Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 03:25
Static task: static1
Behavioral task: behavioral1
Sample: eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b.exe
Resource: win10v2004-20240802-en
General
Target: eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b.exe
Size: 208KB
MD5: 80d387c104ed12039e86db8178bfd516
SHA1: d6e466bb3b2ba9e081ee73a960f6cc99eac3a5e9
SHA256: eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b
SHA512: 8513bcadcac73f88406033f4d625618bf020a41fc3d599889d9f0ab5bbe84ffcd5f5c5eefa01bc3ee06a409d1be20d764050aaec8a2ae0c2c256f345e3fec9cc
SSDEEP: 3072:7j3ENMKgkgQNfcnId+s3pqKXUJx6EWKxIVsa+htMAIG1Qb7Y8bkNk4NLthEjQT6W:76b3NflfEKXUJx9WKxI+61b88bkaQEjE
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b.exe, command line: "C:\Users\Admin\AppData\Local\Temp\eda67068585989ec405e0c11719a81e90ebbff60b4cae72939ad5e5575ecbc1b.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2836
Level 2: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MBPGSVL.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1056
Level 3: C:\windows\system\MBPGSVL.exe, command line: C:\windows\system\MBPGSVL.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3076
Level 4: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WUYGEY.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4888
Level 5: C:\windows\system\WUYGEY.exe, command line: C:\windows\system\WUYGEY.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3692
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHJYUUP.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\windows\SysWOW64\FHJYUUP.exeC:\windows\system32\FHJYUUP.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZSAYR.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\windows\SysWOW64\KZSAYR.exeC:\windows\system32\KZSAYR.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OPZIK.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:752 -
C:\windows\OPZIK.exeC:\windows\OPZIK.exe11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FQOFWA.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\windows\FQOFWA.exeC:\windows\FQOFWA.exe13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FDGUYN.exe.bat" "14⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\windows\FDGUYN.exeC:\windows\FDGUYN.exe15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PBTO.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\windows\PBTO.exeC:\windows\PBTO.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HBALSM.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\windows\system\HBALSM.exeC:\windows\system\HBALSM.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DHGIZO.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\windows\system\DHGIZO.exeC:\windows\system\DHGIZO.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FFHLFL.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\windows\SysWOW64\FFHLFL.exeC:\windows\system32\FFHLFL.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GIXYUUH.exe.bat" "24⤵PID:1032
-
C:\windows\GIXYUUH.exeC:\windows\GIXYUUH.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOHZ.exe.bat" "26⤵
- System Location Discovery: System Language Discovery
PID:4588 -
C:\windows\SysWOW64\MVOHZ.exeC:\windows\system32\MVOHZ.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZGF.exe.bat" "28⤵PID:3308
-
C:\windows\SysWOW64\ZGF.exeC:\windows\system32\ZGF.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYM.exe.bat" "30⤵
- System Location Discovery: System Language Discovery
PID:720 -
C:\windows\SysWOW64\SYM.exeC:\windows\system32\SYM.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PZWTAXJ.exe.bat" "32⤵PID:1464
-
C:\windows\PZWTAXJ.exeC:\windows\PZWTAXJ.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OKLBS.exe.bat" "34⤵PID:1940
-
C:\windows\system\OKLBS.exeC:\windows\system\OKLBS.exe35⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FSNGVC.exe.bat" "36⤵PID:540
-
C:\windows\system\FSNGVC.exeC:\windows\system\FSNGVC.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XABEIT.exe.bat" "38⤵PID:1500
-
C:\windows\XABEIT.exeC:\windows\XABEIT.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GAERL.exe.bat" "40⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\windows\SysWOW64\GAERL.exeC:\windows\system32\GAERL.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FLGZUWT.exe.bat" "42⤵PID:3672
-
C:\windows\system\FLGZUWT.exeC:\windows\system\FLGZUWT.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SWXXIHO.exe.bat" "44⤵PID:4936
-
C:\windows\SWXXIHO.exeC:\windows\SWXXIHO.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VEYUPB.exe.bat" "46⤵PID:5008
-
C:\windows\system\VEYUPB.exeC:\windows\system\VEYUPB.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZHY.exe.bat" "48⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\windows\SysWOW64\KZHY.exeC:\windows\system32\KZHY.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XFPKKAC.exe.bat" "50⤵PID:3608
-
C:\windows\SysWOW64\XFPKKAC.exeC:\windows\system32\XFPKKAC.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SSUT.exe.bat" "52⤵PID:1332
-
C:\windows\SSUT.exeC:\windows\SSUT.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGLVG.exe.bat" "54⤵PID:3772
-
C:\windows\SysWOW64\VGLVG.exeC:\windows\system32\VGLVG.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OTKBL.exe.bat" "56⤵PID:4420
-
C:\windows\SysWOW64\OTKBL.exeC:\windows\system32\OTKBL.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SJDTYYJ.exe.bat" "58⤵PID:1128
-
C:\windows\SysWOW64\SJDTYYJ.exeC:\windows\system32\SJDTYYJ.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKNEKU.exe.bat" "60⤵PID:2948
-
C:\windows\SysWOW64\XKNEKU.exeC:\windows\system32\XKNEKU.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ICUPUV.exe.bat" "62⤵PID:3980
-
C:\windows\SysWOW64\ICUPUV.exeC:\windows\system32\ICUPUV.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSVG.exe.bat" "64⤵PID:2532
-
C:\windows\SysWOW64\XSVG.exeC:\windows\system32\XSVG.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UTF.exe.bat" "66⤵PID:1768
-
C:\windows\UTF.exeC:\windows\UTF.exe67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UTU.exe.bat" "68⤵PID:4808
-
C:\windows\system\UTU.exeC:\windows\system\UTU.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UGY.exe.bat" "70⤵
- System Location Discovery: System Language Discovery
PID:3344 -
C:\windows\system\UGY.exeC:\windows\system\UGY.exe71⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PJP.exe.bat" "72⤵PID:3452
-
C:\windows\PJP.exeC:\windows\PJP.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EZQK.exe.bat" "74⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\windows\system\EZQK.exeC:\windows\system\EZQK.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TCZXHVP.exe.bat" "76⤵PID:368
-
C:\windows\system\TCZXHVP.exeC:\windows\system\TCZXHVP.exe77⤵
- Checks computer location settings
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QVBZLZ.exe.bat" "78⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\windows\system\QVBZLZ.exeC:\windows\system\QVBZLZ.exe79⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BVQKCS.exe.bat" "80⤵
- System Location Discovery: System Language Discovery
PID:4432 -
C:\windows\system\BVQKCS.exeC:\windows\system\BVQKCS.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:32 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PYU.exe.bat" "82⤵PID:3360
-
C:\windows\system\PYU.exeC:\windows\system\PYU.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUL.exe.bat" "84⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\windows\SysWOW64\VUL.exeC:\windows\system32\VUL.exe85⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMB.exe.bat" "86⤵PID:1980
-
C:\windows\SysWOW64\OMB.exeC:\windows\system32\OMB.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPFYB.exe.bat" "88⤵PID:5044
-
C:\windows\SysWOW64\HPFYB.exeC:\windows\system32\HPFYB.exe89⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YPTDOU.exe.bat" "90⤵PID:4400
-
C:\windows\YPTDOU.exeC:\windows\YPTDOU.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XIWTW.exe.bat" "92⤵PID:3092
-
C:\windows\SysWOW64\XIWTW.exeC:\windows\system32\XIWTW.exe93⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZVNVQ.exe.bat" "94⤵PID:3076
-
C:\windows\ZVNVQ.exeC:\windows\ZVNVQ.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YGQL.exe.bat" "96⤵PID:2208
-
C:\windows\YGQL.exeC:\windows\YGQL.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHA.exe.bat" "98⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\windows\SysWOW64\VHA.exeC:\windows\system32\VHA.exe99⤵
- Checks computer location settings
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XURP.exe.bat" "100⤵
- System Location Discovery: System Language Discovery
PID:3596 -
C:\windows\XURP.exeC:\windows\XURP.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LARAXBL.exe.bat" "102⤵PID:4812
-
C:\windows\LARAXBL.exeC:\windows\LARAXBL.exe103⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RVDB.exe.bat" "104⤵PID:1152
-
C:\windows\RVDB.exeC:\windows\RVDB.exe105⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IVRY.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:3124 -
C:\windows\IVRY.exeC:\windows\IVRY.exe107⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGZXERJ.exe.bat" "108⤵PID:4416
-
C:\windows\SysWOW64\EGZXERJ.exeC:\windows\system32\EGZXERJ.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RMZJGC.exe.bat" "110⤵PID:1332
-
C:\windows\system\RMZJGC.exeC:\windows\system\RMZJGC.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CEPUXD.exe.bat" "112⤵PID:3672
-
C:\windows\system\CEPUXD.exeC:\windows\system\CEPUXD.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMV.exe.bat" "114⤵PID:1400
-
C:\windows\SysWOW64\OMV.exeC:\windows\system32\OMV.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MIVDGR.exe.bat" "116⤵PID:4608
-
C:\windows\SysWOW64\MIVDGR.exeC:\windows\system32\MIVDGR.exe117⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UNHJRP.exe.bat" "118⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\windows\UNHJRP.exeC:\windows\UNHJRP.exe119⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XIQLCI.exe.bat" "120⤵PID:4768
-
C:\windows\XIQLCI.exeC:\windows\XIQLCI.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MYZ.exe.bat" "122⤵PID:2468