Analysis
max time kernel: 149s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 19/09/2024, 18:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
  Resource: win10v2004-20240802-en
General
Target: 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
Size: 208KB
MD5: b881e969b3000bb334e8dafbc7dbe0eb
SHA1: e70fbce90f3b6ef2e6664a253003e4027e91783b
SHA256: 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5
SHA512: 94102470d7b44ce171d2e9bd4837689a0a8b82da8f5b3038510b0207581ac4b02a3bc32bf7ebdd967512d2132cc97d7ba84592c2e7364ddc5bea146ce927373d
SSDEEP: 3072:zpSV2jk89a0CZI+om9jkA4d39Wv0fMDYVHtKHwUfqSady9m+7gi4NLthEjQT6:3/a055OcNDMEFt3UfqSadyl7dQEj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
Process (one row per process, in table order): AQUYZT.exe, JDX.exe, PST.exe, KRG.exe, NLLE.exe, TGO.exe, XVK.exe, MJXVD.exe, CSQ.exe, USAH.exe, VSYQ.exe, IAEPUM.exe, ICCU.exe, XTMPMI.exe, FDIKKSI.exe, SLJUPIZ.exe, VTAAI.exe, EEG.exe, UEDUH.exe, CRPIJO.exe, ZXBI.exe, DYBOJQ.exe, UCQ.exe, KORPFL.exe, MJWX.exe, YOTUUZM.exe, ADA.exe, SAGPJ.exe, XCAGLGM.exe, OHIJOSJ.exe, SSDPN.exe, GAK.exe, RVDD.exe, JWSE.exe, JMBQUFP.exe, 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe, GNIFOAH.exe, KZUIB.exe, DKOBSJ.exe, AVM.exe, PHRC.exe, ZZLOB.exe, KUR.exe, SRLIK.exe, NUXINA.exe, NMBOGV.exe, MABXHMN.exe, NOKZLPS.exe, TWOXNX.exe, VCVH.exe, ZJRX.exe, LLXMDA.exe, DNRFRPZ.exe, JNLKG.exe, PMM.exe, EVDTJSB.exe, TVNUES.exe, WVLQCC.exe, PCEUP.exe, DQZGJ.exe, SITRKK.exe, QOXOEEX.exe, JTJ.exe, UNEYLPA.exe
Executes dropped EXE (64 IoCs)
pid Process (one pair per row):
1968 YIC.exe, 1656 GVOREPG.exe, 1556 VQYVP.exe, 3500 KWESELJ.exe, 3720 LLXMDA.exe, 4224 PCEUP.exe, 1780 SPIEZSC.exe, 3868 UNWY.exe,
3144 JDX.exe, 1840 PDFDW.exe, 4012 KQJNGQP.exe, 2944 EEG.exe, 4120 ZZLOB.exe, 2288 UMQXDQI.exe, 3400 CSQ.exe, 2236 ZSYZW.exe,
3208 YIWCI.exe, 2376 YVXQJ.exe, 3152 PBHIZA.exe, 4308 YJJO.exe, 4368 TWOXNX.exe, 2172 GHWW.exe, 4460 UNEYLPA.exe, 2184 UTW.exe,
2528 ATEAW.exe, 772 VOJJGWT.exe, 1952 AOQXPYU.exe, 3476 VCVH.exe, 2192 VHVVBDM.exe, 4296 MVGNRIZ.exe, 4476 WVIS.exe, 4840 SAGPJ.exe,
3116 NOKZLPS.exe, 1240 PMM.exe, 4412 JZQKC.exe, 772 PZYYL.exe, 3672 ICCU.exe, 1708 EIIR.exe, 1584 ZVFAI.exe, 4296 KOITQNY.exe,
2692 ZJRX.exe, 632 ZORML.exe, 880 LEYUPFX.exe, 3544 XXBN.exe, 4564 AFHNJE.exe, 2676 VAM.exe, 3560 BBUKD.exe, 4660 KBWPGE.exe,
3636 QBDC.exe, 1492 LOIUZY.exe, 2692 NMBOGV.exe, 524 EVDTJSB.exe, 4388 CNLHS.exe, 4496 TVNUES.exe, 2016 TGO.exe, 4860 OBTXU.exe,
1984 QOXOEEX.exe, 4856 JRBK.exe, 2444 SSDPN.exe, 2932 JFO.exe, 2376 TFQM.exe, 4452 VBUDQT.exe, 512 ZJB.exe, 3832 ZOBS.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\CEQORZ.exe | XTMPMI.exe
File opened for modification | C:\windows\SysWOW64\XCAGLGM.exe | MJXVD.exe
File created | C:\windows\SysWOW64\ZSYZW.exe | CSQ.exe
File opened for modification | C:\windows\SysWOW64\WVIS.exe | MVGNRIZ.exe
File created | C:\windows\SysWOW64\USCFNPC.exe | ZEXWL.exe
File created | C:\windows\SysWOW64\CEFSB.exe | JLCZ.exe
File opened for modification | C:\windows\SysWOW64\USCFNPC.exe | ZEXWL.exe
File opened for modification | C:\windows\SysWOW64\TFQM.exe | JFO.exe
File opened for modification | C:\windows\SysWOW64\JWSE.exe | JQS.exe
File opened for modification | C:\windows\SysWOW64\JMBQUFP.exe | XUG.exe
File created | C:\windows\SysWOW64\UTW.exe.bat | UNEYLPA.exe
File created | C:\windows\SysWOW64\PMM.exe | NOKZLPS.exe
File created | C:\windows\SysWOW64\QBDC.exe | KBWPGE.exe
File opened for modification | C:\windows\SysWOW64\URRWL.exe | AVM.exe
File created | C:\windows\SysWOW64\TGKR.exe | URRWL.exe
File created | C:\windows\SysWOW64\PHRC.exe.bat | ABLFSYT.exe
File created | C:\windows\SysWOW64\URRWL.exe | AVM.exe
File opened for modification | C:\windows\SysWOW64\TMV.exe | YRQMNC.exe
File created | C:\windows\SysWOW64\EVDTJSB.exe | NMBOGV.exe
File opened for modification | C:\windows\SysWOW64\XOCXVQ.exe | MVZEV.exe
File created | C:\windows\SysWOW64\XVK.exe | GNIFOAH.exe
File created | C:\windows\SysWOW64\VRSQPA.exe | YTMTIQ.exe
File created | C:\windows\SysWOW64\TMV.exe | YRQMNC.exe
File created | C:\windows\SysWOW64\ICCU.exe.bat | PZYYL.exe
File created | C:\windows\SysWOW64\BCPHDD.exe | GPKY.exe
File opened for modification | C:\windows\SysWOW64\NOKZLPS.exe | SAGPJ.exe
File opened for modification | C:\windows\SysWOW64\XVK.exe | GNIFOAH.exe
File opened for modification | C:\windows\SysWOW64\TRA.exe | VRSQPA.exe
File created | C:\windows\SysWOW64\VRSQPA.exe.bat | YTMTIQ.exe
File created | C:\windows\SysWOW64\THSYC.exe | YTN.exe
File created | C:\windows\SysWOW64\NOKZLPS.exe.bat | SAGPJ.exe
File opened for modification | C:\windows\SysWOW64\KXYJAI.exe | IAEPUM.exe
File opened for modification | C:\windows\SysWOW64\XTMPMI.exe | GSK.exe
File opened for modification | C:\windows\SysWOW64\VQYVP.exe | GVOREPG.exe
File created | C:\windows\SysWOW64\PHRC.exe | ABLFSYT.exe
File created | C:\windows\SysWOW64\BCPHDD.exe.bat | GPKY.exe
File opened for modification | C:\windows\SysWOW64\YTMTIQ.exe | WVLQCC.exe
File created | C:\windows\SysWOW64\XOCXVQ.exe.bat | MVZEV.exe
File created | C:\windows\SysWOW64\LLXMDA.exe | KWESELJ.exe
File created | C:\windows\SysWOW64\VAM.exe.bat | AFHNJE.exe
File created | C:\windows\SysWOW64\DNRFRPZ.exe.bat | LMP.exe
File created | C:\windows\SysWOW64\VIDC.exe | MABXHMN.exe
File created | C:\windows\SysWOW64\JWSE.exe.bat | JQS.exe
File created | C:\windows\SysWOW64\XXBN.exe | LEYUPFX.exe
File opened for modification | C:\windows\SysWOW64\DNRFRPZ.exe | LMP.exe
File opened for modification | C:\windows\SysWOW64\LLXMDA.exe | KWESELJ.exe
File opened for modification | C:\windows\SysWOW64\UTW.exe | UNEYLPA.exe
File opened for modification | C:\windows\SysWOW64\FUNKN.exe | NLLE.exe
File opened for modification | C:\windows\SysWOW64\TGKR.exe | URRWL.exe
File created | C:\windows\SysWOW64\YTN.exe.bat | AEH.exe
File created | C:\windows\SysWOW64\JLCZ.exe | ADA.exe
File opened for modification | C:\windows\SysWOW64\ZSYZW.exe | CSQ.exe
File created | C:\windows\SysWOW64\WVIS.exe | MVGNRIZ.exe
File created | C:\windows\SysWOW64\LOIUZY.exe.bat | QBDC.exe
File created | C:\windows\SysWOW64\ZOBS.exe.bat | ZJB.exe
File opened for modification | C:\windows\SysWOW64\GNIFOAH.exe | AMARX.exe
File created | C:\windows\SysWOW64\YOTUUZM.exe.bat | MGMU.exe
File created | C:\windows\SysWOW64\TGO.exe.bat | TVNUES.exe
File created | C:\windows\SysWOW64\PMM.exe.bat | NOKZLPS.exe
File created | C:\windows\SysWOW64\EIIR.exe | ICCU.exe
File created | C:\windows\SysWOW64\CEFSB.exe.bat | JLCZ.exe
File opened for modification | C:\windows\SysWOW64\YTN.exe | AEH.exe
File created | C:\windows\SysWOW64\THSYC.exe.bat | YTN.exe
File created | C:\windows\SysWOW64\GHME.exe | IGFIDXW.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\system\UNWY.exe.bat | SPIEZSC.exe
File opened for modification | C:\windows\IAEPUM.exe | DHXB.exe
File created | C:\windows\system\SJNVFJS.exe.bat | MIFHOOR.exe
File created | C:\windows\system\DYBOJQ.exe | VTAAI.exe
File created | C:\windows\VSYQ.exe | XCZ.exe
File created | C:\windows\system\VCW.exe.bat | TMV.exe
File opened for modification | C:\windows\system\KUR.exe | KORPFL.exe
File created | C:\windows\system\VYZZQ.exe.bat | JISZEAN.exe
File created | C:\windows\RPUI.exe | GWR.exe
File opened for modification | C:\windows\DAB.exe | KXYJAI.exe
File created | C:\windows\OMV.exe.bat | WJRDTJ.exe
File opened for modification | C:\windows\system\OWALJW.exe | CEFSB.exe
File created | C:\windows\system\VKJR.exe | KRG.exe
File created | C:\windows\JISZEAN.exe.bat | JCSLCNK.exe
File opened for modification | C:\windows\KORPFL.exe | CEQORZ.exe
File created | C:\windows\system\KUR.exe.bat | KORPFL.exe
File opened for modification | C:\windows\WNAECO.exe | SFT.exe
File opened for modification | C:\windows\JTJ.exe | RYGWFC.exe
File opened for modification | C:\windows\UEDUH.exe | OMV.exe
File created | C:\windows\system\WVLQCC.exe.bat | RVDD.exe
File opened for modification | C:\windows\system\PCEUP.exe | LLXMDA.exe
File opened for modification | C:\windows\system\ZJRX.exe | KOITQNY.exe
File opened for modification | C:\windows\LEYUPFX.exe | ZORML.exe
File created | C:\windows\IAEPUM.exe | DHXB.exe
File opened for modification | C:\windows\system\CRPIJO.exe | SJNVFJS.exe
File created | C:\windows\AMARX.exe.bat | WEURTOJ.exe
File created | C:\windows\system\XCZ.exe | NUXINA.exe
File created | C:\windows\KORPFL.exe | CEQORZ.exe
File created | C:\windows\system\PBHIZA.exe.bat | YVXQJ.exe
File created | C:\windows\LEYUPFX.exe | ZORML.exe
File opened for modification | C:\windows\system\JCSLCNK.exe | OPVBS.exe
File created | C:\windows\GBES.exe | NGBPV.exe
File created | C:\windows\RXPM.exe.bat | XKLDZBC.exe
File created | C:\windows\system\VYYEE.exe | VSYQ.exe
File created | C:\windows\system\JHW.exe | YOTUUZM.exe
File opened for modification | C:\windows\LKMMER.exe | JNLKG.exe
File created | C:\windows\system\PST.exe | LKMMER.exe
File created | C:\windows\system\PCEUP.exe | LLXMDA.exe
File opened for modification | C:\windows\system\JHW.exe | YOTUUZM.exe
File created | C:\windows\system\TYGNZMC.exe.bat | VYZZQ.exe
File opened for modification | C:\windows\system\JYR.exe | XQCOZ.exe
File created | C:\windows\EKDWLZ.exe | VKJR.exe
File created | C:\windows\DKOBSJ.exe.bat | SRLIK.exe
File created | C:\windows\AEH.exe | WNAECO.exe
File opened for modification | C:\windows\system\UCQ.exe | EZZGX.exe
File created | C:\windows\JNLKG.exe | USCFNPC.exe
File opened for modification | C:\windows\SRLIK.exe | JMBQUFP.exe
File created | C:\windows\system\OHIJOSJ.exe | KZUIB.exe
File created | C:\windows\GPKY.exe.bat | XCAGLGM.exe
File created | C:\windows\system\VCW.exe | TMV.exe
File created | C:\windows\PDFDW.exe | JDX.exe
File opened for modification | C:\windows\system\CNLHS.exe | EVDTJSB.exe
File created | C:\windows\JRBK.exe | QOXOEEX.exe
File created | C:\windows\USVIJO.exe | UEDUH.exe
File opened for modification | C:\windows\system\UWWMG.exe | MJWX.exe
File created | C:\windows\SRLIK.exe.bat | JMBQUFP.exe
File created | C:\windows\system\WJRDTJ.exe.bat | KQOKL.exe
File created | C:\windows\JQS.exe.bat | JYR.exe
File opened for modification | C:\windows\ADA.exe | FPVLFK.exe
File created | C:\windows\PDFDW.exe.bat | JDX.exe
File created | C:\windows\system\TYGNZMC.exe | VYZZQ.exe
File created | C:\windows\JTJ.exe.bat | RYGWFC.exe
File created | C:\windows\BBUKD.exe.bat | VAM.exe
File opened for modification | C:\windows\system\OPVBS.exe | UCQ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
2988 | 1808 | WerFault.exe | 80
4140 | 1968 | WerFault.exe | 85
408 | 1656 | WerFault.exe | 91
3600 | 1556 | WerFault.exe | 98
4592 | 3500 | WerFault.exe | 105
3664 | 3720 | WerFault.exe | 110
1012 | 4224 | WerFault.exe | 115
1028 | 1780 | WerFault.exe | 120
4856 | 3868 | WerFault.exe | 126
3328 | 3144 | WerFault.exe | 131
2160 | 1840 | WerFault.exe | 136
2820 | 4012 | WerFault.exe | 141
1520 | 2944 | WerFault.exe | 148
1284 | 4120 | WerFault.exe | 153
4812 | 2288 | WerFault.exe | 158
2256 | 3400 | WerFault.exe | 163
2184 | 2236 | WerFault.exe | 168
880 | 3208 | WerFault.exe | 173
1424 | 2376 | WerFault.exe | 178
4816 | 3152 | WerFault.exe | 183
2916 | 4308 | WerFault.exe | 188
2124 | 4368 | WerFault.exe | 193
3480 | 2172 | WerFault.exe | 198
2744 | 2552 | WerFault.exe | 203
4656 | 4460 | WerFault.exe | 208
1392 | 2184 | WerFault.exe | 213
4828 | 2528 | WerFault.exe | 218
4232 | 772 | WerFault.exe | 223
1640 | 1952 | WerFault.exe | 228
1268 | 3476 | WerFault.exe | 233
3084 | 2192 | WerFault.exe | 238
1984 | 4296 | WerFault.exe | 243
1964 | 4476 | WerFault.exe | 248
3936 | 4840 | WerFault.exe | 253
4832 | 3116 | WerFault.exe | 258
972 | 1240 | WerFault.exe | 263
2648 | 4412 | WerFault.exe | 267
1284 | 772 | WerFault.exe | 273
684 | 3672 | WerFault.exe | 278
2068 | 1708 | WerFault.exe | 283
4336 | 1584 | WerFault.exe | 289
4140 | 4296 | WerFault.exe | 294
4840 | 2692 | WerFault.exe | 299
1396 | 632 | WerFault.exe | 304
2044 | 880 | WerFault.exe | 310
388 | 3544 | WerFault.exe | 315
4448 | 4564 | WerFault.exe | 320
4492 | 2676 | WerFault.exe | 325
3400 | 3560 | WerFault.exe | 330
4192 | 4660 | WerFault.exe | 334
3244 | 3636 | WerFault.exe | 340
2656 | 1492 | WerFault.exe | 345
4828 | 2692 | WerFault.exe | 349
1504 | 524 | WerFault.exe | 355
3384 | 4388 | WerFault.exe | 360
4620 | 4496 | WerFault.exe | 365
2816 | 2016 | WerFault.exe | 370
1508 | 4860 | WerFault.exe | 375
1064 | 1984 | WerFault.exe | 380
452 | 4856 | WerFault.exe | 385
3220 | 2444 | WerFault.exe | 390
3496 | 2932 | WerFault.exe | 395
4784 | 2376 | WerFault.exe | 400
464 | 4452 | WerFault.exe | 405
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one row per process, in table order): cmd.exe, JZQKC.exe, QBDC.exe, cmd.exe, cmd.exe, DQZGJ.exe, cmd.exe, LMP.exe, ZEXWL.exe, JQS.exe, PMM.exe, NLLE.exe, UCQ.exe, JCSLCNK.exe, cmd.exe, cmd.exe, VCVH.exe, ICCU.exe, PHRC.exe, cmd.exe, cmd.exe, GWR.exe, cmd.exe, RYGWFC.exe, KWESELJ.exe, GBES.exe, OHIJOSJ.exe, cmd.exe, DYBOJQ.exe, cmd.exe, GHME.exe, cmd.exe, cmd.exe, UNEYLPA.exe, ZORML.exe, cmd.exe, GHWW.exe, KQOKL.exe, JLCZ.exe, TYGNZMC.exe, DHXB.exe, cmd.exe, XDYJGWM.exe, ZXBI.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, AQUYZT.exe, cmd.exe, XQCOZ.exe, RVHUQQS.exe, SFT.exe, CSQ.exe, ZSYZW.exe, TWOXNX.exe, PZYYL.exe, YTMTIQ.exe, OWALJW.exe, PCEUP.exe, cmd.exe, FHAH.exe, JYR.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (each pair appears twice in the table):
1808 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe, 1968 YIC.exe, 1656 GVOREPG.exe, 1556 VQYVP.exe, 3500 KWESELJ.exe, 3720 LLXMDA.exe, 4224 PCEUP.exe, 1780 SPIEZSC.exe,
3868 UNWY.exe, 3144 JDX.exe, 1840 PDFDW.exe, 4012 KQJNGQP.exe, 2944 EEG.exe, 4120 ZZLOB.exe, 2288 UMQXDQI.exe, 3400 CSQ.exe,
2236 ZSYZW.exe, 3208 YIWCI.exe, 2376 YVXQJ.exe, 3152 PBHIZA.exe, 4308 YJJO.exe, 4368 TWOXNX.exe, 2552 SAZOB.exe, 4460 UNEYLPA.exe,
2184 UTW.exe, 2528 ATEAW.exe, 772 VOJJGWT.exe, 1952 AOQXPYU.exe, 3476 VCVH.exe, 2192 VHVVBDM.exe, 4296 MVGNRIZ.exe, 4476 WVIS.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process (each pair appears twice in the table):
1808 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe, 1968 YIC.exe, 1656 GVOREPG.exe, 1556 VQYVP.exe, 3500 KWESELJ.exe, 3720 LLXMDA.exe, 4224 PCEUP.exe, 1780 SPIEZSC.exe,
3868 UNWY.exe, 3144 JDX.exe, 1840 PDFDW.exe, 4012 KQJNGQP.exe, 2944 EEG.exe, 4120 ZZLOB.exe, 2288 UMQXDQI.exe, 3400 CSQ.exe,
2236 ZSYZW.exe, 3208 YIWCI.exe, 2376 YVXQJ.exe, 3152 PBHIZA.exe, 4308 YJJO.exe, 4368 TWOXNX.exe, 2552 SAZOB.exe, 4460 UNEYLPA.exe,
2184 UTW.exe, 2528 ATEAW.exe, 772 VOJJGWT.exe, 1952 AOQXPYU.exe, 3476 VCVH.exe, 2192 VHVVBDM.exe, 4296 MVGNRIZ.exe, 4476 WVIS.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each write is recorded as three identical rows, except the last, which the table truncates to one)
PID 1808 wrote to memory of 1512 | 1808 | 1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe | 81
PID 1512 wrote to memory of 1968 | 1512 | cmd.exe | 85
PID 1968 wrote to memory of 4304 | 1968 | YIC.exe | 87
PID 4304 wrote to memory of 1656 | 4304 | cmd.exe | 91
PID 1656 wrote to memory of 1504 | 1656 | GVOREPG.exe | 94
PID 1504 wrote to memory of 1556 | 1504 | cmd.exe | 98
PID 1556 wrote to memory of 4912 | 1556 | VQYVP.exe | 101
PID 4912 wrote to memory of 3500 | 4912 | cmd.exe | 105
PID 3500 wrote to memory of 3672 | 3500 | KWESELJ.exe | 106
PID 3672 wrote to memory of 3720 | 3672 | cmd.exe | 110
PID 3720 wrote to memory of 1340 | 3720 | LLXMDA.exe | 111
PID 1340 wrote to memory of 4224 | 1340 | cmd.exe | 115
PID 4224 wrote to memory of 1936 | 4224 | PCEUP.exe | 116
PID 1936 wrote to memory of 1780 | 1936 | cmd.exe | 120
PID 1780 wrote to memory of 684 | 1780 | SPIEZSC.exe | 122
PID 684 wrote to memory of 3868 | 684 | cmd.exe | 126
PID 3868 wrote to memory of 3040 | 3868 | UNWY.exe | 127
PID 3040 wrote to memory of 3144 | 3040 | cmd.exe | 131
PID 3144 wrote to memory of 3956 | 3144 | JDX.exe | 132
PID 3956 wrote to memory of 1840 | 3956 | cmd.exe | 136
PID 1840 wrote to memory of 2056 | 1840 | PDFDW.exe | 137
PID 2056 wrote to memory of 4012 | 2056 | cmd.exe | 141
Processes (the number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1808
[2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YIC.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1512
[3] C:\windows\SysWOW64\YIC.exe
    command line: C:\windows\system32\YIC.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1968
[4] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVOREPG.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4304
[5] C:\windows\system\GVOREPG.exe
    command line: C:\windows\system\GVOREPG.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1656
[6] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VQYVP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1504
[7] C:\windows\SysWOW64\VQYVP.exe
    command line: C:\windows\system32\VQYVP.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1556
[8] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KWESELJ.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4912
[9] C:\windows\SysWOW64\KWESELJ.exe
    command line: C:\windows\system32\KWESELJ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3500
[10] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LLXMDA.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3672
[11] C:\windows\SysWOW64\LLXMDA.exe
    command line: C:\windows\system32\LLXMDA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3720
[12] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PCEUP.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1340
[13] C:\windows\system\PCEUP.exe
    command line: C:\windows\system\PCEUP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4224
[14] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SPIEZSC.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1936
[15] C:\windows\SPIEZSC.exe
    command line: C:\windows\SPIEZSC.exe
    - Executes dropped EXE
    - Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UNWY.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:684 -
C:\windows\system\UNWY.exeC:\windows\system\UNWY.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JDX.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\windows\JDX.exeC:\windows\JDX.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PDFDW.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\windows\PDFDW.exeC:\windows\PDFDW.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQJNGQP.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\windows\SysWOW64\KQJNGQP.exeC:\windows\system32\KQJNGQP.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EEG.exe.bat" "24⤵PID:4412
-
C:\windows\system\EEG.exeC:\windows\system\EEG.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZZLOB.exe.bat" "26⤵PID:4308
-
C:\windows\ZZLOB.exeC:\windows\ZZLOB.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UMQXDQI.exe.bat" "28⤵PID:4048
-
C:\windows\system\UMQXDQI.exeC:\windows\system\UMQXDQI.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2288 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CSQ.exe.bat" "30⤵PID:2124
-
C:\windows\system\CSQ.exeC:\windows\system\CSQ.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSYZW.exe.bat" "32⤵PID:1636
-
C:\windows\SysWOW64\ZSYZW.exeC:\windows\system32\ZSYZW.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YIWCI.exe.bat" "34⤵PID:1980
-
C:\windows\YIWCI.exeC:\windows\YIWCI.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YVXQJ.exe.bat" "36⤵PID:2296
-
C:\windows\system\YVXQJ.exeC:\windows\system\YVXQJ.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PBHIZA.exe.bat" "38⤵PID:4828
-
C:\windows\system\PBHIZA.exeC:\windows\system\PBHIZA.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YJJO.exe.bat" "40⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\windows\SysWOW64\YJJO.exeC:\windows\system32\YJJO.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TWOXNX.exe.bat" "42⤵PID:2320
-
C:\windows\system\TWOXNX.exeC:\windows\system\TWOXNX.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GHWW.exe.bat" "44⤵PID:4928
-
C:\windows\system\GHWW.exeC:\windows\system\GHWW.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SAZOB.exe.bat" "46⤵PID:3216
-
C:\windows\system\SAZOB.exeC:\windows\system\SAZOB.exe47⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UNEYLPA.exe.bat" "48⤵PID:4660
-
C:\windows\system\UNEYLPA.exeC:\windows\system\UNEYLPA.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UTW.exe.bat" "50⤵PID:4724
-
C:\windows\SysWOW64\UTW.exeC:\windows\system32\UTW.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ATEAW.exe.bat" "52⤵PID:632
-
C:\windows\ATEAW.exeC:\windows\ATEAW.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VOJJGWT.exe.bat" "54⤵PID:2784
-
C:\windows\VOJJGWT.exeC:\windows\VOJJGWT.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AOQXPYU.exe.bat" "56⤵PID:3120
-
C:\windows\AOQXPYU.exeC:\windows\AOQXPYU.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VCVH.exe.bat" "58⤵PID:784
-
C:\windows\system\VCVH.exeC:\windows\system\VCVH.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHVVBDM.exe.bat" "60⤵PID:2944
-
C:\windows\SysWOW64\VHVVBDM.exeC:\windows\system32\VHVVBDM.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MVGNRIZ.exe.bat" "62⤵PID:4788
-
C:\windows\MVGNRIZ.exeC:\windows\MVGNRIZ.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVIS.exe.bat" "64⤵PID:1620
-
C:\windows\SysWOW64\WVIS.exeC:\windows\system32\WVIS.exe65⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SAGPJ.exe.bat" "66⤵PID:3244
-
C:\windows\system\SAGPJ.exeC:\windows\system\SAGPJ.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOKZLPS.exe.bat" "68⤵PID:1704
-
C:\windows\SysWOW64\NOKZLPS.exeC:\windows\system32\NOKZLPS.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PMM.exe.bat" "70⤵PID:404
-
C:\windows\SysWOW64\PMM.exeC:\windows\system32\PMM.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JZQKC.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:3444 -
C:\windows\system\JZQKC.exeC:\windows\system\JZQKC.exe73⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PZYYL.exe.bat" "74⤵PID:1092
-
C:\windows\PZYYL.exeC:\windows\PZYYL.exe75⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICCU.exe.bat" "76⤵PID:3832
-
C:\windows\SysWOW64\ICCU.exeC:\windows\system32\ICCU.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EIIR.exe.bat" "78⤵PID:2232
-
C:\windows\SysWOW64\EIIR.exeC:\windows\system32\EIIR.exe79⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZVFAI.exe.bat" "80⤵PID:3700
-
C:\windows\system\ZVFAI.exeC:\windows\system\ZVFAI.exe81⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KOITQNY.exe.bat" "82⤵PID:4120
-
C:\windows\KOITQNY.exeC:\windows\KOITQNY.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZJRX.exe.bat" "84⤵PID:1876
-
C:\windows\system\ZJRX.exeC:\windows\system\ZJRX.exe85⤵
- Checks computer location settings
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZORML.exe.bat" "86⤵PID:2112
-
C:\windows\ZORML.exeC:\windows\ZORML.exe87⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LEYUPFX.exe.bat" "88⤵PID:5040
-
C:\windows\LEYUPFX.exeC:\windows\LEYUPFX.exe89⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XXBN.exe.bat" "90⤵PID:1504
-
C:\windows\SysWOW64\XXBN.exeC:\windows\system32\XXBN.exe91⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFHNJE.exe.bat" "92⤵PID:1088
-
C:\windows\SysWOW64\AFHNJE.exeC:\windows\system32\AFHNJE.exe93⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VAM.exe.bat" "94⤵PID:4620
-
C:\windows\SysWOW64\VAM.exeC:\windows\system32\VAM.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BBUKD.exe.bat" "96⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\windows\BBUKD.exeC:\windows\BBUKD.exe97⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KBWPGE.exe.bat" "98⤵PID:1616
-
C:\windows\KBWPGE.exeC:\windows\KBWPGE.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QBDC.exe.bat" "100⤵PID:3216
-
C:\windows\SysWOW64\QBDC.exeC:\windows\system32\QBDC.exe101⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LOIUZY.exe.bat" "102⤵PID:2988
-
C:\windows\SysWOW64\LOIUZY.exeC:\windows\system32\LOIUZY.exe103⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NMBOGV.exe.bat" "104⤵PID:2112
-
C:\windows\NMBOGV.exeC:\windows\NMBOGV.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVDTJSB.exe.bat" "106⤵PID:2376
-
C:\windows\SysWOW64\EVDTJSB.exeC:\windows\system32\EVDTJSB.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CNLHS.exe.bat" "108⤵PID:4452
-
C:\windows\system\CNLHS.exeC:\windows\system\CNLHS.exe109⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TVNUES.exe.bat" "110⤵PID:512
-
C:\windows\SysWOW64\TVNUES.exeC:\windows\system32\TVNUES.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGO.exe.bat" "112⤵PID:64
-
C:\windows\SysWOW64\TGO.exeC:\windows\system32\TGO.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBTXU.exe.bat" "114⤵PID:332
-
C:\windows\SysWOW64\OBTXU.exeC:\windows\system32\OBTXU.exe115⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QOXOEEX.exe.bat" "116⤵PID:4616
-
C:\windows\SysWOW64\QOXOEEX.exeC:\windows\system32\QOXOEEX.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JRBK.exe.bat" "118⤵PID:5008
-
C:\windows\JRBK.exeC:\windows\JRBK.exe119⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SSDPN.exe.bat" "120⤵PID:2316
-
C:\windows\system\SSDPN.exeC:\windows\system\SSDPN.exe121⤵
- Checks computer location settings
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JFO.exe.bat" "122⤵PID:592