- SHA512: 5a564c61a6dcac942ea43a52413eea58412f174fa0426cf685de9a382370805f3924d1a0054d31fc02d7be9bb81909186fb4934fee114c4d570b82d9c5d62ac0
- SSDEEP: 6144:7ajFIxqpx8uCYTs9skLqMSBvgkEjWbjcSbcY+CA:7ajFICCrhLqtvgkFbzs
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QIMI.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | CSSUP.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | XSXFX.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | TQDZ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | RCVWI.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WNZV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | NSJ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | DKONPV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QXCVOSU.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | EVJW.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | XQTS.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | FJW.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | GBCKPBA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | ESWMW.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | PIMTBPX.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | FEPQND.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | ZYL.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | KWPDHA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | DNP.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | XEZXSIF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | OWH.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | OJIXQMV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | YTBHDC.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | DDWI.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | KHADWQP.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | MZRLMF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IQHCLC.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | ERF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | XORZMVS.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | ZPAQ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | LULU.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | HZPNR.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WOUUTM.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | RILWQDT.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | HYAGHEY.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QHR.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IEPB.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | EJV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | VRJGAQE.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IOQHF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | PDGLO.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IEN.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | YXE.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | EAJWW.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | SBOUEBP.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WFTIM.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IBV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WMQL.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | UWPK.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QGNH.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QIOYR.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WBEDWU.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | GKNFS.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | YDGPC.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | YIPE.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | OIJNQ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | QTTD.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | f062d8ee8bf223f050913f006a2aac90N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | YFWFZA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | NAYOV.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | VUELRJ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | IXPXW.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | PVS.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | AQJTDI.exe
- Executes dropped EXE (64 IoCs)
  pid | Process
  3752 | XHBE.exe
  768 | AQJTDI.exe
  1228 | VVIXXZV.exe
  1144 | SBOUEBP.exe
  2148 | GWS.exe
  4332 | RPVGS.exe
  3252 | YFWFZA.exe
  1580 | DKONPV.exe
  4296 | QIOYR.exe
  1296 | LVTQBHD.exe
  3592 | SOIYL.exe
  4644 | IEPB.exe
  3536 | IJHPY.exe
  3464 | WFTIM.exe
  2992 | FSDAUQG.exe
  2828 | EDGQCE.exe
  4524 | KDNE.exe
  4128 | WRUKQAZ.exe
  3464 | PJKVIBH.exe
  760 | VJJJR.exe
  3208 | IPR.exe
  3004 | VSNTGGN.exe
  3676 | RYAXR.exe
  3312 | WBEDWU.exe
  628 | PBTO.exe
  2968 | MZRLMF.exe
  1064 | SZZ.exe
  3000 | ZPAQ.exe
  1344 | QXCVOSU.exe
  3912 | EASUC.exe
  4320 | PTNNCKX.exe
  4464 | GBCKPBA.exe
  1064 | QJE.exe
  3000 | LMM.exe
  4520 | UUOB.exe
  3212 | AVWPBJB.exe
  3512 | EDCP.exe
  3200 | MQCDP.exe
  1280 | UWPK.exe
  4972 | ZYL.exe
  4484 | UJU.exe
  4692 | ESWMW.exe
  3264 | OPJG.exe
  2000 | NAYOV.exe
  1184 | YTBHDC.exe
  1772 | IQHCLC.exe
  1168 | RRJHOHD.exe
  2452 | VHQH.exe
  2600 | MHS.exe
  3208 | SHZ.exe
  4064 | JACXWFR.exe
  5028 | RLLRKKF.exe
  1892 | TIQLZSO.exe
  1100 | XRTTC.exe
  4628 | QRAEM.exe
  4880 | VUELRJ.exe
  456 | XSXFX.exe
  4984 | HQDZ.exe
  652 | EVJW.exe
  1280 | STOTAA.exe
  3200 | EJV.exe
  2672 | XEZXSIF.exe
  4524 | RZEG.exe
  4596 | ZFEVE.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File created | C:\windows\SysWOW64\EDGQCE.exe | FSDAUQG.exe
  File created | C:\windows\SysWOW64\QJE.exe | GBCKPBA.exe
  File opened for modification | C:\windows\SysWOW64\XSXFX.exe | VUELRJ.exe
  File opened for modification | C:\windows\SysWOW64\JMQI.exe | OWH.exe
  File created | C:\windows\SysWOW64\VHQH.exe.bat | RRJHOHD.exe
  File opened for modification | C:\windows\SysWOW64\HLYSQTY.exe | IBV.exe
  File created | C:\windows\SysWOW64\NSJ.exe | KKAXMDM.exe
  File opened for modification | C:\windows\SysWOW64\SOIYL.exe | LVTQBHD.exe
  File opened for modification | C:\windows\SysWOW64\WRUKQAZ.exe | KDNE.exe
  File created | C:\windows\SysWOW64\VHQH.exe | RRJHOHD.exe
  File created | C:\windows\SysWOW64\QAA.exe.bat | FHXCVL.exe
  File created | C:\windows\SysWOW64\HYAGHEY.exe.bat | WFKV.exe
  File created | C:\windows\SysWOW64\EWG.exe | ERF.exe
  File created | C:\windows\SysWOW64\TWNOIXJ.exe | XQD.exe
  File opened for modification | C:\windows\SysWOW64\EASUC.exe | QXCVOSU.exe
  File opened for modification | C:\windows\SysWOW64\MQCDP.exe | EDCP.exe
  File created | C:\windows\SysWOW64\XSXFX.exe.bat | VUELRJ.exe
  File created | C:\windows\SysWOW64\YIPE.exe | LXL.exe
  File created | C:\windows\SysWOW64\KZVYRN.exe.bat | XORZMVS.exe
  File opened for modification | C:\windows\SysWOW64\SBOUEBP.exe | VVIXXZV.exe
  File created | C:\windows\SysWOW64\WRUKQAZ.exe.bat | KDNE.exe
  File opened for modification | C:\windows\SysWOW64\UWPK.exe | MQCDP.exe
  File created | C:\windows\SysWOW64\QRAEM.exe | XRTTC.exe
  File created | C:\windows\SysWOW64\HQDZ.exe.bat | XSXFX.exe
  File created | C:\windows\SysWOW64\IPR.exe | VJJJR.exe
  File created | C:\windows\SysWOW64\RZEG.exe.bat | XEZXSIF.exe
  File created | C:\windows\SysWOW64\ABMJJJW.exe | YDGPC.exe
  File created | C:\windows\SysWOW64\NSJ.exe.bat | KKAXMDM.exe
  File created | C:\windows\SysWOW64\KUJQK.exe.bat | QGNH.exe
  File created | C:\windows\SysWOW64\JMQI.exe | OWH.exe
  File created | C:\windows\SysWOW64\YDGPC.exe.bat | LTKJ.exe
  File created | C:\windows\SysWOW64\WFKV.exe | DNP.exe
  File created | C:\windows\SysWOW64\PVS.exe.bat | NSJ.exe
  File created | C:\windows\SysWOW64\AIRZBNG.exe | PVS.exe
  File created | C:\windows\SysWOW64\EASUC.exe | QXCVOSU.exe
  File opened for modification | C:\windows\SysWOW64\LXL.exe | ZFEVE.exe
  File opened for modification | C:\windows\SysWOW64\EWG.exe | ERF.exe
  File created | C:\windows\SysWOW64\YFH.exe | LULU.exe
  File opened for modification | C:\windows\SysWOW64\FEPQND.exe | LQSG.exe
  File created | C:\windows\SysWOW64\RLLRKKF.exe | JACXWFR.exe
  File created | C:\windows\SysWOW64\JMQI.exe.bat | OWH.exe
  File created | C:\windows\SysWOW64\DDWI.exe | AIRZBNG.exe
  File created | C:\windows\SysWOW64\WNZV.exe.bat | RCVWI.exe
  File created | C:\windows\SysWOW64\LVTQBHD.exe.bat | QIOYR.exe
  File created | C:\windows\SysWOW64\YDGPC.exe | LTKJ.exe
  File opened for modification | C:\windows\SysWOW64\QJE.exe | GBCKPBA.exe
  File created | C:\windows\SysWOW64\LXL.exe | ZFEVE.exe
  File created | C:\windows\SysWOW64\SOIYL.exe | LVTQBHD.exe
  File created | C:\windows\SysWOW64\IPR.exe.bat | VJJJR.exe
  File created | C:\windows\SysWOW64\RZEG.exe | XEZXSIF.exe
  File opened for modification | C:\windows\SysWOW64\AIRZBNG.exe | PVS.exe
  File created | C:\windows\SysWOW64\TWNOIXJ.exe.bat | XQD.exe
  File opened for modification | C:\windows\SysWOW64\CSSUP.exe | IEN.exe
  File created | C:\windows\SysWOW64\QXCVOSU.exe | ZPAQ.exe
  File created | C:\windows\SysWOW64\MQCDP.exe | EDCP.exe
  File created | C:\windows\SysWOW64\MQCDP.exe.bat | EDCP.exe
  File created | C:\windows\SysWOW64\HLYSQTY.exe | IBV.exe
  File created | C:\windows\SysWOW64\KZZWYRF.exe.bat | ABMJJJW.exe
  File created | C:\windows\SysWOW64\SBOUEBP.exe | VVIXXZV.exe
  File created | C:\windows\SysWOW64\QAA.exe | FHXCVL.exe
  File opened for modification | C:\windows\SysWOW64\GQBM.exe | QAA.exe
  File created | C:\windows\SysWOW64\KZVYRN.exe | XORZMVS.exe
  File created | C:\windows\SysWOW64\FEPQND.exe | LQSG.exe
  File created | C:\windows\SysWOW64\MZRLMF.exe.bat | PBTO.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\windows\QIOYR.exe | DKONPV.exe
  File opened for modification | C:\windows\system\ADGVMN.exe | GQBM.exe
  File created | C:\windows\system\VVHZWSM.exe | ZQC.exe
  File created | C:\windows\ERF.exe.bat | GGDM.exe
  File opened for modification | C:\windows\PIMTBPX.exe | ADGVMN.exe
  File created | C:\windows\system\KHADWQP.exe.bat | FEPQND.exe
  File created | C:\windows\ZQC.exe.bat | RCX.exe
  File opened for modification | C:\windows\system\YDF.exe | YXE.exe
  File created | C:\windows\system\UJU.exe.bat | ZYL.exe
  File created | C:\windows\system\OPJG.exe | ESWMW.exe
  File created | C:\windows\LULU.exe.bat | KZVYRN.exe
  File created | C:\windows\system\TQDZ.exe.bat | HYAGHEY.exe
  File created | C:\windows\QTTD.exe | TWNOIXJ.exe
  File opened for modification | C:\windows\system\WFTIM.exe | IJHPY.exe
  File created | C:\windows\system\RRJHOHD.exe.bat | IQHCLC.exe
  File opened for modification | C:\windows\system\RCX.exe | FJUCWCI.exe
  File created | C:\windows\system\STOTAA.exe | EVJW.exe
  File created | C:\windows\system\IOQHF.exe | XYJZTD.exe
  File opened for modification | C:\windows\system\IEN.exe | FJW.exe
  File created | C:\windows\SZZ.exe.bat | MZRLMF.exe
  File opened for modification | C:\windows\UUOB.exe | LMM.exe
  File created | C:\windows\system\EDCP.exe | AVWPBJB.exe
  File created | C:\windows\system\EDCP.exe.bat | AVWPBJB.exe
  File opened for modification | C:\windows\TIQLZSO.exe | RLLRKKF.exe
  File created | C:\windows\system\STOTAA.exe.bat | EVJW.exe
  File created | C:\windows\system\ADGVMN.exe.bat | GQBM.exe
  File created | C:\windows\OXAMD.exe.bat | GKNFS.exe
  File opened for modification | C:\windows\system\VVIXXZV.exe | AQJTDI.exe
  File opened for modification | C:\windows\system\RPVGS.exe | GWS.exe
  File created | C:\windows\QIOYR.exe | DKONPV.exe
  File created | C:\windows\IEPB.exe | SOIYL.exe
  File created | C:\windows\LMM.exe | QJE.exe
  File created | C:\windows\ZQC.exe | RCX.exe
  File created | C:\windows\QTTD.exe.bat | TWNOIXJ.exe
  File created | C:\windows\system\ESWMW.exe | UJU.exe
  File opened for modification | C:\windows\system\RRJHOHD.exe | IQHCLC.exe
  File created | C:\windows\XRTTC.exe | TIQLZSO.exe
  File created | C:\windows\system\LQSG.exe.bat | OLMJWUE.exe
  File created | C:\windows\PDGLO.exe | BFI.exe
  File created | C:\windows\system\VVIXXZV.exe.bat | AQJTDI.exe
  File opened for modification | C:\windows\system\KDNE.exe | EDGQCE.exe
  File created | C:\windows\PIMTBPX.exe.bat | ADGVMN.exe
  File opened for modification | C:\windows\WDBRQVW.exe | BPWIGW.exe
  File opened for modification | C:\windows\system\FJUCWCI.exe | QTTD.exe
  File created | C:\windows\VJJJR.exe.bat | PJKVIBH.exe
  File created | C:\windows\SHZ.exe | MHS.exe
  File created | C:\windows\UUTZZ.exe | LMZMOWI.exe
  File created | C:\windows\system\VDTXFG.exe | WOUUTM.exe
  File created | C:\windows\system\RILWQDT.exe.bat | YFH.exe
  File created | C:\windows\system\IBV.exe | NFRTXFV.exe
  File opened for modification | C:\windows\system\KHADWQP.exe | FEPQND.exe
  File opened for modification | C:\windows\RQSB.exe | NNUOME.exe
  File created | C:\windows\WDBRQVW.exe.bat | BPWIGW.exe
  File created | C:\windows\system\YXE.exe.bat | CSSUP.exe
  File created | C:\windows\system\AQJTDI.exe | XHBE.exe
  File created | C:\windows\system\VVIXXZV.exe | AQJTDI.exe
  File created | C:\windows\VJJJR.exe | PJKVIBH.exe
  File created | C:\windows\system\NAYOV.exe | OPJG.exe
  File opened for modification | C:\windows\system\TQDZ.exe | HYAGHEY.exe
  File created | C:\windows\system\PJKVIBH.exe.bat | WRUKQAZ.exe
  File created | C:\windows\system\VSNTGGN.exe.bat | IPR.exe
  File created | C:\windows\system\RYAXR.exe | VSNTGGN.exe
  File created | C:\windows\system\GBCKPBA.exe.bat | PTNNCKX.exe
  File created | C:\windows\UUTZZ.exe.bat | LMZMOWI.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (64 IoCs)
  pid | pid_target | Process | procid_target
  4428 | 1424 | WerFault.exe | 89
  4836 | 3752 | WerFault.exe | 97
  2988 | 768 | WerFault.exe | 104
  4644 | 1228 | WerFault.exe | 109
  1604 | 1144 | WerFault.exe | 114
  2024 | 2148 | WerFault.exe | 119
  4092 | 4332 | WerFault.exe | 126
  5008 | 3252 | WerFault.exe | 134
  4336 | 1580 | WerFault.exe | 139
  60 | 4296 | WerFault.exe | 144
  4128 | 1296 | WerFault.exe | 149
  1356 | 3592 | WerFault.exe | 155
  4924 | 4644 | WerFault.exe | 160
  4520 | 3536 | WerFault.exe | 165
  3632 | 3464 | WerFault.exe | 170
  3676 | 2992 | WerFault.exe | 177
  3208 | 2828 | WerFault.exe | 182
  4520 | 4524 | WerFault.exe | 187
  4580 | 4128 | WerFault.exe | 192
  2592 | 3464 | WerFault.exe | 197
  4116 | 760 | WerFault.exe | 202
  4536 | 3208 | WerFault.exe | 207
  780 | 3004 | WerFault.exe | 212
  540 | 3676 | WerFault.exe | 217
  4880 | 3312 | WerFault.exe | 222
  3444 | 628 | WerFault.exe | 227
  4424 | 2968 | WerFault.exe | 232
  4972 | 1064 | WerFault.exe | 237
  4396 | 3000 | WerFault.exe | 242
  4992 | 1344 | WerFault.exe | 247
  1516 | 3912 | WerFault.exe | 252
  2992 | 4320 | WerFault.exe | 257
  2452 | 4464 | WerFault.exe | 262
  4396 | 1064 | WerFault.exe | 267
  4992 | 3000 | WerFault.exe | 272
  3052 | 4520 | WerFault.exe | 277
  3596 | 3212 | WerFault.exe | 282
  3944 | 3512 | WerFault.exe | 288
  1516 | 3200 | WerFault.exe | 293
  1184 | 1280 | WerFault.exe | 298
  4520 | 4972 | WerFault.exe | 303
  3444 | 4484 | WerFault.exe | 308
  3580 | 4692 | WerFault.exe | 314
  2648 | 3264 | WerFault.exe | 319
  4492 | 2000 | WerFault.exe | 324
  3052 | 1184 | WerFault.exe | 329
  3596 | 1772 | WerFault.exe | 334
  2604 | 1168 | WerFault.exe | 339
  1804 | 2452 | WerFault.exe | 344
  1536 | 2600 | WerFault.exe | 349
  2976 | 3208 | WerFault.exe | 354
  5088 | 4064 | WerFault.exe | 359
  4160 | 5028 | WerFault.exe | 364
  4428 | 1892 | WerFault.exe | 369
  1208 | 1100 | WerFault.exe | 374
  3212 | 4628 | WerFault.exe | 379
  3000 | 4880 | WerFault.exe | 384
  5088 | 456 | WerFault.exe | 389
  3660 | 4984 | WerFault.exe | 394
  2784 | 652 | WerFault.exe | 399
  4508 | 1280 | WerFault.exe | 404
  4332 | 3200 | WerFault.exe | 409
  4396 | 2672 | WerFault.exe | 414
  3916 | 4524 | WerFault.exe | 419
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SZZ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QXCVOSU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LQSG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AQJTDI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FEPQND.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PDGLO.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SBOUEBP.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LFB.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | KZZWYRF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CSSUP.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ABMJJJW.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FJUCWCI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GQBM.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WBEDWU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XSXFX.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RRJHOHD.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UUTZZ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UKJOCNH.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PTNNCKX.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OPJG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TWNOIXJ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LMZMOWI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BPWIGW.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DDWI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VVHZWSM.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GWS.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QIOYR.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WRUKQAZ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XEZXSIF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | KHADWQP.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WDBRQVW.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MZRLMF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1424 | f062d8ee8bf223f050913f006a2aac90N.exe
  1424 | f062d8ee8bf223f050913f006a2aac90N.exe
  3752 | XHBE.exe
  3752 | XHBE.exe
  768 | AQJTDI.exe
  768 | AQJTDI.exe
  1228 | VVIXXZV.exe
  1228 | VVIXXZV.exe
  1144 | SBOUEBP.exe
  1144 | SBOUEBP.exe
  2148 | GWS.exe
  2148 | GWS.exe
  4332 | RPVGS.exe
  4332 | RPVGS.exe
  3252 | YFWFZA.exe
  3252 | YFWFZA.exe
  1580 | DKONPV.exe
  1580 | DKONPV.exe
  4296 | QIOYR.exe
  4296 | QIOYR.exe
  1296 | LVTQBHD.exe
  1296 | LVTQBHD.exe
  3592 | SOIYL.exe
  3592 | SOIYL.exe
  4644 | IEPB.exe
  4644 | IEPB.exe
  3536 | IJHPY.exe
  3536 | IJHPY.exe
  3464 | WFTIM.exe
  3464 | WFTIM.exe
  2992 | FSDAUQG.exe
  2992 | FSDAUQG.exe
  2828 | EDGQCE.exe
  2828 | EDGQCE.exe
  4524 | KDNE.exe
  4524 | KDNE.exe
  4128 | WRUKQAZ.exe
  4128 | WRUKQAZ.exe
  3464 | PJKVIBH.exe
  3464 | PJKVIBH.exe
  760 | VJJJR.exe
  760 | VJJJR.exe
  3208 | IPR.exe
  3208 | IPR.exe
  3004 | VSNTGGN.exe
  3004 | VSNTGGN.exe
  3676 | RYAXR.exe
  3676 | RYAXR.exe
  3312 | WBEDWU.exe
  3312 | WBEDWU.exe
  628 | PBTO.exe
  628 | PBTO.exe
  2968 | MZRLMF.exe
  2968 | MZRLMF.exe
  1064 | SZZ.exe
  1064 | SZZ.exe
  3000 | ZPAQ.exe
  3000 | ZPAQ.exe
  1344 | QXCVOSU.exe
  1344 | QXCVOSU.exe
  3912 | EASUC.exe
  3912 | EASUC.exe
  4320 | PTNNCKX.exe
  4320 | PTNNCKX.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  pid | Process
  1424 | f062d8ee8bf223f050913f006a2aac90N.exe
  1424 | f062d8ee8bf223f050913f006a2aac90N.exe
  3752 | XHBE.exe
  3752 | XHBE.exe
  768 | AQJTDI.exe
  768 | AQJTDI.exe
  1228 | VVIXXZV.exe
  1228 | VVIXXZV.exe
  1144 | SBOUEBP.exe
  1144 | SBOUEBP.exe
  2148 | GWS.exe
  2148 | GWS.exe
  4332 | RPVGS.exe
  4332 | RPVGS.exe
  3252 | YFWFZA.exe
  3252 | YFWFZA.exe
  1580 | DKONPV.exe
  1580 | DKONPV.exe
  4296 | QIOYR.exe
  4296 | QIOYR.exe
  1296 | LVTQBHD.exe
  1296 | LVTQBHD.exe
  3592 | SOIYL.exe
  3592 | SOIYL.exe
  4644 | IEPB.exe
  4644 | IEPB.exe
  3536 | IJHPY.exe
  3536 | IJHPY.exe
  3464 | WFTIM.exe
  3464 | WFTIM.exe
  2992 | FSDAUQG.exe
  2992 | FSDAUQG.exe
  2828 | EDGQCE.exe
  2828 | EDGQCE.exe
  4524 | KDNE.exe
  4524 | KDNE.exe
  4128 | WRUKQAZ.exe
  4128 | WRUKQAZ.exe
  3464 | PJKVIBH.exe
  3464 | PJKVIBH.exe
  760 | VJJJR.exe
  760 | VJJJR.exe
  3208 | IPR.exe
  3208 | IPR.exe
  3004 | VSNTGGN.exe
  3004 | VSNTGGN.exe
  3676 | RYAXR.exe
  3676 | RYAXR.exe
  3312 | WBEDWU.exe
  3312 | WBEDWU.exe
  628 | PBTO.exe
  628 | PBTO.exe
  2968 | MZRLMF.exe
  2968 | MZRLMF.exe
  1064 | SZZ.exe
  1064 | SZZ.exe
  3000 | ZPAQ.exe
  3000 | ZPAQ.exe
  1344 | QXCVOSU.exe
  1344 | QXCVOSU.exe
  3912 | EASUC.exe
  3912 | EASUC.exe
  4320 | PTNNCKX.exe
  4320 | PTNNCKX.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1424 wrote to memory of 4624 | 1424 | f062d8ee8bf223f050913f006a2aac90N.exe | 93
  PID 1424 wrote to memory of 4624 | 1424 | f062d8ee8bf223f050913f006a2aac90N.exe | 93
  PID 1424 wrote to memory of 4624 | 1424 | f062d8ee8bf223f050913f006a2aac90N.exe | 93
  PID 4624 wrote to memory of 3752 | 4624 | cmd.exe | 97
  PID 4624 wrote to memory of 3752 | 4624 | cmd.exe | 97
  PID 4624 wrote to memory of 3752 | 4624 | cmd.exe | 97
  PID 3752 wrote to memory of 3956 | 3752 | XHBE.exe | 100
  PID 3752 wrote to memory of 3956 | 3752 | XHBE.exe | 100
  PID 3752 wrote to memory of 3956 | 3752 | XHBE.exe | 100
  PID 3956 wrote to memory of 768 | 3956 | cmd.exe | 104
  PID 3956 wrote to memory of 768 | 3956 | cmd.exe | 104
  PID 3956 wrote to memory of 768 | 3956 | cmd.exe | 104
  PID 768 wrote to memory of 4004 | 768 | AQJTDI.exe | 105
  PID 768 wrote to memory of 4004 | 768 | AQJTDI.exe | 105
  PID 768 wrote to memory of 4004 | 768 | AQJTDI.exe | 105
  PID 4004 wrote to memory of 1228 | 4004 | cmd.exe | 109
  PID 4004 wrote to memory of 1228 | 4004 | cmd.exe | 109
  PID 4004 wrote to memory of 1228 | 4004 | cmd.exe | 109
  PID 1228 wrote to memory of 3632 | 1228 | VVIXXZV.exe | 110
  PID 1228 wrote to memory of 3632 | 1228 | VVIXXZV.exe | 110
  PID 1228 wrote to memory of 3632 | 1228 | VVIXXZV.exe | 110
  PID 3632 wrote to memory of 1144 | 3632 | cmd.exe | 114
  PID 3632 wrote to memory of 1144 | 3632 | cmd.exe | 114
  PID 3632 wrote to memory of 1144 | 3632 | cmd.exe | 114
  PID 1144 wrote to memory of 2960 | 1144 | SBOUEBP.exe | 115
  PID 1144 wrote to memory of 2960 | 1144 | SBOUEBP.exe | 115
  PID 1144 wrote to memory of 2960 | 1144 | SBOUEBP.exe | 115
  PID 2960 wrote to memory of 2148 | 2960 | cmd.exe | 119
  PID 2960 wrote to memory of 2148 | 2960 | cmd.exe | 119
  PID 2960 wrote to memory of 2148 | 2960 | cmd.exe | 119
  PID 2148 wrote to memory of 3052 | 2148 | GWS.exe | 122
  PID 2148 wrote to memory of 3052 | 2148 | GWS.exe | 122
  PID 2148 wrote to memory of 3052 | 2148 | GWS.exe | 122
  PID 3052 wrote to memory of 4332 | 3052 | cmd.exe | 126
  PID 3052 wrote to memory of 4332 | 3052 | cmd.exe | 126
  PID 3052 wrote to memory of 4332 | 3052 | cmd.exe | 126
  PID 4332 wrote to memory of 1824 | 4332 | RPVGS.exe | 130
  PID 4332 wrote to memory of 1824 | 4332 | RPVGS.exe | 130
  PID 4332 wrote to memory of 1824 | 4332 | RPVGS.exe | 130
  PID 1824 wrote to memory of 3252 | 1824 | cmd.exe | 134
  PID 1824 wrote to memory of 3252 | 1824 | cmd.exe | 134
  PID 1824 wrote to memory of 3252 | 1824 | cmd.exe | 134
  PID 3252 wrote to memory of 1280 | 3252 | YFWFZA.exe | 135
  PID 3252 wrote to memory of 1280 | 3252 | YFWFZA.exe | 135
  PID 3252 wrote to memory of 1280 | 3252 | YFWFZA.exe | 135
  PID 1280 wrote to memory of 1580 | 1280 | cmd.exe | 139
  PID 1280 wrote to memory of 1580 | 1280 | cmd.exe | 139
  PID 1280 wrote to memory of 1580 | 1280 | cmd.exe | 139
  PID 1580 wrote to memory of 1056 | 1580 | DKONPV.exe | 140
  PID 1580 wrote to memory of 1056 | 1580 | DKONPV.exe | 140
  PID 1580 wrote to memory of 1056 | 1580 | DKONPV.exe | 140
  PID 1056 wrote to memory of 4296 | 1056 | cmd.exe | 144
  PID 1056 wrote to memory of 4296 | 1056 | cmd.exe | 144
  PID 1056 wrote to memory of 4296 | 1056 | cmd.exe | 144
  PID 4296 wrote to memory of 4468 | 4296 | QIOYR.exe | 145
  PID 4296 wrote to memory of 4468 | 4296 | QIOYR.exe | 145
  PID 4296 wrote to memory of 4468 | 4296 | QIOYR.exe | 145
  PID 4468 wrote to memory of 1296 | 4468 | cmd.exe | 149
  PID 4468 wrote to memory of 1296 | 4468 | cmd.exe | 149
  PID 4468 wrote to memory of 1296 | 4468 | cmd.exe | 149
  PID 1296 wrote to memory of 1824 | 1296 | LVTQBHD.exe | 151
  PID 1296 wrote to memory of 1824 | 1296 | LVTQBHD.exe | 151
  PID 1296 wrote to memory of 1824 | 1296 | LVTQBHD.exe | 151
  PID 1824 wrote to memory of 3592 | 1824 | cmd.exe | 155
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\f062d8ee8bf223f050913f006a2aac90N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f062d8ee8bf223f050913f006a2aac90N.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1424
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XHBE.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4624
Depth 3: C:\windows\XHBE.exe
Command line: C:\windows\XHBE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3752
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AQJTDI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3956
Depth 5: C:\windows\system\AQJTDI.exe
Command line: C:\windows\system\AQJTDI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 768
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VVIXXZV.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4004
Depth 7: C:\windows\system\VVIXXZV.exe
Command line: C:\windows\system\VVIXXZV.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1228
Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBOUEBP.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3632
Depth 9: C:\windows\SysWOW64\SBOUEBP.exe
Command line: C:\windows\system32\SBOUEBP.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1144
Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GWS.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2960
Depth 11: C:\windows\system\GWS.exe
Command line: C:\windows\system\GWS.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2148
Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RPVGS.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3052
Depth 13: C:\windows\system\RPVGS.exe
Command line: C:\windows\system\RPVGS.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4332
Depth 14: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YFWFZA.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1824
Depth 15: C:\windows\system\YFWFZA.exe
Command line: C:\windows\system\YFWFZA.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3252
Depth 16: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DKONPV.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1280
Depth 17: C:\windows\DKONPV.exe
Command line: C:\windows\DKONPV.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1580
Depth 18: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QIOYR.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1056
Depth 19: C:\windows\QIOYR.exe
Command line: C:\windows\QIOYR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4296
Depth 20: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LVTQBHD.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4468
Depth 21: C:\windows\SysWOW64\LVTQBHD.exe
Command line: C:\windows\system32\LVTQBHD.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1296
Depth 22: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOIYL.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1824
Depth 23: C:\windows\SysWOW64\SOIYL.exe
Command line: C:\windows\system32\SOIYL.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3592
Depth 24: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IEPB.exe.bat" "
PID: 216
Depth 25: C:\windows\IEPB.exe
Command line: C:\windows\IEPB.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4644
Depth 26: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJHPY.exe.bat" "
PID: 2512
Depth 27: C:\windows\SysWOW64\IJHPY.exe
Command line: C:\windows\system32\IJHPY.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3536
Depth 28: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WFTIM.exe.bat" "
PID: 4268
Depth 29: C:\windows\system\WFTIM.exe
Command line: C:\windows\system\WFTIM.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3464
Depth 30: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FSDAUQG.exe.bat" "
PID: 3668
Depth 31: C:\windows\FSDAUQG.exe
Command line: C:\windows\FSDAUQG.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2992
Depth 32: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EDGQCE.exe.bat" "
PID: 396
Depth 33: C:\windows\SysWOW64\EDGQCE.exe
Command line: C:\windows\system32\EDGQCE.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2828
Depth 34: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KDNE.exe.bat" "
PID: 2648
Depth 35: C:\windows\system\KDNE.exe
Command line: C:\windows\system\KDNE.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4524
Depth 36: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WRUKQAZ.exe.bat" "
PID: 452
Depth 37: C:\windows\SysWOW64\WRUKQAZ.exe
Command line: C:\windows\system32\WRUKQAZ.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4128
Depth 38: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJKVIBH.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4160
Depth 39: C:\windows\system\PJKVIBH.exe
Command line: C:\windows\system\PJKVIBH.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3464
Depth 40: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VJJJR.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 508
Depth 41: C:\windows\VJJJR.exe
Command line: C:\windows\VJJJR.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 760
Depth 42: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPR.exe.bat" "
PID: 4472
Depth 43: C:\windows\SysWOW64\IPR.exe
Command line: C:\windows\system32\IPR.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3208
Depth 44: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VSNTGGN.exe.bat" "
PID: 2400
Depth 45: C:\windows\system\VSNTGGN.exe
Command line: C:\windows\system\VSNTGGN.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3004
Depth 46: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RYAXR.exe.bat" "
PID: 3864
Depth 47: C:\windows\system\RYAXR.exe
Command line: C:\windows\system\RYAXR.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3676
Depth 48: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WBEDWU.exe.bat" "
PID: 2548
Depth 49: C:\windows\SysWOW64\WBEDWU.exe
Command line: C:\windows\system32\WBEDWU.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3312
Depth 50: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PBTO.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4148
Depth 51: C:\windows\PBTO.exe
Command line: C:\windows\PBTO.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 628
Depth 52: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZRLMF.exe.bat" "
PID: 4116
Depth 53: C:\windows\SysWOW64\MZRLMF.exe
Command line: C:\windows\system32\MZRLMF.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2968
Depth 54: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SZZ.exe.bat" "
PID: 2444
Depth 55: C:\windows\SZZ.exe
Command line: C:\windows\SZZ.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1064
Depth 56: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZPAQ.exe.bat" "
PID: 4512
Depth 57: C:\windows\system\ZPAQ.exe
Command line: C:\windows\system\ZPAQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3000
Depth 58: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QXCVOSU.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4580
Depth 59: C:\windows\SysWOW64\QXCVOSU.exe
Command line: C:\windows\system32\QXCVOSU.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1344
Depth 60: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EASUC.exe.bat" "
PID: 3944
Depth 61: C:\windows\SysWOW64\EASUC.exe
Command line: C:\windows\system32\EASUC.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3912
Depth 62: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PTNNCKX.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4088
Depth 63: C:\windows\PTNNCKX.exe
Command line: C:\windows\PTNNCKX.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4320
Depth 64: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBCKPBA.exe.bat" "
PID: 508
Depth 65: C:\windows\system\GBCKPBA.exe
Command line: C:\windows\system\GBCKPBA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4464
Depth 66: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJE.exe.bat" "
PID: 1208
Depth 67: C:\windows\SysWOW64\QJE.exe
Command line: C:\windows\system32\QJE.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1064
Depth 68: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LMM.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 3944
Depth 69: C:\windows\LMM.exe
Command line: C:\windows\LMM.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 3000
Depth 70: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UUOB.exe.bat" "
PID: 3096
Depth 71: C:\windows\UUOB.exe
Command line: C:\windows\UUOB.exe
- Executes dropped EXE
PID: 4520
Depth 72: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AVWPBJB.exe.bat" "
PID: 4336
Depth 73: C:\windows\system\AVWPBJB.exe
Command line: C:\windows\system\AVWPBJB.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 3212
Depth 74: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EDCP.exe.bat" "
PID: 4440
Depth 75: C:\windows\system\EDCP.exe
Command line: C:\windows\system\EDCP.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3512
Depth 76: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MQCDP.exe.bat" "
PID: 4828
Depth 77: C:\windows\SysWOW64\MQCDP.exe
Command line: C:\windows\system32\MQCDP.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3200
Depth 78: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWPK.exe.bat" "
PID: 2604
Depth 79: C:\windows\SysWOW64\UWPK.exe
Command line: C:\windows\system32\UWPK.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1280
Depth 80: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYL.exe.bat" "
PID: 3864
Depth 81: C:\windows\SysWOW64\ZYL.exe
Command line: C:\windows\system32\ZYL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 4972
Depth 82: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UJU.exe.bat" "
PID: 2068
Depth 83: C:\windows\system\UJU.exe
Command line: C:\windows\system\UJU.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 4484
Depth 84: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ESWMW.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1536
Depth 85: C:\windows\system\ESWMW.exe
Command line: C:\windows\system\ESWMW.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 4692
Depth 86: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OPJG.exe.bat" "
PID: 404
Depth 87: C:\windows\system\OPJG.exe
Command line: C:\windows\system\OPJG.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 3264
Depth 88: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAYOV.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 1208
Depth 89: C:\windows\system\NAYOV.exe
Command line: C:\windows\system\NAYOV.exe
- Checks computer location settings
- Executes dropped EXE
PID: 2000
Depth 90: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YTBHDC.exe.bat" "
PID: 2068
Depth 91: C:\windows\YTBHDC.exe
Command line: C:\windows\YTBHDC.exe
- Checks computer location settings
- Executes dropped EXE
PID: 1184
Depth 92: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IQHCLC.exe.bat" "
PID: 3716
Depth 93: C:\windows\IQHCLC.exe
Command line: C:\windows\IQHCLC.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 1772
Depth 94: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RRJHOHD.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4148
Depth 95: C:\windows\system\RRJHOHD.exe
Command line: C:\windows\system\RRJHOHD.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1168
Depth 96: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHQH.exe.bat" "
PID: 2996
Depth 97: C:\windows\SysWOW64\VHQH.exe
Command line: C:\windows\system32\VHQH.exe
- Executes dropped EXE
PID: 2452
Depth 98: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MHS.exe.bat" "
PID: 1516
Depth 99: C:\windows\MHS.exe
Command line: C:\windows\MHS.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 2600
Depth 100: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SHZ.exe.bat" "
PID: 2648
Depth 101: C:\windows\SHZ.exe
Command line: C:\windows\SHZ.exe
- Executes dropped EXE
PID: 3208
Depth 102: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JACXWFR.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4644
Depth 103: C:\windows\system\JACXWFR.exe
Command line: C:\windows\system\JACXWFR.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4064
Depth 104: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RLLRKKF.exe.bat" "
- System Location Discovery: System Language Discovery
PID: 4232
Depth 105: C:\windows\SysWOW64\RLLRKKF.exe
Command line: C:\windows\system32\RLLRKKF.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 5028
Depth 106: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TIQLZSO.exe.bat" "
PID: 1064
Depth 107: C:\windows\TIQLZSO.exe
Command line: C:\windows\TIQLZSO.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 1892
Depth 108: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XRTTC.exe.bat" "
PID: 3440
Depth 109: C:\windows\XRTTC.exe
Command line: C:\windows\XRTTC.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1100
Depth 110: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QRAEM.exe.bat" "
PID: 4992
Depth 111: C:\windows\SysWOW64\QRAEM.exe
Command line: C:\windows\system32\QRAEM.exe
- Executes dropped EXE
PID: 4628
Depth 112: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VUELRJ.exe.bat" "
PID: 1736
Depth 113: C:\windows\VUELRJ.exe
Command line: C:\windows\VUELRJ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4880
Depth 114: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSXFX.exe.bat" "
PID: 4356
Depth 115: C:\windows\SysWOW64\XSXFX.exe
Command line: C:\windows\system32\XSXFX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 456
Depth 116: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQDZ.exe.bat" "
PID: 844
Depth 117: C:\windows\SysWOW64\HQDZ.exe
Command line: C:\windows\system32\HQDZ.exe
- Executes dropped EXE
PID: 4984
Depth 118: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EVJW.exe.bat" "
PID: 5008
Depth 119: C:\windows\system\EVJW.exe
Command line: C:\windows\system\EVJW.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID: 652
Depth 120: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\STOTAA.exe.bat" "
PID: 3264
Depth 121: C:\windows\system\STOTAA.exe
Command line: C:\windows\system\STOTAA.exe
- Executes dropped EXE
PID: 1280
Depth 122: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EJV.exe.bat" "
PID: 3668