Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 02-10-2024 01:17
Static task: static1
Behavioral task: behavioral1
Sample: 57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Resource: win10v2004-20240802-en
General
Target: 57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Size: 208KB
MD5: 9d13099934aa78e29176707abf8257d0
SHA1: ba6b1df82ae5b7ca13a6c4f1bcdc3ea253cbd363
SHA256: 57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64
SHA512: 11cee32a0393e1830b15c430fa032d62f4b35becd6514bfa6a992133dee9b746c30c81068197e527962e7f9acf10750384b3507f8c648c4a1cee7c9ae5d0c1af
SSDEEP: 3072:0Tgnx1vQQyrT0yDlRFnhXNc5xzWYSnnGauuW6KPoK1xwC5Yf4NLthEjQT6c:91vRyrT0AlRFI5xzWDY6sxwCGfQEj+
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (nesting depth in the process tree in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 212
[2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RUPMH.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 688
[3] C:\windows\RUPMH.exe
Command line: C:\windows\RUPMH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3152
[4] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ULLBQ.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3660
[5] C:\windows\ULLBQ.exe
Command line: C:\windows\ULLBQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1172
[6] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RIJYXHE.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3148
[7] C:\windows\system\RIJYXHE.exe
Command line: C:\windows\system\RIJYXHE.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4376
[8] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BGWS.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2152
[9] C:\windows\system\BGWS.exe
Command line: C:\windows\system\BGWS.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5068
[10] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DECN.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 220
[11] C:\windows\system\DECN.exe
Command line: C:\windows\system\DECN.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2316
[12] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DHGIZO.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 448
[13] C:\windows\system\DHGIZO.exe
Command line: C:\windows\system\DHGIZO.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2596
[14] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FFLDO.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\windows\system\FFLDO.exeC:\windows\system\FFLDO.exe15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\INUR.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\windows\SysWOW64\INUR.exeC:\windows\system32\INUR.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RVW.exe.bat" "18⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\windows\SysWOW64\RVW.exeC:\windows\system32\RVW.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JVK.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\windows\SysWOW64\JVK.exeC:\windows\system32\JVK.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HONSUTU.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\windows\SysWOW64\HONSUTU.exeC:\windows\system32\HONSUTU.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBE.exe.bat" "24⤵PID:4912
-
C:\windows\SysWOW64\KBE.exeC:\windows\system32\KBE.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XZEFHQ.exe.bat" "26⤵PID:2064
-
C:\windows\XZEFHQ.exeC:\windows\XZEFHQ.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAUQZR.exe.bat" "28⤵PID:3028
-
C:\windows\SysWOW64\RAUQZR.exeC:\windows\system32\RAUQZR.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IAIVMI.exe.bat" "30⤵PID:2216
-
C:\windows\SysWOW64\IAIVMI.exeC:\windows\system32\IAIVMI.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QONCWG.exe.bat" "32⤵PID:2240
-
C:\windows\QONCWG.exeC:\windows\QONCWG.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UWC.exe.bat" "34⤵PID:4632
-
C:\windows\UWC.exeC:\windows\UWC.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LGS.exe.bat" "36⤵PID:3132
-
C:\windows\system\LGS.exeC:\windows\system\LGS.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GRAYOW.exe.bat" "38⤵PID:60
-
C:\windows\GRAYOW.exeC:\windows\GRAYOW.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSC.exe.bat" "40⤵PID:404
-
C:\windows\SysWOW64\PSC.exeC:\windows\system32\PSC.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HARBM.exe.bat" "42⤵PID:220
-
C:\windows\HARBM.exeC:\windows\HARBM.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LQXJQCQ.exe.bat" "44⤵PID:4388
-
C:\windows\system\LQXJQCQ.exeC:\windows\system\LQXJQCQ.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZDJCEZG.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:4520 -
C:\windows\ZDJCEZG.exeC:\windows\ZDJCEZG.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QLXHRQB.exe.bat" "48⤵PID:1200
-
C:\windows\QLXHRQB.exeC:\windows\QLXHRQB.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TUY.exe.bat" "50⤵PID:4336
-
C:\windows\system\TUY.exeC:\windows\system\TUY.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EMO.exe.bat" "52⤵PID:1220
-
C:\windows\system\EMO.exeC:\windows\system\EMO.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EAOV.exe.bat" "54⤵PID:4976
-
C:\windows\EAOV.exeC:\windows\EAOV.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HNFXC.exe.bat" "56⤵PID:2448
-
C:\windows\SysWOW64\HNFXC.exeC:\windows\system32\HNFXC.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MNHH.exe.bat" "58⤵PID:1268
-
C:\windows\system\MNHH.exeC:\windows\system\MNHH.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SJTAUU.exe.bat" "60⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\windows\SJTAUU.exeC:\windows\SJTAUU.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KEWEZSX.exe.bat" "62⤵PID:4988
-
C:\windows\system\KEWEZSX.exeC:\windows\system\KEWEZSX.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SRJKKQT.exe.bat" "64⤵PID:1584
-
C:\windows\system\SRJKKQT.exeC:\windows\system\SRJKKQT.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XXT.exe.bat" "66⤵PID:2192
-
C:\windows\XXT.exeC:\windows\XXT.exe67⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WIEPJ.exe.bat" "68⤵PID:1420
-
C:\windows\WIEPJ.exeC:\windows\WIEPJ.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\USHF.exe.bat" "70⤵PID:4540
-
C:\windows\system\USHF.exeC:\windows\system\USHF.exe71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GLWQ.exe.bat" "72⤵PID:4068
-
C:\windows\SysWOW64\GLWQ.exeC:\windows\system32\GLWQ.exe73⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEZ.exe.bat" "74⤵
- System Location Discovery: System Language Discovery
PID:3468 -
C:\windows\SysWOW64\EEZ.exeC:\windows\system32\EEZ.exe75⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MJENULG.exe.bat" "76⤵PID:3212
-
C:\windows\system\MJENULG.exeC:\windows\system\MJENULG.exe77⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MMWYEWH.exe.bat" "78⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\windows\MMWYEWH.exeC:\windows\MMWYEWH.exe79⤵
- Checks computer location settings
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GAN.exe.bat" "80⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\windows\GAN.exeC:\windows\GAN.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QXTTW.exe.bat" "82⤵PID:2320
-
C:\windows\system\QXTTW.exeC:\windows\system\QXTTW.exe83⤵
- Checks computer location settings
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YLGAH.exe.bat" "84⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\windows\system\YLGAH.exeC:\windows\system\YLGAH.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQKH.exe.bat" "86⤵PID:3136
-
C:\windows\SysWOW64\HQKH.exeC:\windows\system32\HQKH.exe87⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HTW.exe.bat" "88⤵PID:4520
-
C:\windows\HTW.exeC:\windows\HTW.exe89⤵
- Checks computer location settings
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NPA.exe.bat" "90⤵PID:2628
-
C:\windows\system\NPA.exeC:\windows\system\NPA.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FPO.exe.bat" "92⤵PID:916
-
C:\windows\system\FPO.exeC:\windows\system\FPO.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FDOP.exe.bat" "94⤵PID:5100
-
C:\windows\system\FDOP.exeC:\windows\system\FDOP.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JLV.exe.bat" "96⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\windows\SysWOW64\JLV.exeC:\windows\system32\JLV.exe97⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NLXZPSJ.exe.bat" "98⤵PID:2732
-
C:\windows\NLXZPSJ.exeC:\windows\NLXZPSJ.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VRJGAQE.exe.bat" "100⤵PID:1860
-
C:\windows\VRJGAQE.exeC:\windows\VRJGAQE.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DEWNKW.exe.bat" "102⤵PID:2608
-
C:\windows\DEWNKW.exeC:\windows\DEWNKW.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JEDB.exe.bat" "104⤵PID:2888
-
C:\windows\SysWOW64\JEDB.exeC:\windows\system32\JEDB.exe105⤵
- Checks computer location settings
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GXF.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:3640 -
C:\windows\system\GXF.exeC:\windows\system\GXF.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OLSRQTO.exe.bat" "108⤵PID:1604
-
C:\windows\system\OLSRQTO.exeC:\windows\system\OLSRQTO.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DGBWB.exe.bat" "110⤵PID:4948
-
C:\windows\system\DGBWB.exeC:\windows\system\DGBWB.exe111⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DLTKCT.exe.bat" "112⤵PID:404
-
C:\windows\SysWOW64\DLTKCT.exeC:\windows\system32\DLTKCT.exe113⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GGLMWEY.exe.bat" "114⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\windows\system\GGLMWEY.exeC:\windows\system\GGLMWEY.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FRWCWS.exe.bat" "116⤵PID:2888
-
C:\windows\FRWCWS.exeC:\windows\FRWCWS.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WZCHJJ.exe.bat" "118⤵PID:1220
-
C:\windows\WZCHJJ.exeC:\windows\WZCHJJ.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FAEMUHZ.exe.bat" "120⤵PID:2772
-
C:\windows\system\FAEMUHZ.exeC:\windows\system\FAEMUHZ.exe121⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NFRTXFV.exe.bat" "122⤵PID:4948
-