Analysis

max time kernel: 120s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-10-2024 17:18
Static task: static1

Behavioral task: behavioral1
  Sample: 981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
  Resource: win10v2004-20241007-en
General

Target: 981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
Size: 208KB
MD5: 6f4712ccbc6884c4b0de02329adcdb40
SHA1: 71249c7b6e95b9efac00baa31370e61af96de438
SHA256: 981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67d
SHA512: 8b0742457ebc8b93a6b97cc3021decd225bcac886a2c3fd8ebcc80e225ae84a27f8ff70b92629b53db8177bd4e24fa4677373ddfef49ebd054c88e1a5bb8fd14
SSDEEP: 6144:PwYPIuButXpthx5IDD12piyZFFepqyZlPQEj+:tPIuB8tL5I/1ciyZFFUqyZlPQB
Malware Config

Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1648

depth 2: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DUCIIP.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1548

depth 3: C:\windows\system\DUCIIP.exe
  command line: C:\windows\system\DUCIIP.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2196

depth 4: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKLIH.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4376

depth 5: C:\windows\system\TKLIH.exe
  command line: C:\windows\system\TKLIH.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1876

depth 6: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PPJF.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4552

depth 7: C:\windows\system\PPJF.exe
  command line: C:\windows\system\PPJF.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3644

depth 8: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CSNDBD.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 5080

depth 9: C:\windows\system\CSNDBD.exe
  command line: C:\windows\system\CSNDBD.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3180

depth 10: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MFYVIA.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1428

depth 11: C:\windows\system\MFYVIA.exe
  command line: C:\windows\system\MFYVIA.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3080

depth 12: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ILW.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1232

depth 13: C:\windows\ILW.exe
  command line: C:\windows\ILW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3944

depth 14: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DYACA.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1320

depth 15: C:\windows\DYACA.exe
  command line: C:\windows\DYACA.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DEBQJ.exe.bat" "16⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\windows\system\DEBQJ.exeC:\windows\system\DEBQJ.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KWJSPA.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:180 -
C:\windows\KWJSPA.exeC:\windows\KWJSPA.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXLX.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\windows\SysWOW64\UXLX.exeC:\windows\system32\UXLX.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HHUNPJU.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\windows\HHUNPJU.exeC:\windows\HHUNPJU.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NVTWL.exe.bat" "24⤵
PID:4680 -
C:\windows\system\NVTWL.exeC:\windows\system\NVTWL.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EIDOBI.exe.bat" "26⤵
PID:4792 -
C:\windows\system\EIDOBI.exeC:\windows\system\EIDOBI.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CDC.exe.bat" "28⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\windows\CDC.exeC:\windows\CDC.exe29⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EGE.exe.bat" "30⤵
PID:1720 -
C:\windows\EGE.exeC:\windows\EGE.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HTJFB.exe.bat" "32⤵
PID:3404 -
C:\windows\HTJFB.exeC:\windows\HTJFB.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JRKI.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:5020 -
C:\windows\system\JRKI.exeC:\windows\system\JRKI.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMUMSJM.exe.bat" "36⤵
PID:2936 -
C:\windows\SysWOW64\QMUMSJM.exeC:\windows\system32\QMUMSJM.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BFP.exe.bat" "38⤵
PID:2684 -
C:\windows\system\BFP.exeC:\windows\system\BFP.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JKPT.exe.bat" "40⤵
PID:4948 -
C:\windows\JKPT.exeC:\windows\JKPT.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GQVQJ.exe.bat" "42⤵
PID:1316 -
C:\windows\GQVQJ.exeC:\windows\GQVQJ.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWSNQ.exe.bat" "44⤵
PID:4732 -
C:\windows\SysWOW64\UWSNQ.exeC:\windows\system32\UWSNQ.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YEHNCHW.exe.bat" "46⤵
PID:4444 -
C:\windows\system\YEHNCHW.exeC:\windows\system\YEHNCHW.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJFK.exe.bat" "48⤵
PID:1692 -
C:\windows\SysWOW64\VJFK.exeC:\windows\system32\VJFK.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MRHQN.exe.bat" "50⤵
PID:244 -
C:\windows\MRHQN.exeC:\windows\MRHQN.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BPNNCYU.exe.bat" "52⤵
PID:220 -
C:\windows\BPNNCYU.exeC:\windows\BPNNCYU.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNSZJGD.exe.bat" "54⤵
PID:3488 -
C:\windows\SysWOW64\KNSZJGD.exeC:\windows\system32\KNSZJGD.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WFVSSO.exe.bat" "56⤵
PID:2976 -
C:\windows\system\WFVSSO.exeC:\windows\system\WFVSSO.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYE.exe.bat" "58⤵
PID:4076 -
C:\windows\SysWOW64\WYE.exeC:\windows\system32\WYE.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JBASKRC.exe.bat" "60⤵
PID:1316 -
C:\windows\JBASKRC.exeC:\windows\JBASKRC.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGGP.exe.bat" "62⤵
PID:4904 -
C:\windows\SysWOW64\FGGP.exeC:\windows\system32\FGGP.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RZJIS.exe.bat" "64⤵
PID:4456 -
C:\windows\RZJIS.exeC:\windows\RZJIS.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VPPIEBH.exe.bat" "66⤵
- System Location Discovery: System Language Discovery
PID:3804 -
C:\windows\VPPIEBH.exeC:\windows\VPPIEBH.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PCUZ.exe.bat" "68⤵
PID:752 -
C:\windows\system\PCUZ.exeC:\windows\system\PCUZ.exe69⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KPZIZA.exe.bat" "70⤵
PID:1908 -
C:\windows\system\KPZIZA.exeC:\windows\system\KPZIZA.exe71⤵
- Checks computer location settings
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QLQJDVA.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\windows\QLQJDVA.exeC:\windows\QLQJDVA.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "74⤵
PID:2744 -
C:\windows\SysWOW64\BICPQCB.exeC:\windows\system32\BICPQCB.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OTG.exe.bat" "76⤵
PID:2984 -
C:\windows\system\OTG.exeC:\windows\system\OTG.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OZYC.exe.bat" "78⤵
PID:3676 -
C:\windows\OZYC.exeC:\windows\OZYC.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JMDLHG.exe.bat" "80⤵
PID:4016 -
C:\windows\JMDLHG.exeC:\windows\JMDLHG.exe81⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DZH.exe.bat" "82⤵
PID:3512 -
C:\windows\DZH.exeC:\windows\DZH.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXOFVZK.exe.bat" "84⤵
PID:4060 -
C:\windows\SysWOW64\CXOFVZK.exeC:\windows\system32\CXOFVZK.exe85⤵
- Checks computer location settings
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\USSBIP.exe.bat" "86⤵
PID:2044 -
C:\windows\USSBIP.exeC:\windows\USSBIP.exe87⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IDOIN.exe.bat" "88⤵
PID:3152 -
C:\windows\IDOIN.exeC:\windows\IDOIN.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBUXUQQ.exe.bat" "90⤵
- System Location Discovery: System Language Discovery
PID:232 -
C:\windows\SysWOW64\EBUXUQQ.exeC:\windows\system32\EBUXUQQ.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TGAUBAS.exe.bat" "92⤵
PID:3644 -
C:\windows\SysWOW64\TGAUBAS.exeC:\windows\system32\TGAUBAS.exe93⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RWYXNM.exe.bat" "94⤵
PID:2504 -
C:\windows\RWYXNM.exeC:\windows\RWYXNM.exe95⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YZVRX.exe.bat" "96⤵
PID:1232 -
C:\windows\SysWOW64\YZVRX.exeC:\windows\system32\YZVRX.exe97⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MCZPCE.exe.bat" "98⤵
PID:4516 -
C:\windows\SysWOW64\MCZPCE.exeC:\windows\system32\MCZPCE.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNVWH.exe.bat" "100⤵
PID:3012 -
C:\windows\SysWOW64\RNVWH.exeC:\windows\system32\RNVWH.exe101⤵
- Checks computer location settings
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LAAFSVT.exe.bat" "102⤵
PID:1764 -
C:\windows\LAAFSVT.exeC:\windows\LAAFSVT.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PIDNVU.exe.bat" "104⤵
- System Location Discovery: System Language Discovery
PID:3152 -
C:\windows\SysWOW64\PIDNVU.exeC:\windows\system32\PIDNVU.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GYBQHOD.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\windows\SysWOW64\GYBQHOD.exeC:\windows\system32\GYBQHOD.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VTYCIP.exe.bat" "108⤵
PID:2160 -
C:\windows\SysWOW64\VTYCIP.exeC:\windows\system32\VTYCIP.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMHDWT.exe.bat" "110⤵
PID:2648 -
C:\windows\SysWOW64\VMHDWT.exeC:\windows\system32\VMHDWT.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CHEQG.exe.bat" "112⤵
PID:3100 -
C:\windows\SysWOW64\CHEQG.exeC:\windows\system32\CHEQG.exe113⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKITMKJ.exe.bat" "114⤵
PID:2412 -
C:\windows\SysWOW64\DKITMKJ.exeC:\windows\system32\DKITMKJ.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\INM.exe.bat" "116⤵
PID:1320 -
C:\windows\SysWOW64\INM.exeC:\windows\system32\INM.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VXI.exe.bat" "118⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\windows\SysWOW64\VXI.exeC:\windows\system32\VXI.exe119⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BYPMF.exe.bat" "120⤵
PID:4848 -
C:\windows\system\BYPMF.exeC:\windows\system\BYPMF.exe121⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MQSXNC.exe.bat" "122⤵
PID:4456 -