Analysis
max time kernel: 115s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2024, 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
  Resource: win10v2004-20240802-en
General
Target: 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
Size: 208KB
MD5: 9045694005a1f2f996d3fdab3d925560
SHA1: 42acd7a2343265f64bdbe9ea8e0bc9a5eae1fd57
SHA256: 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153
SHA512: 07fbe037bb72eaf6b2c9c5cdbafcf1446009886e36ed196e573885b50994a434fc33b07a6a80d044e3c4260a368efec3dc9ef84a889ffa57a8c443502b0142a9
SSDEEP: 3072:5djpRllkwo8syI6IqSUEDjycJ/2Gk4C1o4NLthEjQT6c:5XRTkwMyI7BZ2LxoQEj+
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description (all 64 rows): Key value queried
ioc (all 64 rows): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
Process (one row each, in the order reported): BHQJVRY.exe, PNGCRHP.exe, TNMC.exe, HDUFA.exe, YVJTNZH.exe, VJFSK.exe, BDUYWM.exe, OVZMZIX.exe, OBRWQV.exe, UYZF.exe, DSC.exe, WQIURCW.exe, TZZ.exe, XSAPY.exe, DTQK.exe, SCKJ.exe, HGJF.exe, LKTPC.exe, XBTI.exe, ATGZ.exe, SYOI.exe, UCCYHAG.exe, SWVZ.exe, IBT.exe, DWLGR.exe, ZFV.exe, RQV.exe, XUZGKIW.exe, HNZ.exe, ERPC.exe, RIUZRR.exe, EMA.exe, ZJKP.exe, UKC.exe, SCDNSMK.exe, SDS.exe, FXOJP.exe, NNFZXAD.exe, CLOFGP.exe, IFDTBDQ.exe, JCYG.exe, AQESF.exe, MBKI.exe, CQTRYGC.exe, FZTENY.exe, MJENULG.exe, PKU.exe, RLYX.exe, OXIHRQI.exe, AFX.exe, VQBH.exe, FNFQKWQ.exe, CCQD.exe, SNPHD.exe, MBNHVG.exe, FQZYIW.exe, HDHXBT.exe, IBKI.exe, FML.exe, SUXEGUA.exe, TVKPBJT.exe, GFLHNG.exe, SNNIHLZ.exe, HEAFIZ.exe
Executes dropped EXE (64 IoCs)
pid  Process
3588  ZJKP.exe
2112  BHQJVRY.exe
4884  PKU.exe
3676  JXYRK.exe
396  NNFZXAD.exe
3104  IBKI.exe
1436  OBRWQV.exe
3468  ZUM.exe
1248  LKTPC.exe
1152  LPTDEH.exe
1940  PXA.exe
3068  CIQCEC.exe
1564  MGWWM.exe
1360  SBVXQO.exe
964  NOA.exe
3260  FREKGDX.exe
2876  LSLY.exe
3264  IPRV.exe
1140  CLOFGP.exe
1432  ILW.exe
2324  RLYX.exe
4828  VBEXNZO.exe
680  DHEM.exe
4844  HPLUBFF.exe
1860  CCQD.exe
2260  PNGCRHP.exe
1448  XSYQBUK.exe
2296  KDPHHXG.exe
1164  KJH.exe
2240  AMQACX.exe
4828  LETTK.exe
1080  LZXW.exe
3188  XSAPY.exe
3488  GFLHNG.exe
2192  MBKI.exe
3664  QJRIWB.exe
1496  RMU.exe
2196  LZZVM.exe
4556  TNMC.exe
4248  ZNLPGSK.exe
1780  SIXTT.exe
2208  FTTSY.exe
3920  XBTI.exe
3992  UYZF.exe
1116  GMRWPTY.exe
1496  KCYWBL.exe
5088  AXVJL.exe
3640  HSAV.exe
3684  DSC.exe
2016  LOHRBKB.exe
3696  QOOF.exe
3300  AMURZNL.exe
1140  THYVFD.exe
4860  UKC.exe
2240  YAIZW.exe
4556  SNNIHLZ.exe
3580  WVUI.exe
1780  CQTRYGC.exe
4568  PTXQDY.exe
4084  FWGC.exe
4380  OXIHRQI.exe
3676  SNPHD.exe
4872  WVWPQTS.exe
4264  HNZ.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\DHEM.exe.bat | VBEXNZO.exe
File created | C:\windows\SysWOW64\SCDNSMK.exe | SXDYQHH.exe
File created | C:\windows\SysWOW64\SMRV.exe.bat | HWKVT.exe
File created | C:\windows\SysWOW64\IBKI.exe.bat | NNFZXAD.exe
File created | C:\windows\SysWOW64\IPRV.exe.bat | LSLY.exe
File opened for modification | C:\windows\SysWOW64\IXVLO.exe | QBR.exe
File created | C:\windows\SysWOW64\YVJTNZH.exe | AFX.exe
File opened for modification | C:\windows\SysWOW64\UCCYHAG.exe | UGY.exe
File opened for modification | C:\windows\SysWOW64\PSLDWQ.exe | EZQK.exe
File created | C:\windows\SysWOW64\IPRV.exe | LSLY.exe
File created | C:\windows\SysWOW64\HPLUBFF.exe | DHEM.exe
File created | C:\windows\SysWOW64\WVWPQTS.exe | SNPHD.exe
File created | C:\windows\SysWOW64\WVWPQTS.exe.bat | SNPHD.exe
File opened for modification | C:\windows\SysWOW64\SCDNSMK.exe | SXDYQHH.exe
File opened for modification | C:\windows\SysWOW64\DJKAJN.exe | VQBH.exe
File created | C:\windows\SysWOW64\FWGC.exe | PTXQDY.exe
File opened for modification | C:\windows\SysWOW64\ZYL.exe | HDUFA.exe
File opened for modification | C:\windows\SysWOW64\MTS.exe | DTQK.exe
File created | C:\windows\SysWOW64\NNFZXAD.exe | JXYRK.exe
File created | C:\windows\SysWOW64\XSYQBUK.exe | PNGCRHP.exe
File created | C:\windows\SysWOW64\SCDNSMK.exe.bat | SXDYQHH.exe
File opened for modification | C:\windows\SysWOW64\FYRTVL.exe | HGJF.exe
File created | C:\windows\SysWOW64\PXA.exe | LPTDEH.exe
File created | C:\windows\SysWOW64\LSLY.exe | FREKGDX.exe
File opened for modification | C:\windows\SysWOW64\XBTI.exe | FTTSY.exe
File opened for modification | C:\windows\SysWOW64\HNZ.exe | WVWPQTS.exe
File created | C:\windows\SysWOW64\QLDHLHL.exe.bat | IFDTBDQ.exe
File opened for modification | C:\windows\SysWOW64\ERPC.exe | DWLGR.exe
File created | C:\windows\SysWOW64\XSA.exe.bat | KISNU.exe
File opened for modification | C:\windows\SysWOW64\PXA.exe | LPTDEH.exe
File created | C:\windows\SysWOW64\DHEM.exe | VBEXNZO.exe
File created | C:\windows\SysWOW64\HPLUBFF.exe.bat | DHEM.exe
File created | C:\windows\SysWOW64\KJH.exe | KDPHHXG.exe
File created | C:\windows\SysWOW64\TNMC.exe | LZZVM.exe
File created | C:\windows\SysWOW64\TNMC.exe.bat | LZZVM.exe
File created | C:\windows\SysWOW64\VQBH.exe.bat | RIUZRR.exe
File created | C:\windows\SysWOW64\PXXHW.exe | JCYG.exe
File created | C:\windows\SysWOW64\FNFQKWQ.exe | XSA.exe
File created | C:\windows\SysWOW64\LSLY.exe.bat | FREKGDX.exe
File opened for modification | C:\windows\SysWOW64\LETTK.exe | AMQACX.exe
File created | C:\windows\SysWOW64\LETTK.exe.bat | AMQACX.exe
File opened for modification | C:\windows\SysWOW64\TNMC.exe | LZZVM.exe
File created | C:\windows\SysWOW64\FTTSY.exe.bat | SIXTT.exe
File opened for modification | C:\windows\SysWOW64\HGJF.exe | VQVFAYM.exe
File opened for modification | C:\windows\SysWOW64\KJH.exe | KDPHHXG.exe
File opened for modification | C:\windows\SysWOW64\YVJTNZH.exe | AFX.exe
File created | C:\windows\SysWOW64\FML.exe.bat | HBALSM.exe
File created | C:\windows\SysWOW64\NNFZXAD.exe.bat | JXYRK.exe
File created | C:\windows\SysWOW64\IXVLO.exe.bat | QBR.exe
File created | C:\windows\SysWOW64\MTS.exe.bat | DTQK.exe
File opened for modification | C:\windows\SysWOW64\YBP.exe | BJTUT.exe
File created | C:\windows\SysWOW64\PXA.exe.bat | LPTDEH.exe
File opened for modification | C:\windows\SysWOW64\ZNLPGSK.exe | TNMC.exe
File created | C:\windows\SysWOW64\ERPC.exe.bat | DWLGR.exe
File created | C:\windows\SysWOW64\VQBH.exe | RIUZRR.exe
File created | C:\windows\SysWOW64\ZUM.exe | OBRWQV.exe
File created | C:\windows\SysWOW64\HGJF.exe.bat | VQVFAYM.exe
File opened for modification | C:\windows\SysWOW64\ZURS.exe | NCO.exe
File created | C:\windows\SysWOW64\XSA.exe | KISNU.exe
File created | C:\windows\SysWOW64\LETTK.exe | AMQACX.exe
File created | C:\windows\SysWOW64\QLDHLHL.exe | IFDTBDQ.exe
File created | C:\windows\SysWOW64\JCYG.exe.bat | SMRV.exe
File opened for modification | C:\windows\SysWOW64\FWGC.exe | PTXQDY.exe
File created | C:\windows\SysWOW64\ZFV.exe | PSLDWQ.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\HEAFIZ.exe | MTS.exe
File created | C:\windows\system\RQV.exe.bat | ZURS.exe
File created | C:\windows\ILW.exe | CLOFGP.exe
File opened for modification | C:\windows\system\KCYWBL.exe | GMRWPTY.exe
File opened for modification | C:\windows\YVUMYUO.exe | DAQCOV.exe
File created | C:\windows\system\AFX.exe.bat | IXVLO.exe
File opened for modification | C:\windows\SYOI.exe | DDEDID.exe
File opened for modification | C:\windows\system\UGY.exe | BDUYWM.exe
File opened for modification | C:\windows\system\EZQK.exe | UCCYHAG.exe
File created | C:\windows\system\OVZMZIX.exe | MYLSSAO.exe
File opened for modification | C:\windows\system\PKU.exe | BHQJVRY.exe
File created | C:\windows\SNPHD.exe | OXIHRQI.exe
File opened for modification | C:\windows\system\ELN.exe | GTSIYPI.exe
File created | C:\windows\XUZGKIW.exe | YBP.exe
File created | C:\windows\system\NOA.exe.bat | SBVXQO.exe
File created | C:\windows\SNPHD.exe.bat | OXIHRQI.exe
File opened for modification | C:\windows\MBNHVG.exe | ATGZ.exe
File created | C:\windows\MLLHWO.exe.bat | PGFS.exe
File opened for modification | C:\windows\system\IBT.exe | ELN.exe
File created | C:\windows\BHQJVRY.exe | ZJKP.exe
File created | C:\windows\system\NOA.exe | SBVXQO.exe
File opened for modification | C:\windows\VJFSK.exe | RBYSFMR.exe
File created | C:\windows\HDUFA.exe.bat | SYOI.exe
File opened for modification | C:\windows\system\LMPXJD.exe | HWIW.exe
File created | C:\windows\ZJKP.exe | 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
File opened for modification | C:\windows\system\AXVJL.exe | KCYWBL.exe
File created | C:\windows\system\CQTRYGC.exe.bat | WVUI.exe
File created | C:\windows\OXIHRQI.exe | FWGC.exe
File created | C:\windows\system\NCO.exe | WPDHLUN.exe
File created | C:\windows\system\NCO.exe.bat | WPDHLUN.exe
File created | C:\windows\system\ELN.exe | GTSIYPI.exe
File created | C:\windows\system\JXYRK.exe | PKU.exe
File opened for modification | C:\windows\UKC.exe | THYVFD.exe
File opened for modification | C:\windows\OXIHRQI.exe | FWGC.exe
File created | C:\windows\system\NPZEOA.exe.bat | BHTECI.exe
File opened for modification | C:\windows\system\DDEDID.exe | PFERYSN.exe
File created | C:\windows\system\MYLSSAO.exe | AQESF.exe
File opened for modification | C:\windows\ILW.exe | CLOFGP.exe
File created | C:\windows\LZXW.exe.bat | LETTK.exe
File created | C:\windows\LZZVM.exe.bat | RMU.exe
File created | C:\windows\system\AXVJL.exe | KCYWBL.exe
File opened for modification | C:\windows\system\CQTRYGC.exe | WVUI.exe
File opened for modification | C:\windows\system\IFDTBDQ.exe | JIR.exe
File created | C:\windows\BHQJVRY.exe.bat | ZJKP.exe
File created | C:\windows\LZXW.exe | LETTK.exe
File opened for modification | C:\windows\system\HBALSM.exe | VJFSK.exe
File created | C:\windows\JCZ.exe.bat | SUXEGUA.exe
File created | C:\windows\system\EMA.exe.bat | OVZMZIX.exe
File created | C:\windows\BHTECI.exe | MBNHVG.exe
File opened for modification | C:\windows\system\QBR.exe | MLLHWO.exe
File created | C:\windows\system\YAIZW.exe.bat | UKC.exe
File created | C:\windows\VQVFAYM.exe | ADYWP.exe
File opened for modification | C:\windows\KISNU.exe | QUZWSEY.exe
File created | C:\windows\system\VBEXNZO.exe | RLYX.exe
File created | C:\windows\system\KCYWBL.exe | GMRWPTY.exe
File created | C:\windows\system\XSAPY.exe.bat | LZXW.exe
File created | C:\windows\HEAFIZ.exe.bat | MTS.exe
File opened for modification | C:\windows\system\NCO.exe | WPDHLUN.exe
File opened for modification | C:\windows\QUZWSEY.exe | XUZGKIW.exe
File opened for modification | C:\windows\ZJKP.exe | 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
File opened for modification | C:\windows\system\LKTPC.exe | ZUM.exe
File opened for modification | C:\windows\system\HWIW.exe | MJENULG.exe
File created | C:\windows\KISNU.exe | QUZWSEY.exe
File created | C:\windows\MJCCUX.exe | FNFQKWQ.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
1324 | 1780 | WerFault.exe | 81
4188 | 3588 | WerFault.exe | 86
2972 | 2112 | WerFault.exe | 92
4992 | 4884 | WerFault.exe | 97
2108 | 3676 | WerFault.exe | 102
2684 | 396 | WerFault.exe | 107
1020 | 3104 | WerFault.exe | 112
1824 | 1436 | WerFault.exe | 116
2876 | 3468 | WerFault.exe | 122
336 | 1248 | WerFault.exe | 127
2644 | 1152 | WerFault.exe | 132
3496 | 1940 | WerFault.exe | 137
1624 | 3068 | WerFault.exe | 144
4892 | 1564 | WerFault.exe | 150
1704 | 1360 | WerFault.exe | 156
1808 | 964 | WerFault.exe | 161
3684 | 3260 | WerFault.exe | 166
2208 | 2876 | WerFault.exe | 171
5008 | 3264 | WerFault.exe | 177
3976 | 1140 | WerFault.exe | 182
4004 | 1432 | WerFault.exe | 187
4564 | 2324 | WerFault.exe | 193
4980 | 4828 | WerFault.exe | 199
4760 | 680 | WerFault.exe | 204
944 | 4844 | WerFault.exe | 208
1248 | 1860 | WerFault.exe | 214
4708 | 2260 | WerFault.exe | 219
2660 | 1448 | WerFault.exe | 224
628 | 2296 | WerFault.exe | 229
3212 | 1164 | WerFault.exe | 234
3960 | 2240 | WerFault.exe | 239
4832 | 4828 | WerFault.exe | 243
2804 | 1080 | WerFault.exe | 249
3768 | 3188 | WerFault.exe | 253
1404 | 3488 | WerFault.exe | 259
4696 | 2192 | WerFault.exe | 264
3092 | 3664 | WerFault.exe | 269
3400 | 1496 | WerFault.exe | 274
2292 | 2196 | WerFault.exe | 279
5048 | 4556 | WerFault.exe | 285
2960 | 4248 | WerFault.exe | 289
3904 | 1780 | WerFault.exe | 295
4568 | 2208 | WerFault.exe | 300
3264 | 3920 | WerFault.exe | 306
3976 | 3992 | WerFault.exe | 311
3276 | 1116 | WerFault.exe | 316
4924 | 1496 | WerFault.exe | 321
644 | 5088 | WerFault.exe | 326
3440 | 3640 | WerFault.exe | 331
2232 | 3684 | WerFault.exe | 336
2928 | 2016 | WerFault.exe | 341
1172 | 3696 | WerFault.exe | 346
4600 | 3300 | WerFault.exe | 351
3400 | 1140 | WerFault.exe | 356
3112 | 4860 | WerFault.exe | 361
3776 | 2240 | WerFault.exe | 366
2356 | 4556 | WerFault.exe | 371
4768 | 3580 | WerFault.exe | 376
2388 | 1780 | WerFault.exe | 381
752 | 4568 | WerFault.exe | 386
3092 | 4084 | WerFault.exe | 391
2112 | 4380 | WerFault.exe | 396
4916 | 3676 | WerFault.exe | 401
4300 | 4872 | WerFault.exe | 406
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description (all 64 rows): Key opened
ioc (all 64 rows): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one row each, in the order reported): cmd.exe, ADYWP.exe, cmd.exe, SMRV.exe, cmd.exe, cmd.exe, MBNHVG.exe, AMQACX.exe, cmd.exe, cmd.exe, cmd.exe, MGWWM.exe, cmd.exe, cmd.exe, cmd.exe, UYZF.exe, LOHRBKB.exe, cmd.exe, QLDHLHL.exe, FYRTVL.exe, cmd.exe, BHQJVRY.exe, LKTPC.exe, cmd.exe, cmd.exe, cmd.exe, HNZ.exe, cmd.exe, cmd.exe, ZJKP.exe, cmd.exe, PSLDWQ.exe, cmd.exe, cmd.exe, XSAPY.exe, MBKI.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, YVUMYUO.exe, cmd.exe, WQIURCW.exe, SBVXQO.exe, LETTK.exe, FWGC.exe, XUZGKIW.exe, cmd.exe, cmd.exe, LMPXJD.exe, HGJF.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, TNMC.exe, cmd.exe, cmd.exe, SDS.exe, cmd.exe, 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe, TDFIKS.exe, HPLUBFF.exe, DSC.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process (each pair appears twice in the report, 64 rows in total)
1780  4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
3588  ZJKP.exe
2112  BHQJVRY.exe
4884  PKU.exe
3676  JXYRK.exe
396  NNFZXAD.exe
3104  IBKI.exe
1436  OBRWQV.exe
3468  ZUM.exe
1248  LKTPC.exe
1152  LPTDEH.exe
1940  PXA.exe
3068  CIQCEC.exe
1564  MGWWM.exe
1360  SBVXQO.exe
964  NOA.exe
3260  FREKGDX.exe
2876  LSLY.exe
3264  IPRV.exe
1140  CLOFGP.exe
1432  ILW.exe
2324  RLYX.exe
4828  VBEXNZO.exe
680  DHEM.exe
4844  HPLUBFF.exe
1860  CCQD.exe
2260  PNGCRHP.exe
1448  XSYQBUK.exe
2296  KDPHHXG.exe
1164  KJH.exe
2240  AMQACX.exe
4828  LETTK.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid  Process (each pair appears twice in the report, 64 rows in total)
1780  4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
3588  ZJKP.exe
2112  BHQJVRY.exe
4884  PKU.exe
3676  JXYRK.exe
396  NNFZXAD.exe
3104  IBKI.exe
1436  OBRWQV.exe
3468  ZUM.exe
1248  LKTPC.exe
1152  LPTDEH.exe
1940  PXA.exe
3068  CIQCEC.exe
1564  MGWWM.exe
1360  SBVXQO.exe
964  NOA.exe
3260  FREKGDX.exe
2876  LSLY.exe
3264  IPRV.exe
1140  CLOFGP.exe
1432  ILW.exe
2324  RLYX.exe
4828  VBEXNZO.exe
680  DHEM.exe
4844  HPLUBFF.exe
1860  CCQD.exe
2260  PNGCRHP.exe
1448  XSYQBUK.exe
2296  KDPHHXG.exe
1164  KJH.exe
2240  AMQACX.exe
4828  LETTK.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row appears three times in the report, except the last, which appears once; 64 rows in total)
PID 1780 wrote to memory of 744 | 1780 | 4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe | 82
PID 744 wrote to memory of 3588 | 744 | cmd.exe | 86
PID 3588 wrote to memory of 2140 | 3588 | ZJKP.exe | 88
PID 2140 wrote to memory of 2112 | 2140 | cmd.exe | 92
PID 2112 wrote to memory of 2672 | 2112 | BHQJVRY.exe | 93
PID 2672 wrote to memory of 4884 | 2672 | cmd.exe | 97
PID 4884 wrote to memory of 1148 | 4884 | PKU.exe | 98
PID 1148 wrote to memory of 3676 | 1148 | cmd.exe | 102
PID 3676 wrote to memory of 60 | 3676 | JXYRK.exe | 103
PID 60 wrote to memory of 396 | 60 | cmd.exe | 107
PID 396 wrote to memory of 4132 | 396 | NNFZXAD.exe | 108
PID 4132 wrote to memory of 3104 | 4132 | cmd.exe | 112
PID 3104 wrote to memory of 1396 | 3104 | IBKI.exe | 113
PID 1396 wrote to memory of 1436 | 1396 | cmd.exe | 116
PID 1436 wrote to memory of 4412 | 1436 | OBRWQV.exe | 118
PID 4412 wrote to memory of 3468 | 4412 | cmd.exe | 122
PID 3468 wrote to memory of 2220 | 3468 | ZUM.exe | 123
PID 2220 wrote to memory of 1248 | 2220 | cmd.exe | 127
PID 1248 wrote to memory of 4552 | 1248 | LKTPC.exe | 128
PID 4552 wrote to memory of 1152 | 4552 | cmd.exe | 132
PID 1152 wrote to memory of 3992 | 1152 | LPTDEH.exe | 133
PID 3992 wrote to memory of 1940 | 3992 | cmd.exe | 137
Processes
(the bracketed number is the depth in the process tree; each process is a child of the one listed above it)
[1] C:\Users\Admin\AppData\Local\Temp\4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4cf85b78ad2c2c5e082d97787e062ee276bdca6026a04408e89611ebf4566153N.exe"
    PID: 1780
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZJKP.exe.bat" "
    PID: 744
    - Suspicious use of WriteProcessMemory
[3] C:\windows\ZJKP.exe
    command line: C:\windows\ZJKP.exe
    PID: 3588
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BHQJVRY.exe.bat" "
    PID: 2140
    - Suspicious use of WriteProcessMemory
[5] C:\windows\BHQJVRY.exe
    command line: C:\windows\BHQJVRY.exe
    PID: 2112
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PKU.exe.bat" "
    PID: 2672
    - Suspicious use of WriteProcessMemory
[7] C:\windows\system\PKU.exe
    command line: C:\windows\system\PKU.exe
    PID: 4884
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JXYRK.exe.bat" "
    PID: 1148
    - Suspicious use of WriteProcessMemory
[9] C:\windows\system\JXYRK.exe
    command line: C:\windows\system\JXYRK.exe
    PID: 3676
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNFZXAD.exe.bat" "
    PID: 60
    - Suspicious use of WriteProcessMemory
[11] C:\windows\SysWOW64\NNFZXAD.exe
    command line: C:\windows\system32\NNFZXAD.exe
    PID: 396
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IBKI.exe.bat" "
    PID: 4132
    - Suspicious use of WriteProcessMemory
[13] C:\windows\SysWOW64\IBKI.exe
    command line: C:\windows\system32\IBKI.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OBRWQV.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\windows\OBRWQV.exeC:\windows\OBRWQV.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZUM.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\windows\SysWOW64\ZUM.exeC:\windows\system32\ZUM.exe17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LKTPC.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\windows\system\LKTPC.exeC:\windows\system\LKTPC.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LPTDEH.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\windows\LPTDEH.exeC:\windows\LPTDEH.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXA.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\windows\SysWOW64\PXA.exeC:\windows\system32\PXA.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CIQCEC.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:4292 -
C:\windows\SysWOW64\CIQCEC.exeC:\windows\system32\CIQCEC.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MGWWM.exe.bat" "26⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\windows\system\MGWWM.exeC:\windows\system\MGWWM.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SBVXQO.exe.bat" "28⤵
PID:4288 -
C:\windows\system\SBVXQO.exeC:\windows\system\SBVXQO.exe29⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NOA.exe.bat" "30⤵
- System Location Discovery: System Language Discovery
PID:3400 -
C:\windows\system\NOA.exeC:\windows\system\NOA.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREKGDX.exe.bat" "32⤵
PID:3596 -
C:\windows\SysWOW64\FREKGDX.exeC:\windows\system32\FREKGDX.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LSLY.exe.bat" "34⤵
PID:3148 -
C:\windows\SysWOW64\LSLY.exeC:\windows\system32\LSLY.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPRV.exe.bat" "36⤵
PID:656 -
C:\windows\SysWOW64\IPRV.exeC:\windows\system32\IPRV.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CLOFGP.exe.bat" "38⤵
PID:1332 -
C:\windows\CLOFGP.exeC:\windows\CLOFGP.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ILW.exe.bat" "40⤵
PID:3004 -
C:\windows\ILW.exeC:\windows\ILW.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RLYX.exe.bat" "42⤵
PID:3296 -
C:\windows\RLYX.exeC:\windows\RLYX.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VBEXNZO.exe.bat" "44⤵
PID:4008 -
C:\windows\system\VBEXNZO.exeC:\windows\system\VBEXNZO.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DHEM.exe.bat" "46⤵
PID:4812 -
C:\windows\SysWOW64\DHEM.exeC:\windows\system32\DHEM.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPLUBFF.exe.bat" "48⤵
PID:1824 -
C:\windows\SysWOW64\HPLUBFF.exeC:\windows\system32\HPLUBFF.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CCQD.exe.bat" "50⤵
PID:3860 -
C:\windows\CCQD.exeC:\windows\CCQD.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "52⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\windows\system\PNGCRHP.exeC:\windows\system\PNGCRHP.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XSYQBUK.exe.bat" "54⤵
PID:4216 -
C:\windows\SysWOW64\XSYQBUK.exeC:\windows\system32\XSYQBUK.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KDPHHXG.exe.bat" "56⤵
- System Location Discovery: System Language Discovery
PID:3976 -
C:\windows\system\KDPHHXG.exeC:\windows\system\KDPHHXG.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KJH.exe.bat" "58⤵
PID:60 -
C:\windows\SysWOW64\KJH.exeC:\windows\system32\KJH.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AMQACX.exe.bat" "60⤵
PID:4304 -
C:\windows\AMQACX.exeC:\windows\AMQACX.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LETTK.exe.bat" "62⤵
PID:2996 -
C:\windows\SysWOW64\LETTK.exeC:\windows\system32\LETTK.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LZXW.exe.bat" "64⤵
PID:456 -
C:\windows\LZXW.exeC:\windows\LZXW.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XSAPY.exe.bat" "66⤵
PID:3580 -
C:\windows\system\XSAPY.exeC:\windows\system\XSAPY.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GFLHNG.exe.bat" "68⤵
PID:3376 -
C:\windows\system\GFLHNG.exeC:\windows\system\GFLHNG.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MBKI.exe.bat" "70⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\windows\system\MBKI.exeC:\windows\system\MBKI.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "72⤵
PID:1108 -
C:\windows\system\QJRIWB.exeC:\windows\system\QJRIWB.exe73⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RMU.exe.bat" "74⤵
- System Location Discovery: System Language Discovery
PID:3476 -
C:\windows\system\RMU.exeC:\windows\system\RMU.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LZZVM.exe.bat" "76⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\windows\LZZVM.exeC:\windows\LZZVM.exe77⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNMC.exe.bat" "78⤵
PID:1244 -
C:\windows\SysWOW64\TNMC.exeC:\windows\system32\TNMC.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZNLPGSK.exe.bat" "80⤵
PID:3776 -
C:\windows\SysWOW64\ZNLPGSK.exeC:\windows\system32\ZNLPGSK.exe81⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SIXTT.exe.bat" "82⤵
PID:612 -
C:\windows\SIXTT.exeC:\windows\SIXTT.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTTSY.exe.bat" "84⤵
PID:2876 -
C:\windows\SysWOW64\FTTSY.exeC:\windows\system32\FTTSY.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBTI.exe.bat" "86⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\windows\SysWOW64\XBTI.exeC:\windows\system32\XBTI.exe87⤵
- Checks computer location settings
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UYZF.exe.bat" "88⤵
PID:2256 -
C:\windows\system\UYZF.exeC:\windows\system\UYZF.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GMRWPTY.exe.bat" "90⤵
PID:4600 -
C:\windows\system\GMRWPTY.exeC:\windows\system\GMRWPTY.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KCYWBL.exe.bat" "92⤵
PID:712 -
C:\windows\system\KCYWBL.exeC:\windows\system\KCYWBL.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AXVJL.exe.bat" "94⤵
PID:640 -
C:\windows\system\AXVJL.exeC:\windows\system\AXVJL.exe95⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HSAV.exe.bat" "96⤵
PID:5096 -
C:\windows\system\HSAV.exeC:\windows\system\HSAV.exe97⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DSC.exe.bat" "98⤵
PID:976 -
C:\windows\DSC.exeC:\windows\DSC.exe99⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LOHRBKB.exe.bat" "100⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\windows\LOHRBKB.exeC:\windows\LOHRBKB.exe101⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QOOF.exe.bat" "102⤵
PID:3488 -
C:\windows\QOOF.exeC:\windows\QOOF.exe103⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMURZNL.exe.bat" "104⤵
PID:4084 -
C:\windows\system\AMURZNL.exeC:\windows\system\AMURZNL.exe105⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\THYVFD.exe.bat" "106⤵
PID:60 -
C:\windows\system\THYVFD.exeC:\windows\system\THYVFD.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UKC.exe.bat" "108⤵
PID:3676 -
C:\windows\UKC.exeC:\windows\UKC.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YAIZW.exe.bat" "110⤵
PID:4520 -
C:\windows\system\YAIZW.exeC:\windows\system\YAIZW.exe111⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SNNIHLZ.exe.bat" "112⤵
- System Location Discovery: System Language Discovery
PID:4300 -
C:\windows\SNNIHLZ.exeC:\windows\SNNIHLZ.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUI.exe.bat" "114⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\windows\system\WVUI.exeC:\windows\system\WVUI.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "116⤵
PID:2120 -
C:\windows\system\CQTRYGC.exeC:\windows\system\CQTRYGC.exe117⤵
- Checks computer location settings
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PTXQDY.exe.bat" "118⤵
PID:3004 -
C:\windows\system\PTXQDY.exeC:\windows\system\PTXQDY.exe119⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWGC.exe.bat" "120⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\windows\SysWOW64\FWGC.exeC:\windows\system32\FWGC.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OXIHRQI.exe.bat" "122⤵
PID:3524