Analysis

max time kernel: 120s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2024 00:12
Static task: static1

Behavioral task: behavioral1
  Sample: b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
  Resource: win10v2004-20240802-en
General

Target: b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
Size: 208KB
MD5: 2a1a7ff58ed0fb57f9b68c91901a7150
SHA1: c154025318f72a5d1f54f1633f627e55419f9f35
SHA256: b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58
SHA512: 0e93b2ff5bbed5648c6153dd980a60701be6be7786a79f61cca5d8b03e0afb2adf98141c606dc19784ef5226ecb29363bd2ef2fc80a5f8ed89ffef6f8a94f772
SSDEEP: 6144:d6WI6x1UYmwyukOslxQYcOgNgAAgczkRtz7/hQEjE:dPuBgNgAAgczkRtH/hQn
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried (all 64 entries)
ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation (all 64 entries)
Process (64 entries, in report order): RWDEMCP.exe, TYOL.exe, IYUY.exe, b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe, SGE.exe, KNO.exe, COXA.exe, HBRN.exe, NUZEE.exe, UROP.exe, UUTZZ.exe, YLOOZ.exe, TPSQECP.exe, FFPVI.exe, MKMQV.exe, KRQSGIL.exe, UIRAW.exe, YSV.exe, DZTOZSU.exe, KMXTVUT.exe, PKGYTX.exe, PLWOQOM.exe, LAMC.exe, RUBOIE.exe, NKGJWS.exe, NQKNVIE.exe, KYYNRTK.exe, HYTGHU.exe, API.exe, HKCPRNK.exe, VGVPV.exe, SYOI.exe, QMJ.exe, LSU.exe, WHRZC.exe, TXZA.exe, QGCIPB.exe, VDYGRY.exe, OMJWXVP.exe, GWM.exe, IJWLZF.exe, PMSD.exe, AJAGG.exe, YMM.exe, JNM.exe, GOX.exe, COKS.exe, NGC.exe, FRREP.exe, NLY.exe, XDYMJLB.exe, WTGZ.exe, INHO.exe, VMOIPUZ.exe, CRM.exe, LLRGC.exe, ABWJ.exe, IXKP.exe, RZHISS.exe, BUZ.exe, PICGJ.exe, DDEDID.exe, ARXJN.exe, HZHO.exe
Executes dropped EXE (64 IoCs)
pid | Process
5100 | AVZQ.exe
4472 | FVVLLBH.exe
1772 | KYRRQT.exe
2484 | LBVNW.exe
4160 | YMM.exe
4680 | BUUI.exe
3492 | HUUWAI.exe
1936 | USCHC.exe
2216 | JNM.exe
2096 | LLRGC.exe
2428 | XEUZLEM.exe
3016 | OMJWXVP.exe
4024 | NXLMGB.exe
852 | QFUBFVH.exe
2992 | MKMQV.exe
4512 | SGE.exe
1892 | PLWOQOM.exe
3000 | VGVPV.exe
4500 | IJD.exe
740 | LAMC.exe
3336 | ESCN.exe
3352 | DDEDID.exe
4372 | SYOI.exe
1236 | ELVO.exe
3596 | RWDEMCP.exe
2744 | RZHISS.exe
2484 | VHOI.exe
2280 | WKSMJB.exe
2664 | NKGJWS.exe
1632 | LGFS.exe
3528 | TYOL.exe
3340 | FRREP.exe
2804 | KRQSGIL.exe
2972 | FAZ.exe
3208 | AKQFTF.exe
3364 | HYTGHU.exe
856 | FQEWQ.exe
1532 | COCTXSJ.exe
224 | UROP.exe
4704 | KMXTVUT.exe
3904 | BUZ.exe
3200 | WIEPJ.exe
1712 | NQKNVIE.exe
4840 | AOSYX.exe
3704 | OYB.exe
4028 | KZLZPBS.exe
4868 | WHRZC.exe
4216 | EXS.exe
1956 | KVDCVUL.exe
2036 | OYCPV.exe
4352 | JLGYFN.exe
1180 | FRZOWIX.exe
1520 | VHA.exe
2580 | DMM.exe
3492 | UUTZZ.exe
1892 | RVDB.exe
1848 | PLBE.exe
4676 | GWM.exe
1180 | OJRBAVS.exe
4276 | ARXJN.exe
1968 | IXKP.exe
3956 | TXZA.exe
1892 | NLY.exe
1620 | IYDIW.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\KYYNRTK.exe | TPSQECP.exe
File created | C:\windows\SysWOW64\PLWOQOM.exe | SGE.exe
File created | C:\windows\SysWOW64\BUUI.exe.bat | YMM.exe
File created | C:\windows\SysWOW64\PLWOQOM.exe.bat | SGE.exe
File opened for modification | C:\windows\SysWOW64\IYDIW.exe | NLY.exe
File created | C:\windows\SysWOW64\YSV.exe | QMJ.exe
File created | C:\windows\SysWOW64\COXA.exe | FONYP.exe
File created | C:\windows\SysWOW64\KYYNRTK.exe.bat | TPSQECP.exe
File opened for modification | C:\windows\SysWOW64\ZMTQ.exe | ZGT.exe
File opened for modification | C:\windows\SysWOW64\FVVLLBH.exe | AVZQ.exe
File created | C:\windows\SysWOW64\PPUEVDP.exe | CRM.exe
File created | C:\windows\SysWOW64\BUZ.exe | KMXTVUT.exe
File opened for modification | C:\windows\SysWOW64\VHA.exe | FRZOWIX.exe
File created | C:\windows\SysWOW64\OJRBAVS.exe.bat | GWM.exe
File created | C:\windows\SysWOW64\PMSD.exe.bat | EHLF.exe
File created | C:\windows\SysWOW64\PRP.exe | QGNH.exe
File opened for modification | C:\windows\SysWOW64\PRP.exe | QGNH.exe
File created | C:\windows\SysWOW64\FAZ.exe.bat | KRQSGIL.exe
File created | C:\windows\SysWOW64\EXS.exe.bat | WHRZC.exe
File created | C:\windows\SysWOW64\COXA.exe.bat | FONYP.exe
File created | C:\windows\SysWOW64\TYOL.exe | LGFS.exe
File created | C:\windows\SysWOW64\ELVO.exe.bat | SYOI.exe
File created | C:\windows\SysWOW64\TXZA.exe.bat | IXKP.exe
File created | C:\windows\SysWOW64\INHO.exe.bat | PMSD.exe
File opened for modification | C:\windows\SysWOW64\BUUI.exe | YMM.exe
File created | C:\windows\SysWOW64\KRQSGIL.exe | FRREP.exe
File created | C:\windows\SysWOW64\RUBOIE.exe | NUZEE.exe
File opened for modification | C:\windows\SysWOW64\AVZQ.exe | b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
File opened for modification | C:\windows\SysWOW64\YSV.exe | QMJ.exe
File opened for modification | C:\windows\SysWOW64\RUBOIE.exe | NUZEE.exe
File created | C:\windows\SysWOW64\UROP.exe.bat | COCTXSJ.exe
File opened for modification | C:\windows\SysWOW64\XDYMJLB.exe | YSV.exe
File created | C:\windows\SysWOW64\JVO.exe | OHKFAM.exe
File opened for modification | C:\windows\SysWOW64\FONYP.exe | KDFZAIS.exe
File created | C:\windows\SysWOW64\VMOIPUZ.exe | NGC.exe
File created | C:\windows\SysWOW64\IYDIW.exe.bat | NLY.exe
File created | C:\windows\SysWOW64\FRREP.exe | TYOL.exe
File opened for modification | C:\windows\SysWOW64\KRQSGIL.exe | FRREP.exe
File created | C:\windows\SysWOW64\HYTGHU.exe.bat | AKQFTF.exe
File opened for modification | C:\windows\SysWOW64\VCLPRZ.exe | XSIZJTC.exe
File created | C:\windows\SysWOW64\FFPVI.exe | GUNFZT.exe
File created | C:\windows\SysWOW64\RZHISS.exe.bat | RWDEMCP.exe
File created | C:\windows\SysWOW64\KRQSGIL.exe.bat | FRREP.exe
File created | C:\windows\SysWOW64\NQKNVIE.exe.bat | WIEPJ.exe
File created | C:\windows\SysWOW64\GWM.exe | PLBE.exe
File opened for modification | C:\windows\SysWOW64\PICGJ.exe | BNZFDJ.exe
File created | C:\windows\SysWOW64\VMOIPUZ.exe.bat | NGC.exe
File created | C:\windows\SysWOW64\PPUEVDP.exe.bat | CRM.exe
File opened for modification | C:\windows\SysWOW64\FRREP.exe | TYOL.exe
File opened for modification | C:\windows\SysWOW64\KYYNRTK.exe | TPSQECP.exe
File created | C:\windows\SysWOW64\NUZEE.exe.bat | SGUU.exe
File opened for modification | C:\windows\SysWOW64\RZHISS.exe | RWDEMCP.exe
File created | C:\windows\SysWOW64\PICGJ.exe | BNZFDJ.exe
File created | C:\windows\SysWOW64\WTGZ.exe | IYUY.exe
File opened for modification | C:\windows\SysWOW64\FFPVI.exe | GUNFZT.exe
File created | C:\windows\SysWOW64\BUUI.exe | YMM.exe
File created | C:\windows\SysWOW64\TYOL.exe.bat | LGFS.exe
File created | C:\windows\SysWOW64\VHA.exe.bat | FRZOWIX.exe
File created | C:\windows\SysWOW64\QGCIPB.exe.bat | XDYMJLB.exe
File created | C:\windows\SysWOW64\ONJJFTC.exe.bat | LSRZMAV.exe
File created | C:\windows\SysWOW64\NUZEE.exe | SGUU.exe
File created | C:\windows\SysWOW64\ELVO.exe | SYOI.exe
File opened for modification | C:\windows\SysWOW64\EXS.exe | WHRZC.exe
File opened for modification | C:\windows\SysWOW64\OJRBAVS.exe | GWM.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\system\DDEDID.exe.bat | ESCN.exe
File created | C:\windows\SYOI.exe.bat | DDEDID.exe
File created | C:\windows\IBAA.exe.bat | RSMD.exe
File created | C:\windows\system\NXLMGB.exe.bat | OMJWXVP.exe
File opened for modification | C:\windows\SYOI.exe | DDEDID.exe
File opened for modification | C:\windows\VHOI.exe | RZHISS.exe
File created | C:\windows\WIEPJ.exe.bat | BUZ.exe
File opened for modification | C:\windows\system\XSIZJTC.exe | DZTOZSU.exe
File opened for modification | C:\windows\system\LSVG.exe | ZAOVTD.exe
File opened for modification | C:\windows\UIRAW.exe | XCYLGK.exe
File created | C:\windows\system\XEUZLEM.exe.bat | LLRGC.exe
File opened for modification | C:\windows\LAMC.exe | IJD.exe
File created | C:\windows\KMXTVUT.exe | UROP.exe
File opened for modification | C:\windows\KZLZPBS.exe | OYB.exe
File opened for modification | C:\windows\system\TVCXJP.exe | EATTQ.exe
File created | C:\windows\system\IJWLZF.exe.bat | COKS.exe
File created | C:\windows\DZTOZSU.exe.bat | VMOIPUZ.exe
File opened for modification | C:\windows\system\ESCN.exe | LAMC.exe
File opened for modification | C:\windows\WIEPJ.exe | BUZ.exe
File created | C:\windows\EATTQ.exe | KNO.exe
File opened for modification | C:\windows\system\JLGYFN.exe | OYCPV.exe
File created | C:\windows\OHKFAM.exe | AMYMUXQ.exe
File opened for modification | C:\windows\OHKFAM.exe | AMYMUXQ.exe
File opened for modification | C:\windows\system\SGUU.exe | XLD.exe
File created | C:\windows\system\LSVG.exe.bat | ZAOVTD.exe
File opened for modification | C:\windows\HKCPRNK.exe | ZEXJGPO.exe
File opened for modification | C:\windows\QMJ.exe | PJFMKI.exe
File created | C:\windows\system\PTDUMQ.exe | YLOOZ.exe
File created | C:\windows\CNDH.exe | UIRAW.exe
File opened for modification | C:\windows\GUNFZT.exe | HKCPRNK.exe
File opened for modification | C:\windows\MKMQV.exe | QFUBFVH.exe
File created | C:\windows\system\LSRZMAV.exe | PRP.exe
File opened for modification | C:\windows\IIOXM.exe | ADJRB.exe
File created | C:\windows\system\COCTXSJ.exe.bat | FQEWQ.exe
File created | C:\windows\system\PJFMKI.exe | ERPBTH.exe
File created | C:\windows\YLOOZ.exe.bat | QGCIPB.exe
File created | C:\windows\UFH.exe.bat | HZHO.exe
File created | C:\windows\system\TGIM.exe.bat | LSVG.exe
File opened for modification | C:\windows\QFUBFVH.exe | NXLMGB.exe
File created | C:\windows\VGVPV.exe.bat | PLWOQOM.exe
File created | C:\windows\AKQFTF.exe.bat | FAZ.exe
File created | C:\windows\system\ZAOVTD.exe.bat | RUBOIE.exe
File created | C:\windows\system\AMYMUXQ.exe | PTDUMQ.exe
File opened for modification | C:\windows\system\HBRN.exe | IIOXM.exe
File opened for modification | C:\windows\RVDB.exe | UUTZZ.exe
File created | C:\windows\system\BIPMU.exe.bat | TVCXJP.exe
File created | C:\windows\system\ERPBTH.exe.bat | BIPMU.exe
File created | C:\windows\NGC.exe | VDYGRY.exe
File created | C:\windows\EATTQ.exe.bat | KNO.exe
File opened for modification | C:\windows\IYUY.exe | LTKJ.exe
File created | C:\windows\system\UNWFA.exe | VCLPRZ.exe
File created | C:\windows\AJAGG.exe | UNWFA.exe
File created | C:\windows\SYOI.exe | DDEDID.exe
File opened for modification | C:\windows\KMXTVUT.exe | UROP.exe
File created | C:\windows\system\OYCPV.exe.bat | KVDCVUL.exe
File opened for modification | C:\windows\NLY.exe | TXZA.exe
File created | C:\windows\system\GOX.exe | IYDIW.exe
File opened for modification | C:\windows\EATTQ.exe | KNO.exe
File opened for modification | C:\windows\VRRNJW.exe | ZMTQ.exe
File opened for modification | C:\windows\VGVPV.exe | PLWOQOM.exe
File opened for modification | C:\windows\system\ERPBTH.exe | BIPMU.exe
File created | C:\windows\ADJRB.exe.bat | PKGYTX.exe
File created | C:\windows\system\HBRN.exe | IIOXM.exe
File created | C:\windows\JZE.exe.bat | HBRN.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
1204 | 4888 | WerFault.exe | 88
1048 | 5100 | WerFault.exe | 93
2592 | 4472 | WerFault.exe | 99
2520 | 1772 | WerFault.exe | 104
4212 | 2484 | WerFault.exe | 109
4868 | 4160 | WerFault.exe | 114
2092 | 4680 | WerFault.exe | 119
4848 | 3492 | WerFault.exe | 125
1632 | 1936 | WerFault.exe | 130
4872 | 2216 | WerFault.exe | 137
3212 | 2096 | WerFault.exe | 144
1892 | 2428 | WerFault.exe | 149
3352 | 3016 | WerFault.exe | 154
4496 | 4024 | WerFault.exe | 159
3124 | 852 | WerFault.exe | 165
1568 | 2992 | WerFault.exe | 170
4048 | 4512 | WerFault.exe | 175
5104 | 1892 | WerFault.exe | 181
4528 | 3000 | WerFault.exe | 187
2212 | 4500 | WerFault.exe | 192
1432 | 740 | WerFault.exe | 197
3236 | 3336 | WerFault.exe | 202
4856 | 3352 | WerFault.exe | 207
5100 | 4372 | WerFault.exe | 212
1636 | 1236 | WerFault.exe | 217
3588 | 3596 | WerFault.exe | 222
4512 | 2744 | WerFault.exe | 227
1892 | 2484 | WerFault.exe | 232
1512 | 2280 | WerFault.exe | 237
4736 | 2664 | WerFault.exe | 242
940 | 1632 | WerFault.exe | 247
4664 | 3528 | WerFault.exe | 252
3016 | 3340 | WerFault.exe | 257
4264 | 2804 | WerFault.exe | 262
5100 | 2972 | WerFault.exe | 267
2992 | 3208 | WerFault.exe | 272
4868 | 3364 | WerFault.exe | 278
4956 | 856 | WerFault.exe | 283
1648 | 1532 | WerFault.exe | 288
2856 | 224 | WerFault.exe | 293
2552 | 4704 | WerFault.exe | 299
4004 | 3904 | WerFault.exe | 304
2744 | 3200 | WerFault.exe | 309
2012 | 1712 | WerFault.exe | 314
3352 | 4840 | WerFault.exe | 319
116 | 3704 | WerFault.exe | 324
3588 | 4028 | WerFault.exe | 329
3328 | 4868 | WerFault.exe | 334
4936 | 4216 | WerFault.exe | 339
3620 | 1956 | WerFault.exe | 344
4416 | 2036 | WerFault.exe | 349
1168 | 4352 | WerFault.exe | 354
3700 | 1180 | WerFault.exe | 359
2996 | 1520 | WerFault.exe | 364
1644 | 2580 | WerFault.exe | 369
3680 | 3492 | WerFault.exe | 374
4260 | 1892 | WerFault.exe | 379
4872 | 1848 | WerFault.exe | 384
3020 | 4676 | WerFault.exe | 389
3236 | 1180 | WerFault.exe | 394
1376 | 4276 | WerFault.exe | 399
2016 | 1968 | WerFault.exe | 404
4024 | 3956 | WerFault.exe | 409
4500 | 1892 | WerFault.exe | 414
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened (all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 entries)
Process (64 entries, in report order): cmd.exe, cmd.exe, YLOOZ.exe, cmd.exe, PLWOQOM.exe, cmd.exe, VMOIPUZ.exe, UNWFA.exe, ZEXJGPO.exe, TVCXJP.exe, ZPLLWA.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, IJWLZF.exe, LTKJ.exe, SGUU.exe, cmd.exe, OYB.exe, GWM.exe, JVO.exe, cmd.exe, cmd.exe, FRREP.exe, cmd.exe, cmd.exe, HZHO.exe, XSIZJTC.exe, XCYLGK.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, PLBE.exe, cmd.exe, ELVO.exe, cmd.exe, cmd.exe, cmd.exe, RSMD.exe, RZHISS.exe, cmd.exe, EHLF.exe, FAZ.exe, QGCIPB.exe, ZMTQ.exe, EXS.exe, VHA.exe, UUTZZ.exe, IXKP.exe, USCHC.exe, cmd.exe, NXLMGB.exe, COCTXSJ.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, KRQSGIL.exe, cmd.exe, ECGCM.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each pair is listed twice in the report, 64 entries in total)
4888 | b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
5100 | AVZQ.exe
4472 | FVVLLBH.exe
1772 | KYRRQT.exe
2484 | LBVNW.exe
4160 | YMM.exe
4680 | BUUI.exe
3492 | HUUWAI.exe
1936 | USCHC.exe
2216 | JNM.exe
2096 | LLRGC.exe
2428 | XEUZLEM.exe
3016 | OMJWXVP.exe
4024 | NXLMGB.exe
852 | QFUBFVH.exe
2992 | MKMQV.exe
4512 | SGE.exe
1892 | PLWOQOM.exe
3000 | VGVPV.exe
4500 | IJD.exe
740 | LAMC.exe
3336 | ESCN.exe
3352 | DDEDID.exe
4372 | SYOI.exe
1236 | ELVO.exe
3596 | RWDEMCP.exe
2744 | RZHISS.exe
2484 | VHOI.exe
2280 | WKSMJB.exe
2664 | NKGJWS.exe
1632 | LGFS.exe
3528 | TYOL.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each pair is listed twice in the report, 64 entries in total)
4888 | b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
5100 | AVZQ.exe
4472 | FVVLLBH.exe
1772 | KYRRQT.exe
2484 | LBVNW.exe
4160 | YMM.exe
4680 | BUUI.exe
3492 | HUUWAI.exe
1936 | USCHC.exe
2216 | JNM.exe
2096 | LLRGC.exe
2428 | XEUZLEM.exe
3016 | OMJWXVP.exe
4024 | NXLMGB.exe
852 | QFUBFVH.exe
2992 | MKMQV.exe
4512 | SGE.exe
1892 | PLWOQOM.exe
3000 | VGVPV.exe
4500 | IJD.exe
740 | LAMC.exe
3336 | ESCN.exe
3352 | DDEDID.exe
4372 | SYOI.exe
1236 | ELVO.exe
3596 | RWDEMCP.exe
2744 | RZHISS.exe
2484 | VHOI.exe
2280 | WKSMJB.exe
2664 | NKGJWS.exe
1632 | LGFS.exe
3528 | TYOL.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | times listed in report
PID 4888 wrote to memory of 3788 | 4888 | b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe | 89 | 3
PID 3788 wrote to memory of 5100 | 3788 | cmd.exe | 93 | 3
PID 5100 wrote to memory of 3076 | 5100 | AVZQ.exe | 95 | 3
PID 3076 wrote to memory of 4472 | 3076 | cmd.exe | 99 | 3
PID 4472 wrote to memory of 3224 | 4472 | FVVLLBH.exe | 100 | 3
PID 3224 wrote to memory of 1772 | 3224 | cmd.exe | 104 | 3
PID 1772 wrote to memory of 3540 | 1772 | KYRRQT.exe | 105 | 3
PID 3540 wrote to memory of 2484 | 3540 | cmd.exe | 109 | 3
PID 2484 wrote to memory of 3896 | 2484 | LBVNW.exe | 110 | 3
PID 3896 wrote to memory of 4160 | 3896 | cmd.exe | 114 | 3
PID 4160 wrote to memory of 552 | 4160 | YMM.exe | 115 | 3
PID 552 wrote to memory of 4680 | 552 | cmd.exe | 119 | 3
PID 4680 wrote to memory of 1072 | 4680 | BUUI.exe | 121 | 3
PID 1072 wrote to memory of 3492 | 1072 | cmd.exe | 125 | 3
PID 3492 wrote to memory of 2588 | 3492 | HUUWAI.exe | 126 | 3
PID 2588 wrote to memory of 1936 | 2588 | cmd.exe | 130 | 3
PID 1936 wrote to memory of 4496 | 1936 | USCHC.exe | 133 | 3
PID 4496 wrote to memory of 2216 | 4496 | cmd.exe | 137 | 3
PID 2216 wrote to memory of 4280 | 2216 | JNM.exe | 140 | 3
PID 4280 wrote to memory of 2096 | 4280 | cmd.exe | 144 | 3
PID 2096 wrote to memory of 2700 | 2096 | LLRGC.exe | 145 | 3
PID 2700 wrote to memory of 2428 | 2700 | cmd.exe | 149 | 1
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b4adb5a5c4d12719a397d5c2df3dfd344ca02627c2ccf16f2f207f0dfc09dd58N.exe"
    PID: 4888
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVZQ.exe.bat" "
      PID: 3788
      - Suspicious use of WriteProcessMemory
    [3] C:\windows\SysWOW64\AVZQ.exe
        Command line: C:\windows\system32\AVZQ.exe
        PID: 5100
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FVVLLBH.exe.bat" "
          PID: 3076
          - Suspicious use of WriteProcessMemory
        [5] C:\windows\SysWOW64\FVVLLBH.exe
            Command line: C:\windows\system32\FVVLLBH.exe
            PID: 4472
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KYRRQT.exe.bat" "
              PID: 3224
              - Suspicious use of WriteProcessMemory
            [7] C:\windows\KYRRQT.exe
                Command line: C:\windows\KYRRQT.exe
                PID: 1772
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LBVNW.exe.bat" "
                  PID: 3540
                  - Suspicious use of WriteProcessMemory
                [9] C:\windows\LBVNW.exe
                    Command line: C:\windows\LBVNW.exe
                    PID: 2484
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YMM.exe.bat" "
                      PID: 3896
                      - Suspicious use of WriteProcessMemory
                    [11] C:\windows\system\YMM.exe
                        Command line: C:\windows\system\YMM.exe
                        PID: 4160
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Drops file in System32 directory
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of SetWindowsHookEx
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUUI.exe.bat" "
                          PID: 552
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of WriteProcessMemory
                        [13] C:\windows\SysWOW64\BUUI.exe
                            Command line: C:\windows\system32\BUUI.exe
                            PID: 4680
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of SetWindowsHookEx
                            - Suspicious use of WriteProcessMemory
                          [14] C:\Windows\SysWOW64\cmd.exe
                              Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HUUWAI.exe.bat" "
                              PID: 1072
                              - Suspicious use of WriteProcessMemory
                            [15] C:\windows\HUUWAI.exe
                                Command line: C:\windows\HUUWAI.exe
                                PID: 3492
                                - Executes dropped EXE
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of SetWindowsHookEx
                                - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\USCHC.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\windows\system\USCHC.exeC:\windows\system\USCHC.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JNM.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\windows\system\JNM.exeC:\windows\system\JNM.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LLRGC.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\windows\SysWOW64\LLRGC.exeC:\windows\system32\LLRGC.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XEUZLEM.exe.bat" "22⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\windows\system\XEUZLEM.exeC:\windows\system\XEUZLEM.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OMJWXVP.exe.bat" "24⤵
PID:2472 -
C:\windows\system\OMJWXVP.exeC:\windows\system\OMJWXVP.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NXLMGB.exe.bat" "26⤵
PID:4856 -
C:\windows\system\NXLMGB.exeC:\windows\system\NXLMGB.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QFUBFVH.exe.bat" "28⤵
PID:4132 -
C:\windows\QFUBFVH.exeC:\windows\QFUBFVH.exe29⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MKMQV.exe.bat" "30⤵
- System Location Discovery: System Language Discovery
PID:4552 -
C:\windows\MKMQV.exeC:\windows\MKMQV.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SGE.exe.bat" "32⤵
PID:5012 -
C:\windows\SGE.exeC:\windows\SGE.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLWOQOM.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\windows\SysWOW64\PLWOQOM.exeC:\windows\system32\PLWOQOM.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VGVPV.exe.bat" "36⤵
PID:2588 -
C:\windows\VGVPV.exeC:\windows\VGVPV.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IJD.exe.bat" "38⤵
PID:2972 -
C:\windows\IJD.exeC:\windows\IJD.exe39⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LAMC.exe.bat" "40⤵
PID:2412 -
C:\windows\LAMC.exeC:\windows\LAMC.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ESCN.exe.bat" "42⤵
PID:1568 -
C:\windows\system\ESCN.exeC:\windows\system\ESCN.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DDEDID.exe.bat" "44⤵
PID:2484 -
C:\windows\system\DDEDID.exeC:\windows\system\DDEDID.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SYOI.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:4476 -
C:\windows\SYOI.exeC:\windows\SYOI.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ELVO.exe.bat" "48⤵
PID:4608 -
C:\windows\SysWOW64\ELVO.exeC:\windows\system32\ELVO.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RWDEMCP.exe.bat" "50⤵
PID:3020 -
C:\windows\system\RWDEMCP.exeC:\windows\system\RWDEMCP.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZHISS.exe.bat" "52⤵
PID:4212 -
C:\windows\SysWOW64\RZHISS.exeC:\windows\system32\RZHISS.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VHOI.exe.bat" "54⤵
- System Location Discovery: System Language Discovery
PID:4444 -
C:\windows\VHOI.exeC:\windows\VHOI.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WKSMJB.exe.bat" "56⤵
PID:3392 -
C:\windows\WKSMJB.exeC:\windows\WKSMJB.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NKGJWS.exe.bat" "58⤵
- System Location Discovery: System Language Discovery
PID:3608 -
C:\windows\system\NKGJWS.exeC:\windows\system\NKGJWS.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LGFS.exe.bat" "60⤵
PID:3704 -
C:\windows\system\LGFS.exeC:\windows\system\LGFS.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TYOL.exe.bat" "62⤵
PID:1936 -
C:\windows\SysWOW64\TYOL.exeC:\windows\system32\TYOL.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRREP.exe.bat" "64⤵
PID:5108 -
C:\windows\SysWOW64\FRREP.exeC:\windows\system32\FRREP.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KRQSGIL.exe.bat" "66⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\windows\SysWOW64\KRQSGIL.exeC:\windows\system32\KRQSGIL.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FAZ.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:4460 -
C:\windows\SysWOW64\FAZ.exeC:\windows\system32\FAZ.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AKQFTF.exe.bat" "70⤵
PID:4680 -
C:\windows\AKQFTF.exeC:\windows\AKQFTF.exe71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HYTGHU.exe.bat" "72⤵
PID:1292 -
C:\windows\SysWOW64\HYTGHU.exeC:\windows\system32\HYTGHU.exe73⤵
- Checks computer location settings
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FQEWQ.exe.bat" "74⤵
PID:4276 -
C:\windows\FQEWQ.exeC:\windows\FQEWQ.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\COCTXSJ.exe.bat" "76⤵
PID:3236 -
C:\windows\system\COCTXSJ.exeC:\windows\system\COCTXSJ.exe77⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UROP.exe.bat" "78⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\windows\SysWOW64\UROP.exeC:\windows\system32\UROP.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KMXTVUT.exe.bat" "80⤵
- System Location Discovery: System Language Discovery
PID:3164 -
C:\windows\KMXTVUT.exeC:\windows\KMXTVUT.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:3736 -
C:\windows\SysWOW64\BUZ.exeC:\windows\system32\BUZ.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WIEPJ.exe.bat" "84⤵
PID:3700 -
C:\windows\WIEPJ.exeC:\windows\WIEPJ.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NQKNVIE.exe.bat" "86⤵
PID:372 -
C:\windows\SysWOW64\NQKNVIE.exeC:\windows\system32\NQKNVIE.exe87⤵
- Checks computer location settings
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AOSYX.exe.bat" "88⤵
PID:3336 -
C:\windows\system\AOSYX.exeC:\windows\system\AOSYX.exe89⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OYB.exe.bat" "90⤵
PID:3392 -
C:\windows\system\OYB.exeC:\windows\system\OYB.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KZLZPBS.exe.bat" "92⤵
PID:396 -
C:\windows\KZLZPBS.exeC:\windows\KZLZPBS.exe93⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WHRZC.exe.bat" "94⤵
- System Location Discovery: System Language Discovery
PID:4492 -
C:\windows\WHRZC.exeC:\windows\WHRZC.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EXS.exe.bat" "96⤵
PID:1816 -
C:\windows\SysWOW64\EXS.exeC:\windows\system32\EXS.exe97⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KVDCVUL.exe.bat" "98⤵
PID:4968 -
C:\windows\KVDCVUL.exeC:\windows\KVDCVUL.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OYCPV.exe.bat" "100⤵
PID:4544 -
C:\windows\system\OYCPV.exeC:\windows\system\OYCPV.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JLGYFN.exe.bat" "102⤵
PID:2360 -
C:\windows\system\JLGYFN.exeC:\windows\system\JLGYFN.exe103⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FRZOWIX.exe.bat" "104⤵
PID:2992 -
C:\windows\system\FRZOWIX.exeC:\windows\system\FRZOWIX.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHA.exe.bat" "106⤵
PID:2940 -
C:\windows\SysWOW64\VHA.exeC:\windows\system32\VHA.exe107⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DMM.exe.bat" "108⤵
PID:1312 -
C:\windows\system\DMM.exeC:\windows\system\DMM.exe109⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UUTZZ.exe.bat" "110⤵
PID:2484 -
C:\windows\UUTZZ.exeC:\windows\UUTZZ.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RVDB.exe.bat" "112⤵
PID:4544 -
C:\windows\RVDB.exeC:\windows\RVDB.exe113⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PLBE.exe.bat" "114⤵
PID:3788 -
C:\windows\PLBE.exeC:\windows\PLBE.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GWM.exe.bat" "116⤵
PID:908 -
C:\windows\SysWOW64\GWM.exeC:\windows\system32\GWM.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJRBAVS.exe.bat" "118⤵
PID:4020 -
C:\windows\SysWOW64\OJRBAVS.exeC:\windows\system32\OJRBAVS.exe119⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ARXJN.exe.bat" "120⤵
- System Location Discovery: System Language Discovery
PID:4980 -
C:\windows\system\ARXJN.exeC:\windows\system\ARXJN.exe121⤵
- Checks computer location settings
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IXKP.exe.bat" "122⤵
PID:2968