Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/09/2024, 00:15
Static task: static1
Behavioral task: behavioral1
Sample: d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe
Resource: win10v2004-20240802-en
General
Target: d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe
Size: 208KB
MD5: 988c7c3290e82e8971b9eb01437fba40
SHA1: 6e567e8c31bb1edc772b577ab4d6b39cd5c5193c
SHA256: d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476
SHA512: a412115938e5d6b32b6d33897c811d31b365ae474895d8a32294386b481ee2f7899e25b6029d9a748dd09adcc9bb8bd5e0cb377a3068f919d563682e115a9469
SSDEEP: 3072:tqE5gudRhi2uvC4jr65igGBg+sSVD7RMnqQezwCPDODNbY/4NLthEjQT6c:XHjuFmsgGB6SlRiqQoHGGQEj+
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
The tree is a single chain 122 levels deep: every dropped EXE runs cmd.exe /c on a .bat file named after the next EXE, and cmd.exe then starts that EXE. Each entry below gives the depth, the image that actually ran, the command line the parent passed, the signatures matched by that process, and its PID. Where the command line says C:\windows\system32 but the image is C:\windows\SysWOW64, WOW64 file system redirection moved the 32-bit process's file access to SysWOW64.

depth 1: C:\Users\Admin\AppData\Local\Temp\d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4336
depth 2: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTRT.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 916
depth 3: C:\windows\system\BTRT.exe
  command line: C:\windows\system\BTRT.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4916
depth 4: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EBA.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1952
depth 5: C:\windows\EBA.exe
  command line: C:\windows\EBA.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2592
depth 6: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EUJJDS.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4256
depth 7: C:\windows\EUJJDS.exe
  command line: C:\windows\EUJJDS.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2096
depth 8: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PNECLHZ.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2224
depth 9: C:\windows\PNECLHZ.exe
  command line: C:\windows\PNECLHZ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4772
depth 10: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2152
depth 11: C:\windows\SysWOW64\GNG.exe
  command line: C:\windows\system32\GNG.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4812
depth 12: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VSL.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2552
depth 13: C:\windows\VSL.exe
  command line: C:\windows\VSL.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4552
depth 14: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IDHD.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4044
depth 15: C:\windows\IDHD.exe
  command line: C:\windows\IDHD.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3416
depth 16: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBVXQO.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3936
depth 17: C:\windows\system\SBVXQO.exe
  command line: C:\windows\system\SBVXQO.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2780
depth 18: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWZBW.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1904
depth 19: C:\windows\SysWOW64\LWZBW.exe
  command line: C:\windows\system32\LWZBW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1928
depth 20: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PMF.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1104
depth 21: C:\windows\PMF.exe
  command line: C:\windows\PMF.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3260
depth 22: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFIU.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2512
depth 23: C:\windows\SysWOW64\AFIU.exe
  command line: C:\windows\system32\AFIU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1808
depth 24: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNPUDW.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 208
depth 25: C:\windows\SysWOW64\MNPUDW.exe
  command line: C:\windows\system32\MNPUDW.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2104
depth 26: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDWC.exe.bat" "
  PID: 4992
depth 27: C:\windows\SysWOW64\QDWC.exe
  command line: C:\windows\system32\QDWC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4788
depth 28: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ULCCTY.exe.bat" "
  PID: 2080
depth 29: C:\windows\SysWOW64\ULCCTY.exe
  command line: C:\windows\system32\ULCCTY.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4532
depth 30: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AGO.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2192
depth 31: C:\windows\SysWOW64\AGO.exe
  command line: C:\windows\system32\AGO.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3528
depth 32: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ROQI.exe.bat" "
  PID: 4212
depth 33: C:\windows\system\ROQI.exe
  command line: C:\windows\system\ROQI.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1492
depth 34: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XPYWTU.exe.bat" "
  PID: 1672
depth 35: C:\windows\system\XPYWTU.exe
  command line: C:\windows\system\XPYWTU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3012
depth 36: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XUYKDZG.exe.bat" "
  PID: 1640
depth 37: C:\windows\XUYKDZG.exe
  command line: C:\windows\XUYKDZG.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3240
depth 38: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAIZL.exe.bat" "
  PID: 2808
depth 39: C:\windows\SysWOW64\TAIZL.exe
  command line: C:\windows\system32\TAIZL.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2512
depth 40: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UDMV.exe.bat" "
  PID: 3292
depth 41: C:\windows\UDMV.exe
  command line: C:\windows\UDMV.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1808
depth 42: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FVPOZA.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 1668
depth 43: C:\windows\system\FVPOZA.exe
  command line: C:\windows\system\FVPOZA.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1040
depth 44: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JDV.exe.bat" "
  PID: 3676
depth 45: C:\windows\JDV.exe
  command line: C:\windows\JDV.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3780
depth 46: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWYH.exe.bat" "
  PID: 2572
depth 47: C:\windows\SysWOW64\VWYH.exe
  command line: C:\windows\system32\VWYH.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3564
depth 48: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEFPGSR.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 4360
depth 49: C:\windows\SysWOW64\YEFPGSR.exe
  command line: C:\windows\system32\YEFPGSR.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1932
depth 50: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KXI.exe.bat" "
  PID: 3720
depth 51: C:\windows\system\KXI.exe
  command line: C:\windows\system\KXI.exe
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1508
depth 52: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BFCN.exe.bat" "
  PID: 4808
depth 53: C:\windows\BFCN.exe
  command line: C:\windows\BFCN.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1820
depth 54: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WSHWCF.exe.bat" "
  PID: 3632
depth 55: C:\windows\SysWOW64\WSHWCF.exe
  command line: C:\windows\system32\WSHWCF.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4256
depth 56: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UQAZ.exe.bat" "
  PID: 832
depth 57: C:\windows\UQAZ.exe
  command line: C:\windows\UQAZ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 208
depth 58: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PDFIZK.exe.bat" "
  PID: 3640
depth 59: C:\windows\system\PDFIZK.exe
  command line: C:\windows\system\PDFIZK.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4984
depth 60: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JRK.exe.bat" "
  PID: 1200
depth 61: C:\windows\JRK.exe
  command line: C:\windows\JRK.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 972
depth 62: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EEPBL.exe.bat" "
  PID: 3160
depth 63: C:\windows\EEPBL.exe
  command line: C:\windows\EEPBL.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4724
depth 64: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPN.exe.bat" "
  PID: 4736
depth 65: C:\windows\system\IPN.exe
  command line: C:\windows\system\IPN.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID: 4672
depth 66: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XKWBE.exe.bat" "
  PID: 3200
depth 67: C:\windows\XKWBE.exe
  command line: C:\windows\XKWBE.exe
  - Executes dropped EXE
  PID: 2616
depth 68: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NAXA.exe.bat" "
  PID: 1164
depth 69: C:\windows\system\NAXA.exe
  command line: C:\windows\system\NAXA.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2448
depth 70: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TAFOUF.exe.bat" "
  PID: 3964
depth 71: C:\windows\system\TAFOUF.exe
  command line: C:\windows\system\TAFOUF.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1396
depth 72: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CBHTXKB.exe.bat" "
  PID: 2356
depth 73: C:\windows\system\CBHTXKB.exe
  command line: C:\windows\system\CBHTXKB.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4928
depth 74: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DELO.exe.bat" "
  PID: 4900
depth 75: C:\windows\system\DELO.exe
  command line: C:\windows\system\DELO.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID: 2728
depth 76: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTW.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 3392
depth 77: C:\windows\system\BTW.exe
  command line: C:\windows\system\BTW.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 856
depth 78: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEU.exe.bat" "
  PID: 864
depth 79: C:\windows\SysWOW64\SEU.exe
  command line: C:\windows\system32\SEU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1316
depth 80: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YFCDG.exe.bat" "
  PID: 2784
depth 81: C:\windows\SysWOW64\YFCDG.exe
  command line: C:\windows\system32\YFCDG.exe
  - Executes dropped EXE
  PID: 4676
depth 82: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BVJ.exe.bat" "
  PID: 3988
depth 83: C:\windows\system\BVJ.exe
  command line: C:\windows\system\BVJ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 3516
depth 84: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TVLI.exe.bat" "
  PID: 2064
depth 85: C:\windows\TVLI.exe
  command line: C:\windows\TVLI.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 744
depth 86: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GGTH.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 5044
depth 87: C:\windows\SysWOW64\GGTH.exe
  command line: C:\windows\system32\GGTH.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 860
depth 88: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 5072
depth 89: C:\windows\SysWOW64\NBQ.exe
  command line: C:\windows\system32\NBQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID: 3648
depth 90: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OECXA.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 3468
depth 91: C:\windows\OECXA.exe
  command line: C:\windows\OECXA.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID: 2544
depth 92: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VUD.exe.bat" "
  PID: 2540
depth 93: C:\windows\system\VUD.exe
  command line: C:\windows\system\VUD.exe
  - Executes dropped EXE
  PID: 4108
depth 94: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HCJOT.exe.bat" "
  PID: 1772
depth 95: C:\windows\system\HCJOT.exe
  command line: C:\windows\system\HCJOT.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1096
depth 96: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LSQ.exe.bat" "
  PID: 2500
depth 97: C:\windows\SysWOW64\LSQ.exe
  command line: C:\windows\system32\LSQ.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4212
depth 98: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFVFH.exe.bat" "
  PID: 4472
depth 99: C:\windows\SysWOW64\GFVFH.exe
  command line: C:\windows\system32\GFVFH.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3900
depth 100: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VVW.exe.bat" "
  PID: 4424
depth 101: C:\windows\VVW.exe
  command line: C:\windows\VVW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1164
depth 102: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IGEWCQ.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 1992
depth 103: C:\windows\system\IGEWCQ.exe
  command line: C:\windows\system\IGEWCQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 5016
depth 104: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UZHOKXF.exe.bat" "
  PID: 1820
depth 105: C:\windows\system\UZHOKXF.exe
  command line: C:\windows\system\UZHOKXF.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1924
depth 106: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OMMY.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 3420
depth 107: C:\windows\OMMY.exe
  command line: C:\windows\OMMY.exe
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3468
depth 108: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GMODY.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 3048
depth 109: C:\windows\SysWOW64\GMODY.exe
  command line: C:\windows\system32\GMODY.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3704
depth 110: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AITUAVL.exe.bat" "
  PID: 1712
depth 111: C:\windows\SysWOW64\AITUAVL.exe
  command line: C:\windows\system32\AITUAVL.exe
  - Executes dropped EXE
  PID: 4400
depth 112: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PDCZT.exe.bat" "
  PID: 828
depth 113: C:\windows\PDCZT.exe
  command line: C:\windows\PDCZT.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3216
depth 114: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAIT.exe.bat" "
  PID: 664
depth 115: C:\windows\SysWOW64\RAIT.exe
  command line: C:\windows\system32\RAIT.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 4164
depth 116: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JBKYEV.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2288
depth 117: C:\windows\SysWOW64\JBKYEV.exe
  command line: C:\windows\system32\JBKYEV.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 4708
depth 118: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRR.exe.bat" "
  PID: 1792
depth 119: C:\windows\system\NRR.exe
  command line: C:\windows\system\NRR.exe
  - Executes dropped EXE
  PID: 3908
depth 120: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEVHB.exe.bat" "
  PID: 3880
depth 121: C:\windows\SysWOW64\HEVHB.exe
  command line: C:\windows\system32\HEVHB.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4576
depth 122: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SXYAJV.exe.bat" "
  PID: 4584
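The process tree and the "wrote to memory" records above carry three things an analyst will want to pull out mechanically: the dropper chain (which EXE wrote which .bat, and which EXE that .bat started), the WOW64 path redirection that makes the command line say C:\windows\system32 while the image that ran lives in C:\windows\SysWOW64 (the chain is 32-bit), and the fact that the run recycled PIDs (2512, 1808, 208, 4256, 4212, 1164, 3468 and 1820 each appear twice), so a PID on its own does not identify a process. The script below is an added example, not code from the sandbox or from the sample; it transcribes part of the tree (depths 1-5, 9-11, 19-23 and 38-41) and four of the memory-write records, rebuilds the chain, confirms every .bat name matches the EXE it launched after redirection, lists the reused PIDs, and checks that every recorded write goes from a process to the entry directly below it in the tree, which is a parent setting up a child it has just started rather than a write into some unrelated process.

```python
"""Rebuild the dropper chain from the process tree on this page and cross-check
it against the "wrote to memory" records. Added example, not part of the
sandbox report; TREE and WRITES are transcribed from the report above."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    depth: int     # level in the tree (this run is one straight chain)
    image: str     # image path as the sandbox recorded it
    cmdline: str   # command line as the parent passed it
    pid: int


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYS = r"C:\Windows\system32\cmd.exe /c "
# Transcribed excerpt: depths 1-5, 9-11, 19-23 and 38-41 of the tree above.
TREE = [
    Proc(1, r"C:\Users\Admin\AppData\Local\Temp\d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\d04dab1740c985c0ba7bcc0f83906d48a2d6c756d3c10814279e1355bf83a476N.exe"', 4336),
    Proc(2, CMD, SYS + r'""C:\windows\system\BTRT.exe.bat" "', 916),
    Proc(3, r"C:\windows\system\BTRT.exe", r"C:\windows\system\BTRT.exe", 4916),
    Proc(4, CMD, SYS + r'""C:\windows\EBA.exe.bat" "', 1952),
    Proc(5, r"C:\windows\EBA.exe", r"C:\windows\EBA.exe", 2592),
    Proc(9, r"C:\windows\PNECLHZ.exe", r"C:\windows\PNECLHZ.exe", 4772),
    Proc(10, CMD, SYS + r'""C:\windows\system32\GNG.exe.bat" "', 2152),
    Proc(11, r"C:\windows\SysWOW64\GNG.exe", r"C:\windows\system32\GNG.exe", 4812),
    Proc(19, r"C:\windows\SysWOW64\LWZBW.exe", r"C:\windows\system32\LWZBW.exe", 1928),
    Proc(20, CMD, SYS + r'""C:\windows\PMF.exe.bat" "', 1104),
    Proc(21, r"C:\windows\PMF.exe", r"C:\windows\PMF.exe", 3260),
    Proc(22, CMD, SYS + r'""C:\windows\system32\AFIU.exe.bat" "', 2512),
    Proc(23, r"C:\windows\SysWOW64\AFIU.exe", r"C:\windows\system32\AFIU.exe", 1808),
    Proc(38, CMD, SYS + r'""C:\windows\system32\TAIZL.exe.bat" "', 2808),
    Proc(39, r"C:\windows\SysWOW64\TAIZL.exe", r"C:\windows\system32\TAIZL.exe", 2512),
    Proc(40, CMD, SYS + r'""C:\windows\UDMV.exe.bat" "', 3292),
    Proc(41, r"C:\windows\UDMV.exe", r"C:\windows\UDMV.exe", 1808),
]
# Transcribed "wrote to memory" records; the report repeats each one three times.
WRITES = """\
PID 1928 wrote to memory of 1104 1928 LWZBW.exe 128
PID 1928 wrote to memory of 1104 1928 LWZBW.exe 128
PID 1928 wrote to memory of 1104 1928 LWZBW.exe 128
PID 1104 wrote to memory of 3260 1104 cmd.exe 132
PID 3260 wrote to memory of 2512 3260 PMF.exe 135
PID 2512 wrote to memory of 1808 2512 cmd.exe 139
"""
BAT_RE = re.compile(r'/c\s+""(?P<bat>[^"]+\.exe\.bat)"', re.IGNORECASE)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def wow64_redirect(path: str) -> str:
    r"""WOW64 file system redirection: a 32-bit process that opens
    C:\Windows\system32\... gets C:\Windows\SysWOW64\... instead. That is why the
    tree shows 'system32' on the command line but 'SysWOW64' as the image."""
    return re.sub(r"(?i)^(c:\\windows)\\system32\\", r"\1\\SysWOW64\\", path)


def dropper_chain(tree):
    """Walk EXE -> cmd.exe -> EXE triples. Each step is (parent image, .bat that
    cmd.exe ran, child image, name_matches); name_matches is True when the child
    image equals the .bat name minus '.bat' after WOW64 redirection."""
    by_depth = {p.depth: p for p in tree}
    steps = []
    for p in tree:
        cmd, child = by_depth.get(p.depth + 1), by_depth.get(p.depth + 2)
        if not (cmd and child) or not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(cmd.cmdline)
        if not m:
            continue
        bat = m.group("bat")
        expected = wow64_redirect(bat[: -len(".bat")])
        steps.append((p.image, bat, child.image, expected.lower() == child.image.lower()))
    return steps


def reused_pids(tree):
    """PIDs handed out more than once during the run, with the depths that used
    them. Windows recycles PIDs as soon as a process exits, so key detections on
    (PID, creation time) or on the parent chain, never on the PID alone."""
    counts = Counter(p.pid for p in tree)
    return {pid: sorted(p.depth for p in tree if p.pid == pid)
            for pid, n in counts.items() if n > 1}


def memory_write_edges(text):
    """(writer PID, target PID) pairs from the signature records, de-duplicated."""
    return {(int(a), int(b)) for a, b in WRITE_RE.findall(text)}


def edges_match_tree(tree, edges):
    """True when every recorded write goes from a process to the entry directly
    below it in the tree, i.e. a parent writing into the child it just started."""
    by_depth = {p.depth: p for p in tree}
    parent_child = {(p.pid, by_depth[p.depth + 1].pid)
                    for p in tree if p.depth + 1 in by_depth}
    return edges <= parent_child


if __name__ == "__main__":
    for parent, bat, child, ok in dropper_chain(TREE):
        print(f"{parent} -> {bat} -> {child} [{'ok' if ok else 'MISMATCH'}]")
    print("reused PIDs:", reused_pids(TREE))
    print("writes follow the tree:", edges_match_tree(TREE, memory_write_edges(WRITES)))
```

On real telemetry the same three checks apply to Sysmon or EDR process-creation events: join parent and child on (PID, creation time) rather than PID, normalise system32 to SysWOW64 before comparing paths written by a 32-bit process, and treat a chain of same-named .exe/.exe.bat pairs under C:\windows, C:\windows\system and C:\windows\system32 as the indicator, since the file names themselves change from run to run.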